OpenVPN client showing 100% packetloss following 2.5.0 upgrade
-
@rummonkey69 Had you added those Enable Data Encryption Algorithms or did they show up on their own after the upgrade? Those are not the same Algorithms shown to be added on the Nord 2.4.5 config guide.
-
@skooby I don't believe clean install will help. It is likely added option is set to enable instead of disable like for example the monitor of the gateways. When I was using 2.4, I don't believe there was monitor feature for the gateways. I recommend going through each setting for the interface, gateway and vpn profile.
-
@bjames88 it was default settings, I only added VPN server name , usernames and passwords and the custom rules as mentioned on the site.
-
@nevar yes the monitor features has been there for long time.
-
@rummonkey69 hmmm, i can only guess there some changes to it since i didn't encounter with "offline, 100% packetloss" on the gateway after i upgrade to 2.5 and only resolve my issue to enable "disable monitoring" checkboxes.
-
@nevar yeah I had to disable them when I upgraded. But no issues when clean.
-
@rummonkey69 i had the same issue with the late dev builds. No matter what i did, post upgrade Nord would not connect, or after editing it would connect but total traffic loss. A clean build and it worked fine.
-
@griffo I had issues with a clean install of pfsense and restoring my config. I'd lean towards something wrong with the old config and how it transfers over to the new version of openvpn.
-
@hypnosis4u2nv Yes same, restoring config did not work. Clean build, restoring just OpenVPN config did not work.
Clean build, manual config recreation worked.
-
Hi!
Does anyone have Torguard OpenVPN UDP / TCP working with 2.5? I have setup the OpenVPN tunnel with Torguard and it connects fine. But it stays on Gateway Monitor down. I have tried setting up a specific Ip for gateway monitoring (tried with 8.8.8.8 and 1.1.1.1) but it is still not registering the interface up. I have tried several reboots already. Now I'm thinking I have to downgrade my pfsense to (clean install ofcourse) version 2.4 to get this working.I already have a ticket open with Torguard support and awaiting their answer. In my research I stumbled on this topic. Thank you guys for helping!
-
@vjizzle here are setting that got my torguard working again:
- System > Routing > Gateways > Edit (your torguard), checked the following option: disable gateway monitoing and disable gateway monitoring action. Gateway : dynamic.
- VPN > OpenVPN > Clients > Edit (your torguard), I can't get udp working before so I stuck using tcp for Protocol. TLS keydir direction: use default direction. Unchecked "Enable Data Encryption Negotiation". Fallback Data Encryption Algorithm: AES-128-GCM. Checked "Don't pull routes" and "Don't add/remove routes"
-
@nevar
Thank you for sharing your configuration :). Disabling gateway monitoring is not an option for me. The idea is to use several tunnels in a gateway group and have a sort of "fallback" when one VPN server goes doen. So I think I will do the downgrade and wait for Torguard to officially support pfSense 2.5.Thanks again!
-
@vjizzle I tried playing with this a little while again and I couldn't get it to stay up. It would show connected and then go down.
I have working and will stick with that for a whileuuntil Netgate fixes these issues.
-
Just a small status update :)
I downgraded my pfSense to version 2.4.5 p1 tonight. Did a clean install, restored my backup I made before the upgrade to version 2.5. I had to change the update manager in pfSense to 2.4.5 (depricated) to let it install all the packages. From there on everything went well. I love the simplicity and efficiency in the backup and restore procedure in pfSense!
Then I configured Torguard VPN client. Initially the Gateway Monitor was down again but that was not a problem. I know from experience that ExpressVPN shows the same behaviour in pfSense. I then added 1.1.1.1 as monitoring ip in the gateway settings of the Torguard VPN tunnel and I am up and running! Policy based routing is working as expected, some traffic I send trough another VPN tunnel.
I don't know what is happening here but clearly something in the OpenVPN client settings is done different in version 2.5 and breaking a lot of VPN configurations out there. When you update your pfSense and are using OpenVPN tunnels, beware that OpenVPN client in pfSense 2.5 is not 100% backwards compatible with OpenVPN client in pfSense 2.4.5 ;).
-
And another update. I just spoke to the guys at Torguard and they keep telling me that everything should be working on pfsense 2.5.
So I decided to do a backup of the 2.4.5 setup, do a clean install of 2.5 and restore my backup. Guess what....everything is working! Torguard is working as expected, routing as expected monitor gateway is doing it's thing with 1.1.1.1 or 8.8.8.8.
Lessons learned: I strongly advise do not do an in-place upgrade from 2.4.5 to 2.5 if you have OpenVPN tunnels running. Just take the time, backup your 2.4.5 config and do a clean install of 2.5. Then restore your configuration and that should have your firewall running up again!
-
@vjizzle They told me the same thing but I couldn't get the connection to stay up. Gonna try again another day. Wireguard on Torguard works without issue.
-
@hypnosis4u2nv
Wireguard works ok? I would love to set that up but I am missing some information. Like on pfSense when I enable wg0 what do I need to enter in the Address field? And then when I generate the Wireguard config on Torguard do I need to enter that information in wg0 peers? Maybe you can share some settings/screenshots? Would be greatly appreciated. -
@vjizzle There's a "general guide" recipe on Netgates site:
http://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html
In short, your VPN provider will give you the IP address to stick in the config.
-
@vjizzle Use the configurator on Torguard, choose Wireguard from the drop down box. Choose a server location. Have pfsense generate the private and public keys. Enter them in the Torguard configurator and it will spit out a configuration. Use the server IP generated and enter that in the address field in pfsense. Click "Add Peer", fill in the keys generated by the configurator and all the other settings it spit out. Save. Add NAT rule for Wireguard. Add interface wg0 and create a firewall rule to allow any for all. Go to LAN and create your PBR to use Wireguard.
-
@vjizzle where can i find info about setting up several tunnels in a gateway group? it may come handy for future use.