Netgate Discussion Forum

    OpenVPN client showing 100% packetloss following 2.5.0 upgrade

    69 Posts 13 Posters 15.3k Views
    • V
      vjizzle

      Hi!
      Does anyone have Torguard OpenVPN UDP / TCP working with 2.5? I have set up the OpenVPN tunnel with Torguard and it connects fine. But it stays on Gateway Monitor down. I have tried setting up a specific IP for gateway monitoring (tried with 8.8.8.8 and 1.1.1.1) but it is still not registering the interface up. I have tried several reboots already. Now I'm thinking I have to downgrade my pfSense (clean install, of course) to version 2.4 to get this working.

      I already have a ticket open with Torguard support and awaiting their answer. In my research I stumbled on this topic. Thank you guys for helping!

      • N
        NeVaR @vjizzle

        @vjizzle here are the settings that got my Torguard working again:

        1. System > Routing > Gateways > Edit (your Torguard), checked the following options: disable gateway monitoring and disable gateway monitoring action. Gateway: dynamic.
        2. VPN > OpenVPN > Clients > Edit (your Torguard), I couldn't get UDP working before, so I stuck with TCP for Protocol. TLS keydir direction: use default direction. Unchecked "Enable Data Encryption Negotiation". Fallback Data Encryption Algorithm: AES-128-GCM. Checked "Don't pull routes" and "Don't add/remove routes".
        • V
          vjizzle @NeVaR

          @nevar
          Thank you for sharing your configuration :). Disabling gateway monitoring is not an option for me. The idea is to use several tunnels in a gateway group and have a sort of "fallback" when one VPN server goes down. So I think I will do the downgrade and wait for Torguard to officially support pfSense 2.5.

          Thanks again!

          • H
            hypnosis4u2nv @vjizzle

            @vjizzle I tried playing with this a little while again and I couldn't get it to stay up. It would show connected and then go down.

            I have working and will stick with that for a while until Netgate fixes these issues.

            • V
              vjizzle

              Just a small status update :)

              I downgraded my pfSense to version 2.4.5 p1 tonight. Did a clean install, restored the backup I made before the upgrade to version 2.5. I had to change the update manager in pfSense to 2.4.5 (deprecated) to let it install all the packages. From there on everything went well. I love the simplicity and efficiency of the backup and restore procedure in pfSense!

              Then I configured the Torguard VPN client. Initially the Gateway Monitor was down again but that was not a problem. I know from experience that ExpressVPN shows the same behaviour in pfSense. I then added 1.1.1.1 as the monitoring IP in the gateway settings of the Torguard VPN tunnel and I am up and running! Policy based routing is working as expected; some traffic I send through another VPN tunnel.

              I don't know what is happening here but clearly something in the OpenVPN client settings is done differently in version 2.5 and is breaking a lot of VPN configurations out there. When you update your pfSense and are using OpenVPN tunnels, beware that the OpenVPN client in pfSense 2.5 is not 100% backwards compatible with the OpenVPN client in pfSense 2.4.5 ;).

              • V
                vjizzle

                And another update. I just spoke to the guys at Torguard and they keep telling me that everything should be working on pfsense 2.5.

                So I decided to do a backup of the 2.4.5 setup, do a clean install of 2.5 and restore my backup. Guess what... everything is working! Torguard is working as expected, routing as expected, and the monitor gateway is doing its thing with 1.1.1.1 or 8.8.8.8.

                Lessons learned: I strongly advise you not to do an in-place upgrade from 2.4.5 to 2.5 if you have OpenVPN tunnels running. Just take the time, back up your 2.4.5 config and do a clean install of 2.5. Then restore your configuration and that should have your firewall up and running again!

                • H
                  hypnosis4u2nv @vjizzle

                  @vjizzle They told me the same thing but I couldn't get the connection to stay up. Gonna try again another day. Wireguard on Torguard works without issue.

                  • V
                    vjizzle @hypnosis4u2nv

                    @hypnosis4u2nv
                    Wireguard works ok? I would love to set that up but I am missing some information. Like on pfSense when I enable wg0 what do I need to enter in the Address field? And then when I generate the Wireguard config on Torguard do I need to enter that information in wg0 peers? Maybe you can share some settings/screenshots? Would be greatly appreciated.

                    • G
                      Griffo @vjizzle

                      @vjizzle There's a "general guide" recipe on Netgate's site:

                      http://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html

                      In short, your VPN provider will give you the IP address to stick in the config.

                      • H
                        hypnosis4u2nv @vjizzle

                        @vjizzle Use the configurator on Torguard, choose Wireguard from the drop down box. Choose a server location. Have pfsense generate the private and public keys. Enter them in the Torguard configurator and it will spit out a configuration. Use the server IP generated and enter that in the address field in pfsense. Click "Add Peer", fill in the keys generated by the configurator and all the other settings it spit out. Save. Add NAT rule for Wireguard. Add interface wg0 and create a firewall rule to allow any for all. Go to LAN and create your PBR to use Wireguard.

                        • N
                          NeVaR @vjizzle

                          @vjizzle Where can I find info about setting up several tunnels in a gateway group? It may come in handy for future use.

                          • V
                            vjizzle @NeVaR

                            @nevar
                            I would suggest this awesome blog: https://nguvu.org/pfsense/pfsense-multi-vpn-wan/

                            It is initially for AirVPN but it should give you the general idea of how it works.

                            • V
                              vjizzle @hypnosis4u2nv

                              @hypnosis4u2nv
                              Thank you for sharing this information! I set it up this morning and Wireguard seems to work fine! Lower latency as well :)

                              • V
                                vjizzle @vjizzle

                                @vjizzle said in OpenVPN client showing 100% packetloss following 2.5.0 upgrade:

                                And another update. I just spoke to the guys at Torguard and they keep telling me that everything should be working on pfsense 2.5.

                                So I decided to do a backup of the 2.4.5 setup, do a clean install of 2.5 and restore my backup. Guess what... everything is working! Torguard is working as expected, routing as expected, and the monitor gateway is doing its thing with 1.1.1.1 or 8.8.8.8.

                                Lessons learned: I strongly advise you not to do an in-place upgrade from 2.4.5 to 2.5 if you have OpenVPN tunnels running. Just take the time, back up your 2.4.5 config and do a clean install of 2.5. Then restore your configuration and that should have your firewall up and running again!

                                Just to report back: with the clean install approach and restoring your 2.4.5 backup, everything on OpenVPN seems to work. VPN tunnels have been up and running for about 12 hours now with no downtime. It is stable :)

                                • R
                                  RumMonkey69 @vjizzle

                                  @vjizzle Be interesting to know what the pfSense team did between upgrading and clean install that borked this.

                                  I needed a clean install anyway ;)

                                  • H
                                    hypnosis4u2nv @vjizzle

                                    @vjizzle I'm on a clean install, restore didn't help. The VPN stayed down, even on reboot. Got rid of all my OpenVPN configs and set up Wireguard, no issues. I'm frustrated because I'm trying to find the cause but everything points to a service being the issue, not me lol.

                                    • V
                                      vjizzle @hypnosis4u2nv

                                      @hypnosis4u2nv

                                      Wow, I don't know what to say. Are you also using Torguard OpenVPN? Make sure you have the monitoring IP set to 1.1.1.1 or 8.8.8.8. Mine works with those but also with 9.9.9.9. I just checked and it also comes up after a reboot of pfSense. Everything works here :|

                                      • H
                                        hypnosis4u2nv @vjizzle

                                        @vjizzle Yeah, I tried setting it up yesterday and the certifications were crashing and I couldn't get rid of the offending CA - https://redmine.pfsense.org/issues/11489 so I just restored from the previous config.

                                        I gave up, it shouldn't be this difficult to get working, I had it working first time on 2.4.5...

                                        • H
                                          hypnosis4u2nv @vjizzle

                                          @vjizzle Just wanted to give an update. I got it working and I finally figured out what it was.
                                          I'm using Torguard, and with the newest version of OpenVPN there were some settings that were added and/or removed since their last guide to setting up a client. The issues I was experiencing all fell on one setting that their guide says to leave unchecked - "Don't pull routes".
                                          I never had this setting enabled on version 2.4.5. Plus some new settings that didn't get applied properly, so obviously it explains why everything went down after the upgrade.
                                          With "Don't pull routes" disabled, EVERYTHING was being routed via the VPN client, no matter what PBR I had in place. So if the client was configured wrong and not up, my entire network would go down as well. Once enabled, PBR would only route via the VPN client and everything else through the WAN.
                                          What a fucking shit show the last week has been trying to figure this shit out.

                                          • N
                                            NeVaR @hypnosis4u2nv

                                            @hypnosis4u2nv My part was mainly the fallback, which defaulted to AES-256-GCM instead of AES-128-GCM, and the gateway monitor. Once I set fallback to AES-128-GCM and gateway monitor either disable or enable. If you want to monitor it, as @vjizzle pointed out, use a public domain. I recently enabled monitoring and monitor my two VPN connections. I also checked "Don't pull routes" and "Don't add/remove routes" to avoid conflicts between the two Torguard VPN connections that I'm using. Otherwise, I will have a situation where user A has the same public IP address as user B but both users are assigned to different VPN connections.

                                            H 1 Reply Last reply Reply Quote 0
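
The two posts above attribute the outage to pushed routes overriding policy-based routing and to a mismatched fallback cipher. As an added example (not code from the thread, Torguard or pfSense), this checker audits an OpenVPN client config for both conditions; the checkbox-to-directive mapping, the finding codes and the sample configs are assumptions constructed for illustration.

```python
# Assumed mapping: "Don't pull routes" -> route-nopull, "Don't add/remove routes"
# -> route-noexec, "Fallback Data Encryption Algorithm" -> data-ciphers-fallback.
EXPECTED_FALLBACK = "AES-128-GCM"  # value the thread reports as working

def parse_directives(text):
    """Map each directive name to the list of argument lists it appears with."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith(";"):      # skip blanks and ';' comments
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def audit(text, expected_fallback=EXPECTED_FALLBACK):
    """Return a sorted list of finding codes for one client config."""
    d = parse_directives(text)
    findings = set()
    pulls = "client" in d or "pull" in d          # "client" implies "pull"
    blocked = "route-nopull" in d or "route-noexec" in d
    if pulls and not blocked:
        # Server-pushed routes get installed and can bypass policy routing.
        findings.add("PUSHED_ROUTES_ACCEPTED")
    if "redirect-gateway" in d and "route-noexec" not in d:
        # A local redirect-gateway still applies even with route-nopull.
        findings.add("LOCAL_REDIRECT_GATEWAY")
    fallback = [a[0] for a in d.get("data-ciphers-fallback", []) if a]
    if not fallback:
        findings.add("NO_FALLBACK_CIPHER")
    elif fallback[-1].upper() != expected_fallback:
        findings.add("FALLBACK_CIPHER_MISMATCH")
    return sorted(findings)

# Constructed sample configs; the hostname is a placeholder.
BEFORE = """\
client
remote vpn.example.net 443
data-ciphers-fallback AES-256-GCM
"""
AFTER = """\
client
remote vpn.example.net 443
route-nopull      # "Don't pull routes"
route-noexec      # "Don't add/remove routes"
data-ciphers-fallback AES-128-GCM
"""
if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "no findings")
```
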
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.