PFSense Release 2.5 + OpenVPN 2.5 broken? Any fixes?

N8LBV

@n8lbv ```
ar 2 04:08:39 openvpn 33449 Peer Connection Initiated with [AF_INET]S.S.S.S:1195
Mar 2 04:08:40 openvpn 33449 Initialization Sequence Completed
Mar 17 08:40:05 openvpn 33449 write UDPv4: No route to host (code=65)
Mar 17 08:40:15 openvpn 33449 write UDPv4: No route to host (code=65)
Mar 17 08:40:25 openvpn 33449 write UDPv4: No route to host (code=65)
Mar 17 08:40:35 openvpn 33449 write UDPv4: No route to host (code=65)
Mar 17 08:40:46 openvpn 33449 write UDPv4: No route to host (code=65)
Mar 17 08:40:49 openvpn 33449 Inactivity timeout (--ping-restart), restarting
Mar 17 08:40:49 openvpn 33449 SIGUSR1[soft,ping-restart] received, process restarting
Mar 17 08:40:54 openvpn 33449 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 17 08:40:54 openvpn 33449 Re-using pre-shared static key
Mar 17 08:40:54 openvpn 33449 Preserving previous TUN/TAP instance: ovpnc1
Mar 17 08:40:54 openvpn 33449 TCP/UDP: Preserving recently used remote address: [AF_INET]P.P.P.P:1195
Mar 17 08:40:54 openvpn 33449 TCP/UDP: Socket bind failed on local address [AF_INET]C.C.C.C:0: Can't assign requested address (errno=49)
Mar 17 08:40:54 openvpn 33449 Exiting due to fatal error
Mar 17 08:40:54 openvpn 33449 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1572 44.11.11.2 44.11.11.1 init

Gertjan

@n8lbv
Log from the client side, right ?
"Socket not found" and "Socket bind failed on local address" : The interface used is down or no IP ?

stephenw10

@n8lbv said in PFSense Release 2.5 + OpenVPN 2.5 broken? Any fixes?:

Clicked the start button (in the client ipsec status page) and it came back up and is working.

Did you mean IPSec here?

N8LBV

@stephenw10 No sorry only testing openvpn at this point.
Must have been really tired when I posted that.
Also it's been up & working 18 days since that post.
We're both on battery backup.
It just that when it gets shutdown or rebooted that thing go wonky again
and I have to mess with it to get it to work.

N8LBV

This continues to be an issue.
Had to restart the OPenVPN physical server and lose the vpn client connection.
For this reason I have been unable to use any openVPN site to site persistant tunnels.

I'm guessing anyone doing this has to use IPSEC for this purpose.
The tunnel stayed up since my last post here back in March.
But the moment that either end of the tunnel gets rebooted or loses power the tunnel is gone and never comes back on its own ever.
Took me a half-hour of messing with it restarting services, re-saving the WAN connection settings to get it to work again.

Same as before.

I will need to look around and research if anyone else has reported or fixed this or related issues since March of 2022.

-Steve

stephenw10

I have several OpenVPN site to site tunnels and have done in all pfSense versions without any significant issues.
Currently I'm running 22.05 there and will shortly be moving to 23.01 snapshots for testing.

PSK will be going away in OpenVPN at some point so if you're using that for S2S tunnels it's worth switching to ssl/tls now. Though that shouldn't be causing any problems currently.

Steve

N8LBV

@stephenw10 Thanks for the reply..
When you say "all versions" not exactly sure what that means or if it matters too much but
the more data points the better for sure.

The problem might have something to do with the fact I am running multiple static IP (two in use at the moment) on the
router public Internet facing versus using only one IP address.
And I guess I may be in a minority here being the combination of this and running an openvpn
server.

This is also my first attempt to ever use OpenVPN for site to site..
IPSEC works find always has and I think most people are using IPSEC for S2S even with PFSense.

This time around I wanted to be "different" and see if I could use OPENVPN instead for what I have
always done in the past with IPSEC on PFSense.

I've not tried using this type of configuration in production with any clients yet.
For now it's just a single test connection going to a friend's house.

I will need to do some work if I want to troubleshoot it further and work on a fix.
narrow it down to if a single IP address fixes it and such.

And simplify the arrangement as much as possible.
Right now I'm running two VPN serves on two different ports.
I don't think that's part of the problem but I'll need to re-test that.
I seem to remember trying that to rule it out but didn't document it unless I documented it here
on this thread which I'll have to have a full lookback before I go back to work on it.

The connection had been up for months and I had to reboot the router at the friends house
and had to visit this all over again as it takes some significant fussing about it restarting services
and re-saving the settings on the WAN page to get the connection to work again.

I need to better track that process and determine what exactly does get the connection to work again when it finally does...
As of now it's just random restarting things and re-saving the WAN page on BOTH ends until it works.

Which is no position to actually start troubleshooting this from.
I really need to read my previous nodes (above) to remind myself of what I had determined already on this. :)

Thanks for the heads-up on PSK going away. (I've not been keeping up lately).
I will start to get familiar with that now that you mentioned it.

I am super happy that AES-NI did not end up being a requirement as it was going to be.
SO many of my implementations do not need it and so many of my customers are on
Little J1900 no moving parts firewalls that do a great job for their needs.

stephenw10

Yeah, I'd have to re-read it all too.

But I would expect that to work without issues. I have run s2s OpenVPN tunnels in each version as we've released them and I've not seen an issue with tunnels failing that couldn't be fixed with a config change.
So I guess I'd say let's try to see exactly what's happening now and what's logged when it happens.

Steve

N8LBV

Probably not the most elegant solution but I just switched the family and friends VPN server to 2.7
This appears to have fixed it.
I actually just moved the edge router (PFSense) from ESXI6 over to a Hyper-V server.
I ran into all sorts of issues with speed to-from PFSense in Hyper-V and Hyper-V
and other VMs on the server.
Was getting 2mbps upload and around 3mbps download between servers.
and to the gigabit lan and a 2.5gb lan.
Read the huge PFS/FreeBSD/RSC Reddit thread for an hour or so.

Turning off RSC globally fixed the issue to the wired networks, but still had slow
transfers from PFsense to the other VMs.
Threw in the towel and switched to 2.7 and everything appears to be great.

This also appears to have fixed the ongoing issue I've had with OPENVPN tunnel server connections not being able to re-establish themselves (after a reboot/restart) without requiring manually going in and re-saving the WAN settings page as well as restarting the two OpenVPN servers I have on my PFsense system.

stephenw10

Yeah, that Hyper-V RSC issue in 2.6 was painful. But as you said is fixed in 2.7, RSC support in the hn driver is disabled by default.
Good news on the OpenVPN server there too. Would have been nice to know exactly what the cause was. There have been a number of fixes gone in for boot issues though. Many of them are only ever hit on some systems because of timing issues. I could imagine this being one of them.

Steve

N8LBV

@stephenw10 switching over to 2.7 in January was a great fix for me.
Those systems are working flawlessly and have stayed up for months now and have not had to
be messed with.

I tried to setup another one about a week ago and I am no longer able to create a working 2.7 system.
If I upgrade from a clean 2.6.0 install to 2.7 it makes a system that hardlocks as soon as it tries to boot.
If I try a memstick install (from february the ONLY snapshot I can find anywhere) the installer will not boot and gives only a solid cursor.
I tried a lot of things I did not yet document.
At the moment I'm stuck!

I also started a new thread here:
link text

stephenw10

Mmm, yeah let me see about getting the 2.7 snapshots back. That Feb 15th snap ws the lasts one with php8.1 which is why it's there.
Upgrading fails but only in Hyper-V I assume?

N8LBV

@stephenw10 Hi,
Upgrading fails in all cases I have tried if upgrading from 2.6.0
Hyper-V and 4 different PC hardware routers I have tried it on.
I have two separate threads I started on that yesterday.
in the dev section for 2.7.0 CE
It used to work awhile back but at some point along the way it no longer works.
You can't upgrade from 2.6.0 to 2.7.0 dev latest
Well- you can but it results in an unbootable kernel or driver immediate failure when it goes
to reboot.
But works fine if you install the 2.7.0 CE memstick and then update from that.
That is my work-around and I'm very happy that at least works.
2.7 openvpns setups stay up like they're supposed to :)