PFSense Release 2.5 + OpenVPN 2.5 broken? Any fixes?
-
Mmm, gonna need more data to troubleshoot that further. There must be something specific in your config though.
-
@stephenw10 Realize this :)
I will get at it soon. There seem to be a number of posts about it, I've gone through them in the past and will need to do it again.
-
Not sure if this is a clue. System still acts braindead, nothing is logged when attempting a client connection. Upon startup I see the following as the only clue something might be wrong.
I have tried completely wiping ALL VPN configs and certificates from scratch
and created a new OPENSEC VPN server and client.
Jan 28 14:17:51 openvpn 39698 Initialization Sequence Completed
Jan 28 14:17:51 openvpn 39698 UDPv4 link remote: [AF_UNSPEC]
Jan 28 14:17:51 openvpn 39698 UDPv4 link local (bound): [AF_INET]x.x.x.x:1194
Jan 28 14:17:51 openvpn 39698 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 44.44.73.1 255.255.255.0 init
Jan 28 14:17:51 openvpn 39698 /sbin/ifconfig ovpns1 44.44.73.1 44.44.73.2 mtu 1500 netmask 255.255.255.0 up
Jan 28 14:17:51 openvpn 39698 ioctl(TUNSIFMODE): Device busy (errno=16)
Jan 28 14:17:51 openvpn 39698 TUN/TAP device /dev/tun1 opened
Jan 28 14:17:51 openvpn 39698 TUN/TAP device ovpns1 exists previously, keep at program end
-
@stephenw10 Yes I see a state for 1194 when attempting a connection:
WAN udp c.c.c.c:1194 -> s.s.s.s:1194 NO_TRAFFIC:SINGLE 3 / 0 246 B / 0 B
c = remote client IP
s = test server IP
With logging enabled for the port 1194 rule I see in the log the packets are being accepted (green checkmark).
Nothing is being blocked.
Nothing is being logged in IPSEC other than on startup or IPSEC services restart.
The "braindead" appearance I mention a few times here.
Also this server has more than one public IP available on the WAN interface.
I don't know if this is related to my problem or if it's a factor.
I seem to remember reading something about this being an issue with 2.5.0
but am having difficulty finding it.
-
@n8lbv Also if this provides anything useful:
Not sure about the warnings, but same way of setting up a clean install single public IP box works fine.
This box as most I have in the field are multiple public IP on WAN (most only two).
and have been upgraded from pfSense 2.4.5 to 2.5.2.
Every upgraded box I have upgraded has no working VPNs, IPSEC or OPENVPN, since upgrading.
Trying hard to provide more logs but almost anything I post is "flagged as spam".
I have spent literally hours trying to figure out how to post and include logs.
Incredibly frustrating!
Jan 28 14:17:51 openvpn 39698 TUN/TAP device /dev/tun1 opened
Jan 28 14:17:51 openvpn 39698 TUN/TAP device ovpns1 exists previously, keep at program end
Jan 28 14:17:51 openvpn 39698 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Jan 28 14:17:51 openvpn 39698 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 28 14:17:51 openvpn 39698 GDG: problem writing to routing socket
Jan 28 14:17:51 openvpn 39698 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Jan 28 14:17:51 openvpn 35907 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Jan 28 14:17:51 openvpn 35907 OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
Jan 28 14:12:36 openvpn 98001 Initialization Sequence Completed
Jan 28 14:12:36 openvpn 98001 UDPv4 link remote: [AF_UNSPEC]
-
@n8lbv Tried a couple of things and there is some more data.
-
@n8lbv This error-
Jan 28 14:17:51 openvpn 39698 ioctl(TUNSIFMODE): Device busy (errno=16)
does not appear to be an issue from reading.
Also I can't find any indication that multiple IP addresses on the WAN should be any issue.
When setting up the OVPN server the WAN dropdown list includes both what I am using as a primary WAN IP and my secondary use WAN IP.
It is clear that you can select either for the OVPN server and that I am selecting the one that I want.
This apparently should not be any kind of an issue.
-
Nope, that's normal (reversed) logs when the server starts.
Do you see states in the firewall when clients try to connect?
-
@stephenw10 Yes somewhere he posted today I showed that there are states. (replying from my phone browser) at the bar :)
-
@n8lbv When posted earlier :) but yes. states exist!
-
Pretty much clueless and right back to where I started ages ago when 2.5.0 was released.
No clue what to try next and no luck, success or further information with all of the normal checks and suggestions.
This is why most of my customer sites are still stuck on 2.4.5.
VPN guaranteed to break after upgrading.
And doing a fresh install and trying to get all of the individual site config/settings manually reconfigured will not be an easy option for me at all.
And pulling over the config backup from a 2.4.5 system after clean installing 2.5.2 has not worked either.
Same issue, VPN functionality ends up like what I have here. braindead.
-
@n8lbv Hi, when you do one of these updates, are you verifying that the Default Gateway is correct in your SYSTEM-ROUTING settings? Can you access the internet OK and ping say 8.8.8.8 from the PFSENSE ping utility?
I was seeing issues with my update to 2.5.2 as well, and my OPEN VPN's were not working.
Turns out that my gateway was messed up in my Routing settings.
However, I could NOT get PFS to update properly with multiple installs from the GUI!
When I did a backup of the 2.4 config then a FRESH install of 2.5.2, with the 2.4 config on the usb drive, it grabbed it and applied all the settings at the end of the install.
Then after it is up, it had to update my packages. (You will get a message at the top of PFS that packages will be updated and to check back later or such.) Well, if I remember correctly, I believe that at least once even with the fresh install the package updates crashed PFS. I could not access the GUI even though the firewall was still functioning.
PFS suggests that you DO NOT UPDATE packages before trying a system update and ALSO that you UNINSTALL ALL PACKAGES BEFORE you try to update if you are seeing problems!
Maybe a package is messing you up?
Now I'm not sure how it knows, but when I did this with a package, it still knew and kept all my settings!
Maybe try this. Maybe a package is wrecking your VPNs somehow. And check your Routing (and DNS settings) like mentioned above, make sure PFS is getting out to the internet and getting proper DNS function.
MP
-
@mrpushner Thanks for the reply.
No problems at all with default (and only) gateway settings.
And the system works perfectly fine other than that I have never yet been able to get an IPSEC or OpenVPN server to work on them after upgrading.
I have tried pretty much everything that I could think of (including following the directions and uninstalling all packages before upgrading, then reinstalling packages after upgrading).
The only package I have installed is the client export package. This was simple and not a lot of work.
At this troubleshooting stage I am only testing setting up an OpenVPN Server so as not to confuse or complicate matters.
Fact is IPSEC does not work as expected either. But I am trying to keep initial troubleshooting easy here.
A simple OPENVPN server (Remote Access SSL/TLS + User Auth) on the server.
And a Windows remote client.
Pretty much using the default settings that pfSense sets for you when setting this up.
It works on any clean install box with a single public IP (static or dynamic) that I have tested.
It is not working on any of my production systems that have both been upgraded from 2.4.5 to 2.5.2 and have two static public IP addresses configured.
When setting up the server I am clearly selecting the intended "main" public IP I intend to use.
The firewall rules and packet captures and firewall logging all seem to be working as expected.
VPN server seems braindead and nothing is logged when connection attempts are made.
Only logging you see from the OpenVPN server is when it is started up or manually restarted or when the system is rebooted and the service starts up.
-
@n8lbv Hmm... then something (like a PFS rule maybe) has to be blocking the attempts to connect to the server. Have you checked the FW logs when trying to connect? Any blocks to that IP from your client source?
Just seems to me that with TWO static IPs set up, it's like the client request is never getting to the server. How does PFS handle multiple IP addresses? I can't answer that. Maybe it's a limitation with the VPN protocols? I'm not sure.
Can you ping either of the VPN server IP's from the client successfully?
Did you try disabling IPv6?
Have you set up a dual IP configuration and confirmed it does not work, then removed one IP, REBOOTED and tested again?
None of my systems use multiple IP's so I can't comment on that.
It just seems to me that if ALL your systems see the same things, it could be the SAME settings in each that are doing it.
When connection attempts are made to the OpenVPN server I get entries like this:
Jan 28 10:30:45 openvpn 77264 xxx.xx.xx.xx:39600 peer info: IV_VER=2.5.0
or "Authenticate/Decrypt packet error: missing authentication info"
entries.
If you get nothing, then my guess is there is confusion with your multiple static IPs setup.
Drop one IP and try again, if it works, re-add it and see what happens.
Also make sure you have server set as IP4 only.
Not sure what else to suggest. Maybe try to WAN PFS gurus on the forum.
Have you reviewed this:
https://docs.netgate.com/pfsense/en/latest/multiwan/openvpn.html
MP
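Added example, not part of the thread and not Netgate's or pfSense's code: a small Python script that cross-checks the two kinds of evidence quoted in this thread. It parses state-table rows like the "NO_TRAFFIC:SINGLE 3 / 0" entry n8lbv posted, pulls the address the server reports binding to from the "UDPv4 link local (bound)" startup line, and looks for the client-side log messages mrpushner describes ("peer info:", "Authenticate/Decrypt packet error"). A one-way state plus a bind address that differs from the address clients are hitting is exactly the multi-WAN-IP symptom discussed above. The regexes are modelled on the output quoted in the thread, the extra handshake messages in CLIENT_MARKERS are common OpenVPN 2.5 log lines (an assumption, not from the thread), and all addresses in the sample data are constructed documentation addresses.

```python
import re
from typing import Dict, List, Optional

# Row of the pfSense state table (Diagnostics > States), as quoted in the thread:
# "WAN udp c.c.c.c:1194 -> s.s.s.s:1194 NO_TRAFFIC:SINGLE 3 / 0 246 B / 0 B"
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pkt_in>\d+)\s*/\s*(?P<pkt_out>\d+)\s+"
    r"(?P<bytes_in>\d+)\s*\S*B\s*/\s*(?P<bytes_out>\d+)\s*\S*B$"
)
# pfSense OpenVPN log line: "<timestamp> openvpn <pid> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) openvpn (?P<pid>\d+) (?P<msg>.*)$"
)
# "UDPv4 link local (bound): [AF_INET]x.x.x.x:1194" tells you which WAN address the server bound.
BOUND_RE = re.compile(r"link local \(bound\): \[AF_INET6?\](?P<addr>\S+)$")
# Messages that only appear once a client's packets reach the OpenVPN process.
# The first two are quoted in the thread; the rest are common OpenVPN 2.5 handshake
# messages (assumption, not taken from the thread).
CLIENT_MARKERS = (
    "peer info:",
    "Authenticate/Decrypt packet error",
    "TLS: Initial packet from",
    "VERIFY OK:",
    "TLS Error:",
)


def parse_state(line: str) -> Optional[Dict[str, object]]:
    """Parse one state-table row; returns None for lines that are not state rows."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    row: Dict[str, object] = m.groupdict()
    for key in ("pkt_in", "pkt_out", "bytes_in", "bytes_out"):
        row[key] = int(str(row[key]))
    return row


def bound_address(log_lines: List[str]) -> Optional[str]:
    """Address:port the server reported binding to (first matching line wins)."""
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m:
            b = BOUND_RE.search(m.group("msg"))
            if b:
                return b.group("addr")
    return None


def client_events(log_lines: List[str]) -> List[str]:
    """Log messages showing that a client's packets actually reached the OpenVPN process."""
    events: List[str] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and any(marker in m.group("msg") for marker in CLIENT_MARKERS):
            events.append(m.group("msg"))
    return events


def triage(state_lines: List[str], log_lines: List[str], port: int = 1194) -> List[str]:
    """Return sorted finding codes; an empty list means states and logs look like a working server."""
    findings = set()
    bound = bound_address(log_lines)
    for line in state_lines:
        row = parse_state(line)
        if row is None or row["proto"] != "udp" or not str(row["dst"]).endswith(f":{port}"):
            continue
        if int(str(row["pkt_in"])) > 0 and int(str(row["pkt_out"])) == 0:
            findings.add("ONE_WAY_STATE")   # firewall passed client packets, nothing ever went back
        if bound and row["dst"] != bound:
            findings.add("BIND_MISMATCH")   # clients hit an address the server is not listening on
    if not client_events(log_lines):
        findings.add("NO_CLIENT_EVENTS")    # server never logged a handshake or auth attempt
    return sorted(findings)


# Constructed sample data (documentation addresses), modelled on the output quoted in the thread.
SILENT_STATES = ["WAN udp 198.51.100.7:39600 -> 203.0.113.5:1194 NO_TRAFFIC:SINGLE 3 / 0 246 B / 0 B"]
SILENT_LOG = [
    "Jan 28 14:17:51 openvpn 39698 Initialization Sequence Completed",
    "Jan 28 14:17:51 openvpn 39698 UDPv4 link remote: [AF_UNSPEC]",
    "Jan 28 14:17:51 openvpn 39698 UDPv4 link local (bound): [AF_INET]203.0.113.6:1194",
    "Jan 28 14:17:51 openvpn 39698 TUN/TAP device /dev/tun1 opened",
]
WORKING_STATES = ["WAN udp 198.51.100.7:39600 -> 203.0.113.5:1194 MULTIPLE:MULTIPLE 412 / 398 61 KiB / 59 KiB"]
WORKING_LOG = [
    "Jan 28 10:30:45 openvpn 77264 198.51.100.7:39600 peer info: IV_VER=2.5.0",
    "Jan 28 10:30:44 openvpn 77264 UDPv4 link local (bound): [AF_INET]203.0.113.5:1194",
]

if __name__ == "__main__":
    print("silent server :", triage(SILENT_STATES, SILENT_LOG))
    print("working server:", triage(WORKING_STATES, WORKING_LOG))
```

Paste the rows from Diagnostics > States and the OpenVPN log into the two lists and run it; a BIND_MISMATCH finding means the address clients are reaching is not the one the server instance bound to, which is the first thing to compare when a box has more than one WAN IP.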
-
@n8lbv If it's too much for you, I can offer remote technical support at a very low cost.
-
@mrpushner Not blocking the packets, and I am logging the rule and seeing the pass logs.
If you scroll up just a little bit I showed one example.
:) -
@silence It's not too much, I intend to figure it out, learn something and then share back to this thread what I learned and what fixed it as this may also help anyone else that runs into this.
-
@n8lbv OK so if it's not too much for you I can help you here. What I would recommend is to do a backup and then a fresh install of pfSense, the latest stable version, and try to upload your clean config please... this should work for you, simple and fast; in 15 minutes you have your VPN working without problem.
-
@silence I will try this.
I think I already did try this back when I was troubleshooting 2.5.0
But it's been so long now I am not sure so yes I need to retry that.
Thanks. :)