OpenVPN stopped working after upgrade to version 21.05 (SG-3100)
-
After updating my SG-3100 to version 21.05, OpenVPN stopped working. I've tried to restart the service, disable/enable the firewall rule, change the client password, and remove and reinstall the OpenVPN client, but the problem persists. Any ideas?
-
What does "stopped working" mean here?
Is it an OpenVPN client? A server? What mode?
Any errors in the OpenVPN log?
-
@jimp said in OpenVPN stopped working after upgrade to version 21.05 (SG-3100):
What does "stopped working" mean here?
Is it an OpenVPN client? A server? What mode?
Any errors in the OpenVPN log?
After the upgrade my OpenVPN stopped working, the clients can't connect anymore.
Client side error: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
During the attempt to connect I captured some packages in PFSense:
Looks like the requests are ok, but the rules are not, but the rules are ok, they weren't changed. I've tried stopping all the rules and starting them again, and the OpenVPN service too, but nothing solved it.
-
That's still not enough information.
Do you see entries in the states table for these connections to port 1194? (Check Diagnostics > States, filter on :1194)
What is in the OpenVPN log when a client attempts to connect?
-
Jun 24 11:23:44 openvpn 49741 event_wait : Interrupted system call (code=4)
Jun 24 11:23:44 openvpn 49741 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 192.168.168.1 255.255.255.0 init
Jun 24 11:23:45 openvpn 49741 SIGTERM[hard,] received, process exiting
Jun 24 11:23:56 openvpn 18629 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Jun 24 11:23:56 openvpn 18629 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jun 24 11:23:56 openvpn 18629 OpenVPN 2.5.2 armv7-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2021
Jun 24 11:23:56 openvpn 18629 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Jun 24 11:23:56 openvpn 18654 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 24 11:23:56 openvpn 18654 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Jun 24 11:23:56 openvpn 18654 TUN/TAP device ovpns1 exists previously, keep at program end
Jun 24 11:23:56 openvpn 18654 TUN/TAP device /dev/tun1 opened
Jun 24 11:23:56 openvpn 18654 /sbin/ifconfig ovpns1 192.168.168.1 192.168.168.2 mtu 1500 netmask 255.255.255.0 up
Jun 24 11:23:56 openvpn 18654 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 192.168.168.1 255.255.255.0 init
Jun 24 11:23:56 openvpn 18654 UDPv4 link local (bound): [AF_INET]189.112.XXX.XXX:1194
Jun 24 11:23:56 openvpn 18654 UDPv4 link remote: [AF_UNSPEC]
Jun 24 11:23:56 openvpn 18654 Initialization Sequence Completed
Jun 24 11:24:15 openvpn 18654 event_wait : Interrupted system call (code=4)
Jun 24 11:24:15 openvpn 18654 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 192.168.168.1 255.255.255.0 init
Jun 24 11:24:15 openvpn 18654 SIGTERM[hard,] received, process exiting
Jun 24 11:24:27 openvpn 26680 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Jun 24 11:24:27 openvpn 26680 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jun 24 11:24:27 openvpn 26680 OpenVPN 2.5.2 armv7-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2021
Jun 24 11:24:27 openvpn 26680 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Jun 24 11:24:27 openvpn 26968 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 24 11:24:27 openvpn 26968 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Jun 24 11:24:27 openvpn 26968 TUN/TAP device ovpns1 exists previously, keep at program end
Jun 24 11:24:27 openvpn 26968 TUN/TAP device /dev/tun1 opened
Jun 24 11:24:27 openvpn 26968 /sbin/ifconfig ovpns1 192.168.168.1 192.168.168.2 mtu 1500 netmask 255.255.255.0 up
Jun 24 11:24:27 openvpn 26968 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 192.168.168.1 255.255.255.0 init
Jun 24 11:24:27 openvpn 26968 UDPv4 link local (bound): [AF_INET]189.112.XXX.XXX:1194
Jun 24 11:24:27 openvpn 26968 UDPv4 link remote: [AF_UNSPEC]
Jun 24 11:24:27 openvpn 26968 Initialization Sequence Completed
-
I don't see any connection attempts from clients in the OpenVPN log just the startup entries.
Are you certain the 189.112.x.x:1194 IP address in the log matches the one in the state table? You masked it out so I can't tell.
-
I'm having a similar problem. My client, PIA VPN, is no longer active. I've bounced modem, pfsense, and mesh network. I've switched from TCP to UDP; neither makes a difference. It was working fine prior to the upgrade. Any guidance is appreciated.
Jun 24 15:38:22 openvpn 9927 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 24 15:38:24 openvpn 9927 TCP/UDP: Preserving recently used remote address: [AF_INET]154.xx.xx.xx:1198
Jun 24 15:38:24 openvpn 9927 Attempting to establish TCP connection with [AF_INET]154.xx.xx.xx:1198 [nonblock]
Jun 24 15:38:24 openvpn 9927 TCP: connect to [AF_INET]154.xx.xx.xx:1198 failed: Connection refused
Jun 24 15:38:24 openvpn 9927 SIGUSR1[connection failed(soft),init_instance] received, process restarting
-
Check if OpenVPN is running: On the PFSense dashboard, add the "Services Status" widget. OpenVPN Mobile will be on that list. Red X means not running. Click the "Play" button (arrow) next to it to try starting it. If it doesn't start, you need to find out why.
-
Problem solved. In VPN\OpenVPN\Servers\ I edited the configuration, and in the "Device" option I selected all IP addresses to receive the VPN connections.
-
@rafael-3 Thank you Rafael. I will give that a try.
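-
The triage asked for earlier in the thread (does the log show anything beyond startup entries, and does the bound address match the one clients dial) can be scripted. This is an added example, not code from any poster or from pfSense; the sample log is constructed with documentation-range addresses, and `triage`, `same_listener` and the `[undef]` wildcard handling are assumptions of this sketch.

```python
import re

# Constructed sample in the pfSense log layout seen in this thread; the
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Jun 24 11:23:56 openvpn 18629 OpenVPN 2.5.2 armv7-portbld-freebsd12.2
Jun 24 11:23:56 openvpn 18654 UDPv4 link local (bound): [AF_INET]198.51.100.10:1194
Jun 24 11:23:56 openvpn 18654 Initialization Sequence Completed
Jun 24 11:24:15 openvpn 18654 SIGTERM[hard,] received, process exiting
Jun 24 11:24:27 openvpn 26968 UDPv4 link local (bound): [AF_INET]198.51.100.10:1194
Jun 24 11:24:27 openvpn 26968 Initialization Sequence Completed
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ openvpn (\d+) (.*)$")
BOUND = re.compile(r"link local \(bound\): \[AF_INET6?\](\S+)$")
HANDSHAKE = re.compile(r"TLS: Initial packet from \[AF_INET6?\]")

def same_listener(bound, target):
    # Assumption: a wildcard bind is logged with '[undef]' as the host part.
    b_host, _, b_port = bound.rpartition(":")
    t_host, _, t_port = target.rpartition(":")
    return b_port == t_port and b_host in (t_host, "[undef]")

def triage(log_text, client_target):
    """Per daemon PID: (bound address, handshake count, verdict)."""
    seen = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.groups()
        inst = seen.setdefault(pid, {"bound": None, "hs": 0})
        b = BOUND.search(msg)
        if b:
            inst["bound"] = b.group(1)
        elif HANDSHAKE.search(msg):
            inst["hs"] += 1
    report = {}
    for pid, inst in seen.items():
        if inst["bound"] is None:  # pre-fork PID that only logged startup lines
            continue
        if inst["hs"]:
            verdict = "handshakes reach the daemon; look at TLS/auth next"
        elif not same_listener(inst["bound"], client_target):
            verdict = "listening on a different address than clients dial"
        else:
            verdict = "right address, no packets: check states and WAN rules"
        report[pid] = (inst["bound"], inst["hs"], verdict)
    return report
```

Call `triage(log_text, "ip:port")` with the address and port from the client's `remote` line; a verdict of "different address" points at the server's listening interface, which is what the accepted fix in this thread changed.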