22.05 - DCO and OpenVPN problems?

o3x3omasmc

Hello,

I just updated to 22.05 and it seems to have broken my VPN to AirVPN as a client as well as my OpenVPN servers i connect to when travelling.
Looking at the logs it appears to have to do with DCO.

When i have DCO disabled, pfsense adds the "disable-dco" command, giving this error in the log:

Jun 8 10:51:49 php-fpm 4315 /vpn_openvpn_client.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/client1/config.ovpn'' returned exit code '1', the output was 'Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:2: disable-dco (2.5.4) Use --help for more information.'

If i enable DCO it appears to connect/create the connection, but gets an ifconfig error. From the openvpn server log:

Jun 8 13:16:48 openvpn 31427 /sbin/ifconfig ovpns6 192.168.99.1 192.168.99.2 mtu 1500 netmask 255.255.255.0 up
Jun 8 13:16:48 openvpn 31427 FreeBSD ifconfig failed: external program exited with error status: 1

The openvpn client log is similar, with different IPs, Naturally.

Any tips?

Everything worked fine before i upgraded, so I'm thinking it's on my end and not AirVPN.

Thank you for any help!

jimp

Your update must have failed in some way or did not fully complete. It isn't running the correct version of OpenVPN for 22.05-RC. It says it's OpenVPN 2.5.4 when it should be OpenVPN 2.6.0

o3x3omasmc

@jimp thank you. How's that possible? Is there a reinstall option?

jimp

It's not clear how that might have happened without seeing the upgrade log and console output. It could have been interrupted partway through, for example.

If you go to the console and try running pfSense-upgrade -d it may pick up and complete the remaining items. You may also be able to run pkg update -f; pkg upgrade -y which would update the remaining items that are out of date.

If you are running pfSense Plus software on Netgate hardware you can request installation media from TAC. If it's an installation you upgraded from CE to Plus you'd need to reinstall CE, upgrade to Plus 22.01, then upgrade to Plus 22.05 from there. Once 22.05 is officially released (and not an RC) then it will be possible to move from CE to Plus 22.05 directly.

o3x3omasmc

@jimp Thank you. It is a Netgate SG4860 and i dont know if it was upgraded from CE. It is actually saying on the dash that there is a new version available and points to the same version i have. Strange. It also did that when i had 22.01 which is why i updated to 22.05. However clicking on system update says it up to date.

The commands you list; i run them through SSH or is there a browser based command window in the gui? (Apologies for the somewhat basic question, i have ssh disabled for security purposes)

jimp

Ideally, run them from the serial console if you have access. SSH is OK if you don't have console access.

o3x3omasmc

@jimp yes, i have console, i just dont remember all the settings. I used it once 3 years ago :)

o3x3omasmc

@jimp said in 22.05 - DCO and OpenVPN problems?:

It's not clear how that might have happened without seeing the upgrade log and console output. It could have been interrupted partway through, for example.

If you go to the console and try running pfSense-upgrade -d it may pick up and complete the remaining items. You may also be able to run pkg update -f; pkg upgrade -y which would update the remaining items that are out of date.

If you are running pfSense Plus software on Netgate hardware you can request installation media from TAC. If it's an installation you upgraded from CE to Plus you'd need to reinstall CE, upgrade to Plus 22.01, then upgrade to Plus 22.05 from there. Once 22.05 is officially released (and not an RC) then it will be possible to move from CE to Plus 22.05 directly.

@jimp You absolute gem. The "pfSense-upgrade -d" via console did the trick and everything booted up just right. About 13 packages was updated. I have no idea why they were left in limbo during the last update via the GUI.