Netgate Discussion Forum

22.05 Upgrade breaks Remote Access OpenVPN

19 Posts 9 Posters 2.6k Views
  • E
    exrich
    last edited by Jun 28, 2022, 10:38 AM

    Hi,

    I recently upgraded a Netgate 2100 from pfSense plus 22.01 to 22.05 however since the upgrade the OpenVPN Remote access server doesn't work properly (it worked perfectly on 22.01). I can connect to the server and ping clients on the remote network but no services work. Can't access the pfsense web gui, can't access websites/gui on other remote clients. I could do all these things before the upgrade to 22.05.

    The Remote Access Server is pretty standard, TUN Mode and a SUBNET topology.

    Any ideas or has anyone else experienced issues with OpenVPN after the 22.05 upgrade?

    1 Reply Last reply Reply Quote 0
    • I
      isewanus
      last edited by isewanus Jun 28, 2022, 9:50 PM Jun 28, 2022, 9:50 PM

      I have the same problem with a Netgate 6100. I just upgraded the version and firmware, and found OpenVPN is not running at all even though I ran the services and rebooted the router several times. I need the solution asap...

      1 Reply Last reply Reply Quote 0
      • I
        isewanus
        last edited by Jun 28, 2022, 10:47 PM

        I found OpenVPN was not properly upgraded (it still showed 2.5.4 when I checked it from the console, referring to a different thread).
        After I ran the pfSense-upgrade -d command in the console and rebooted the device, it was upgraded to 2.6 and is now running fine. Thank you @jimp!
        I guess this 22.05 upgrade is somehow problematic....
        I hope this will help you to solve your problem.

        E 1 Reply Last reply Jun 29, 2022, 7:25 AM Reply Quote 0
        • E
          exrich @isewanus
          last edited by Jun 29, 2022, 7:25 AM

          @isewanus Unfortunately pfSense-upgrade -d didn't work. Same issue. I'm seeing blocked openvpn packets in the firewall so I'm guessing that the 22.05 upgrade might have altered the firewall rules in some way but I can't see anything that's obviously incorrect.

          I did do the 22.05 Upgrade remotely over the OpenVPN connection. Could this have caused problems?

          1 Reply Last reply Reply Quote 0
          • J
            jonna99
            last edited by Jun 29, 2022, 9:46 AM

            Hi! I have the same problem after upgrading to 22.05 my peer to peer connection is lost. Status is green and connected. Must be something with the firewall settings that have been altered when upgrading?
            Thanks
            Jonna

            1 Reply Last reply Reply Quote 0
            • J
              jonna99
              last edited by Jun 29, 2022, 4:02 PM

              Hi, I've added some info since my last post.
              I have the same problem after upgrading to 22.05. My peer to peer connection (TLS) is not working. I can't reach the server-side firewall or any other clients. Status is green and connected on both sides.
              The remote (openvpn) connection on the other hand works fine.
              I have the same firewall and NAT settings as before, nothing changed, and it's been working for the last few years.
              Could it be something with the firewall settings that have been altered when upgrading? Any ideas? Anybody else having the same issues?
              Thanks
              Jonna

              N 1 Reply Last reply Jun 29, 2022, 5:15 PM Reply Quote 0
              • N
                Neverstopdreaming @jonna99
                last edited by Jun 29, 2022, 5:15 PM

                @jonna99 similar issue here testing 2.7 DEV snapshot
                I have two OpenVPN site2site client connections.
                One (ovpnc1) uses sharedkey and the other (ovpnc2) uses SSL/TLS.

                After the upgrade, the SSL/TLS connects but it doesn't apply the route of the "IPv4 Remote network"

                [2.7.0-DEVELOPMENT][root@xxxx]/root: netstat -nr |grep ovpn
                10.0.11.0&0xa000b01 10.0.11.1 UGS ovpnc2
                10.0.11.1 link#12 UH ovpnc2
                10.0.12.1 link#11 UH ovpnc1
                192.168.192.0/18 10.0.12.1 UGS ovpnc1

                N L 2 Replies Last reply Jun 30, 2022, 9:01 AM Reply Quote 0
                • N
                  Neverstopdreaming @Neverstopdreaming
                  last edited by Jun 30, 2022, 9:01 AM

                  I solved it by removing the "IPv4 Remote network(s)" from the client.
                  It gets the routes directly from the server.
                  Even if this configuration was working properly with SharedKey, it seems that SSL doesn't like it.
                  Also, removing the "IPv4 Tunnel Network" from the client seems safe.

                  1 Reply Last reply Reply Quote 1
                  • J
                    jonna99
                    last edited by Jun 30, 2022, 11:01 AM

                    That maneuver didn't work for me. I rolled back to 22.01.
                    CE 2.6 and 22.01+ both work fine. Peer to peer reestablished.

                    B 1 Reply Last reply Jul 3, 2022, 12:13 PM Reply Quote 0
                    • L
                      Luca De Andreis @Neverstopdreaming
                      last edited by Jun 30, 2022, 12:41 PM

                      @neverstopdreaming I solved it with several site to site SSL / TLS configurations. The routing data on the client, as well as the tunnel vpn segment, must NOT be specified. The data must be taken from the server ... this is how it works (after configuring client exceptions for each single vpn on the server). Works fine on 22.01 and 22.05.

                      N 1 Reply Last reply Jun 30, 2022, 12:48 PM Reply Quote 0
                      • N
                        Neverstopdreaming @Luca De Andreis
                        last edited by Jun 30, 2022, 12:48 PM

                        @luca-de-andreis thanks. the "Client Specific Overrides" is the other important config that was missing

                        1 Reply Last reply Reply Quote 0
                        • N
                          nomadmd
                          last edited by Jul 1, 2022, 1:49 AM

                          It looks like this bug reared its ugly head...

                          When I start OpenVPN client on pfsense connecting to my google cloud instance I get this:

                          netstat -nrf inet
                          Routing tables
                          
                          Internet:
                          Destination        Gateway            Flags     Netif Expire
                          10.8.0.0/24        10.8.0.1           UGS      ovpnc5
                          10.8.0.1           10.8.0.2           UGHS        lo0
                          10.8.0.2           link#16            UHS         lo0
                          
                          

                          instead of this:

                          netstat -nrf inet
                          Routing tables
                          
                          Internet:
                          Destination        Gateway            Flags     Netif Expire
                          10.8.0.0/24        10.8.0.1           UGS      ovpnc5
                          10.8.0.1           10.8.0.2           UGHS     ovpnc5
                          10.8.0.2           link#16            UHS         lo0
                          
                          

                          Quick and dirty fix:

                          route change 10.8.0.1 10.8.0.2 -ifp ovpnc5
                          

                          Because every change to the firewall will break this rule, I added this command as a cron job to run every minute.

                          But ultimately Netgate has to issue a fix and their QA department as well...

                          1 Reply Last reply Reply Quote 0
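A check for the symptom described in the post above, as an added example that is not part of the original thread: it parses `netstat -nrf inet` output and reports a tunnel peer whose host route is bound to an interface other than the OpenVPN one. The function name `check_tunnel_routes` is hypothetical; the two routing tables are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. check_tunnel_routes is a hypothetical name.
# Reads `netstat -nrf inet` output on stdin and prints "<peer> <netif>" for each
# tunnel peer whose host route is bound to an interface other than IFACE ($1).
check_tunnel_routes() {
    awk -v ifn="$1" '
        # Route rows: at least 4 columns, destination starts with a digit.
        NF >= 4 && $1 ~ /^[0-9]/ {
            n++; dest[n] = $1; gw[n] = $2; flags[n] = $3; nif[n] = $4
        }
        END {
            # Peers = gateways of network (non-host) routes on the tunnel interface.
            for (i = 1; i <= n; i++)
                if (nif[i] == ifn && flags[i] !~ /H/ && gw[i] ~ /^[0-9]/)
                    peer[gw[i]] = 1
            # The host route to each peer must leave through the same interface.
            for (i = 1; i <= n; i++)
                if ((dest[i] in peer) && nif[i] != ifn) {
                    print dest[i], nif[i]
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }'
}

# Routing tables copied from the post above (after the upgrade / expected).
BROKEN='Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        10.8.0.1           UGS      ovpnc5
10.8.0.1           10.8.0.2           UGHS        lo0
10.8.0.2           link#16            UHS         lo0'

FIXED='Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        10.8.0.1           UGS      ovpnc5
10.8.0.1           10.8.0.2           UGHS     ovpnc5
10.8.0.2           link#16            UHS         lo0'

# Demo: the first table is flagged, the second passes.
printf '%s\n' "$BROKEN" | check_tunnel_routes ovpnc5 || echo "peer route misbound"
printf '%s\n' "$FIXED"  | check_tunnel_routes ovpnc5 && echo "routes ok"
```

On a live system the input would come from `netstat -nrf inet | check_tunnel_routes ovpnc5`; the non-zero exit status makes it usable as a monitoring check rather than a blind every-minute route rewrite.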
                          • B
                            busk @jonna99
                            last edited by Jul 3, 2022, 12:13 PM

                            @jonna99
                            I also have the problem after update to 22.05 - the system log gives the message:
                            "Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client2/config.ovpn:42: keysize (2.6_git) "

                            After fiddling with setup parameters around OpenVPN, without success, I want to roll back to 22.01.

                            My problem now is that I am not sure how I can roll back.

                            I made a backup before the upgrade, including extra data. But how can I reestablish the system software?
                            Could it be as simple as selecting "Restore Configuration" after specifying the restore area "all"?

                            J 1 Reply Last reply Jul 4, 2022, 8:41 AM Reply Quote 0
                            • J
                              jonna99 @busk
                              last edited by Jul 4, 2022, 8:41 AM

                              @busk
                              Hi, you have to reinstall 2.6 CE and then upgrade to 22.01. After that just restore with your old config file and all your settings will be back.

                              B 1 Reply Last reply Jul 4, 2022, 2:12 PM Reply Quote 0
                              • B
                                busk @jonna99
                                last edited by Jul 4, 2022, 2:12 PM

                                @jonna99
                                Thank you for the info.

                                I realize now that a complete reinstall will be necessary to get the advantage of ZFS.

                                I forgot to mention that I am running on a Netgate SG 5100, so it will probably be easier to get a new ticket for installing pfSense+, hopefully for version 22.01 or else an earlier version, as long as it accepts formatting ZFS. And then apply the old config.

                                1 Reply Last reply Reply Quote 0
                                • J jonna99 referenced this topic on Jul 5, 2022, 6:41 AM
                                • B
                                  buzz2912
                                  last edited by buzz2912 Jul 5, 2022, 4:01 PM Jul 5, 2022, 4:00 PM

                                  I do not know, if it's the same problem,
                                  but my wireguard Site-to-Site connections do not work anymore on 22.05 and 2.7.0
                                  On 2.6.0 and 22.01 everything is and has been perfect.
                                  The Gateways stay disabled. Handshake is green.

                                  Posted a bug report which was closed 😔

                                  Report

                                  I do not know what to do?

                                  Thanks Sebastian

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    jonna99
                                    last edited by Jul 8, 2022, 1:49 PM

                                    Hello again.
                                    Tried once more to upgrade from 22.01 to 22.05 but can't get rid of the problem. P2P doesn't work. Connected on both sides but no traffic passes through.
                                    I now want to reinstall 22.01 but that choice is gone. Only the 22.05 branch is available now. Is there a way to get the 22.01 upgrade using the command prompt instead? Otherwise I'll stay with 2.6 for now.
                                    Also, I tried 2.7 with the same poor result.

                                    B 1 Reply Last reply Jul 8, 2022, 4:01 PM Reply Quote 0
                                    • B
                                      busk @jonna99
                                      last edited by Jul 8, 2022, 4:01 PM

                                      @jonna99
                                      if you are on Netgear hardware you can get pfSense plus in newer versions, including 22.01 by their support page, but you need to give the equipment ID.

                                      I tried it a couple of days ago, and within a few minutes I got a mail from them with links to an install file to burn to a USB memory stick, and a description of the process.
                                      It is probably locked to the ID number on the hardware.
                                      I have not yet tried to install it as I won't risk that my only firewall stops functioning, and so I will be cut off from the Internet and my own network will be useless too.
                                      I need some more planning before I try.

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        arkin87
                                        last edited by Jul 11, 2022, 11:15 PM

                                        I’m no longer receiving the route from the server, log output above. I can mainly add the route manually on the client side and get it to work. Also, RADIUS logins are broken in this release.

                                        Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

                                        Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.20.0

                                        1 Reply Last reply Reply Quote 0
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.