Netgate Discussion Forum

22.05 Upgrade breaks Remote Access OpenVPN

  • J
    jonna99
    last edited by Jun 29, 2022, 4:02 PM

    Hi, I've added some info since last post..
    I have the same problem after upgrading to 22.05. My peer to peer connection (TLS) is not working. Can't reach serverside firewall or any other clients. Status is green and connected on both sides.
    Remote (openvpn) connection on the other hand works fine.
    I have the same firewall- and NAT settings as before, nothing changed, and it's been working for the last few years.
    Could it be something with the firewall settings that have been altered when upgrading? Any ideas? Anybody else having same issues?
    Thanks
    Jonna

    N 1 Reply Last reply Jun 29, 2022, 5:15 PM Reply Quote 0
    • N
      Neverstopdreaming @jonna99
      last edited by Jun 29, 2022, 5:15 PM

      @jonna99 similar issue here testing 2.7 DEV snapshot
      I have two OpenVPN site2site client connections.
      One (ovpnc1) uses sharedkey and the other (ovpnc2) uses SSL/TLS.

      After the upgrade, the SSL/TLS connects but it doesn't apply the route of the "IPv4 Remote network"

      [2.7.0-DEVELOPMENT][root@xxxx]/root: netstat -nr |grep ovpn
      10.0.11.0&0xa000b01 10.0.11.1 UGS ovpnc2
      10.0.11.1 link#12 UH ovpnc2
      10.0.12.1 link#11 UH ovpnc1
      192.168.192.0/18 10.0.12.1 UGS ovpnc1

      N L 2 Replies Last reply Jun 30, 2022, 9:01 AM Reply Quote 0
      • N
        Neverstopdreaming @Neverstopdreaming
        last edited by Jun 30, 2022, 9:01 AM

        I solved it by removing the "IPv4 Remote network(s)" from the client.
        It gets the routes directly from the server.
        Even if this configuration was working properly with SharedKey, it seems that SSL doesn't like it.
        Also removing the "IPv4 Tunnel Network" from the client seems safe.

        1 Reply Last reply Reply Quote 1
        • J
          jonna99
          last edited by Jun 30, 2022, 11:01 AM

          That maneuver didn't work for me. I rolled back to 22.01.
          CE 2.6 and 22.01+ both work fine. Peer to peer reestablished.

          B 1 Reply Last reply Jul 3, 2022, 12:13 PM Reply Quote 0
          • L
            Luca De Andreis @Neverstopdreaming
            last edited by Jun 30, 2022, 12:41 PM

            @neverstopdreaming I solved with several site to site SSL / TLS configurations. The routing data on the client, as well as the tunnel vpn segment must NOT be specified. The data must be taken from the server ... this is how it works (after configuring client exceptions for each single vpn on the server). Works fine on 22.01 and 22.05.

            N 1 Reply Last reply Jun 30, 2022, 12:48 PM Reply Quote 0
            • N
              Neverstopdreaming @Luca De Andreis
              last edited by Jun 30, 2022, 12:48 PM

              @luca-de-andreis Thanks. The "Client Specific Overrides" is the other important config that was missing

              1 Reply Last reply Reply Quote 0
              • N
                nomadmd
                last edited by Jul 1, 2022, 1:49 AM

                It looks like this bug reared its ugly head...

                When I start OpenVPN client on pfsense connecting to my google cloud instance I get this:

                netstat -nrf inet
                Routing tables
                
                Internet:
                Destination        Gateway            Flags     Netif Expire
                10.8.0.0/24        10.8.0.1           UGS      ovpnc5
                10.8.0.1           10.8.0.2           UGHS        lo0
                10.8.0.2           link#16            UHS         lo0
                
                

                instead of this:

                netstat -nrf inet
                Routing tables
                
                Internet:
                Destination        Gateway            Flags     Netif Expire
                10.8.0.0/24        10.8.0.1           UGS      ovpnc5
                10.8.0.1           10.8.0.2           UGHS     ovpnc5
                10.8.0.2           link#16            UHS         lo0
                
                

                Quick and dirty fix:

                route change 10.8.0.1 10.8.0.2 -ifp ovpnc5
                

                Because every change to the firewall will break this rule, I added this command as a cron job to run every minute.

                But ultimately Netgate has to issue a fix and their QA department as well...

                1 Reply Last reply Reply Quote 0
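Added example (not part of nomadmd's post and not pfSense code): a check over `netstat -nrf inet` output that reports a tunnel peer whose host route sits on a different interface than the tunnel, so the `route change` workaround is only suggested when the mismatch is actually present. It assumes pfSense's `ovpncN`/`ovpnsN` interface naming; the function name is hypothetical and the two sample tables are constructed from the output quoted in the post above.

```shell
#!/bin/sh
# Reads `netstat -nrf inet` output on stdin and prints one `route change`
# command per OpenVPN peer whose host route is bound to the wrong interface.
suggest_peer_route_fixes() {
    awk '
        NF >= 4 && $1 ~ /^[0-9]/ {
            dest = $1; gw = $2; flags = $3; netif = $4
            # Network route through an ovpn interface: its gateway is the peer.
            if (netif ~ /^ovpn[cs][0-9]+$/ && flags ~ /G/ && flags !~ /H/)
                tunnel_if[gw] = netif
            # Host route: remember the interface and gateway it currently uses.
            if (flags ~ /H/) { host_if[dest] = netif; host_gw[dest] = gw }
        }
        END {
            for (peer in tunnel_if) {
                if (!(peer in host_if)) continue            # no host route to compare
                if (host_if[peer] == tunnel_if[peer]) continue  # bound correctly
                if (host_gw[peer] !~ /^[0-9.]+$/) continue  # link#N gateway: skip
                printf "route change %s %s -ifp %s\n", peer, host_gw[peer], tunnel_if[peer]
            }
        }'
}

# Constructed sample: the table the post shows after the upgrade.
BROKEN_TABLE='Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        10.8.0.1           UGS      ovpnc5
10.8.0.1           10.8.0.2           UGHS        lo0
10.8.0.2           link#16            UHS         lo0'

# Constructed sample: the table the post says it should be.
EXPECTED_TABLE='Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        10.8.0.1           UGS      ovpnc5
10.8.0.1           10.8.0.2           UGHS     ovpnc5
10.8.0.2           link#16            UHS         lo0'

# On the firewall itself (assumption: a root shell or cron entry):
#   netstat -nrf inet | suggest_peer_route_fixes
printf '%s\n' "$BROKEN_TABLE" | suggest_peer_route_fixes
printf '%s\n' "$EXPECTED_TABLE" | suggest_peer_route_fixes
```

The local tunnel address (`10.8.0.2` here) legitimately stays on `lo0`, which is why only gateways of non-host routes are treated as peers.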
                • B
                  busk @jonna99
                  last edited by Jul 3, 2022, 12:13 PM

                  @jonna99
                  I also have the problem after update to 22.05 - the system log gives the message:
                  "Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client2/config.ovpn:42: keysize (2.6_git) "

                  After fiddling with setup parameters around OpenVPN, without success, I want to roll back to 22.01.

                  My problem now is that I am not sure how I can roll back.

                  I made a backup before the upgrade, including extra data. But how can I reestablish the system software?
                  Could it be as simple as selecting "Restore Configuration" after specifying the restore area "all"?

                  J 1 Reply Last reply Jul 4, 2022, 8:41 AM Reply Quote 0
                  • J
                    jonna99 @busk
                    last edited by Jul 4, 2022, 8:41 AM

                    @busk
                    Hi, you have to reinstall 2.6 CE and then upgrade to 22.01. After that just restore with your old config file and all your settings will be back.

                    B 1 Reply Last reply Jul 4, 2022, 2:12 PM Reply Quote 0
                    • B
                      busk @jonna99
                      last edited by Jul 4, 2022, 2:12 PM

                      @jonna99
                      Thank you for the info.

                      I realize now that a complete reinstall will be necessary to get the advantage of ZFS.

                      I forgot to mention that I am running on a Netgate SG 5100, so it will probably be easier to get a new ticket for installing pfSense+ hopefully for version 22.01 or else an earlier version as long as it accepts formatting ZFS. And then apply the old config.

                      1 Reply Last reply Reply Quote 0
                      • J jonna99 referenced this topic on Jul 5, 2022, 6:41 AM
                      • B
                        buzz2912
                        last edited by buzz2912 Jul 5, 2022, 4:01 PM Jul 5, 2022, 4:00 PM

                        I do not know if it's the same problem,
                        but my wireguard Site-to-Site connections do not work anymore on 22.05 and 2.7.0
                        On 2.6.0 and 22.01 everything is and has been perfect.
                        The Gateways stay disabled. Handshake is green.

                        Posted a bug report which was closed 😔

                        Report

                        I do not know what to do?

                        Thanks Sebastian

                        1 Reply Last reply Reply Quote 0
                        • J
                          jonna99
                          last edited by Jul 8, 2022, 1:49 PM

                          Hello again.
                          Tried once more to upgrade from 22.01 to 22.05 again but can't get rid of the problem. P2P doesn't work. Connected on both sides but no traffic passes through.
                          I now want to reinstall 22.01 but that choice is gone. Only 22.05 branch available now. Is there a way to get the 22.01 upgrade using the command prompt instead? Otherwise I'll stay with 2.6 for now.
                          Also, I also tried 2.7 with the same poor result.

                          B 1 Reply Last reply Jul 8, 2022, 4:01 PM Reply Quote 0
                          • B
                            busk @jonna99
                            last edited by Jul 8, 2022, 4:01 PM

                            @jonna99
                            If you are on Netgear hardware you can get pfSense plus in newer versions, including 22.01 by their support page, but you need to give the equipment ID.

                            I tried it a couple of days ago, and within a few minutes I got a mail from them with links to an install file to burn to a USB-memory, and a description of the process.
                            It is probably locked to the ID-number on the hardware.
                            I have not yet tried to install it as I won't risk that my only firewall stops functioning, and so I will be cut off the Internet and my own network will be useless too.
                            I need some more planning before I try.

                            1 Reply Last reply Reply Quote 0
                            • A
                              arkin87
                              last edited by Jul 11, 2022, 11:15 PM

                              I’m no longer receiving the route from the server, log output above. I can mainly add the route manually on the client side and get it to work. Also - RADIUS logins are broken in this release.

                              Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

                              Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.20.0

                              1 Reply Last reply Reply Quote 0