22.05 Upgrade breaks Remote Access OpenVPN
I recently upgraded a Netgate 2100 from pfSense plus 22.01 to 22.05 however since the upgrade the OpenVPN Remote access server doesn't work properly (it worked perfectly on 22.01). I can connect to the server and ping clients on the remote network but no services work. Can't access the pfsense web gui, can't access websites/gui on other remote clients. I could do all these things before the upgrade to 22.05.
The Remote Access Server is pretty standard, TUN Mode and a SUBNET topology.
Any ideas or has anyone else experienced issues with OpenVPN after the 22.05 upgrade?
I have the same problem with Negate 6100. I just upgraded the version and firmware, and found OpenVPN is not running at all even though I ran the services and rebooted the router several times. I need the solution asap...
I found OpenVPN was not properly upgraded (still showed 2.5.4) when I checked it by console by referring the different thread).
After I ran
pfSense-upgrade -dcommand in the console and rebooted the device, it was upgraded to 2.6 and is now running fine now. Thank you @jimp!
I guess this 22.05 upgrade is somehow problematic....
I hope this will help you to solve your problem.
pfSense-upgrade -ddidn't work. Same issue. I'm seeing blocked openvpn packets in the firewall so I'm guessing that the 22.05 upgrade might have altered the firewall rules in some way but I can't see anything that's obviously incorrect.
I did do the 22.05 Upgrade remotely over the OpenVPN connection. Could this have caused problems?
Hi! I have the same problem after upgrading to 22.05 my peer to peer connection is lost. Status is green and connected. Must be something with the firewall settings that have been altered when upgrading?
Hi, I´ve added some info since last post..
I have the same problem after upgrading to 22.05. My peer to peer connection (TLS) is not working. Cant reach serverside firewall or any other clients. Status is green and connected on both sides.
Remote (openvpn) connection on the other hand works fine.
I have the same firewall- and NAT settings as before, nothing changed, and its been working for the last few years.
Could it be something with the firewall settings that have been altered when upgrading? Any ideas? Anybody else having same issues?
@jonna99 similar issue here testing 2.7 DEV snapshot
I have two OpenVPN site2site client connections.
One (ovpnc1) uses sharedkey and the other (ovpnc2) uses SSL/TLS.
After the upgrade, the SSL/TLS connects but it doesn't apply the route of the "IPv4 Remote network"
[2.7.0-DEVELOPMENT][root@xxxx]/root: netstat -nr |grep ovpn
10.0.11.0&0xa000b01 10.0.11.1 UGS ovpnc2
10.0.11.1 link#12 UH ovpnc2
10.0.12.1 link#11 UH ovpnc1
192.168.192.0/18 10.0.12.1 UGS ovpnc1
I solved removing the "IPv4 Remote network(s)" from the client.
it gets the routes directly from the server.
Even if this configuration was working properly with SharedKey, it seems that SSL doens't like it.
Also removing the "IPv4 Tunnel Network" from the client seems safe.
That manouver didn´t work for me. I rolled back to 22.01.
CE 2.6 and 22.01+ both work fine. Peer to peer reestablished.
@neverstopdreaming I solved with several site to site SSL / TLS configurations. The routing data on the client, as well as the tunnel vpn segment must be NOT specified. The data must be taken from the server ... this is how it works (after configuring client exceptions for each single vpn on the server). Works fine on 22.01 and 22.05.
@luca-de-andreis thanks. the "Client Specific Overrides" is the other important config that was missing
It looks like this bug reared its ugly head...
When I start OpenVPN client on pfsense connecting to my google cloud instance I get this:
netstat -nrf inet Routing tables Internet: Destination Gateway Flags Netif Expire 10.8.0.0/24 10.8.0.1 UGS ovpnc5 10.8.0.1 10.8.0.2 UGHS lo0 10.8.0.2 link#16 UHS lo0
instead of this:
netstat -nrf inet Routing tables Internet: Destination Gateway Flags Netif Expire 10.8.0.0/24 10.8.0.1 UGS ovpnc5 10.8.0.1 10.8.0.2 UGHS ovpnc5 10.8.0.2 link#16 UHS lo0
Quick and dirty fix:
route change 10.8.0.1 10.8.0.2 -ifp ovpnc5
because every change to firewall will break this rule added this command as a cron job to run every minute.
But ultimately Netgate has to issue a fix and their QA department as well...
I also have the problem after update to 22.05 - the system log gives the message:
"Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client2/config.ovpn:42: keysize (2.6_git) "
After fiddling with setup parameters around OpenVPN, without success, I want to roll back to 22.01.
My problem now is that I am not sure how I can roll back.
I made a backup before the upgrade, including extra data. But how can I reestablish the system software?
Could it be as simple as selecting "Restore Configuration" after specifying the restore area "all"?
Hi, you have to reinstall 2.6 CE and then upgrade to 22.01. After that just restore with your old config file and all your settings will be back.
Thank you for the info.
I realize now that a complete reinstall will be necessary to get the advantage of ZFS
I forgot to mention that I am running on a Netgate SG 5100, so it will probably be easier to get a new ticket for installing pfSense+ hopefully for version 22.01 or else an earlier version as long as it accept formatting ZFS. And then apply the old config.
I do not know, if it's the same problem,
but my wireguard Site-to-Site connections do not work anymore on 22.05 and 2.7.0
On 2.6.0 and 22.01 everything is and has been perfect.
The Gateways stay diabled. Handshake is green.
Posted a bug report which was closed
I do not know what to do?
Tried once more to upgrade from 22.01 to 22.05 again but cant get rid of the problem. P2P doesn´t work. Connected on both sides but no traffic passes through.
I now want to reinstall 22.01 but that choice is gone. Only 22.05 branch available now. Is there a way to get the 22.01 upgrade using the command prompt instead? Otherwise I´ll stay with 2.6 for now.
Also. .I also tried 2.7 with the same poor result.
if you are on Netgear hardware you can get pfSense plus in newer versions, including 22.01 by their support page, but you need to give the equipment ID.
I tried it a couple of days ago, and within few minutes I got a mail from them with links to an install file to burn to a USB-memory, and a description of the process.
It is probably locked to the ID-number on the hardware.
I have not yet tried to install it as I wont risk that my only firewall stop functioning, and so I will be cut off the Internet and my own network will be useless too.
I need some more planning before I try.
I’m no longer receiving the route from the server, log output above. I can mainly add the route manually on the client side and get it to work. Also - Radius logins is broken in this release.
Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.20.0