OpenVPN Peer-to-peer w. PSK broken after upgrade to 2.6.0
-
I upgraded both my routers from 2.5.2 to 2.6.0. I have an OpenVPN pre-shared key peer-to-peer connection between them both. After upgrading the server router first, everything continued to work fine. But when I upgraded the client router, the connection broke.
This is a snippet of the logs:
Aug 17 20:13:55 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 17 20:13:56 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 17 20:13:56 openvpn 35928 MANAGEMENT: CMD 'quit'
Aug 17 20:13:56 openvpn 35928 MANAGEMENT: Client disconnected
Aug 17 20:14:42 openvpn 79066 Inactivity timeout (--ping-restart), restarting
Aug 17 20:14:42 openvpn 79066 SIGUSR1[soft,ping-restart] received, process restarting
Aug 17 20:14:47 openvpn 79066 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 17 20:14:47 openvpn 79066 Re-using pre-shared static key
Aug 17 20:14:47 openvpn 79066 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Aug 17 20:14:47 openvpn 79066 Preserving previous TUN/TAP instance: ovpnc1
Aug 17 20:14:47 openvpn 79066 TCP/UDP: Preserving recently used remote address: [AF_INET]87.104.5.4:1194
Aug 17 20:14:47 openvpn 79066 UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx:0
Aug 17 20:14:47 openvpn 79066 UDPv4 link remote: [AF_INET]xxx.xxx.xx.xxx:1194
Aug 17 20:14:57 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
and
Aug 17 20:23:56 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 17 20:23:56 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 17 20:23:56 openvpn 35928 MANAGEMENT: Client disconnected
Aug 17 20:23:56 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 17 20:23:56 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 17 20:23:56 openvpn 35928 MANAGEMENT: Client disconnected
Aug 17 20:24:02 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 17 20:24:02 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 17 20:24:02 openvpn 35928 MANAGEMENT: Client disconnected
Aug 17 20:24:14 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 17 20:24:14 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 17 20:24:14 openvpn 35928 MANAGEMENT: CMD 'quit'
Aug 17 20:24:14 openvpn 35928 MANAGEMENT: Client disconnected
Aug 17 20:24:22 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 17 20:24:22 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 17 20:24:22 openvpn 35928 MANAGEMENT: Client disconnected
Aug 17 20:24:28 openvpn 79066 Inactivity timeout (--ping-restart), restarting
Aug 17 20:24:28 openvpn 79066 SIGUSR1[soft,ping-restart] received, process restarting
Aug 17 20:24:33 openvpn 79066 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 17 20:24:33 openvpn 79066 Re-using pre-shared static key
Aug 17 20:24:33 openvpn 79066 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Aug 17 20:24:33 openvpn 79066 Preserving previous TUN/TAP instance: ovpnc1
When I go to the configuration page and try to save I get this error - both on server and client router. I tried to make a new key using the GUI (on client), which works fine, but when I paste that key on server I get the same error and also on client if I try to change anything:
Is peer-to-peer using PSK already "gone"?
Thanks in advance, if anybody knows.
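One way to separate the GUI's management-socket polling from the tunnel process in a log like the one above, as an added example that is not part of this thread or of pfSense: it assumes the pfSense OpenVPN log layout shown in the post (timestamp, "openvpn", process id, message), takes a "Peer Connection Initiated" message as the sign that a packet has arrived from the remote, and runs over constructed sample lines modelled on the post (the remote address is a placeholder).

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the log in the post; not the poster's full log.
SAMPLE_LOG = """\
Aug 17 20:13:55 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 17 20:13:56 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 17 20:13:56 openvpn 35928 MANAGEMENT: Client disconnected
Aug 17 20:14:42 openvpn 79066 Inactivity timeout (--ping-restart), restarting
Aug 17 20:14:42 openvpn 79066 SIGUSR1[soft,ping-restart] received, process restarting
Aug 17 20:14:47 openvpn 79066 Re-using pre-shared static key
Aug 17 20:14:47 openvpn 79066 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Aug 17 20:14:47 openvpn 79066 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Aug 17 20:24:28 openvpn 79066 Inactivity timeout (--ping-restart), restarting
Aug 17 20:24:28 openvpn 79066 SIGUSR1[soft,ping-restart] received, process restarting
Aug 17 20:24:33 openvpn 79066 Re-using pre-shared static key
Aug 17 20:24:33 openvpn 79066 UDPv4 link remote: [AF_INET]203.0.113.10:1194
"""

# "Aug 17 20:13:55 openvpn 35928 <message>"
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) (?P<msg>.*)$")


def parse_log(text):
    """Yield (timestamp, pid, message) for every line that matches the pfSense OpenVPN log layout."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("pid"), m.group("msg")


def triage(text):
    """Group events by OpenVPN process id and summarise what each process tells us."""
    report = defaultdict(lambda: {"lines": 0, "management": 0, "ping_restarts": 0,
                                  "peer_seen": False, "warnings": []})
    for _ts, pid, msg in parse_log(text):
        r = report[pid]
        r["lines"] += 1
        if msg.startswith("MANAGEMENT:"):
            r["management"] += 1          # GUI status widget talking to the management socket
        elif msg.startswith("Inactivity timeout (--ping-restart)"):
            r["ping_restarts"] += 1       # no keepalive reply within the ping-restart window
        elif msg.startswith("Peer Connection Initiated"):
            r["peer_seen"] = True         # first packet from the remote was received (assumed marker)
        elif msg.startswith("WARNING:"):
            r["warnings"].append(msg)
    for r in report.values():
        r["management_only"] = r["management"] == r["lines"]
    return dict(report)


def verdict(report):
    """Turn the per-process summary into short findings a reader can act on."""
    findings = []
    for pid, r in sorted(report.items()):
        if r["management_only"]:
            findings.append(f"pid {pid}: management-socket traffic only (status polls); not the tunnel")
            continue
        if r["ping_restarts"] and not r["peer_seen"]:
            findings.append(
                f"pid {pid}: {r['ping_restarts']} ping-restart(s) and no 'Peer Connection Initiated'; "
                "nothing from the remote reached this process, so check reachability of the remote "
                "OpenVPN port and the firewall rules on both ends before suspecting the key")
        for w in r["warnings"]:
            findings.append(f"pid {pid}: {w}")
    return findings


if __name__ == "__main__":
    for line in verdict(triage(SAMPLE_LOG)):
        print(line)
```

Run against a full log, the management-only process (35928 above) is noise from the dashboard widget and can be ignored; the process that keeps hitting ping-restart without ever logging a received peer packet is the one whose remote end and path need checking.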
-
PSK still works now, especially on pfSense CE 2.6.0 which still uses OpenVPN 2.5.x where they haven't even added log messages for it being deprecated in the future.
There isn't a lot to go on here, though. The error in the logs just seems to be a timeout, like a problem with connectivity in between, not an OpenVPN issue, but it's hard to say without more details.
The key should still work provided you copied the whole thing (including the header and footer armor lines). Make sure there aren't any blank lines before or after the key as well.
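A check of the kind jimp describes (whole key including the armor lines, no stray blank lines), as an added example that is not part of this thread or of pfSense: it assumes the standard OpenVPN static key layout written by openvpn --genkey (BEGIN/END armor lines, optional # comment lines, 16 lines of 32 hex characters for a 2048-bit key), and the sample key is constructed from a fixed string and is not a usable key.

```python
import hashlib
import re

# Armor lines that OpenVPN writes around a static key.
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
# A 2048-bit static key is written as 16 lines of 32 hex characters.
KEY_LINES = 16
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")


def check_static_key(text):
    """Return a list of problems with a pasted static key; an empty list means the paste looks intact."""
    problems = []
    raw = text.split("\n")
    if raw and raw[-1] == "":
        raw.pop()  # a single trailing newline is normal for a file, not a blank line
    if raw and raw[0].strip() == "":
        problems.append("blank line before the key")
    if raw and raw[-1].strip() == "":
        problems.append("blank line after the key")
    # Drop blank lines and '#' comments (e.g. "# 2048 bit OpenVPN static key") before checking the body.
    lines = [l.strip() for l in raw if l.strip() and not l.strip().startswith("#")]
    if not lines or lines[0] != BEGIN:
        problems.append("missing or damaged BEGIN armor line")
    if not lines or lines[-1] != END:
        problems.append("missing or damaged END armor line")
    body = [l for l in lines if l not in (BEGIN, END)]
    bad = [i for i, l in enumerate(body, 1) if not HEX_LINE.match(l)]
    if bad:
        problems.append(f"key line(s) {bad} are not 32 hex characters")
    if len(body) != KEY_LINES:
        problems.append(f"expected {KEY_LINES} key lines, got {len(body)}")
    return problems


def normalize_static_key(text):
    """Strip surrounding blank lines and per-line whitespace so the paste contains only the key."""
    lines = [l.strip() for l in text.splitlines()]
    while lines and lines[0] == "":
        lines.pop(0)
    while lines and lines[-1] == "":
        lines.pop()
    return "\n".join(lines) + "\n"


# Constructed sample key for demonstration only: hex derived from a fixed string, not a usable key.
SAMPLE_KEY = "\n".join(
    ["# 2048 bit OpenVPN static key", BEGIN]
    + [hashlib.sha256(b"constructed sample line %d" % i).hexdigest()[:32] for i in range(KEY_LINES)]
    + [END]
) + "\n"


if __name__ == "__main__":
    print("clean paste:", check_static_key(SAMPLE_KEY))
    print("with blank lines:", check_static_key("\n" + SAMPLE_KEY + "\n"))
    print("after normalize:", check_static_key(normalize_static_key("\n" + SAMPLE_KEY + "\n")))
```

The check reports what is wrong rather than silently rejecting the paste, which is what you want when the same key is being copied into two routers and the only feedback from the form is "invalid".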
-
@jimp Strange, since the key has not changed. I also tried with a new key, same result. The remote access to the server router from remote clients still works (another OpenVPN server instance on the server router). So the only thing that has changed was the update to 2.6.0. It is not a connectivity issue.
-
@jimp
Actually I think it is a bug, since the key IS valid - I did not change it, it worked for a year, and making a new key using pfSense also says the key is invalid.
-
Have you tried another browser and/or incognito mode to create and save the new key?
Some browser plugins cause weird problems sometimes... -Rico
-
@rico Hi
Yes, seemed like the "key validation" in the form was disturbed by something. Now I can save (changed and unchanged key) but the client still does not connect.
Aug 19 13:36:42 openvpn 43990 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Aug 19 13:36:42 openvpn 43990 OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
Aug 19 13:36:42 openvpn 43990 library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
Aug 19 13:36:42 openvpn 44249 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 19 13:36:42 openvpn 44249 Initializing OpenSSL support for engine 'rdrand'
Aug 19 13:36:42 openvpn 44249 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Aug 19 13:36:42 openvpn 44249 TUN/TAP device ovpnc1 exists previously, keep at program end
Aug 19 13:36:42 openvpn 44249 TUN/TAP device /dev/tun1 opened
Aug 19 13:36:42 openvpn 44249 /sbin/ifconfig ovpnc1 10.0.8.2 10.0.8.1 mtu 1400 netmask 255.255.255.255 up
Aug 19 13:36:42 openvpn 44249 /usr/local/sbin/ovpn-linkup ovpnc1 1400 1472 10.0.8.2 10.0.8.1 init
Aug 19 13:36:42 openvpn 44249 TCP/UDP: Preserving recently used remote address: [AF_INET]yy.yy.yy.yy:1194
Aug 19 13:36:42 openvpn 44249 UDPv4 link local (bound): [AF_INET]xx.xx.xx.xx:0
Aug 19 13:36:42 openvpn 44249 UDPv4 link remote: [AF_INET]yy.yy.yy.yy:1194
Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 19 13:36:59 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client disconnected
Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 19 13:36:59 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client disconnected
Aug 19 13:37:05 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 19 13:37:05 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 19 13:37:05 openvpn 35928 MANAGEMENT: Client disconnected
Aug 19 13:37:14 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 19 13:37:14 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 19 13:37:14 openvpn 35928 MANAGEMENT: Client disconnected
Aug 19 13:37:25 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 19 13:37:25 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 19 13:37:25 openvpn 35928 MANAGEMENT: Client disconnected
Aug 19 13:37:25 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 19 13:37:25 openvpn 35928 MANAGEMENT: CMD 'status 2'
Aug 19 13:37:26 openvpn 35928 MANAGEMENT: CMD 'quit'
Aug 19 13:37:26 openvpn 35928 MANAGEMENT: Client disconnected