UNDEF and TLS Error after 22.05 Upgrade
Hello,
After upgrading my pfSense Netgate cloud based server from 22.01 to 22.05 I am seeing a lot of these TLS errors in the logs. I am also seeing them show up as UNDEF in the OpenVPN logs. We did not have this problem prior to the upgrade and I do have the "Username as common name" enabled. All of the IPs showing up as UNDEF or TLS Errors were IPs that were previously able to connect successfully. And post upgrade I do have other users able to connect successfully. All of the UNDEFs seem to correspond to AES-CBC which in turn seem to correlate to the TLS Errors. However the Cipher is permitted in the server config. Is there anything about the upgrade and the use of AES-256-CBC that would cause this?
Status/OpenVPN
UNDEF x.x.x.x:63792 2023-02-08 16:56:55 0 B 27 KiB AES-256-CBC
UNDEF x.x.x.x:10134 2023-02-08 16:57:37 0 B 10 KiB AES-256-CBC
UNDEF x.x.x.x:32765 2023-02-08 16:57:39 0 B 10 KiB AES-256-CBC
UNDEF x.x.x.x:51555 2023-02-08 16:56:38 0 B 10 KiB AES-256-CBC
UNDEF x.x.x.x:1851 2023-02-08 16:56:37 0 B 10 KiB AES-256-CBC
UNDEF x.x.x.x:62497 2023-02-08 16:57:39 0 B 10 KiB AES-256-CBC
Status/System Logs/OpenVPN
Feb 8 16:54:30 openvpn 38471 x.x.x.x:50137 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:50137 (si=3 op=P_CONTROL_V1)
Feb 8 16:54:29 openvpn 38471 x.x.x.x:49351 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:49351 (si=3 op=P_CONTROL_V1)
Feb 8 16:54:29 openvpn 38471 x.x.x.x:19575 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:19575 (si=3 op=P_CONTROL_V1)
Feb 8 16:54:29 openvpn 38471 x.x.x.x:50137 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:50137 (si=3 op=P_CONTROL_V1)
Feb 8 16:54:28 openvpn 38471 x.x.x.x:49351 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:49351 (si=3 op=P_CONTROL_V1)
Feb 8 16:54:28 openvpn 38471 x.x.x.x:19575 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:19575 (si=3 op=P_CONTROL_V1)
This is a pared down version of my config.ovpn
dev xxxxx
disable-dco
verb 3
dev-type tun
dev-node /dev/tun1
proto udp4
auth SHA256
tls-server
username-as-common-name
remote-cert-tls client
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
persist-remote-ip
float
topology subnet
explicit-exit-notify 1
inactive 300
This is a pared down version of my client.config
dev tun
persist-tun
persist-key
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote x.x.x.x ### udp
lport 0
verify-x509-name "removed" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
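The post's observation that every UNDEF session uses AES-256-CBC and lines up with a TLS Error entry is the kind of correlation worth checking mechanically across a full status table and log rather than by eye. The following script is an added triage example, not code from the forum post or from pfSense: it parses lines in the layout of the Status/OpenVPN table and the OpenVPN system log shown above, counts "TLS Error:" events per peer address, and reports each UNDEF session (a peer that has not completed its TLS handshake, hence no common name and 0 B received) with its negotiated cipher and error count. The sample lines are constructed, and the 203.0.113.0/24 addresses are documentation-range placeholders, not real peers.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the pfSense Status/OpenVPN
# table on the page: common name, real address, connected-since, two byte
# counters, cipher. Addresses are documentation-range placeholders.
STATUS_LINES = [
    "UNDEF 203.0.113.10:63792 2023-02-08 16:56:55 0 B 27 KiB AES-256-CBC",
    "UNDEF 203.0.113.11:10134 2023-02-08 16:57:37 0 B 10 KiB AES-256-CBC",
    "alice 203.0.113.20:41000 2023-02-08 16:50:02 1.2 MiB 8.0 MiB AES-256-GCM",
]

# Constructed sample lines in the layout of the OpenVPN system log on the page.
LOG_LINES = [
    "Feb 8 16:54:30 openvpn 38471 203.0.113.10:63792 TLS Error: Unroutable control packet received from [AF_INET]203.0.113.10:63792 (si=3 op=P_CONTROL_V1)",
    "Feb 8 16:54:29 openvpn 38471 203.0.113.10:63792 TLS Error: Unroutable control packet received from [AF_INET]203.0.113.10:63792 (si=3 op=P_CONTROL_V1)",
    "Feb 8 16:54:29 openvpn 38471 203.0.113.11:10134 TLS Error: Unroutable control packet received from [AF_INET]203.0.113.11:10134 (si=3 op=P_CONTROL_V1)",
    "Feb 8 16:54:28 openvpn 38471 203.0.113.20:41000 TLS: Initial packet from [AF_INET]203.0.113.20:41000, sid=aabbccdd 11223344",
]

STATUS_RE = re.compile(
    r"^(?P<cn>\S+)\s+(?P<peer>\d+\.\d+\.\d+\.\d+:\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<rx>\S+ \S+)\s+(?P<tx>\S+ \S+)\s+(?P<cipher>\S+)$"
)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d+ \d{2}:\d{2}:\d{2}) openvpn \d+ "
    r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)


def parse_status(lines):
    """Return one dict per status row; rows that do not match are skipped."""
    return [m.groupdict() for m in map(STATUS_RE.match, lines) if m]


def parse_log(lines):
    """Return one dict per log entry with the peer address and message text."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def triage(status_lines, log_lines):
    """Correlate UNDEF status rows with TLS Error log entries by peer address."""
    sessions = parse_status(status_lines)
    tls_errors = Counter(
        e["peer"] for e in parse_log(log_lines) if e["msg"].startswith("TLS Error:")
    )
    # UNDEF is the common name OpenVPN reports before the TLS handshake completes.
    undef = [s for s in sessions if s["cn"] == "UNDEF"]
    return {
        "total_sessions": len(sessions),
        "undef_ciphers": dict(Counter(s["cipher"] for s in undef)),
        "undef_sessions": [
            {
                "peer": s["peer"],
                "cipher": s["cipher"],
                "rx": s["rx"],
                "tls_errors": tls_errors.get(s["peer"], 0),
            }
            for s in undef
        ],
    }


if __name__ == "__main__":
    result = triage(STATUS_LINES, LOG_LINES)
    print("sessions:", result["total_sessions"])
    print("ciphers on UNDEF sessions:", result["undef_ciphers"])
    for row in result["undef_sessions"]:
        print(f'{row["peer"]:<22} {row["cipher"]:<12} rx={row["rx"]:<8} tls_errors={row["tls_errors"]}')
```

Run it against copies of the real status table and log (one entry per line) by replacing the two constructed lists; a cipher count that is entirely one algorithm, as in the post, narrows the search to whatever differs between how that cipher is negotiated before and after the upgrade, while a mix would point elsewhere.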