pfsense 2.6.0 system logs message OpenVPN failed to start

Jonas Souza

I do all the openvpn configuration in pfsense but it fails to start the service. I have configured and reconfigured several times but it does not return to normal

Gertjan

@Jonas-Souza

The 'general' log :

doesn't show useful information.

Show us this log :

and we'll show you why OpenVPN doesn't want to start

Jonas Souza

@Gertjan

Hello, thanks for helping.

When trying to start the service, it does not generate a log within OpenVPN, it follows the print. Before taking the print I tried to start the service again, but it does not generate a record.

Thanks

viragomann

@Jonas-Souza
Did this VPN server ever work?

Show the config, please.
If you have multiple servers show all.

Jonas Souza

@viragomann

Yes, it already worked, I tried to recreate the server back, when I finish the creation the service is online and works, but when I need to restart the service it is turned off. Follow the screenshots. I only have this vpn active.

Gertjan

@Jonas-Souza

When you stop the OpenVPN server in the GUI : Dashnoard, I see :

<27>1 2023-06-29T14:36:16.104857+02:00 pfs.bhf.net openvpn 45417 - - event_wait : Interrupted system call (fd=-1,code=4)
<29>1 2023-06-29T14:36:16.105221+02:00 pfs.bhf.net openvpn 45417 - - /sbin/ifconfig ovpns1 192.168.3.1 -alias
<29>1 2023-06-29T14:36:16.114670+02:00 pfs.bhf.net openvpn 45417 - - /usr/local/sbin/ovpn-linkdown ovpns1 1500 0 192.168.3.1 255.255.255.0 init
<13>1 2023-06-29T14:36:16.118951+02:00 pfs.bhf.net openvpn 4823 - - Flushing states on OpenVPN interface ovpns1 (Link Down)
<29>1 2023-06-29T14:36:16.127949+02:00 pfs.bhf.net openvpn 45417 - - SIGTERM[hard,] received, process exiting

When I start it

<29>1 2023-06-29T14:36:58.436068+02:00 pfs.bhf.net openvpn 93117 - - OpenVPN 2.6.2 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
<29>1 2023-06-29T14:36:58.436646+02:00 pfs.bhf.net openvpn 93117 - - library versions: OpenSSL 1.1.1t-freebsd  7 Feb 2023, LZO 2.10
<29>1 2023-06-29T14:36:58.436773+02:00 pfs.bhf.net openvpn 93117 - - DCO version: FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Mon Jun 26 06:35:42 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/amd64/f2Em2w3l/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/sources/
<28>1 2023-06-29T14:36:58.438556+02:00 pfs.bhf.net openvpn 93453 - - NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
<29>1 2023-06-29T14:36:58.439054+02:00 pfs.bhf.net openvpn 93453 - - Initializing OpenSSL support for engine 'rdrand'
<28>1 2023-06-29T14:36:58.441128+02:00 pfs.bhf.net openvpn 93453 - - WARNING: experimental option --capath /var/etc/openvpn/server1/ca
<29>1 2023-06-29T14:36:58.441811+02:00 pfs.bhf.net openvpn 93453 - - TUN/TAP device ovpns1 exists previously, keep at program end
<29>1 2023-06-29T14:36:58.442119+02:00 pfs.bhf.net openvpn 93453 - - TUN/TAP device /dev/tun1 opened
<29>1 2023-06-29T14:36:58.442476+02:00 pfs.bhf.net openvpn 93453 - - /sbin/ifconfig ovpns1 192.168.3.1/24 mtu 1500 up
<29>1 2023-06-29T14:36:58.452004+02:00 pfs.bhf.net openvpn 93453 - - /usr/local/sbin/ovpn-linkup ovpns1 1500 0 192.168.3.1 255.255.255.0 init
<29>1 2023-06-29T14:36:58.459600+02:00 pfs.bhf.net openvpn 93453 - - UDPv4 link local (bound): [AF_INET]192.168.10.4:1194
<29>1 2023-06-29T14:36:58.459630+02:00 pfs.bhf.net openvpn 93453 - - UDPv4 link remote: [AF_UNSPEC]

Use

tail -f /var/log/openvpn.log

on the console / SSG to follow the /var/log/openvpn.log file easily.

<29>1 2023-06-29T14:36:58.459750+02:00 pfs.bhf.net openvpn 93453 - - Initialization Sequence Completed

viragomann

@Jonas-Souza
Your advanced setting are wrong. You have to separate the push command by a semicolon.
Further the first address is wrong. It must be the network address.

But anyway, instead of putting the push command into the custom options, you should rather state them at "Local networks".
So the field should look like this:

100.120.1.0/24,10.210.1.0/24

And empty the custom options, of course.

Jonas Souza

@viragomann

Adjusting the settings you mentioned, it worked perfectly. Thank you very much

Gertjan

@viragomann said in pfsense 2.6.0 system logs message OpenVPN failed to start:

And empty the custom options, of course.

The perfect custom settings :

Using that for several years now, just great. Easy to maintain.

Btw : Because my tunnel network is 192.168.3.0/24 (an available local RFC1918) :
You saw my :

<29>1 2023-06-29T14:36:58.442476+02:00 pfs.bhf.net openvpn 93453 - - /sbin/ifconfig ovpns1 192.168.3.1/24 mtu 1500 up

Because :

edit :

In case you didn't do so already :
Assign the OpenVPN server instnce interface to a new interface - I called mine 'OPENVPN'.

Then : activate it :

(nothing more to do there)

Add some rule on the Interface OPENVPN (otherwise nothing can gets in).
This one will do just fine :

Then, pay a visit to the Resolver (DNS !) and make sure it listens to All incoming interfaces.
Or at least all incoming interfaces - 'OPENVPN' included :

Finally : even if they are years old now, do visit Youtube. Go to the Netgate Channel and re-watch the 3 official OpenVPN (server) video's. It's worth it.

Jonas Souza

@viragomann @Gertjan

Now I'm having another problem, here's the screenshot.

OpenVPN service is online.

What can it be?

viragomann

@Jonas-Souza
Mostly this error means that the client cannot reach the server.
The server IP is correct in the client settings?

Check the firewall log on the server if it has blocked the packets.
Or run a packet capture on WAN to see if the packets arrive at all.

Jonas Souza

@viragomann

Yes, the ip is correct, follow the client's log.

Would it be a problem with the certificates now?

viragomann

@Jonas-Souza
Yes, as the server log shows, there is something wrong with the certificate verification.

Is the client certificate issued by the CA, which you stated in the server settings?

Jonas Souza

@viragomann

Perfectly, I redid the user CA and it worked.

Many thanks for the instructions.

Excuse my ignorance, but how and where do I consider this topic resolved?

viragomann

@Jonas-Souza
Just edit the topic in the first post and put "[SOLVED]" in front of it.

Jonas Souza

@viragomann

sorry but when editing the post notifies this warning.

viragomann

@Jonas-Souza
Obviously there is a lock now for editing old posts.
Do you have access to the topic in the most recent?

Jonas Souza

@viragomann

From the last post yes, but I can't edit the title of the post.

viragomann

@Jonas-Souza
Sorry, so I can't sadly help you with that. Obviously the forum haves different now. Don't now what's actually the proper way to mark a topic as solved.

Jonas Souza

@viragomann

I reposted, thanks

https://forum.netgate.com/topic/181119/solved-pfsense-2-6-0-system-logs-message-openvpn-failed-to-start