Netgate Discussion Forum

    Upgraded from 2.6 to 2.7 and OpenVPN client no longer works

    anonymouse

      I have a very basic and simple setup. I connect to an external VPN via this guide:
      https://mullvad.net/en/help/using-pfsense-mullvad/

      This used to work fine for 2.6, but now, unfortunately, no longer works.

      What happens is the following:

      1. I restart the OpenVPN client
      2. I ping from my laptop to a known external IP and I get back a result (< 20ms)
      3. I start browsing the internet on a browser. Sometimes something renders, but most of the time it just gets stuck.
      4. I try to ping the external IP again from my laptop, and I get Request timeout for icmp_seq ...

      I can repeat the instructions above and it's 100% reproducible every single time.

      This is with a factory reset of 2.7, and by following the instructions on top of this post.

      Do you perhaps have an idea what could be going on here?

        SeaMonkey @anonymouse

        @anonymouse What errors, if any, do you see in your OpenVPN log?

          anonymouse

          I've attached the log below.

          There are two parts that I'm not too sure about:

          • SIGTERM[soft,exit-with-notification] received, process exiting
          • GDG6: problem writing to routing socket: No such process (errno=3)

          The web GUI says it connected successfully and stays connected while I experience the problems described in the first post.

          Jul 28 18:23:52	openvpn	70772	event_wait : Interrupted system call (fd=-1,code=4)
          Jul 28 18:23:52	openvpn	70772	SIGTERM received, sending exit notification to peer
          Jul 28 18:23:53	openvpn	70772	delete_route_ipv6(::/2)
          Jul 28 18:23:53	openvpn	70772	delete_route_ipv6(4000::/2)
          Jul 28 18:23:53	openvpn	70772	delete_route_ipv6(8000::/2)
          Jul 28 18:23:53	openvpn	70772	delete_route_ipv6(c000::/2)
          Jul 28 18:23:53	openvpn	70772	/sbin/ifconfig ovpnc1 10.15.0.31 -alias
          Jul 28 18:23:53	openvpn	70772	/sbin/ifconfig ovpnc1 inet6 CENSORED_IPV6:1301::101d/64 -alias
          Jul 28 18:23:53	openvpn	70772	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.15.0.31 255.255.0.0 init
          Jul 28 18:23:53	openvpn	75022	Flushing states on OpenVPN interface ovpnc1 (Link Down)
          Jul 28 18:23:53	openvpn	70772	SIGTERM[soft,exit-with-notification] received, process exiting
          Jul 28 18:23:53	openvpn	88678	WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
          Jul 28 18:23:53	openvpn	88678	OpenVPN 2.6.4 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
          Jul 28 18:23:53	openvpn	88678	library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10
          Jul 28 18:23:53	openvpn	88678	DCO version: FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
          Jul 28 18:23:53	openvpn	88884	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          Jul 28 18:23:53	openvpn	88884	Initializing OpenSSL support for engine 'rdrand'
          Jul 28 18:23:53	openvpn	88884	WARNING: experimental option --capath /var/etc/openvpn/client1/ca
          Jul 28 18:23:53	openvpn	88884	TCP/UDP: Preserving recently used remote address: [AF_INET]CENSORED_REMOTE_IP:80
          Jul 28 18:23:53	openvpn	88884	Attempting to establish TCP connection with [AF_INET]CENSORED_REMOTE_IP:80
          Jul 28 18:23:53	openvpn	88884	TCP connection established with [AF_INET]CENSORED_REMOTE_IP:80
          Jul 28 18:23:53	openvpn	88884	TCPv4_CLIENT link local (bound): [AF_INET]192.168.178.23:0
          Jul 28 18:23:53	openvpn	88884	TCPv4_CLIENT link remote: [AF_INET]CENSORED_REMOTE_IP:80
          Jul 28 18:23:53	openvpn	88884	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          Jul 28 18:23:53	openvpn	88884	[nl-ams-ovpn-003.mullvad.net] Peer Connection Initiated with [AF_INET]CENSORED_REMOTE_IP:80
          Jul 28 18:23:56	openvpn	88884	GDG6: problem writing to routing socket: No such process (errno=3)
          Jul 28 18:23:56	openvpn	88884	TUN/TAP device ovpnc1 exists previously, keep at program end
          Jul 28 18:23:56	openvpn	88884	TUN/TAP device /dev/tun1 opened
          Jul 28 18:23:56	openvpn	88884	/sbin/ifconfig ovpnc1 10.6.0.7/16 mtu 1500 up
          Jul 28 18:23:56	openvpn	88884	/sbin/ifconfig ovpnc1 inet6 CENSORED_IPV6:80::1005/64 mtu 1500 up
          Jul 28 18:23:56	openvpn	88884	/usr/local/sbin/ovpn-linkup ovpnc1 1500 0 10.6.0.7 255.255.0.0 init
          Jul 28 18:23:56	openvpn	88884	add_route_ipv6(::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
          Jul 28 18:23:56	openvpn	88884	add_route_ipv6(4000::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
          Jul 28 18:23:56	openvpn	88884	add_route_ipv6(8000::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
          Jul 28 18:23:56	openvpn	88884	add_route_ipv6(c000::/2 -> CENSORED_IPV6:80:: metric -1) dev ovpnc1
          Jul 28 18:23:56	openvpn	88884	Initialization Sequence Completed
          

          What fascinates me is that I can keep pinging a remote host indefinitely without failure up until the point I start browsing on my laptop. At that stage, I can no longer ping anything.

          Could that be a routing problem? I have no firewall rules configured for OPT1 nor OpenVPN, and I have only the default 3 LAN rules set up:

          • 0/585 KiB * * * LAN Address 443 80 22 * * Anti-Lockout Rule
          • 23/1.16 MiB IPv4 * LAN net * * * * none Default allow LAN to any rule
          • 0/0 B IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule

            anonymouse

            I think I found the culprit, yet I have no idea how to fix it:

            Aug  5 19:49:25 pfSense filterlog[41547]: 5,,,1000000104,ovpnc1,match,block,out,4,0x0,,63,0,0,DF,6,tcp,141,10.15.0.2,OUTGOING_IP,13281,443,89,FPA,1717258034:1717258123,761365153,2048,,nop;nop;TS
            

            I see that it also blocks the OPT1 traffic in the system log, as it mentions Default deny rule IPv4 (1000000104).

            Does anyone see anything wrong with the instructions I posted in the first post? It doesn't mention any firewall rules on the OPT1 or OpenVPN tab. However, I have come to believe this is no longer correct. Yet when I allow any traffic, it also still doesn't work. It could potentially be asymmetric routing according to the documentation, but I use UDP as a protocol, which, as it mentions, it shouldn't affect (https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html).

            Any help would be greatly appreciated!

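The filterlog line quoted in the last post can be split into named fields to see exactly what pf dropped. This is an added example, not part of the original thread or of pfSense itself; it assumes the raw filterlog field order for IPv4/TCP entries, and the function names are hypothetical.

```python
# Tracker ID the post names as "Default deny rule IPv4".
DEFAULT_DENY_IPV4 = "1000000104"

# Constructed sample: the filterlog line quoted in the post, with the
# poster's OUTGOING_IP placeholder kept as-is.
SAMPLE = ("Aug  5 19:49:25 pfSense filterlog[41547]: "
          "5,,,1000000104,ovpnc1,match,block,out,4,0x0,,63,0,0,DF,6,tcp,141,"
          "10.15.0.2,OUTGOING_IP,13281,443,89,FPA,1717258034:1717258123,"
          "761365153,2048,,nop;nop;TS")

# Assumed field order: common header, then IPv4 fields, then TCP fields.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id",
        "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]


def parse_filterlog(line):
    """Parse one IPv4 filterlog syslog line into a dict (None if not IPv4)."""
    payload = line.partition("filterlog[")[2].partition("]: ")[2]
    fields = payload.split(",")
    rec = dict(zip(COMMON, fields))
    if rec.get("ipver") != "4":
        return None
    rest = fields[len(COMMON):]
    rec.update(zip(IPV4, rest))
    if rec.get("proto") == "tcp":
        rec.update(zip(TCP, rest[len(IPV4):]))
    return rec


def is_out_of_state_block(rec):
    """True for a default-deny block of a TCP packet that is not a bare SYN.

    A non-SYN packet belongs to an existing connection, so pf dropping it
    means no matching state entry was found on that interface.
    """
    if not rec or rec["action"] != "block" or rec["tracker"] != DEFAULT_DENY_IPV4:
        return False
    return rec.get("proto") == "tcp" and rec.get("tcpflags") != "S"


if __name__ == "__main__":
    r = parse_filterlog(SAMPLE)
    print(r["iface"], r["direction"], r["src"], "->", r["dst"] + ":" + r["dport"],
          r["tcpflags"], "out-of-state:", is_out_of_state_block(r))
```

For the quoted line this reports an outbound FIN/PSH/ACK segment on ovpnc1, which is mid-connection traffic rather than a new connection attempt.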
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.