OpenVPN client process fails after upgrade to 2.7.0
-
This needs some explaining, so....
I've got two sites separated by the Internet where I need to transport Multicast traffic. I have had two boxes running for several years running static key. Pretty much the config is site A has the client machine. Motherboard NIC is WAN - used as normal. Intel 4 port card. One port is bridged to the tunnel which is configured as TAP. Traffic - multicast - goes in to this port and eventually makes it to the other side. Server is at site B where I have direct access to the public IP.. Same deal. Motherboard port is WAN, and port on Intel card is bridged to the tunnel.All has been well for several years, Most recently on 2.6.0. With the recent notices about static going away, I went down the path of migrating to TLS. Figured I'd upgrade to 2.7.0. Did that and all was still good with static key. Created CA and client / server certs. Made the necessary changes to the client and server, and I wound up with the client side OpenVPN status saying the service isn't running. Logs basically say TLS successful, but the daemon then dies. Restarted box - client - and the tunnel comes up and starts passing traffic. I restarted the service on the client, and it does the same "service now dead" thing,
This is weird. So, after a bunch of messing around, I do a fresh install of 2.6.0 on the client. Restore config, and all works. Can restart the OpenVPN service, and all works fine. So, figuring that there's some issue with 2.7.0 not liking TAP bridged to a physical interface, I do an update to 2.7.0. After reboot, tunnel comes up, and traffic passes. Restart service, and log shows TLS good, followed by fatal error, and dead daemon. This has been several iterations of clean install and complete manual client rebuild. The weird part... if I revert to static key with no other changes, it works OK again.
In the attached files, I have the client talking to the server over the LAN (via the WAN port, but private IP). Log files will show 2.6.0 coming up, and what happens after service restart. I then show what it does following updating to 2.7.0. I include the complete client config including the CA cert and key, and the client cert and key. These were made for this test, and will never be put in production. Password for the config is Password. Only LAN IPs are shown, and again this box was built from scratch to demonstrate the problem, so there's nothing sensitive in any of this.
2.7.0 seems not to like an OpenVPN tunnel bridged to a physical LAN port. I've seen some other posts that seem similar to this, but no details given. I'm trying to give as much as I can so someone who knows more than I can tell me what I'm doing wrong, if I am. Also, as far as the server side goes, I got to the point of just building a server instance on the other side with not much different than the defaults, and no bridging, so nothing fancy is needed on the server side to watch the client side fail.
This could really bite someone who has the same sort of application and they just update to 2.7.0 and all of a sudden, it's broken.
Attached files:
config-TestpfSense.mydomain.net-20230928181948.xml
Ovpn establish on 260.txt
Post upgrade to 270.txt
Tunnel establish after reboot.txt
Tunnel fail after service restart.txt
-
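The migration described in the post (a point-to-point TAP tunnel that carries bridged multicast, moved from a static key to TLS certificates), written out as an added configuration example. This is not the poster's configuration nor anything from the attachments: the interface names, file paths, hostname, the use of tls-crypt and the FreeBSD bridge commands are all assumptions, chosen to show the minimal set of directives that change when `secret` is replaced by a CA and per-peer certificates.

```conf
### Site B, the server end. Assumed file: /usr/local/etc/openvpn/server.conf
# ---- before: static key, point-to-point ----
# dev tap0
# proto udp
# port 1194
# secret /usr/local/etc/openvpn/static.key
#
# ---- after: TLS, still point-to-point (no "mode server", no ifconfig) ----
dev tap0                                  # TAP so L2 frames (incl. multicast) cross the tunnel
proto udp
port 1194
tls-server                                # peer-to-peer TLS; this end offers the server cert
ca   /usr/local/etc/openvpn/ca.crt        # CA that signed BOTH ends (assumed path)
cert /usr/local/etc/openvpn/siteB.crt
key  /usr/local/etc/openvpn/siteB.key
dh   none                                 # ECDHE key exchange; no DH parameter file needed
tls-crypt /usr/local/etc/openvpn/tc.key   # assumed: pre-shared key wrapping the TLS handshake
remote-cert-tls client                    # require the peer's cert to carry the client EKU
persist-key
persist-tun
keepalive 10 60
verb 3

### Site A, the client end. Assumed file: /usr/local/etc/openvpn/client.conf
# ---- before ----
# dev tap0
# proto udp
# remote vpn.example.net 1194
# secret /usr/local/etc/openvpn/static.key
#
# ---- after ----
dev tap0
proto udp
remote vpn.example.net 1194               # placeholder server address
tls-client
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/siteA.crt
key  /usr/local/etc/openvpn/siteA.key
tls-crypt /usr/local/etc/openvpn/tc.key   # must be the same key file as the server's
remote-cert-tls server                    # require the peer's cert to carry the server EKU
persist-key
persist-tun
keepalive 10 60
verb 3

### Bridging the tap to the LAN port, both ends (FreeBSD shell, assumed names).
### On pfSense this is done in the GUI under Interfaces > Bridges; shown here
### only to make the topology explicit.
# ifconfig bridge0 create
# ifconfig bridge0 addm tap0 addm igb1 up   # igb1 = the Intel port that receives the multicast
```

The only lines that differ between the static-key and TLS versions are the `secret` line versus the `tls-server`/`tls-client`, `ca`/`cert`/`key`, `dh none` and `remote-cert-tls` group; the TAP device, the protocol and the bridge membership are identical in both, which is the point worth keeping in mind when reading the attached "TLS good, then fatal error" logs: the TLS handshake and the bridge setup are independent stages, and the log line immediately after the handshake success is the one that identifies which stage actually fails. `remote-cert-tls` is included because without it either end will accept any certificate signed by the CA, including the other peer's role; `tls-crypt` is optional but rejects unauthenticated handshake packets before any TLS processing happens.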