Netgate Discussion Forum

    OpenVPN Connections undefined

    • stage

      We have a pfSense 2.7.2 with more than 500+ connections.
      The problem arises after updating from 2.6.0 to 2.7.2: the OpenVPN is experiencing issues.
      Specifically, the OpenVPN server with more than 100 connections reports 90% as undefined. Regarding the logging: we're not really figuring it out, but it can be added if requested.

      Anyone know what the problem is?

      Thank you very much

      • Gertjan @stage

        @stage said in OpenVPN Connections undefined:

        openVPN server with more than 100 connections reports 90% as undefined and regarding the logging

        What happens when you change the OpenVPN port from (example) 1194 to (example) 1195?
        All the "undefined connections" go away, right? 😊

        There are zillions of port scanners on the internet, testing all IP addresses for open ports.
        That these are hitting an IP, protocol and port you are using for your OpenVPN server is nothing exceptional. These will reach the OpenVPN server, but will fail to identify. For a short period of time these connection attempts will be marked as "undefined".
        This is not a real problem, as the OpenVPN server is there to stop the scanners, and only let pass the identified connections.

        @stage said in OpenVPN Connections undefined:

        We have a PFSence 2.7.2 with more than 500+ connections.

        What does this mean ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • stage @Gertjan

          @Gertjan

          The OpenVPN tunnels are already originated from different ports. We use different OpenVPN servers in pfSense.
          So, that should not be an issue, I think?

          The VPNs are connecting, using Teltonika RUT routers, and work without any problem using pfSense 2.6; the problems come when we use 2.7 or higher.

          Also we changed the following rule in the connections:
          connect-freq

          And added:
          connect-freq-initial

          Then it seems to be working better; but the connections keep coming as Undef. Also it seems that after a while there are fewer Undefs; but if we look after about 30 minutes, more than half of them are undef again :-(

          • Gertjan @stage (last edited by Gertjan)

            @stage said in OpenVPN Connections undefined:

            using PFsense 2.6; the problems come when we use 2.7 or higher.

            Oh ... that's a big red urgency button problem.
            Read this first : Home > pfSense® Software > OpenVPN, the very first pinned post.

            2.6.0 is deprecated, as is any OpenVPN before "2.6" and its OpenSSL binaries. See also the recent Netgate blog posts.
            I get it : you stick with the old versions as they work fine for you. But you also keep the now known security issues ....
            OpenVPN 2.6.8, that comes with pfSense 2.7.2, works just fine. I had to ditch non-supported Data Encryption Algorithms, and that meant I had to re-export client config files. And I had to make sure that my OpenVPN users don't use an OpenVPN client from early "2000" but a more recent one, like the one shown here.
            I know, that means you have to do some maintenance, deployment, but that's ok, as the issue isn't about the admin's comfort, but security.

            @stage said in OpenVPN Connections undefined:

            Then it seems to be working beter; but the connections keep comming as Undef; also it seems that after a while there are less Undef's; but if we look after about 30 minutes more then half of them are undef again

            If you have a lot of users, this can happen :
            They have the OpenVPN client activated, and they start to "move". This means their connection drops, and comes back, drops again, etc.
            Every time, the OpenVPN client tries to reconnect against the server. The connection gets lost, and reconnects, etc. etc.
            So some (or many) of the OpenVPN connections are what I call 'stale': they didn't finish the client-server renegotiation. I guess this is what also can produce these Undef connections shown.
            Not an issue to worry about.
            And there is just one solution : train your OpenVPN client users to disable their connection when they are not using the OpenVPN and/or start to "move" with their device (I know : easier said than done).

            • stage @Gertjan

              @Gertjan
              Here is my setup of the certs.
              If not wrong, the encryption is still up to date?

              (attached screenshot of the certificate settings)

              • stage @stage

                After running a few tests this morning (nobody works at this time except me :-) )

                AEAD Decrypt error: cipher final failed
                Open VPN TLS Error: Unroutable control packet received from
                Error: Unroutable control packet
                VERIFY WARNING: depth=1, unable to get certificate CRL:
                SIGUSR1[soft,tls-error] received, client-instance restarting
                Note: OpenSSL hardware crypto engine functionality is not available
                (in config Crypto HW: AES-NI and BSD Crypto both enabled, and reboot done)

                After a while the log shows:
                Note: OpenSSL hardware crypto engine functionality is not available
                And from one originating IP (client):
                SIGUSR1[soft,tls-error] received, client-instance restarting
                TLS Error: TLS handshake failed
                TLS Error: TLS object -> incoming plaintext read error
                TLS_ERROR: BIO read tls_read_plaintext error
                OpenSSL: error:0A000086:SSL routines::certificate verify failed:
                VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak:
                If I look at this cert, it has a signature like this: Signature Digest: RSA-SHA1 (Weak Digest)

                So we do need to check them, right?

                Problem there is that somebody makes the certificates; well, try to talk to concrete; there is no issue, he says...

                • Gertjan @stage

                  @stage

                  First of all, sorry for the confusion.
                  I somehow had the impression you were using 2.6.0, and that's not the case.
                  You are using the most recent pfSense version, that is 2.7.2.

                  This :

                  @stage said in OpenVPN Connections undefined:

                  Note: OpenSSL hardware crypto engine functionality is not available

                  is a harmless message. It's a 'Note', consider that as a friendly "Hi !".

                  @stage said in OpenVPN Connections undefined:

                  VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak:
                  If i look at this cert; it has a signature like this: Signature Digest: RSA-SHA1 (Weak Digest)

                  As said above, and I wasn't mistaken here : redo your certificates.
                  RSA-SHA1 is not concrete.
                  No need to listen to 'somebody' : you control pfSense, you can make certificates for the OpenVPN server, and then a certificate for every connected user.
                  500 OpenVPN users ? Well, ok, that will take a day or so.

                  Search the occurrence of SHA1 on this page : it's not supported anymore.

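A quick way to find the certificates that will trip the "CA signature digest algorithm too weak" error above is to read the signatureAlgorithm OID out of each exported certificate and flag SHA1. The checker below is an added example, not code from the thread or from pfSense; it uses only the standard library, accepts PEM or DER, and its `sample_pem` helper builds a constructed stand-in certificate (correct outer DER layout, dummy body) so it can be run without a real cert.

```python
import base64
import re

# Signature-algorithm OIDs -> (name, weak digest?); RSA-SHA1 is what the log above rejects.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert):
    """Return (algorithm name, weak flag) for a PEM or DER X.509 cert; flag is None if unknown."""
    if cert.lstrip().startswith(b"-----BEGIN"):  # PEM: strip armour, base64-decode
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    _, outer, _ = _read_tlv(cert, 0)  # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _read_tlv(outer, 0)  # skip tbsCertificate
    _, alg_id, _ = _read_tlv(outer, pos)  # signatureAlgorithm ::= AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg_id, 0)  # its first element is the algorithm OID
    dotted = _decode_oid(oid)
    return SIG_ALGS.get(dotted, (dotted, None))

def _der(tag, content):
    """Tiny DER encoder (contents under 128 bytes), for the constructed sample only."""
    return bytes([tag, len(content)]) + content

def sample_pem(sig_oid):
    """Constructed stand-in, not a real certificate: real outer DER layout, dummy body, PEM-armoured."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xab" * 4))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"
```

Run `signature_algorithm(open(path, "rb").read())` over the CA, server and user certificates exported from pfSense; any result with the weak flag set is one that needs to be reissued with a SHA-256 or stronger signature before the clients will verify again.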
                  • stage @Gertjan

                    @Gertjan

                    Thanks,
                    With Concrete I meant: one person in our organisation is responsible to keep the certificates up to date and also create them.
                    Working with him for changes is often like working with a piece of concrete or a big steel door ;-) (feel free to translate to Dutch)

                    • allxi

                      If you use SHA1 in clients, temporarily add "tls-cert-profile insecure" in "Advanced Configuration -> Custom options" on your server.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.