OpenVPN network table missing data after upgrade from 2.6.0 to 2.7.2

enrilor

Hi everybody,
I had an issue migrating my pfsense. The disk was almost full and I wasn't able to upgrade to new version, so I prepared a new disk with version 2.7.0, upgrade to 2.7.2, installed the extension and recovered a backup. Everythings seems to go well and all VPNs was up (I have some openvpn and some ipsec). I discovered that I had an issue with VPN table, I was not able to reach the openVPN networks from the pc behind firewall, only ipsec was working.

PFSENSE 192.168.10.254
LAN 192.168.8.0/22

OPENVPN 192.168.12.0/22 ROUTER 192.168.12.253

I was able to ping 192.168.12.253 from pfsense but not from pc on 192.168.8.0/22 network

IPSEC VPN 10.0.0.0/24
Everythings works fine

I also found another strange thing.
I had an IPSEC VPN decativated on network 192.168.45.0/24 that was switched to OpenVPN. This was working properly

Any idea ?
I will try to switch disk and then upgrade.

Vpn_networks Table after update
IP Address
10.0.0.0/24
10.30.30.0
172.18.3.0/24
172.28.12.0/24
172.28.24.0/24
192.168.1.0/24
192.168.2.0/24
192.168.25.0/24
192.168.45.0/24
192.168.120.0/24

Vpn_networks before update
Vpn_networks Table
IP Address
10.0.0.0/24
10.0.7.0/24
10.0.8.0/24
10.0.9.0/24
10.0.19.0/24
10.0.20.0/24
10.0.22.0/24
10.0.23.0/24
10.0.26.0/24
10.0.27.0/24
10.0.28.0/24
10.0.29.0/24
10.0.44.0/24
10.0.58.0/24
10.0.59.0/24
10.0.98.0/24
10.30.30.0
172.18.3.0/24
172.28.12.0/24
172.28.24.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.7.0/24
192.168.12.0/24
192.168.25.0/24
192.168.33.0/24
192.168.41.0/24
192.168.44.0/24
192.168.45.0/24
192.168.46.0/24
192.168.48.0/24
192.168.70.0/24
192.168.88.0
192.168.120.0/24
192.168.188.0/24

stephenw10

So pfSense here is an OpenVPN client?

Check the outbound NAT rules for traffic from LAN to the OpenVPN interface.

Otherwise the server side would need iroutes back to your client for the LAN subnet.

enrilor

No, pfsense is server.
Client Specific Overrides is setted

an example
iroute 172.18.3.0 255.255.255.0

It works fine with 2.6.0

Now I tried to reinstall 2.6.0 on the new disk, recovered backup and it's ok. I should try to upgrade to 2.7.2 and check if it broken again.

Will update the post soon

viragomann

@enrilor said in OpenVPN network table missing data after upgrade from 2.6.0 to 2.7.2:

Vpn_networks Table after update

If you're talking about the pfSense routing table I'd suspect that you're missing the remote networks in the server settings.

enrilor

@viragomann [

Is setted. Everythigs works fine before update.

viragomann

@enrilor
Is the server configured as "peer to peer"?

If so and you don't see the 191.168.24.0/24 in the routing table, I'd assume that there went something wrong, when adding the routes.
Restart the server and check the OpenVPN log then for regarding entries.

For the CSO, pfSense provides the "remote network" field to enter the client sides networks. This does the proper iroute for you then.

stephenw10

There seem to be some mismatches there. Your post shows the tunnel subnet as 192.168.12.0/22 with the router (server?) at 192.168.12.253.

That conflicts with the CSO.

And yes you shouldn't need to add an iroute as a custom config line like that. You already have it as a remote network.

enrilor

@viragomann
Yes Peer to Peer SSL/TLS
I tried to restart vpn. Deactive, reactivate, delete, add CSO, but not working.

enrilor

@stephenw10
192.168.12.0 is 24 not 22. Doesn't confict with 192.168.8.0/22.
I repeat this configuration works for 26 month correctly with 2.6.0, till I update to 2.7.2

enrilor

Same problem, after update from 2.6.0 to 2.7.0 vpn_network_table lose all openvpn CSO

I also get this error after upgrade

PHP_errors.log.TXT

viragomann

@enrilor
I didn't say, that restarting the server would magically solve your issue.
The goal is, that OpenVPN adds the routes to the systems routing table on startup, and there are any problems a record in the OpenVPN log would be added with details. This could help to narrow down the issue.

enrilor

@viragomann
Feb 20 19:56:08 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 MULTI: Learn: 192.168.12.31 -> canneto-mikrotik/x.x.x.x:53913
Feb 20 19:56:05 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 MULTI: Learn: 192.168.12.32 -> canneto-mikrotik/x.x.x.x:53913
Feb 20 19:56:05 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 Timers: ping 10, ping-restart 120
Feb 20 19:56:05 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 Data Channel: cipher 'AES-256-CBC', auth 'SHA1'
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 SENT CONTROL [canneto-mikrotik]: 'PUSH_REPLY,route 192.168.8.0 255.255.252.0,route-gateway 10.0.28.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.28.2 255.255.255.0' (status=1)
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 PUSH: Received control message: 'PUSH_REQUEST'
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 Data Channel MTU parms [ mss_fix:1363 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 MULTI: Learn: 192.168.12.0/24 -> canneto-mikrotik/x.x.x.x:53913
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 MULTI: internal route 192.168.12.0/24 -> canneto-mikrotik/x.x.x.x:53913
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 MULTI: primary virtual IP for canneto-mikrotik/x.x.x.x:53913: 10.0.28.2
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 MULTI: Learn: 10.0.28.2 -> canneto-mikrotik/x.x.x.x:53913
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn/server16/csc/canneto-mikrotik
Feb 20 19:56:04 openvpn 8555 canneto-mikrotik/x.x.x.x:53913 MULTI_sva: pool returned IPv4=10.0.28.2, IPv6=(Not enabled)
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 [canneto-mikrotik] Peer Connection Initiated with [AF_INET]x.x.x.x:53913
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 TLS: tls_multi_process: initial untrusted session promoted to trusted
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY OK: depth=0, CN=canneto-mikrotik, C=IT,
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY SCRIPT OK: depth=0, CN=canneto-mikrotik,
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY EKU OK
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 Validating certificate extended key usage
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY KU OK
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY OK: depth=1,
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY SCRIPT OK: de
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=internal-ca, C=IT
Feb 20 19:56:04 openvpn 8555 x.x.x.x:53913 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=canneto-mikrotik, C=IT,

that's the log I don't really see any error.
I also added at the previus post the CSO route, and it seems ok. any remote device that open a connection with local device is correctly added

stephenw10

If you remove the php error report does it return at reboot?

If it does it sounds like the upgrade did not complete correctly.

@enrilor said in OpenVPN network table missing data after upgrade from 2.6.0 to 2.7.2:

OPENVPN 192.168.12.0/22 ROUTER 192.168.12.253

So that is incorrect?

enrilor

@stephenw10
Sorry I misstype 24

enrilor

I changed in Ipsec an old tunnel that is deactiveted

the remote subnet from 192.168.7.0/24 to 192.168.12.0/24

this is the vpn_table and now it works for 192.168.12.0/24

Other Openvpn obviously not

stephenw10

Ok so it looks like:
The tunnel subnet is 10.0.28.0/24
The subnet behind the client is 192.168.12.0/24
The subnet behind the server is 192.168.8.0/22

Is that correct?

So what exactly is failing here? What does still work?

enrilor

@stephenw10
Yes

The issue is that from 192.168.8.0/22 subnet I can't reach device on 192.168.12.0/24 but from 192.168.12.0 they can reach device on 192.168.8.0/24

If you check the VPN table on the first post the subnet 192.168.12.0/24 is not in table. If it's like the CSO didn't add it.

stephenw10

It shouldn't need to be in that table as long as it's in the main routing table.

Unless maybe your traffic from LAN behind pfSense is policy routed via a WAN gateway (or group) and needs the VPN networks populated to by-pass that.

viragomann

@enrilor
Just noted that you need to set the servers verbosity level to 3 to log added routes.

And you have to restart the server as mentioned.
I'd expect to see a log line with the OpenVPN version, when the server is starting up. I'm missing this in your log snip.

The CSO is applied properly according the log. But remote networks, you've set there are is not reflected into the system routing table. This is only applied within OpenVPN.

As mentioned, it's the "Remote Networks" setting in the server configuration, which adds system routes. And the OpenVPN log should show this action.