Netgate Discussion Forum
    OpenVPN service stopping when Internet is gone v2.7.2

fthomasr:

I've got a site-to-site hub/spoke network with many (10+) SSL/TLS OpenVPN routers connected that have been going for years. They were all shared key, but recently I've converted all but 4 to SSL/TLS. They are all the same hardware and all v2.7.2. However, on a brand-new one that I recently added (it was never shared key), when its Internet service goes down for whatever reason, the OpenVPN tunnel does not come back online automatically when the Internet returns. This is not normal behavior, as that has always been rock solid in the past (shared key). What I find is that the service is just stopped. A start of the OpenVPN service brings the tunnel back up.

Here are the OpenVPN log entries showing the tunnel going down, followed by the entries from me starting it back up:

      Feb 23 21:08:13 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:14 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:14 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:14 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:14 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:15 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:16 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:16 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
      Feb 23 21:08:17 openvpn 40385 [S2SServer] Inactivity timeout (--ping-restart), restarting
      Feb 23 21:08:17 openvpn 40385 SIGUSR1[soft,ping-restart] received, process restarting
      Feb 23 21:08:17 openvpn 40385 Restart pause, 1 second(s)
      Feb 23 21:08:18 openvpn 40385 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Feb 23 21:08:18 openvpn 40385 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Feb 23 21:08:18 openvpn 40385 TCP/UDP: Preserving recently used remote address: [AF_INET]
      Feb 23 21:08:18 openvpn 40385 Socket Buffers: R=[42080->42080] S=[57344->57344]
      Feb 23 21:08:18 openvpn 40385 TCP/UDP: Socket bind failed on local address [AF_INET]: Can't assign requested address (errno=49)
      Feb 23 21:08:18 openvpn 40385 Exiting due to fatal error
      Feb 23 21:08:18 openvpn 40385 /sbin/route delete -net
      Feb 23 21:08:18 openvpn 40385 Closing TUN/TAP interface
      Feb 23 21:08:18 openvpn 40385 /sbin/ifconfig ovpnc1 -alias
      Feb 23 21:08:18 openvpn 40385 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0
      Feb 23 21:08:18 openvpn 24348 Flushing states on OpenVPN interface ovpnc1 (Link Down)

Restarted service below:

      Feb 26 09:03:52 openvpn 84295 Note: --data-cipher-fallback with cipher 'AES-128-CBC' disables data channel offload.
      Feb 26 09:03:52 openvpn 84295 OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
      Feb 26 09:03:52 openvpn 84295 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
      Feb 26 09:03:52 openvpn 84295 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F
      Feb 26 09:03:52 openvpn 84319 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1/sock
      Feb 26 09:03:52 openvpn 84319 WARNING: using --pull/--client and --ifconfig together is probably not what you want
      Feb 26 09:03:52 openvpn 84319 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Feb 26 09:03:52 openvpn 84319 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Feb 26 09:03:52 openvpn 84319 WARNING: experimental option --capath /var/etc/openvpn/client1/ca
      Feb 26 09:03:52 openvpn 84319 TCP/UDP: Preserving recently used remote address: [AF_INET]
      Feb 26 09:03:52 openvpn 84319 Socket Buffers: R=[42080->42080] S=[57344->57344]
      Feb 26 09:03:52 openvpn 84319 UDPv4 link local (bound): [AF_INET]-
      Feb 26 09:03:52 openvpn 84319 UDPv4 link remote: [AF_INET]
      Feb 26 09:03:52 openvpn 84319 TLS: Initial packet from [AF_INET]
      Feb 26 09:03:52 openvpn 84319 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=
      Feb 26 09:03:52 openvpn 84319 VERIFY OK: depth=1, CN=S2SCA
      Feb 26 09:03:52 openvpn 84319 VERIFY OK: depth=0, CN=
      Feb 26 09:03:52 openvpn 84319 Control Channel: TLSv1.3, cipher TLSv1.3 , peer certificate: 4096 bits RSA, signature: RSA-SHA512, peer temporary key: 253 bits X25519
      Feb 26 09:03:52 openvpn 84319 [S2SServer] Peer Connection Initiated with [AF_INET]
      Feb 26 09:03:52 openvpn 84319 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
      Feb 26 09:03:52 openvpn 84319 TLS: tls_multi_process: initial untrusted session promoted to trusted
      Feb 26 09:03:53 openvpn 84319 SENT CONTROL [S2SServer]: 'PUSH_REQUEST' (status=1)
      Feb 26 09:03:53 openvpn 84319 PUSH: Received control message: 'PUSH_REPLY,route
      Feb 26 09:03:53 openvpn 84319 OPTIONS IMPORT: --ifconfig/up options modified
      Feb 26 09:03:53 openvpn 84319 OPTIONS IMPORT: route options modified
      Feb 26 09:03:53 openvpn 84319 OPTIONS IMPORT: route-related options modified
      Feb 26 09:03:53 openvpn 84319 OPTIONS IMPORT: tun-mtu set to 1500
      Feb 26 09:03:53 openvpn 84319 ROUTE_GATEWAY
      Feb 26 09:03:53 openvpn 84319 TUN/TAP device ovpnc1 exists previously, keep at program end
      Feb 26 09:03:53 openvpn 84319 TUN/TAP device /dev/tun1 opened
      Feb 26 09:03:53 openvpn 84319 /sbin/ifconfig ovpnc1 mtu 1500 up
      Feb 26 09:03:53 openvpn 84319 /usr/local/sbin/ovpn-linkup ovpnc1 1500 0
      Feb 26 09:03:53 openvpn 84319 /sbin/route add -net
      Feb 26 09:03:53 openvpn 84319 ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Feb 26 09:03:53 openvpn 84319 Initialization Sequence Completed
      Feb 26 09:03:53 openvpn 84319 Data Channel: cipher '**********', peer-id: 0
      Feb 26 09:03:53 openvpn 84319 Timers: ping 10, ping-restart 60

      Researching this I saw where JIMP once advised to change the Interface from WAN to any on the client router. I would very much appreciate any help you could offer. Thank you.

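The two security-relevant things in the log above are the restart that dies on `Socket bind failed on local address ... (errno=49)` followed by `Exiting due to fatal error` (the client bound to a WAN address that was no longer assigned during the outage, so the ping-restart could not re-bind and the process exited instead of retrying), and the `No server certificate verification method has been enabled` warning, which means the client accepts any certificate signed by the CA as the server. The following is an added example, not code from the post or from pfSense, that parses log lines in the syslog format shown above (assumed: `Mon DD HH:MM:SS openvpn <pid> <message>`) and flags both conditions per OpenVPN process:

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pfSense OpenVPN client log quoted in the post.
SAMPLE_LOG = """\
Feb 23 21:08:16 openvpn 40385 write UDPv4: No route to host (fd=5,code=65)
Feb 23 21:08:17 openvpn 40385 [S2SServer] Inactivity timeout (--ping-restart), restarting
Feb 23 21:08:17 openvpn 40385 SIGUSR1[soft,ping-restart] received, process restarting
Feb 23 21:08:18 openvpn 40385 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 23 21:08:18 openvpn 40385 TCP/UDP: Socket bind failed on local address [AF_INET]: Can't assign requested address (errno=49)
Feb 23 21:08:18 openvpn 40385 Exiting due to fatal error
"""

# Assumed syslog layout: "<month> <day> <time> openvpn <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) (?P<msg>.*)$")


def parse(log):
    """Yield (timestamp, pid, message) for every line matching the pfSense openvpn log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("msg")


def diagnose(log):
    """Return (pid, finding_id, explanation) tuples, one per condition per OpenVPN process."""
    per_pid = defaultdict(list)
    for ts, pid, msg in parse(log):
        per_pid[pid].append(msg)
    findings = []
    for pid, msgs in per_pid.items():
        # Walk the messages in order: ping-restart -> local bind failure -> fatal exit.
        state = 0
        for m in msgs:
            if state == 0 and "ping-restart" in m:
                state = 1
            elif state == 1 and "Socket bind failed on local address" in m:
                state = 2
            elif state == 2 and m.startswith("Exiting due to fatal error"):
                state = 3
        if state == 3:
            findings.append((pid, "bind-fatal-exit",
                             "restart after ping-restart could not bind the local address and the "
                             "process exited instead of retrying; the bound interface address was gone"))
        if any("No server certificate verification method" in m for m in msgs):
            findings.append((pid, "no-server-verify",
                             "client does not verify the server certificate; enable remote-cert-tls "
                             "server or verify-x509-name so a CA-signed client cert cannot pose as the server"))
    return findings
```

A healthy session such as the `Initialization Sequence Completed` run later in the post produces no `bind-fatal-exit` finding, but still produces `no-server-verify` because the same warning is logged there too.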
romega3 (Banned):

        This post is deleted!
fthomasr @romega3:

          @romega3 No it's pfSense OpenVPN on both sides.

romega3 (Banned) @fthomasr:

            This post is deleted!