Netgate Discussion Forum

pfsense openvpn client to ubuntu server connects but wont reconnect

OpenVPN
    ariban99
    last edited by Dec 31, 2024, 12:18 AM

    I can successfully upload the config file into pfSense from the Ubuntu server and it connects well and works. In the server I have the extra CCD files for the client specific override.
    However, if for any reason the router restarts (updates to pfSense or any other reason) the VPN will not start and won't connect. I get "Unable to contact daemon:" and if I press the start button, nothing happens! I have to re-upload the file again as if I am making a new client.
    The logs show this:

    Dec 30 13:49:33 openvpn 82621 event_wait : Interrupted system call (fd=-1,code=4)
    Dec 30 13:49:33 openvpn 82621 Closing TUN/TAP interface
    Dec 30 13:49:33 openvpn 82621 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
    Dec 30 13:49:33 openvpn 82621 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
    Dec 30 13:49:33 openvpn 11077 Flushing states on OpenVPN interface ovpnc1 (Link Down)
    Dec 30 13:49:34 openvpn 82621 SIGTERM[hard,] received, process exiting
    Dec 30 14:14:54 openvpn 22253 Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:39: block-outside-dns (2.6.12)
    Dec 30 14:14:54 openvpn 22253 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:40: 89adff0d024f4b0cdeb8f2b5f0d7d52d (2.6.12)
    Dec 30 14:14:54 openvpn 22253 Use --help for more information.

      Gertjan @ariban99
      posted Jan 2, 2025, 7:40 AM; last edited by Gertjan Jan 2, 2025, 7:42 AM

      This one :

      @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:

      Dec 30 14:14:54 openvpn 22253 Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:39: block-outside-dns (2.6.12)

      You see this option ( taken from the pfSense Client Export page ) :

      [screenshot: login required to view]

      I know, you've created your client ovpn config file on an Ubuntu OpenVPN server, but somehow the option was set in the config file. As pfSense, and thus the OpenVPN client, isn't "Windows", it tells you that it can't understand that option.
      Open your ovpn config file in a text editor, you will find :

      setenv opt block-outside-dns
      

      Line 39 ;)

      and that option only makes sense on a Windows OpenVPN system, not a pfSense OpenVPN.

      Btw : It's just a message telling the admin, "what are you doing ? I'm not a Windows system, I will ignore this option".

      @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:

      Dec 30 14:14:54 openvpn 22253 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:40: 89adff0d024f4b0cdeb8f2b5f0d7d52d (2.6.12)

      This is the actual error that will make the pfSense OpenVPN client fail.

      Open the config file again.
      You'll see stuff like this :

      [screenshot: login required to view]

      Somehow, the ovpn config is misinterpreted, and the OpenVPN client completely fails.

      The line was 40 .... but that can't be true, because that line would have to start with (for example) :

      <ca>
      -----BEGIN CERTIFICATE-----
      

      or, well, we already know that on line 39 you have this

      setenv opt block-outside-dns
      

      Show us your ovpn config file.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        ariban99 @Gertjan
        last edited by Jan 2, 2025, 7:45 AM

        @Gertjan thank you for your reply, this is the ovpn file (I changed the IP and certs)
        client
        proto udp
        explicit-exit-notify
        remote 1.1.1.1 1194
        dev tun
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        remote-cert-tls server
        verify-x509-name server_11e name
        auth SHA256
        auth-nocache
        cipher AES-128-GCM
        tls-client
        pull-filter ignore redirect-gateway
        route-nopull
        route 10.8.0.0 255.255.255.0
        tls-version-min 1.2
        tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
        ignore-unknown-option block-outside-dns
        setenv opt block-outside-dns # Prevent Windows 10 DNS leak
        verb 3
        <ca>
        -----BEGIN CERTIFICATE-----
        111
        -----END CERTIFICATE-----
        </ca>
        <cert>
        -----BEGIN CERTIFICATE-----
        11
        -----END CERTIFICATE-----
        </cert>
        <key>
        -----BEGIN PRIVATE KEY-----
        11
        -----END PRIVATE KEY-----
        </key>
        <tls-crypt>
        #
        # 2048 bit OpenVPN static key
        #
        -----BEGIN OpenVPN Static key V1-----
        11
        -----END OpenVPN Static key V1-----
        </tls-crypt>

          Gertjan @ariban99
          posted Jan 2, 2025, 7:56 AM; last edited by Gertjan Jan 2, 2025, 7:57 AM

          @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:

          setenv opt block-outside-dns # Prevent Windows 10 DNS leak

          That's line 22, or close, not line 39 as your pfSense OpenVPN client said.

          Double check with what the OpenVPN client actually uses : it's here :

          /var/etc/openvpn/client1/config.ovpn
          

          (the '1' here might be a '2' )

          The rest of the format looks right to me.
          Just to be sure, before importing, remove the inline comment :

          [screenshot: login required to view]

          Or remove that line entirely, as it is a Windows only option, and pfSense isn't Windows ;)


            ariban99 @Gertjan
            last edited by Jan 2, 2025, 8:39 AM

            @Gertjan I removed the line completely, now the logs show an issue with the tls cipher:
            Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
            Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'state 1'
            Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'status 2'
            Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client disconnected
            Jan 1 22:35:22 openvpn 82472 event_wait : Interrupted system call (fd=-1,code=4)
            Jan 1 22:35:22 openvpn 82472 Closing TUN/TAP interface
            Jan 1 22:35:22 openvpn 82472 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
            Jan 1 22:35:22 openvpn 82472 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
            Jan 1 22:35:22 openvpn 48655 Flushing states on OpenVPN interface ovpnc1 (Link Down)
            Jan 1 22:35:22 openvpn 82472 SIGTERM[hard,] received, process exiting
            Jan 1 22:35:23 openvpn 52243 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:35: tls-cipher (2.6.12)
            Jan 1 22:35:23 openvpn 52243 Use --help for more information.
            Jan 1 22:37:45 openvpn 94131 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:34: <tls-crypt>-----BEGIN (2.6.12)
            Jan 1 22:37:45 openvpn 94131 Use --help for more information.

              ariban99 @ariban99
              last edited by Jan 2, 2025, 8:49 AM

              @ariban99 I tried removing the tls-cipher and hence got the second error:
              Jan 1 22:37:45 openvpn 94131 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:34: <tls-crypt>-----BEGIN (2.6.12)
              Jan 1 22:37:45 openvpn 94131 Use --help for more information.
              but if I put it back I only get:
              Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
              Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'state 1'
              Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'status 2'
              Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client disconnected
              Jan 1 22:35:22 openvpn 82472 event_wait : Interrupted system call (fd=-1,code=4)
              Jan 1 22:35:22 openvpn 82472 Closing TUN/TAP interface
              Jan 1 22:35:22 openvpn 82472 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
              Jan 1 22:35:22 openvpn 82472 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
              Jan 1 22:35:22 openvpn 48655 Flushing states on OpenVPN interface ovpnc1 (Link Down)
              Jan 1 22:35:22 openvpn 82472 SIGTERM[hard,] received, process exiting
              Jan 1 22:35:23 openvpn 52243 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:35: tls-cipher (2.6.12)
              Jan 1 22:35:23 openvpn 52243 Use --help for more information.

                Gertjan @ariban99
                last edited by Jan 2, 2025, 9:04 AM

                @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:

                tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

                Hummm.

                Run

                openvpn --show-tls
                

                on the pfSense command line (the real one, console or SSH).
                pfSense 2.7.2 or 24.11 uses a recent OpenVPN, 2.6.12, and probably doesn't support your "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" (I guess ...)

                I don't recall having seen these two :

                @ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:

                tls-version-min 1.2
                tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

                in my config files - client or server.

                This part :

                <tls-crypt>
                #
                # 2048 bit OpenVPN static key
                #
                -----BEGIN OpenVPN Static key V1-----
                893c76e84187bb1e40f987c83db4d256
                affa44d8bdafead00ef6c206862f1d39
                fda1cac0ea6cd969c2f35d1777256f90
                e11433e025ae0024a2583ac71db58b55
                857f07c3e2ff571cee71e5d7070b07a4
                b5a7b74ab7a4fc9420104f0760840fed
                47ecc410d57de29ba7c75e02b91dda2d
                .......
                97577cfa0a03aa384350e49bf26d2b15
                97ba6f852d7b3531f8204a73c7f1293f
                ece32853d36402fe32c384500c0baa5d
                d98ddda17568898ed19b75671bb24467
                8c5a6102dc6ab3275c6fa36d8853b668
                -----END OpenVPN Static key V1-----
                </tls-crypt>
                

                is 'mandatory'.
                Yours looks the same ?


                  ariban99 @Gertjan
                  last edited by Jan 2, 2025, 9:14 AM

                  @Gertjan the output is:
                  Available TLS Ciphers, listed in order of preference:

                  For TLS 1.3 and newer (--tls-ciphersuites):

                  TLS_AES_256_GCM_SHA384
                  TLS_CHACHA20_POLY1305_SHA256
                  TLS_AES_128_GCM_SHA256

                  For TLS 1.2 and older (--tls-cipher):

                  TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                  TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                  TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
                  TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                  TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                  TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                  TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
                  TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                  TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                  TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
                  TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
                  TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
                  TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
                  TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
                  TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
                  TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
                  TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
                  TLS-DHE-RSA-WITH-AES-256-CBC-SHA
                  TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
                  TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
                  TLS-DHE-RSA-WITH-AES-128-CBC-SHA

                  Be aware that that whether a cipher suite in this list can actually work
                  depends on the specific setup of both peers. See the man page entries of
                  --tls-cipher and --show-tls for more details.

                    ariban99 @Gertjan
                    last edited by Jan 2, 2025, 9:17 AM

                    @Gertjan
                    both my client ovpn and the server config file have
                    tls-version-min 1.2
                    tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

                    yes my file has this for the TLS (I broke the real one with lines that start with 111)

                    <tls-crypt>
                    #
                    # 2048 bit OpenVPN static key
                    #
                    -----BEGIN OpenVPN Static key V1-----
                    89adff0d024f4b0cdeb8f2b5f0d7d52d
                    1111ec561
                    6757da21950d7bf075cbd3b9430fd552
                    7861728c9db9a99c8da70d09678c4c94
                    6900a656e7642edc64ada8c960f9990e
                    111120e67dc1
                    4b996b5309bc42e7771fe43637fdc1ce
                    986ea2b7c8116b5577c503a790bc0f0d
                    111e2544be6b
                    ab6a818fb8dd5e212ee5f0183e43ff1b
                    -----END OpenVPN Static key V1-----
                    </tls-crypt>

                      ariban99 @Gertjan
                      last edited by Feb 4, 2025, 4:19 AM

                      @Gertjan
                      In case anyone has this issue, I found the solution. Besides removing the DNS line, remove the TLS key from Custom options under Advanced Configuration towards the bottom of the OpenVPN client. Then go to the top and select Use a TLS Key, then uncheck Automatically generate a key and paste your key from your server there.
                      Then for TLS Key Usage Mode change it to TLS Encryption and Authentication.
                      Now it works after saving the changes!

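A small pre-import checker, added here as an example (not code from the thread or from pfSense), for the two problems the thread worked through: it splits a client .ovpn into option lines and inline <tag> blocks, lists the block-outside-dns lines that only serve the Windows DNS-leak workaround, pulls the tls-crypt body out for the TLS Key field, and flags bare hex lines that were parsed as options, which is the symptom behind the `config.ovpn:40: 89adff0d...` message. The sample config, its flattened variant and the key body are constructed placeholders.

```python
import re
# Constructed sample in the shape of the thread's client config (key body is a placeholder).
SAMPLE_OVPN = """client
remote 192.0.2.10 1194
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
</tls-crypt>
"""
# Constructed variant with the opening tag lost, the shape the ':40: 89adff0d...' log line implies.
FLATTENED_OVPN = SAMPLE_OVPN.replace("<tls-crypt>\n", "")
WINDOWS_ONLY = {"block-outside-dns"}  # meaningful only to the Windows OpenVPN client

def parse_ovpn(text):
    """Split an .ovpn into option lines [(lineno, tokens)] and inline blocks {tag: [lines]}."""
    options, blocks, tag = [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if tag:                                   # inside <tag>...</tag>: keep body verbatim
            if raw.strip() == f"</{tag}>":
                tag = None
            else:
                blocks.setdefault(tag, []).append(raw.rstrip())
            continue
        line = raw.split("#", 1)[0].strip()       # drop inline comments like the DNS-leak one
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            tag = m.group(1)
        elif line:
            options.append((lineno, line.split()))
    return options, blocks

def block_outside_dns_lines(options):
    """Lines that only serve the Windows DNS-leak workaround; safe to drop for pfSense."""
    return [(n, " ".join(t)) for n, t in options if WINDOWS_ONLY & set(t)]

def stray_key_lines(options):
    """Line numbers of bare 32-hex 'options': static-key material parsed outside its block."""
    return [n for n, t in options if len(t) == 1 and re.fullmatch(r"[0-9a-f]{32}", t[0])]

def tls_crypt_key(blocks):
    """Static key body for pfSense's TLS Key field, '#' comment lines removed."""
    return "\n".join(l for l in blocks.get("tls-crypt", []) if not l.startswith("#"))
```

Run it against the real export before importing: a non-empty `stray_key_lines` result means the key block will be fed to OpenVPN line by line as options, exactly what the first log excerpt shows.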
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.