pfsense openvpn client to ubuntu server connects but wont reconnect
-
I can successfully upload the config file into pfSense from the Ubuntu server and it connects well and works. On the server I have the extra CCD files for the client-specific override.
However, if for any reason the router restarts (updates to pfSense or any other reason) the VPN will not start and won't connect. I get the "Unable to contact daemon:" and if I press the start button, nothing happens! I have to re-upload the file again as if I am making a new client.
Logs show this:
Dec 30 13:49:33 openvpn 82621 event_wait : Interrupted system call (fd=-1,code=4)
Dec 30 13:49:33 openvpn 82621 Closing TUN/TAP interface
Dec 30 13:49:33 openvpn 82621 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
Dec 30 13:49:33 openvpn 82621 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
Dec 30 13:49:33 openvpn 11077 Flushing states on OpenVPN interface ovpnc1 (Link Down)
Dec 30 13:49:34 openvpn 82621 SIGTERM[hard,] received, process exiting
Dec 30 14:14:54 openvpn 22253 Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:39: block-outside-dns (2.6.12)
Dec 30 14:14:54 openvpn 22253 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:40: 89adff0d024f4b0cdeb8f2b5f0d7d52d (2.6.12)
Dec 30 14:14:54 openvpn 22253 Use --help for more information. -
This one :
@ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:
Dec 30 14:14:54 openvpn 22253 Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:39: block-outside-dns (2.6.12)
You see this option (taken from the pfSense Client Export page):
I know, you've created your client ovpn config file on an Ubuntu OpenVPN server, but somehow the option was set in the config file. As pfSense, and thus the OpenVPN client, isn't "Windows", it tells you that it can't understand that option.
Open your ovpn config file in a text editor, you will find:
setenv opt block-outside-dns
Line 39 ;)
and that option only makes sense on a Windows OpenVPN system, not on pfSense OpenVPN.
Btw: it's just a message telling the admin, "what are you doing? I'm not a Windows system, I will ignore this option".
@ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:
Dec 30 14:14:54 openvpn 22253 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:40: 89adff0d024f4b0cdeb8f2b5f0d7d52d (2.6.12)
This is the actual error that makes the pfSense OpenVPN client fail.
Open the config file again.
You'll see stuff like this:
Somehow, the ovpn config is misinterpreted, and the OpenVPN client completely fails.
The line was 40 .... but that can't be true, because that line would have to start with (for example):
<ca> -----BEGIN CERTIFICATE-----
or, well, we already know that on line 39 you have this:
setenv opt block-outside-dns
Show us your ovpn config file.
-
@Gertjan thank you for your reply, this is the ovpn file (I changed the IP and certs):
client
proto udp
explicit-exit-notify
remote 1.1.1.1 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_11e name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
pull-filter ignore redirect-gateway
route-nopull
route 10.8.0.0 255.255.255.0
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
111
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
11
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
11
-----END PRIVATE KEY-----
</key>
<tls-crypt>2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
11
-----END OpenVPN Static key V1-----
</tls-crypt> -
@ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
That's line 22, or close, not line 39 as your pfSense OpenVPN client said.
Double check with what the OpenVPN client actually uses; it's here:
/var/etc/openvpn/client1/config.ovpn
(the '1' here might be a '2')
The rest of the format looks right to me.
Just to be sure, before importing, remove the inline comment:
Or remove that line entirely, as it is a Windows-only option, and pfSense isn't Windows ;)
-
@Gertjan I removed the line completely; now the logs show an issue with the TLS cipher:
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'state 1'
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'status 2'
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client disconnected
Jan 1 22:35:22 openvpn 82472 event_wait : Interrupted system call (fd=-1,code=4)
Jan 1 22:35:22 openvpn 82472 Closing TUN/TAP interface
Jan 1 22:35:22 openvpn 82472 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
Jan 1 22:35:22 openvpn 82472 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
Jan 1 22:35:22 openvpn 48655 Flushing states on OpenVPN interface ovpnc1 (Link Down)
Jan 1 22:35:22 openvpn 82472 SIGTERM[hard,] received, process exiting
Jan 1 22:35:23 openvpn 52243 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:35: tls-cipher (2.6.12)
Jan 1 22:35:23 openvpn 52243 Use --help for more information.
Jan 1 22:37:45 openvpn 94131 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:34: <tls-crypt>-----BEGIN (2.6.12)
Jan 1 22:37:45 openvpn 94131 Use --help for more information. -
@ariban99 I tried removing the tls-cipher and hence got the second error:
Jan 1 22:37:45 openvpn 94131 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:34: <tls-crypt>-----BEGIN (2.6.12)
Jan 1 22:37:45 openvpn 94131 Use --help for more information.
but if I put it back I only get:
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'state 1'
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: CMD 'status 2'
Jan 1 22:35:02 openvpn 82472 MANAGEMENT: Client disconnected
Jan 1 22:35:22 openvpn 82472 event_wait : Interrupted system call (fd=-1,code=4)
Jan 1 22:35:22 openvpn 82472 Closing TUN/TAP interface
Jan 1 22:35:22 openvpn 82472 /sbin/ifconfig ovpnc1 10.8.0.0 -alias
Jan 1 22:35:22 openvpn 82472 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.0.0 255.255.255.0 init
Jan 1 22:35:22 openvpn 48655 Flushing states on OpenVPN interface ovpnc1 (Link Down)
Jan 1 22:35:22 openvpn 82472 SIGTERM[hard,] received, process exiting
Jan 1 22:35:23 openvpn 52243 Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1/config.ovpn:35: tls-cipher (2.6.12)
Jan 1 22:35:23 openvpn 52243 Use --help for more information. -
@ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
Hummm.
Run
openvpn --show-tls
on the pfSense command line (the real one, console or SSH).
pfSense 2.7.2 or 24.11 uses a recent OpenVPN, 2.6.12, and probably doesn't support your "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" (I guess ...)
I don't recall having seen these two:
@ariban99 said in pfsense openvpn client to ubuntu server connects but wont reconnect:
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
in my config files - client or server.
This part:
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
893c76e84187bb1e40f987c83db4d256
affa44d8bdafead00ef6c206862f1d39
fda1cac0ea6cd969c2f35d1777256f90
e11433e025ae0024a2583ac71db58b55
857f07c3e2ff571cee71e5d7070b07a4
b5a7b74ab7a4fc9420104f0760840fed
47ecc410d57de29ba7c75e02b91dda2d
.......
97577cfa0a03aa384350e49bf26d2b15
97ba6f852d7b3531f8204a73c7f1293f
ece32853d36402fe32c384500c0baa5d
d98ddda17568898ed19b75671bb24467
8c5a6102dc6ab3275c6fa36d8853b668
-----END OpenVPN Static key V1-----
</tls-crypt>
is 'mandatory'.
Yours looks the same? -
@Gertjan the output is:
Available TLS Ciphers, listed in order of preference:

For TLS 1.3 and newer (--tls-ciphersuites):
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

For TLS 1.2 and older (--tls-cipher):
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Be aware that that whether a cipher suite in this list can actually work
depends on the specific setup of both peers. See the man page entries of
--tls-cipher and --show-tls for more details. -
@Gertjan
Both my client ovpn and the server config file have
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
Yes, my file has this for the TLS (I broke the real one with lines that start with 111):
<tls-crypt>
2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
89adff0d024f4b0cdeb8f2b5f0d7d52d
1111ec561
6757da21950d7bf075cbd3b9430fd552
7861728c9db9a99c8da70d09678c4c94
6900a656e7642edc64ada8c960f9990e
111120e67dc1
4b996b5309bc42e7771fe43637fdc1ce
986ea2b7c8116b5577c503a790bc0f0d
111e2544be6b
ab6a818fb8dd5e212ee5f0183e43ff1b
-----END OpenVPN Static key V1-----
</tls-crypt>
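A script that runs the checks Gertjan walks through in this thread over a client .ovpn before it is imported: the Windows-only `setenv opt block-outside-dns` line (and the `ignore-unknown-option` that goes with it), the inline comment on an option line, the shape of the `<tls-crypt>` block, and whether the configured `tls-cipher` appears in the `openvpn --show-tls` output. This is an added example written for this thread; it is not pfSense, OpenVPN or Gertjan's code, and its messages and line numbers are its own, not OpenVPN's. Assumptions: the key inside `<tls-crypt>` is a 2048-bit OpenVPN Static key V1 (16 lines of 32 hex characters); non-key text inside that block is only accepted as a `#` comment, which is the format Gertjan's own block shows rather than a documented OpenVPN rule; and the sample config and abbreviated `--show-tls` listing embedded below are constructed to mirror the thread (documentation IP, dummy repeated key lines), not taken from a live system.

```python
"""Pre-import check of an OpenVPN client .ovpn headed for pfSense.
Added example for this thread, not pfSense, OpenVPN or Gertjan's code; see the lead-in."""
import re
from dataclasses import dataclass, field

WINDOWS_ONLY = {"block-outside-dns"}           # options that only mean something on Windows clients
KEY_TAGS = {"tls-auth", "tls-crypt"}            # inline blocks whose body is an OpenVPN Static key V1
HEX_LINE = re.compile(r"^[0-9a-f]{32}$")        # one 16-byte line of a V1 static key
KEY_HEX_LINES = 16                              # 2048-bit key = 256 bytes = 16 such lines (assumption)


@dataclass
class Report:
    errors: list = field(default_factory=list)    # OpenVPN would refuse to start
    warnings: list = field(default_factory=list)  # remove before importing
    options: dict = field(default_factory=dict)   # option name -> args (last one wins)


def lint_ovpn(text: str) -> Report:
    rep, tag, tag_line, hex_lines = Report(), None, 0, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if tag is not None:                                   # inside <tag> ... </tag>
            if line == f"</{tag}>":
                if tag in KEY_TAGS and hex_lines != KEY_HEX_LINES:
                    rep.errors.append(f"{tag_line}: <{tag}> has {hex_lines} key lines, expected {KEY_HEX_LINES}")
                tag = None
            elif tag in KEY_TAGS:
                if HEX_LINE.match(line):
                    hex_lines += 1
                elif not line.startswith(("#", "-----")):      # only '#' comments and BEGIN/END markers belong here
                    rep.errors.append(f"{n}: uncommented text inside <{tag}>: {line!r}")
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>(.*)", line)
        if m:                                                 # opening tag of an inline block
            tag, tag_line, hex_lines = m.group(1), n, 0
            if m.group(2):
                rep.errors.append(f"{n}: text after <{tag}> on the tag line: {m.group(2)!r}")
            continue
        body = line
        for mark in (" #", " ;"):                              # trailing inline comment on an option line
            if (pos := line.find(mark)) != -1:
                body = line[:pos].rstrip()
                rep.warnings.append(f"{n}: inline comment on an option line; remove it before importing")
                break
        name, *args = body.split()
        rep.options[name] = args
        if name == "setenv" and args[:1] == ["opt"] and args[1:2] and args[1] in WINDOWS_ONLY:
            rep.warnings.append(f"{n}: 'setenv opt {args[1]}' is Windows-only; pfSense's OpenVPN does not know it")
        if name == "ignore-unknown-option" and args and set(args) <= WINDOWS_ONLY:
            rep.warnings.append(f"{n}: 'ignore-unknown-option' only covers a Windows-only option; drop it too")
    if tag is not None:
        rep.errors.append(f"{tag_line}: <{tag}> is never closed")
    return rep


def tls_cipher_supported(cipher: str, show_tls_output: str) -> bool:
    """True if cipher is in the TLS 1.2 '--tls-cipher' list of 'openvpn --show-tls' output."""
    in_list = False
    for line in show_tls_output.splitlines():
        s = line.strip()
        if s.endswith("(--tls-cipher):"):                     # header of the TLS 1.2 section
            in_list = True
        elif in_list and s.startswith("TLS-"):
            if s == cipher:
                return True
        elif in_list and s:                                    # first non-cipher line ends the list
            break
    return False


# Constructed sample mirroring the thread's config: documentation address, dummy repeated key lines.
SAMPLE_OVPN = """\
remote 192.0.2.10 1194
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
<tls-crypt>2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
""" + "\n".join(["0123456789abcdef" * 2] * 16) + """
-----END OpenVPN Static key V1-----
</tls-crypt>
"""
# Constructed, abbreviated 'openvpn --show-tls' output in the shape the thread shows.
SHOW_TLS = """\
For TLS 1.3 and newer (--tls-ciphersuites):
TLS_AES_128_GCM_SHA256

For TLS 1.2 and older (--tls-cipher):
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
Be aware that that whether a cipher suite in this list can actually work
"""

if __name__ == "__main__":
    rep = lint_ovpn(SAMPLE_OVPN)
    print(*(["ERROR " + e for e in rep.errors] + ["WARN  " + w for w in rep.warnings]), sep="\n")
    print("tls-cipher listed:", tls_cipher_supported(rep.options["tls-cipher"][0], SHOW_TLS))
```

Run it against the file you upload and against the file pfSense actually hands to OpenVPN, `/var/etc/openvpn/client1/config.ovpn` (the `1` may differ), and compare the two reports: the errors quoted in this thread carry line numbers from the second file, so that is the copy whose `<tls-crypt>` lines need to come out clean. The script does not say what pfSense's importer does to the file; it only reports what each copy contains, and the real `--show-tls` output should be pasted in place of the constructed `SHOW_TLS`.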