Netgate Discussion Forum

    Upgrade 2.6 to 2.7 Open VPN broken

      voxmagna1
      last edited by voxmagna1

      I tried this update a long time ago and it broke a lot of things, including OpenVPN, and expired certificates lurked until discovered with Certificate Manager. There are many posts here and on VPN sites about this. After a lot of time I've discovered why my 2.6.0 to 2.7.0 went bad:

      OpenVPN has had various updates, and the latest versions are installed in the pfSense 2.7 build. My problem was in the OpenVPN advanced options, in a custom string where the syntax had been deleted or changed. 'ncp-disable' is not in the latest version's command set, and DHCP and DNS are not the same either; they are now handled differently. Refer to the latest version of the OpenVPN manual and check any command syntax you may have used in previous pfSense versions. They will exist in backups if you try importing them.

      I've learned a lesson that a pfSense update with updated packages may not be backwards compatible with previous configurations. Many users help us with pfSense configurations, but I will be more careful if they are for different versions.

      1 Reply Last reply Reply Quote 0
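The failure described in this post, as an added example that is not part of the original post or of pfSense: a Python check that reads a config.xml backup before an upgrade and lists OpenVPN custom options naming directives the newer OpenVPN no longer accepts. The element names (`openvpn-server`, `openvpn-client`, `custom_options`, `description`) are assumptions about the backup layout, and the sample XML is constructed; only `ncp-disable` comes from the post.

```python
import re
import xml.etree.ElementTree as ET

# 'ncp-disable' is the directive named in the post above. Extend this set
# from the OpenVPN manual for the version your target pfSense release ships.
REMOVED_DIRECTIVES = {"ncp-disable"}

# Assumed element names for OpenVPN instances in config.xml; check your backup.
INSTANCE_TAGS = ("openvpn-server", "openvpn-client")


def split_options(raw):
    """Split a custom-options string on ';' or newlines into directive lines."""
    parts = re.split(r"[;\r\n]+", raw or "")
    return [p.strip() for p in parts if p.strip() and not p.strip().startswith("#")]


def audit_config(xml_text, removed=REMOVED_DIRECTIVES):
    """Return (instance_tag, description, option_line) for each flagged option."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in INSTANCE_TAGS:
        for inst in root.iter(tag):
            descr = (inst.findtext("description") or "").strip()
            for line in split_options(inst.findtext("custom_options")):
                # Directives may be written with or without a leading "--".
                name = line.split()[0].lstrip("-").lower()
                if name in removed:
                    findings.append((tag, descr, line))
    return findings


# Constructed sample standing in for a real backup file.
SAMPLE = """<pfsense><openvpn>
  <openvpn-server><description>Home RA</description>
    <custom_options>ncp-disable;push "route 192.168.10.0 255.255.255.0"</custom_options>
  </openvpn-server>
  <openvpn-client><description>Provider</description>
    <custom_options>persist-key
--ncp-disable</custom_options>
  </openvpn-client>
  <openvpn-client><description>Clean</description><custom_options></custom_options></openvpn-client>
</openvpn></pfsense>"""

if __name__ == "__main__":
    for tag, descr, line in audit_config(SAMPLE):
        print(f"{tag} '{descr}': review custom option -> {line}")
```

An instance that appears in the output is one whose custom string the upgrade code will carry over unchanged, so it is the one to rewrite before upgrading.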
        stephenw10 Netgate Administrator
        last edited by

        Almost everything should be updated by the upgrade code to produce something compatible but, yes, not custom options. There's no way we could account for everything there.

        I assume the OpenVPN instance just didn't start and threw an error?

        V 1 Reply Last reply Reply Quote 0
          voxmagna1 @stephenw10
          last edited by voxmagna1

          @stephenw10 Yes, you are correct. My pfSense config is unusual because all my home network clients are on static IPs, the only way I could understand and easily filter and remotely route direct to WAN ISP or VPN from a desktop host PC. Some websites still block access from a VPN. I use an IP switcher app on a client PC to hot switch the static IP to change the route. Therefore, when my routing goes wrong (after an update), it's hard to revisit my config. and sort it out.

          pfSense is an aggregator of 3rd party packages sucked in from pfSense servers during an update, and so I discovered config. conflicts can arise. Many are unlikely to look at package version changes and how these can be responsible for breaking a previously working configuration, and in this respect, as you said, pfSense isn't backwards compatible.

          Unfortunately, after this happens you are left with a broken, crashed box; previous XML backup files with their package info. can't be imported into a later upgrade. Even if they could, the GUI link can be broken and you can't access the upgrade via a browser. On a commercial hardware firewall the system image prior to a reflash is saved locally and can be restored. pfSense wipes everything with no easy way back.

          I've had pfSense crash during upgrade attempts and don't now enable automatic upgrade, although I need an easier route to restore an original config. I tried 2.7.2 but it seemed a huge change and much larger compared to 2.7.0?

          Ideally I'd like to export the working box SSD image and restore that from an external drive after a crash. I can't see a way of doing it through FreeBSD, so I'm looking at externally mounting the internal drive and using a PC adaptor. It's less work (after a GUI fail crash) to replace the drive or replace the working image from a PC than removing the box and doing a clean re-install from flash, then pray it will work as before. An option I haven't tried is using a USB3 stick instead of the internal mSATA drive, if FreeBSD and pfSense can install on it without compromising performance.

          I often forget my ISP credentials, not often needed after first setup. I'm sure older versions of pfSense, e.g. 2.6.0, allowed an installation from flash to proceed offline before requiring an active WAN to download packages? Later upgrades seem to require the WAN active to do anything?

          stephenw10S 1 Reply Last reply Reply Quote 0
            stephenw10 Netgate Administrator @voxmagna1
            last edited by

            @voxmagna1 said in Upgrade 2.6 to 2.7 Open VPN broken:

            previous XML backup files with their package info. can't be imported into a later upgrade.

            Yes they can. The upgrade code will update the config to the current version for any older config. What you can't do is go the other way and import a new config into an older pfSense version.

            But upgrade code only exists for GUI options. If you have included anything custom then it will not be upgraded.

            If you're running ZFS you can just take a BE snap before upgrade. If you're running Plus that is done automatically and in the event of a boot failure it will rollback to the last known good BE.

            The legacy installer images for CE are still available here.

            V 1 Reply Last reply Reply Quote 0
              voxmagna1 @stephenw10
              last edited by

              @stephenw10 Yes, you are correct, I misunderstood myself. After my box crashed doing the 2.6.0 to 2.7.0 upgrade, and eventually after getting 2.7.0 to work, I compared both XML backup files and only saw differences in time stamps, but now realise it's the import of updated packages that caused my problem.

              I'm running ZFS and will look at taking an image snap once I work out how to get from pfSense to FreeBSD, out and back via a USB3 port. That suggests I need an external monitor, keyboard, and mouse on the box, unless it can be done through the pfSense GUI, but that won't work for recovery if the GUI has crashed. I've met these situations before and an image snap can only be trusted to work if you've actually used it successfully to recover. In the PC world I've trusted and used Acronis for years. Thanks for the link. I've always created bootable flash sticks and created matching config XMLs. Once the box crashes, I'm offline with no internet access to download anything or get help asking questions. I still keep an ISP Thomson box handy just in case.

              Thanks for your help - regards - Vox

              1 Reply Last reply Reply Quote 1
              • jimpJ jimp moved this topic from Problems Installing or Upgrading pfSense Software on
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.