pfSense 2.4.5->2.6.0 OpenVPN: "no route to host"
-
The title pretty much sums it up: Updating pfSense 2.4.5 to 2.6.0 breaks OpenVPN. OpenVPN connects, says "no route to host" and then disconnects.
The virtualized pfSense install is set up in such a way that when there's no internet access through VPN, all internet traffic is blocked. There's a topic somewhere about how to set up this so-called "kill switch".
The VM with this pfSense install has been in use as PIA VPN client for years, this to do selective tunneling with the help of a proxy-server in pfSense.
The VM with 2.4.5, though outdated, still works without problems, thankfully I made a backup. But the copy that I updated to 2.6.0 keeps throwing the "no route to host" error, not sure why.
As far as other errors, I spotted one during boot: sockd depends on "libcrypto.so.8" which is not found.
And there's a warning in OpenVPN's log about compression:
Jun 8 10:43:07 openvpn 50709 WARNING: Compression for sending and receiving enabled. Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using "--allow-compression yes" is strongly discouraged for common usage. See --compress in the manual page for more information
The compression is configured as shown on PIA's website: https://helpdesk.privateinternetaccess.com/guides/routers/pfsense/pfsense-2-6-0-openvpn-setup
Oh and just in case someone asks why 2.6.0 and not 2.7.0, when I tried to update to 2.7.0, all I got was "Please wait while the update system initializes", while with 2.6.0 the update process began immediately. Figured I'd do 2.6.0 first and then continue with 2.7.0, once I've got things working again that is.
Can anyone think of a change between 2.4.5 and 2.6.0 that could explain the "no route to host" and if related to the connection problem, the missing "libcrypto.so.8" error?
I've skimmed through pfSense's changelog, don't see anything obvious standing out, though could've missed something, there's a lot to go through.
-
@bartgrefte
Library errors can mean the wrong version of things was installed. Specifically how did you choose update branches etc? Did you try to update or install a package after? (See my sig) If starting back far enough Netgate usually recommends just installing new and restoring the config file.
-
@SteveITS said in pfSense 2.4.5->2.6.0 OpenVPN: "no route to host":
@bartgrefte
Library errors can mean the wrong version of things was installed. Specifically how did you choose update branches etc? Did you try to update or install a package after? (See my sig) If starting back far enough Netgate usually recommends just installing new and restoring the config file.
I chose the branch on System->Update -> System Update ( pfSenseIP/pkg_mgr_install.php?id=firmware ), this after the update to 2.7.0 didn't start, then thought it might be better to go to 2.6.0 first which I selected on that page.
Couldn't do anything after the update because, due to the down connection with PIA-VPN, there was no internet access in pfSense. I'd have to find the tutorial about the "kill switch" firewall rules to see how that works; it's been so long since I set this up that I've forgotten how...
The library issue aside, did anything significant change between 2.4.5 and 2.6.0 that could influence OpenVPN connections? Other than the "no route to host" (and library issue with the proxy server) I've got nothing to go on, setting up the connection with PIA seems to go without any authentication or certificate errors, just the "no route to host"-error.
edit: @SteveITS Just checked pfSenseIP/diag_routes.php and compared the working and not working install. There are no routes related to ovpnc1 on the not working install. Seems there's no route being created upon connecting to PIA.
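
The routing-table comparison described in the last post can be scripted. This is an added example, not part of the thread: the two captures are constructed samples in the FreeBSD `netstat -rn -f inet` layout, and the function names `routes_on` and `missing_on` are hypothetical.

```shell
#!/bin/sh
# Constructed captures in FreeBSD `netstat -rn -f inet` layout (not from the thread).
working_routes() {
cat <<'EOF'
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.1           UGS      ovpnc1
10.8.0.1           link#7             UH       ovpnc1
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U           em0
EOF
}
broken_routes() {
cat <<'EOF'
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U           em0
EOF
}

# routes_on IFACE: read a routing table on stdin and print the destinations
# whose Netif column (4th field) is IFACE. The header line never matches.
routes_on() {
    awk -v ifc="$1" 'NF >= 4 && $4 == ifc { print $1 }'
}

# missing_on IFACE GOOD BAD: print destinations that are routed via IFACE
# in the GOOD capture but have no route via IFACE in the BAD capture.
missing_on() {
    good=$(printf '%s\n' "$2" | routes_on "$1" | LC_ALL=C sort)
    bad=$(printf '%s\n' "$3" | routes_on "$1" | LC_ALL=C sort)
    for dest in $good; do
        # -x whole-line, -F literal: "10.8.0.1" must not match "10.8.0.10"
        printf '%s\n' "$bad" | grep -qxF "$dest" || printf '%s\n' "$dest"
    done
}

echo "Routes on ovpnc1 missing from the non-working capture:"
missing_on ovpnc1 "$(working_routes)" "$(broken_routes)"
```

On a live system, replace the two sample functions with saved `netstat -rn -f inet` output from each install.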