2.6.20 Upgrade Issues with OpenVPN & pfBlockerNG
Using pfSense 2.8.1, I upgraded OpenVPN per the instructions provided about CVE-2026-40215, confirmed and restarted all the VPNs. But after the update I have had issues, especially with the TUN VPNs not working. Client/server connects and the server authenticates, but then the client would time out waiting for confirmation of username/password. As there are so many fixes in Plus, I upgraded to 26.03.1 in case that would solve the issues, but alas it is still a problem there as well.
In troubleshooting, this appears to be a problem with a combination of many VPNs and a heavy pfBlocker load. I have a similar system with only 1 VPN and it does not have the problem. The problem always goes away if pfBlocker is turned off. The issue is not related to memory or CPU, as the systems I am testing have more than 48 GB of memory and very powerful CPUs.
Configuration of the system with issues:
96 GB memory
Dual Xeon E5-2470 v2
12 TUN VPNs
4 TAP VPNs
pfBlockerNG with IP Blacklists & DNSBL configured
Suricata with numerous networks
Troubleshooting & Workarounds so far:
Main workaround: turn off pfBlocker. Suricata on/off made no difference.
pfBlocker IP blocks on but DNSBL off worked.
pfBlocker IP blocks on and DNSBL with malware and other filters on but the porn filter off works, but connections are slower to establish. Note the porn filter is the single biggest filter list.
Of course, testing the different DNSBL options takes a lot of time, as after each change pfBlocker must be reloaded, which with a lot of lists can take 30 minutes to an hour each time.
I'll do more testing as time allows, but hopefully this may help someone else. What is odd to me is that it only affects the TUN VPNs, as TAP VPNs are so much more complicated.
If anyone has any other ideas they would like me to test/try let me know!
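Because each DNSBL change costs a 30-to-60-minute reload, it helps to have a quick, objective readout of the failure the post describes (server says the peer authenticated, client never gets its reply) per OpenVPN instance, instead of hand-testing each tunnel. The following is an added example, not code from the poster or from pfSense or OpenVPN: it classifies sessions from OpenVPN's syslog-style server log (on pfSense these lines normally land in the OpenVPN log under /var/log, which is an assumption about the deployment) and counts, per server instance (keyed on the openvpn[pid] tag, since each instance logs under its own PID), how many connections completed, how many timed out after "Peer Connection Initiated", and how long the slowest completed connection took. The sample log lines are constructed for the example; they mirror the shape of standard OpenVPN messages, and the substrings matched ("TLS: Initial packet", "Peer Connection Initiated", "PUSH_REPLY", "TLS Error", "Inactivity timeout", "AUTH_FAILED") are the ones I assume your log contains.

```python
"""Classify OpenVPN server sessions from syslog lines, per server instance.

Added example (not part of the original post). Assumes OpenVPN's usual
syslog-style message format; the sample lines below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample log (not from the poster). PIDs 1001/1002 stand in for
# two separate OpenVPN server instances; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 10 12:00:00 fw openvpn[1001]: 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=aa bb
Jun 10 12:00:02 fw openvpn[1001]: 203.0.113.5:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Jun 10 12:00:03 fw openvpn[1001]: alice/203.0.113.5:51234 PUSH: Received control message: 'PUSH_REQUEST'
Jun 10 12:00:03 fw openvpn[1001]: alice/203.0.113.5:51234 SENT CONTROL [alice]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0' (status=1)
Jun 10 12:00:05 fw openvpn[1002]: 198.51.100.7:40000 TLS: Initial packet from [AF_INET]198.51.100.7:40000, sid=cc dd
Jun 10 12:00:09 fw openvpn[1002]: 198.51.100.7:40000 [bob] Peer Connection Initiated with [AF_INET]198.51.100.7:40000
Jun 10 12:01:10 fw openvpn[1002]: bob/198.51.100.7:40000 [bob] Inactivity timeout (--ping-restart), restarting
Jun 10 12:02:00 fw openvpn[1002]: 198.51.100.8:40001 TLS: Initial packet from [AF_INET]198.51.100.8:40001, sid=ee ff
Jun 10 12:03:00 fw openvpn[1002]: 198.51.100.8:40001 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# syslog timestamp, host, openvpn[pid], optional "cn/" prefix, peer ip:port, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[(?P<pid>\d+)\]: "
    r"(?:(?P<cn>[^/ ]+)/)?(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)


def _ts(text: str) -> datetime:
    # Syslog lines carry no year; a fixed (default) year is fine for intra-day deltas.
    return datetime.strptime(text.replace("  ", " "), "%b %d %H:%M:%S")


def parse_openvpn_log(lines) -> List[dict]:
    """Group log lines into sessions keyed by (instance pid, peer ip:port)."""
    sessions: Dict[tuple, dict] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault((m["pid"], m["peer"]), {
            "instance": m["pid"], "peer": m["peer"], "cn": None,
            "start": None, "auth": None, "push_reply": None,
            "fail": None, "fail_reason": None,
        })
        t, msg = _ts(m["ts"]), m["msg"]
        if m["cn"]:
            s["cn"] = m["cn"]
        if msg.startswith("TLS: Initial packet"):
            s["start"] = s["start"] or t            # first packet of the handshake
        elif "Peer Connection Initiated" in msg:
            s["auth"] = t                           # TLS + user auth succeeded server-side
            cn = re.search(r"\[([^\]]+)\] Peer Connection Initiated", msg)
            if cn:
                s["cn"] = cn.group(1)
        elif "'PUSH_REPLY" in msg:
            s["push_reply"] = t                     # client got its config: tunnel is up
        elif msg.startswith("TLS Error") or "Inactivity timeout" in msg or "AUTH_FAILED" in msg:
            s["fail"] = t
            s["fail_reason"] = msg
    return list(sessions.values())


def classify(s: dict) -> str:
    if s["push_reply"] is not None:
        return "completed"
    if s["auth"] is not None and s["fail"] is not None:
        return "timeout_after_auth"   # the symptom in the post: authenticated, then nothing
    if s["fail"] is not None:
        return "tls_failed"
    return "incomplete"


def summarize(sessions: List[dict]) -> Dict[str, dict]:
    """Per-instance counts plus the slowest successful establishment time."""
    out: Dict[str, dict] = {}
    for s in sessions:
        inst = out.setdefault(s["instance"], {
            "total": 0, "completed": 0, "timeout_after_auth": 0,
            "tls_failed": 0, "incomplete": 0, "max_establish_s": 0.0,
        })
        inst["total"] += 1
        inst[classify(s)] += 1
        if s["start"] and s["push_reply"]:
            secs = (s["push_reply"] - s["start"]).total_seconds()
            inst["max_establish_s"] = max(inst["max_establish_s"], secs)
    return out


if __name__ == "__main__":
    for pid, stats in summarize(parse_openvpn_log(SAMPLE_LOG.splitlines())).items():
        print(pid, stats)
```

Run it against the real log before and after each pfBlocker/DNSBL change (feed the file's lines to parse_openvpn_log instead of SAMPLE_LOG) and compare the timeout_after_auth count and max_establish_s per instance; that turns "connections are slower to establish" into a number, and a TUN-only rise in timeout_after_auth while the TAP instances stay at zero would support the observation in the post. Because instances are keyed by PID, map PIDs to tunnel names from your own process list, since PIDs change on every OpenVPN restart.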