OpenVPN Not Running?



  • Hey all,

    I've had OpenVPN working on 1.2.3 for a few months now, and was working on adding another interface today (having a different port only allow access to one machine).  For some reason or other, I couldn't get it working (handshake would fail after 60 seconds, but the firewall log claimed it passed the UDP connection from my machine, nothing appeared in the OpenVPN log about it).

    Out of curiosity, I installed the OpenVPN packages in the package manager, both Status and Enhancements.  I haven't touched any other configurations, but things that were working this morning (both UDP and TCP port 1194 connections) now simply time out.  Trying to telnet into the port (which again, worked this morning) results in a timeout, leading me to believe the OpenVPN service isn't running.  Again, the firewall log claims it passes the traffic on port 1194, so it's not being blocked there.

    I've tried restarting the machine twice, and now the OpenVPN log isn't displaying anything at all (I could usually at least get a SIGTERM if I disabled a tunnel).

    Is there any way to see if OpenVPN is running and a way to start/restart it if it isn't running?

    Thanks


  • Rebel Alliance Developer Netgate

    To show any active processes, go to Diagnostics > Command, and enter "ps uxaww | grep openvpn"

    Telnet will not work if your server mode is set to UDP.



  • Yup, running that command just shows the command itself being run.  Running it in the shell returns nothing.

    Nothing in the starting logs indicates OpenVPN even tried to start, much less an error to work with, except the error described at http://forum.pfsense.org/index.php?topic=24684.0 which looks like it wouldn't be the problem.

    Is there any way to force OpenVPN to start?

    About the telnet, I had both TCP and UDP 1194 running OpenVPN for different subnets, I was using NMAP to test just UDP port connectivity (which is currently saying TCP is filtered, UDP is open|filtered).


  • Rebel Alliance Developer Netgate

    There isn't a way to force OpenVPN to start as a whole, but editing and saving a tunnel should restart that one tunnel instance.

    Something should show up in the OpenVPN log at least, or the system log.

    If not, it may not even be trying to run the tunnels. Can you try to disable all but the one tunnel you had working before and then restart?



  • Turning tunnels on and off produces no logs in either openvpn.log (which is a binary file when I try reading it) and system.log simply talks about ARP.

    Turning all but a known working tunnel off and restarting causes no changes.


  • Rebel Alliance Developer Netgate

    The logs are clog format, not plain text. I thought you were viewing them from the WebGUI, which handles this automatically.

    See here:
    http://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_%28clog%29

    Do you see the OpenVPN configuration files in /var/etc ?



  • Ah, the WebGUI shows a blank page, which is why I started looking in the shell.

    In /var/etc, I can see openvpn_csc, and the .ca/.cert/.conf/.dh/.key for all of my tunnels.


  • Rebel Alliance Developer Netgate

    Can you try to run one of them by hand like so:

    openvpn --config /var/etc/openvpn_server0.conf
    


  • openvpn: Command not found

    Well I'm sure that's part of the problem.  No clue how it got uninstalled, and no clue how to get it back :(


  • Rebel Alliance Developer Netgate

    If you're running 1.2.3 full install, download a 1.2.3 full update image and then use it to upgrade. Since you're already on 1.2.3 it will just replace any missing files.



  • Great!  That did the trick.

    Now to figure out my other issues, but I'll post another thread if I get really stuck.

    Thanks a bunch for your help.
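
The checks suggested across this thread, reordered so that a missing binary (the cause found here) is ruled out first. This is an added example, not code from the thread's participants or from pfSense; the function name `openvpn_triage`, the `openvpn_*.conf` glob and the `openvpn --config <file>` command-line match are assumptions based on the `/var/etc/openvpn_server0.conf` command quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage a silent OpenVPN failure.
# Assumption: per-tunnel configs match openvpn_*.conf in the directory
# passed as $1 (the thread shows /var/etc/openvpn_server0.conf).

openvpn_triage() {
    conf_dir="${1:-/var/etc}"

    # 1. Is the binary installed at all? In the thread this was the root
    #    cause, and nothing was logged because nothing could be started.
    if ! command -v openvpn >/dev/null 2>&1; then
        echo "binary-missing"
        return 1
    fi

    # 2. Were per-tunnel configuration files generated?
    set -- "$conf_dir"/openvpn_*.conf
    if [ ! -e "$1" ]; then
        echo "no-configs"
        return 2
    fi

    # 3. Does each config have a running process? The process list is
    #    captured before any grep starts, so the search cannot match
    #    itself (the "just shows the command itself" result in the thread).
    procs=$(ps axww -o command 2>/dev/null)
    not_running=""
    for conf in "$@"; do
        # Assumption: tunnels are launched as "openvpn --config <file>".
        if ! printf '%s\n' "$procs" | grep -qF -- "openvpn --config $conf"; then
            not_running="$not_running $conf"
        fi
    done

    if [ -n "$not_running" ]; then
        echo "not-running:$not_running"
        return 3
    fi
    echo "ok"
}
```

Call it as `openvpn_triage /var/etc` from a shell on the firewall; the exit status (1, 2 or 3) tells you which of the three checks failed first.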


Locked