OpenVPN fails to create route after upgrade to rc1

  • Hi folks,

    after an upgrade from Beta-5 (early February I believe), to RC-1, I have a problem with the openvpn client connections.
    The connection itself works just fine, but when pfsense tries to add a route to the vpn network, it logs this error:

    openvpn[766]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

    Naturally, without the route I cannot access the vpn network on the other side, so this is really a problem atm.
    Does anyone have any suggestions on how to fix or debug this further?


  • What is the command failing?

  • The actual command is not shown in the logs, just the error message posted above. Is there a way to up the verbosity of the openvpn client?

  • I was about to post the same thing. I just upgraded my main office from 1.2.3 to 2.0rc1, everything worked previously.

    I'm using pre-shared key, site to site openvpn, main office is the server, remote office is client. My remote site (also 2.0 rc1) is fine, it can access everything in the main office without issue. However from the main office going to the remote site, I've got nothing. This error is in the openvpn log on the main office side:

    openvpn[43883]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

    Now if I ssh into pfsense, I can ping the remote office fine, so somewhere the routing is correct. From any of my vlans though it fails, it appears it's routing straight out to the internet.

    on the pfsense box, netstat -nr has a routing entry:
        UGS         0     2424 ovpns2

    Background info:
    Local network is (with a bunch of vlans)
    remote site is

    In the openvpn config, I have the info above, tunnel network is on both sides.
    On the server side, I have:

    route;push "route";

    in the advanced options.

  • Rebel Alliance Developer Netgate

    The usual reason for FreeBSD to fail adding a route is that you already have a route to that subnet.

    It's not 100% clear what exactly is where in your setup. Can you specify it a bit more in depth? At least distinguish exactly what subnets are at the main office and which are on the client side. Also, show the openvpn config and route table on both sides.

  • Ok, a little more testing and I was incorrect earlier, I can access the remote site from the other vlans, except (vlan 100 - SAA). It figures this is the one I need though.
    Let me know if you need more screenshots or info.

    Main office: - OpenVPN server - Dual WAN (WAN_T1 & WAN_DSL, openvpn tied to WAN_TA)
    subnets can be seen below in the routing table, but generally they are VLAN 100 VLAN 101

    Remote office: - OpenVPN client

    Routing tables -Main Office

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default       UGS         0   931024    em1      UGHS        0      784 pppoe0       UGHS        0      784    em1       link#9             U           0  1588250 em0_vl          link#9             UHS         0        0    lo0       link#10            U           0    30961 em0_vl          link#10            UHS         0        0    lo0       link#11            U           0    25691 em0_vl          link#11            UHS         0        0    lo0       link#12            U           0     5922 em0_vl          link#12            UHS         0        0    lo0       link#13            U           0        0 em0_vl          link#13            UHS         0        0    lo0       link#14            U           0        0 em0_vl          link#14            UHS         0        0    lo0       link#15            U           0        0 em0_vl          link#15            UHS         0        0    lo0       link#16            U           0   251035 em0_vl          link#16            UHS         0        0    lo0      link#17            U           0    35227 em0_vl         link#17            UHS         0        0    lo0      link#18            U           0        0 em0_vl         link#18            UHS         0        0    lo0      link#24            U           0        0 em0_vl         link#24            UHS         0        0    lo0      link#19            U           0    36129 em0_vl         link#19            UHS         0        0    lo0     link#20            U           0    31750 em0_vl        link#20            UHS         0        0    lo0     link#21            U           0    74373 em0_vl        link#21            UHS         0        0    lo0     link#22            U           0    19915 em0_vl        link#22            UHS         0        0    lo0      link#23            U           0        0 em0_vl         link#23            UHS         0        0    lo0        UGS         0      157 ovpns1        link#26            UHS         0        0    lo0        link#26            UH          0        0 ovpns1        link#27            UHS         0        0    lo0        link#27            UH          0        0 ovpns2      link#25            UHS         0        0    lo0  link#2             U           0      234    em1     link#2             UHS         0        0    lo0          link#7             UH          0      194    lo0        UGS         0   202444 ovpns2    UGHS        0     4468 pppoe0    UGHS        0     4498 pppoe0     UGHS        0        0    em1    UGHS        0        0 pppoe0    link#25            UH          0        0 pppoe0

    Routing tables- Remote Office

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default      UGS         0 42180042 pppoe0        UGS         0   222473 ovpnc2        link#10            UH          0      788 ovpnc2        link#10            UHS         0        0    lo0       link#8             UHS         0      555    lo0          link#4             UH          0       97    lo0        US          0        0    em1        link#2             UHS         0  1808284    lo0    link#1             U           0 37595518    em0       link#1             UHS         0        0    lo0      UGS         0    23784 ovpns1      link#9             UHS         0        0    lo0      link#9             UH          0        0 ovpns1    link#8             UH          0   942669 pppoe0

  • Rebel Alliance Developer Netgate

    Do you see anything in the firewall logs on either side?

    Have you done packet captures on both routers to see if the traffic you expect to see is actually going into the VPN tunnel interface?

  • And doing some further testing, I'm not sure this is an openvpn thing. I also have a few ipsec tunnels to some other lesser used sites. The ipsec tunnels are created using the subnet also, and again all vlans except for 100 can access the remote sites.

    I'd guess there is a more basic network config problem, but I'm just not seeing it. All the main subnets/vlans are created with the same /24 scheme, with similar rules.

    Nothing in the firewall logs on either side.

  • Ok, I've found the cause. My last rule in that vlans sends all non-local traffic (using an inverse) to my the 'failover' gateway group, vlan 100 is the only one that uses 'failover' as it's gateway, all the other vlans use the default. Is the gateway group bypassing the vpn tunnels when routing traffic?

    Any thoughts on the best solution? (I can create a rule just before the inverse block allow the vpn traffic, didn't know if that is the cleanest solution).

  • Rebel Alliance Developer Netgate

    That is the cleanest solution, make a rule above that that has a gateway of 'default'.

Log in to reply