PfSense OpenVPN as a client is not persistent and complains of "route add" fail
  • Hi Everyone,

    I have just set up pfSense 1.2.3 to connect to a CentOS OpenVPN server. It connects and the clients on both sides have access to each other. However, in System Log > OpenVPN I see this, which worries me:

    Apr 17 22:43:03	openvpn[21428]: LZO compression initialized
    Apr 17 22:43:03	openvpn[21429]: UDPv4 link local (bound): [undef]:1194
    Apr 17 22:43:03	openvpn[21429]: UDPv4 link remote: 66.77.88.99:11194
    Apr 17 22:43:03	openvpn[13333]: SIGTERM[hard,] received, process exiting
    Apr 17 22:43:04	openvpn[21429]: [192-168-20-50] Peer Connection Initiated with 66.77.88.99:11194
    Apr 17 22:43:05	openvpn[21429]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.6)
    Apr 17 22:43:05	openvpn[21429]: gw 10.10.9.1
    Apr 17 22:43:05	openvpn[21429]: TUN/TAP device /dev/tun0 opened
    Apr 17 22:43:05	openvpn[21429]: /sbin/ifconfig tun0 172.16.14.6 172.16.14.5 mtu 1500 netmask 255.255.255.255 up
    Apr 17 22:43:05	openvpn[21429]: /etc/rc.filter_configure tun0 1500 1558 172.16.14.6 172.16.14.5 init
    Apr 17 22:43:08	openvpn[21429]: ERROR: FreeBSD route add command failed: shell command exited with error status:
    Apr 17 22:43:08	openvpn[21429]: Initialization Sequence Completed

    1- Notice in the second-to-last line how pfSense complains of not being able to do a "route add"? I have seen that happen before on Windows Vista where there are no administrative privileges. Is this a bug?

    2- Despite putting this line in the "Custom Options" setting section of the client, my tunnel is not persistent:

    persist-key;persist-tun;resolv-retry infinite

    This works fine when using the OpenVPN client from Windows, and a reconnect happens if the OpenVPN server is down for a second or so, but it doesn't seem to give me that persistence when I put it as an option on the pfSense client side.

    Is there anything I can do to fix this?

    Thanks


  • Rebel Alliance Developer Netgate

    What does the server config look like?



  • I don't think that matters, as I have tested this on Windows with the OpenVPN client, and adding a persistent tunnel actually gives me retries if the connection drops, without any changes to the server config. But here it is:

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert key1.crt
    key key2.key
    dh dh1024.pem
    server 172.16.14.0 255.255.255.0
    push "route 172.16.14.0 255.255.255.0"
    client-config-dir ccd
    route 10.200.200.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    user nobody
    group users
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    client-to-client
    cipher AES-256-CBC


    By the way do you know why this is:

    Apr 17 22:43:08	openvpn[21429]: ERROR: FreeBSD route add command failed: shell command exited with error status:

    Thanks


  • Rebel Alliance Developer Netgate

    The route error generally only happens if you already have a route to the network that you're trying to get pushed from the server side.



  • Thank you very much for the input.

    Okay, that makes sense, as I have a perfectly fine connection. Maybe I should restart the router to confirm this 100%, because once restarted, all routes will be lost.

    So, what are your thoughts about:
    "persist-key;persist-tun;resolv-retry infinite"

    Thanks,

