    After upgrade to 2.1.2 OpenVPN interface don't up

      LittleGreenMan last edited by

      Hi to all.
      After upgrading from 2.1 to 2.1.1, and tonight to 2.1.2, I have a strange problem:
      the ovpnc1 interface always has state DOWN after a reboot or restart.

      ```
      ovpnc1: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=80000<LINKSTATE>
              ether 00:bd:13:55:00:01
              Opened by PID 96032
      ```

      If I bring it up from the shell, or re-save the interface in the GUI (Interfaces -> MSKVPN (the interface assigned to ovpnc1) -> SAVE), everything works as needed until a reboot or an OpenVPN reconnect.
      Strangely, I also have ovpnc2, which is always in the up state:

      ```
      ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
              options=80000<LINKSTATE>
              inet6 fe80::205:5dff:fe33:f602%ovpns2 prefixlen 64 scopeid 0xb
              nd6 options=1<PERFORMNUD>
              Opened by PID 11431
      ```

      My net config:
      WAN
      LAN
      ovpnc1 (assigned MSKVPN) as client of site-to-site OpenVPN
      Bridge0 members LAN & ovpnc1 (historically it was 1 network, 192.168.100.0/24, which was divided between 2 cities)
      ovpnc2 as server for Roadwarrior.
      Best regards,
      Konstantin.
      P.S. sorry for my English.

        jwsmiths last edited by

        Same problem here!

          ChristOff last edited by

          Same problem too (vpn tap with certificate + bridge)

          The VPN connects correctly (according to the logs on both the client and server side), but no traffic passes through it as the interface is down.
          Going to the interface properties and hitting save makes it work.

          The problem doesn't happen with vpn tun with shared key to another location

          It began with 2.1.1

            saftig last edited by

            If I recall correctly it has something to do with a timing issue at bootup. The bridge is applied before the interfaces are started when the bridge needs to be applied after the interfaces have been initialized. Someone on the forums has already found a temporary work-around but not having the issue in the first place would be preferable. https://forum.pfsense.org/index.php?topic=74625.0

              jwsmiths last edited by

              I think this has to do with an error in the tap driver - that's my guess b/c I haven't restarted my pfsense box.  The openvpn tap interface was created and then a bridge was added and after I tried to connect from my MacBook via my iPhone over LTE the interface went down and won't come up again w/o restart - but then once it does I try to connect and it crashes again.

                LittleGreenMan last edited by

                Hi.
                I don't know what caused the problem.
                At this time I'm using a workaround: a sh script which checks every minute whether the ovpnc1 interface is up or down, then checks that the connection to the other side works, and then brings the OpenVPN interface up.

                ```
                cat /usr/local/bin/openvpn_autoup.sh
                #!/bin/sh
                # workaround for openvpn

                # check if it is already up
                if /sbin/ifconfig ovpnc1 | grep UP > /dev/null 2>&1 ; then
                    # nothing to do
                    :
                else
                    # check internet is up
                    if /sbin/ping -c2 -t5 XXXXX.linkpc.net > /dev/null 2>&1 ; then
                        /sbin/ifconfig ovpnc1 up
                    fi
                fi
                ```

                Plus add a cron rule:

                ```
                cat /etc/crontab
                SHELL=/bin/sh
                PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
                HOME=/var/log
                #minute hour    mday    month   wday    who      command
                #
                #
                # pfSense specific crontab entries
                # Created: April 12, 2014, 5:36 pm
                #

                1,31    0-5     *       *       *       root    /usr/bin/nice -n20 adjkerntz -a
                1       3       1       *       *       root    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
                */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
                1       1       *       *       *       root    /usr/bin/nice -n20 /etc/rc.dyndns.update
                */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
                30      12      *       *       *       root    /usr/bin/nice -n20 /etc/rc.update_urltables
                #my rule to check openvpn
                */1     *       *       *       *       root    /usr/local/bin/openvpn_autoup.sh
                #
                # If possible do not add items to this file manually.
                # If you do so, this file must be terminated with a blank line (e.g. new line)
                #

                ```

                Best regards,
                Konstantin.
                P.S. sorry for my english.

                  phil.davis last edited by

                  Maybe ermal has had a go at fixing this by the commits on 12 April 2014 - https://github.com/pfsense/pfsense/commits/RELENG_2_1
                  Those are since the 2.1.2 release.
                  Someone could try applying those changes and report if their system is happy.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    saftig last edited by

                    @phil.davis:

                    Maybe ermal has had a go at fixing this by the commits on 12 April 2014 - https://github.com/pfsense/pfsense/commits/RELENG_2_1
                    Those are since the 2.1.2 release.
                    Someone could try applying those changes and report if their system is happy.

                    Applied and still not working, I made sure to check twice that everything was in order. Saving either the OpenVPN-interface or the bridge gets the interface up and running again, just like before.

                      saftig last edited by

                      After Phil's typo fix this morning I can report that it's running flawlessly so far! https://github.com/pfsense/pfsense/commit/c58dbe2fa836d26e3cf4a2077a4b6d398edc763f

                        phil.davis last edited by

                        Yes, I discovered that fat-fingers typo when playing with 2.2.
                        Anyway, good to know that the functional side of ermal's fixes is working, once the fat fingers are removed from the equation  ;)

                          simi8 last edited by

                          Same problem here, what can I do?

                            phil.davis last edited by

                            Look at the changes on 2.1 branch from (and including) 10 April 2014. Those are things that have been done since 2.1.2-RELEASE came out:
                            https://github.com/pfsense/pfsense/commits/RELENG_2_1

                            For this OpenVPN with bridges… problem, I think you need to make the changes from 3 commits:

                            1. Take care of the loops reported for OpenVPN in tap mode https://github.com/pfsense/pfsense/commit/f96b9a1830ee2b08c142207ebfa4f695d0628853
                            2. Forgot to remove the problematic part from previous OpenVPN loop fix https://github.com/pfsense/pfsense/commit/1f43ccf5539126254efa509e087133b522ee264f
                            3. Fix typo https://github.com/pfsense/pfsense/commit/c58dbe2fa836d26e3cf4a2077a4b6d398edc763f

                            Maybe you can use the System Patches package to apply all 3?

                              jimp Rebel Alliance Developer Netgate last edited by

                              I rolled the relevant commits into one patch file here:

                              http://files.pfsense.org/jimp/patches/openvpn-tapbridgefix-2.1.x.diff

                              You can use that with the system patches package.

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                                quyda last edited by

                                @jimp:

                                I rolled the relevant commits into one patch file here:

                                http://files.pfsense.org/jimp/patches/openvpn-tapbridgefix-2.1.x.diff

                                You can use that with the system patches package.

                                Hello

                                I'm a newbie here. How do I update with this file?

                                Thanks
                                Q

                                  jimp Rebel Alliance Developer Netgate last edited by

                                  http://doc.pfsense.org/index.php/System_Patches

                                    simi8 last edited by

                                    Thanks for the support. I simply copied the new version of rc.newwanip and now everything works.

                                    I would like to ask a more general question about the organization of updates in an open source project like pfSense.
                                    For example, now there is this bug in the OpenVPN files, and on GitHub it is fixed, but officially I don't receive any patch until the next release, right? What are the criteria commonly used to consider a release stable? Is "release management" the right word to describe this process?

                                      jimp Rebel Alliance Developer Netgate last edited by

                                      It's not quite so complex. A release … has been released. That's really its only distinction. It's been tested fairly thoroughly for common issues and configurations but not all corner cases -- yet.

                                      There aren't really any concrete qualifications for it to be called "stable" -- There is a bug, yes, but it impacts a very low number of users. If it were a huge bug that affected many users, it may warrant another release.

                                        bennyc last edited by

                                        Also encountered the issue… took me a while before I figured out what was going on (updating multiple systems at once (not only pfSense) adds a lot of variables... lessons learned here  ::) )
                                        I installed the code changes by hand, but for sure going to try the system patches next time (another something learned)

                                        Tnx all...

                                        When in doubt, see: https://tools.ietf.org/html/rfc1925

                                          bennyc last edited by

                                          @ Jimp
                                          I know this is almost hijacking the thread, but as it is related… I tried to apply it as a system patch. Fetching works, but the test gave me these results:

                                          ```
                                          Output of full patch apply test:
                                          /usr/bin/patch --directory=/ -t -p1 -i /var/patches/534e74ea334a2.patch --check --forward --ignore-whitespace

                                          Hmm...  Looks like a unified diff to me...
                                          The text leading up to this was:
                                          |diff --git a/etc/rc.linkup b/etc/rc.linkup
                                          |index 1994336..b39f876 100755
                                          |--- a/etc/rc.linkup
                                          +++ b/etc/rc.linkup
                                          Patching file etc/rc.linkup using Plan A...
                                          Hunk #1 succeeded at 60.
                                          Hmm...  The next patch looks like a unified diff to me...
                                          The text leading up to this was:
                                          |diff --git a/etc/rc.newwanip b/etc/rc.newwanip
                                          |index 2fa450c..201f085 100755
                                          |--- a/etc/rc.newwanip
                                          +++ b/etc/rc.newwanip
                                          Patching file etc/rc.newwanip using Plan A...
                                          Hunk #1 succeeded at 62.
                                          Hunk #2 succeeded at 70.
                                          Hunk #3 succeeded at 113.
                                          Hunk #4 succeeded at 184.
                                          Hmm...  The next patch looks like a unified diff to me...
                                          The text leading up to this was:
                                          |diff --git a/etc/rc.newwanipv6 b/etc/rc.newwanipv6
                                          |index 92fe5ea..177e645 100755
                                          |--- a/etc/rc.newwanipv6
                                          +++ b/etc/rc.newwanipv6
                                          Patching file etc/rc.newwanipv6 using Plan A...
                                          Hunk #1 succeeded at 59.
                                          Hunk #2 succeeded at 69.
                                          Hunk #3 succeeded at 81.
                                          Hunk #4 succeeded at 106.
                                          Hunk #5 succeeded at 147.
                                          done
                                          ```

                                          As it also states this:

                                          Patch can be applied cleanly (detail)
                                          Patch can NOT be reverted cleanly (detail)

                                          and I am unfamiliar with patches (for now, learning here  ;) ) it seemed a better idea to ask if that is ok & safe to apply?

                                            jimp Rebel Alliance Developer Netgate last edited by

                                            If the "apply" button shows, it can be applied safely.

                                            The test shows that the apply action would work. ("Patch can be applied cleanly (detail)")

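The apply and revert tests discussed in the two posts above, as an added example that is not part of any post or of the System Patches package: a dry run in each direction tells whether a diff is not yet applied, already applied, or does not fit the tree. The sample file and diff are constructed, the function names are hypothetical, and `--dry-run` is used as the check-only flag because GNU patch accepts it (the command in the output above uses `--check`).

```shell
#!/bin/sh
# Added example: classify a unified diff against a tree using dry runs only.

# patch_state DIR PATCHFILE -> prints applicable | applied | conflict
patch_state() {
    dir=$1
    pf=$2
    command -v patch >/dev/null 2>&1 || { echo "patch not found" >&2; return 2; }
    # -t: never prompt; -N: do not treat an already applied patch as reversed
    if patch -d "$dir" -p1 -t -N --dry-run -i "$pf" >/dev/null 2>&1; then
        echo applicable   # forward test passes, so a reverse test would fail
    elif patch -d "$dir" -p1 -t -R --dry-run -i "$pf" >/dev/null 2>&1; then
        echo applied      # only the reverse test passes
    else
        echo conflict     # the tree matches neither side of the diff
    fi
}

# Build a constructed sample tree and diff (not the real pfSense files).
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc"
    printf '%s\n' 'line one' 'old line' 'line three' > "$d/etc/rc.sample"
    cat > "$d/fix.diff" <<'EOF'
--- a/etc/rc.sample
+++ b/etc/rc.sample
@@ -1,3 +1,3 @@
 line one
-old line
+new line
 line three
EOF
    echo "$d"
}

# Walk the sample through all three states, printing one state per line.
demo() {
    d=$(make_demo) || return 1
    patch_state "$d" "$d/fix.diff"                      # before applying
    patch -d "$d" -p1 -t -N -i "$d/fix.diff" >/dev/null 2>&1
    patch_state "$d" "$d/fix.diff"                      # after applying
    echo 'local edit' > "$d/etc/rc.sample"              # simulate a hand edit
    patch_state "$d" "$d/fix.diff"
    rm -rf "$d"
}

demo
```

The first state corresponds to the pair of results quoted above: on a patch that has not been applied yet, the forward test passes and the reverse test cannot.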
                                              bennyc last edited by

                                              Right. (I was already afraid it was a noob question  ???)
                                              Applied & so far it doesn't complain. Tnx once more…

                                                vlassic last edited by

                                                @jimp:

                                                I rolled the relevant commits into one patch file here:

                                                http://files.pfsense.org/jimp/patches/openvpn-tapbridgefix-2.1.x.diff

                                                You can use that with the system patches package.

                                                This fixed it for me. Thanks a lot. Anyone know if this fix will be rolled into a later version?

                                                  jimp Rebel Alliance Developer Netgate last edited by

                                                  The fix is already in for 2.2

                                                  IFF there is another security issue that necessitates another 2.1.x release it will be in there also, but unless something like that comes up the next release will be 2.2.

                                                    ahull last edited by

                                                    Just a quick +1

                                                    I upgraded my pfSense boxens to 2.1.2 and encountered this bug. Applied Jim's patch with System Patches package, and is working flawlessly.

                                                    Thank you, thank you, thank you.

                                                      ahull last edited by

                                                      Can anyone confirm if this fix is included in the latest 2.1.3 security release? I didn't see specific mention of this in the changelog.

                                                      Thanks to the hard work of the whole pfSense team.

                                                        jimp Rebel Alliance Developer Netgate last edited by

                                                        It should be there in 2.1.3, yes. In the release notes it's actually mentioned but as a fix for OpenVPN and other interfaces looping.

                                                          mevans336 last edited by

                                                          @jimp:

                                                          It should be there in 2.1.3, yes. In the release notes it's actually mentioned but as a fix for OpenVPN and other interfaces looping.

                                                          I had this issue (but just worked around it a different way) and I can confirm that when we upgraded all 3 of our boxes to 2.1.3 it has been resolved.

                                                            Matchek last edited by

                                                            Is there a fix for 2.1.3? I've made a TUN bridge but the VPN gateway is down.
