OpenVPN is not passing traffic after upgrade from 2.1 to 2.1.4



  • Hello All!

    I upgraded my pfSense last week and, after upgrading from 2.1 to 2.1.4, OpenVPN still authenticates and gets an IP from DHCP, but no traffic appears to be passing.

    It is not possible to resolve DNS remotely or even ping IPs that I know are up on the remote LAN. Nothing appears to be reaching the destination.

    Any advice? I double-checked the firewall rules and all the old settings are still there. The OpenVPN interface has just one rule, the one that the OpenVPN wizard created (PASS ALL IPV4). But nothing is working.

    Thank you in advance,



  • Is pfSense the OVPN server or client?
    What about the routes on the client?
    Tell us your OVPN config, please.



  • Hello viragomann, thanks for your message!

    pfSense is the OVPN server. The clients are Windows 7 or Windows 8 machines with the OpenVPN GUI client. They use the .exe installer config generated by the "OpenVPN Client Export Utility" package for pfSense that I installed on the firewall.

    These last 2 days I've been exploring the problem, and I found out that if I check the OVPN server option "Force all client generated traffic through the tunnel" it works normally, but of course the connected client will suffer slow public internet browsing because it will have to use the remote connection to browse public websites. This is NOT what I want, and it was working before upgrading.

    But if I fill the "IPv4 Local Network/s" with my correct CIDR "192.168.30.0/24" (my office LAN is the 192.168.30.1-192.168.30.255 subnet, 255.255.255.0) then no traffic passes from the remote client to the office LAN.

    Any ideas why 2.1.4 is not working with my CIDR 192.168.30.0/24 to pass the traffic, forcing me to pass all traffic through the tunnel?

    Thank you again!




  • I think you need to tackle this from the point of view of the client side.
    When the OpenVPN connection is up, check the client's route table (in cmd: route print).

    There you should see a Network Destination (your local LAN, c.30.0), a gateway (something in the tunnel network range, c.31.h), and an interface (something in the tunnel network range, c.31.h).

    You should be able to ping your pfSense once the tunnel is up… is that so?
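The check described in this reply can be automated: the script below, an added example and not code from anyone in the thread, parses the "IPv4 Route Table" section of a Windows `route print` dump and reports whether the office LAN is routed through a gateway in the tunnel network on the TAP interface. The two sample dumps are constructed from the route tables posted later in this thread; the LAN (192.168.30.0/24) and tunnel (10.0.8.0/24) prefixes are parameters, so it also works for the 192.168.31.0/24 tunnel mentioned here.

```python
"""Check a Windows `route print` dump for the route an OpenVPN client needs.

Added example (not from the forum thread). Parses the IPv4 section that
`route print` emits and reports whether the remote LAN is reachable via
a gateway inside the tunnel network on the tunnel interface.
"""
import ipaddress
import re

# Constructed sample: trimmed from the second `route print` in the thread,
# where 192.168.30.0/24 is routed via 10.0.8.5 on the TAP interface 10.0.8.6.
ROUTE_PRINT_OK = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0        10.0.0.1        10.0.0.10    25
         10.0.8.1  255.255.255.255        10.0.8.5        10.0.8.6    30
         10.0.8.4  255.255.255.252        On-link          10.0.8.6    286
     192.168.30.0    255.255.255.0        10.0.8.5        10.0.8.6    30
Persistent Routes:
  None
IPv6 Route Table
"""

# Constructed sample: trimmed from the first dump, taken while the route add
# had failed with "Access is denied"; no 192.168.30.0/24 route is present.
ROUTE_PRINT_BAD = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100    10
         10.0.8.4  255.255.255.252        On-link          10.0.8.6    286
Persistent Routes:
  None
"""

# One active route line: destination, netmask, gateway (IP or "On-link"),
# interface address, metric.
ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<gw>\S+)\s+(?P<iface>\d+\.\d+\.\d+\.\d+)\s+(?P<metric>\d+)\s*$"
)


def parse_ipv4_routes(text):
    """Return one dict per active IPv4 route found in a `route print` dump."""
    routes = []
    in_ipv4 = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("IPv4 Route Table"):
            in_ipv4 = True
            continue
        if stripped.startswith("IPv6 Route Table"):
            break
        if not in_ipv4:
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append({
                # ipaddress accepts a dotted netmask after the slash.
                "network": ipaddress.ip_network(f"{m['dest']}/{m['mask']}", strict=False),
                "gateway": m["gw"],
                "interface": ipaddress.ip_address(m["iface"]),
                "metric": int(m["metric"]),
            })
    return routes


def check_lan_route(text, lan_cidr, tunnel_cidr):
    """Return (ok, reason): is lan_cidr routed via a tunnel-network gateway?"""
    lan = ipaddress.ip_network(lan_cidr)
    tunnel = ipaddress.ip_network(tunnel_cidr)
    for r in parse_ipv4_routes(text):
        if r["network"] != lan:
            continue
        if r["gateway"] == "On-link":
            return False, f"{lan} is on-link, not routed through the tunnel"
        gw = ipaddress.ip_address(r["gateway"])
        if gw not in tunnel or r["interface"] not in tunnel:
            return False, f"{lan} routed via {gw} on {r['interface']}, outside {tunnel}"
        return True, f"{lan} via {gw} on {r['interface']} metric {r['metric']}"
    return False, f"no route to {lan}: the client never installed the pushed route"


if __name__ == "__main__":
    for label, dump in (("ok", ROUTE_PRINT_OK), ("bad", ROUTE_PRINT_BAD)):
        print(label, check_lan_route(dump, "192.168.30.0/24", "10.0.8.0/24"))
```

Pipe a real dump in with `route print > routes.txt` on the client and pass the file contents to `check_lan_route`; a "no route" result points at the client side (the route was never installed), while a route that exists but via the wrong gateway points at the server's pushed settings.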



  • Every day things are different here :(

    My client that was working yesterday using "force all traffic to tunnel" now does not ping any VPN IP (even pfSense's IP returns as not found when connected). This is the log from the OpenVPN client. Why is all that "access denied" occurring? I tried to reboot Windows 8, but had no success restoring client-to-VPN traffic :(

    Thu Jul 31 13:16:25 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  5 2014
    Thu Jul 31 13:16:25 2014 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
    Thu Jul 31 13:16:30 2014 Control Channel Authentication: using 'proxy-udp-1194-tls.key' as a OpenVPN static key file
    Thu Jul 31 13:16:30 2014 UDPv4 link local (bound): [undef]
    Thu Jul 31 13:16:30 2014 UDPv4 link remote: [AF_INET]179.111.X.X:1194 (replacing my IP)
    Thu Jul 31 13:16:30 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Jul 31 13:16:31 2014 [OpenVPNServerCert] Peer Connection Initiated with [AF_INET]179.111.X.X:1194
    Thu Jul 31 13:16:33 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Jul 31 13:16:33 2014 open_tun, tt->ipv6=0
    Thu Jul 31 13:16:33 2014 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{C784BB60-26C2-4273-AB81-37F0D18052D4}.tap
    Thu Jul 31 13:16:33 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {C784BB60-26C2-4273-AB81-37F0D18052D4} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
    Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=3]
    Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=29]
    Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=29]
    Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=29]
    Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=29]
    Thu Jul 31 13:16:38 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Thu Jul 31 13:16:38 2014 Initialization Sequence Completed

    This is the route print when connected:

    ===========================================================================
    Interface List
    32...00 ff c7 84 bb 60 ......TAP-Windows Adapter V9
      3...00 01 6c 6f ec 4a ......NVIDIA nForce Networking Controller
      1...........................Software Loopback Interface 1
      5...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
      6...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100    10
            10.0.8.4  255.255.255.252        On-link          10.0.8.6    286
            10.0.8.6  255.255.255.255        On-link          10.0.8.6    286
            10.0.8.7  255.255.255.255        On-link          10.0.8.6    286
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.0.0    255.255.255.0        On-link    192.168.0.100    266
        192.168.0.100  255.255.255.255        On-link    192.168.0.100    266
        192.168.0.255  255.255.255.255        On-link    192.168.0.100    266
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link    192.168.0.100    266
            224.0.0.0        240.0.0.0        On-link          10.0.8.6    286
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link    192.168.0.100    266
      255.255.255.255  255.255.255.255        On-link          10.0.8.6    286

    Persistent Routes:
      None

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      6    306 ::/0                    On-link
      1    306 ::1/128                  On-link
      6    306 2001::/32                On-link
      6    306 2001:0:5ef5:79fb:38d7:4aa4:4299:2392/128
                                        On-link
      3    266 fe80::/64                On-link
    32    286 fe80::/64                On-link
      6    306 fe80::/64                On-link
      3    266 fe80::40:6376:4755:9b30/128
                                        On-link
      6    306 fe80::38d7:4aa4:4299:2392/128
                                        On-link
    32    286 fe80::4162:550b:a3bc:6ad9/128
                                        On-link
      1    306 ff00::/8                On-link
      3    266 ff00::/8                On-link
      6    306 ff00::/8                On-link
    32    286 ff00::/8                On-link

    Persistent Routes:
      None

    Really, thanks for trying to help. I'm desperate here with no VPN since Monday. :(
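The client log above carries the diagnosis in plain sight: "Initialization Sequence Completed" is logged even though every route add failed with status 5. The script below is an added example (not from the thread) that scans an OpenVPN client log for the tunnel address, route-installation failures and the password-cache warning, and turns them into findings; the sample lines are constructed from the log above.

```python
"""Classify route and credential problems in an OpenVPN Windows client log.

Added example, not from the thread. Looks for the TAP address assignment,
`ROUTE: route addition failed` entries and the auth-nocache warning, and
explains why "Initialization Sequence Completed" alone is not success.
"""
import re

# Constructed sample: a subset of the OpenVPN 2.3.4 client log posted above.
SAMPLE_LOG = """\
Thu Jul 31 13:16:30 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 31 13:16:31 2014 [OpenVPNServerCert] Peer Connection Initiated with [AF_INET]179.111.X.X:1194
Thu Jul 31 13:16:33 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.6/255.255.255.252 on interface {C784BB60-26C2-4273-AB81-37F0D18052D4} [DHCP-serv: 10.0.8.5, lease-time: 31536000]
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=3]
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.  [status=5 if_index=29]
Thu Jul 31 13:16:38 2014 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Jul 31 13:16:38 2014 Initialization Sequence Completed
"""

ROUTE_FAIL_RE = re.compile(
    r"ROUTE: route addition failed using (?P<api>\w+): (?P<msg>.+?)\s+"
    r"\[status=(?P<status>\d+) if_index=(?P<ifidx>\d+)\]"
)
TUN_ADDR_RE = re.compile(
    r"set a DHCP IP/netmask of (?P<ip>[\d.]+)/(?P<mask>[\d.]+) on interface "
    r".*\[DHCP-serv: (?P<gw>[\d.]+),"
)
WIN32_ACCESS_DENIED = 5  # ERROR_ACCESS_DENIED, the status the log reports


def analyse_client_log(text):
    """Return a summary dict of what the client log says about the session."""
    summary = {
        "tunnel_ip": None,
        "tunnel_gateway": None,
        "route_failures": [],        # (api, message, status, if_index)
        "route_cmd_errors": 0,       # "Windows route add command failed" lines
        "access_denied": False,
        "password_cache_warning": False,
        "peer_connected": False,
        "init_completed": False,
    }
    for line in text.splitlines():
        m = TUN_ADDR_RE.search(line)
        if m:
            summary["tunnel_ip"] = m["ip"]
            summary["tunnel_gateway"] = m["gw"]
            continue
        m = ROUTE_FAIL_RE.search(line)
        if m:
            status = int(m["status"])
            summary["route_failures"].append((m["api"], m["msg"], status, int(m["ifidx"])))
            if status == WIN32_ACCESS_DENIED:
                summary["access_denied"] = True
            continue
        if "Windows route add command failed" in line:
            summary["route_cmd_errors"] += 1
        elif "use the auth-nocache option" in line:
            summary["password_cache_warning"] = True
        elif "Peer Connection Initiated" in line:
            summary["peer_connected"] = True
        elif "Initialization Sequence Completed" in line:
            summary["init_completed"] = True
    return summary


def diagnose(summary):
    """Turn the summary into findings, most important first."""
    findings = []
    if summary["access_denied"]:
        findings.append(
            "route install failed with status 5 (Access is denied): the client "
            "process lacks the privilege to change the routing table, so the "
            "tunnel comes up with no route to the remote LAN"
        )
    elif summary["route_failures"]:
        findings.append(f"{len(summary['route_failures'])} route install failure(s) with other status codes")
    if summary["init_completed"] and summary["route_failures"]:
        findings.append(
            "'Initialization Sequence Completed' was logged despite the failures: "
            "that line only means the TLS session and TAP adapter are up"
        )
    if summary["password_cache_warning"]:
        findings.append("credentials may stay in process memory; auth-nocache is not set")
    if not summary["peer_connected"]:
        findings.append("no 'Peer Connection Initiated' line: the TLS handshake never completed")
    return findings


if __name__ == "__main__":
    s = analyse_client_log(SAMPLE_LOG)
    print(f"tunnel {s['tunnel_ip']} gateway {s['tunnel_gateway']}")
    for f in diagnose(s):
        print("-", f)
```

The first finding is the one that matters for this post: a status-5 route failure means the client is connected but cannot install the pushed routes, which is exactly the "authenticated but nothing passes" symptom.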



  • Are you using the OpenVPN GUI client? If so, did you start the client with the option "Run as administrator"? (Right-click on the shortcut, Run as administrator.)



  • Hello vindenesen,

    I indeed was running as a standard user. Raised it to admin and it managed to set the route. However, on another machine with Windows 7 it was able to connect and route to the VPN without admin rights. I think this is odd. It was the first time I had to set the GUI to admin in order to properly connect.

    However, this intrigues me, as at random I am able to pass traffic and then suddenly not. This is the transcript from my CMD. I typed those commands one after another, without waiting, and keeping the connection ON. Notice that sometimes it is able to pass traffic and then not. And then it passes again, without me having to do anything. Using "route print" shows that the network 192.168.30.0/24 is properly set. But sometimes it does not work.

    How can I debug this issue? It is driving me crazy. And this is occurring only after I upgraded to 2.1.4. I never had any OVPN issues with 2.1.

    Here is my odd test:

    Microsoft Windows [Version 6.1.7601]
    Copyright © 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\fdpalma>ping bsserver

    Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
    Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=2ms TTL=127

    Ping statistics for 192.168.30.10:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 2ms, Maximum = 2ms, Average = 2ms

    C:\Users\fdpalma>ping bsserver

    Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.30.10:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Users\fdpalma>ping bsserver

    Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.30.10:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Users\fdpalma>ping bsserver

    Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.30.10:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Users\fdpalma>route print

    Interface List
    26...00 ff 0b 06 3b ea ......TAP-Windows Adapter V9
    14...00 22 58 e8 f0 9f ......Bluetooth Device (Personal Area Network)
    12...00 1e 65 3d 8a 64 ......Intel(R) WiFi Link 5100 AGN
    11...00 1e 33 d0 e7 27 ......Realtek PCIe GBE Family Controller
      1...........................Software Loopback Interface 1
    16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    29...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0        10.0.0.1        10.0.0.10    25
            10.0.0.0        255.0.0.0        On-link        10.0.0.10    281
            10.0.0.10  255.255.255.255        On-link        10.0.0.10    281
            10.0.8.1  255.255.255.255        10.0.8.5        10.0.8.6    30
            10.0.8.4  255.255.255.252        On-link          10.0.8.6    286
            10.0.8.6  255.255.255.255        On-link          10.0.8.6    286
            10.0.8.7  255.255.255.255        On-link          10.0.8.6    286
      10.255.255.255  255.255.255.255        On-link        10.0.0.10    281
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        192.168.30.0    255.255.255.0        10.0.8.5        10.0.8.6    30
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link        10.0.0.10    281
            224.0.0.0        240.0.0.0        On-link          10.0.8.6    286
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link        10.0.0.10    281
      255.255.255.255  255.255.255.255        On-link          10.0.8.6    286

    Persistent Routes:
      None

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
    12    281 fe80::/64                On-link
    26    286 fe80::/64                On-link
    26    286 fe80::4509:afc3:6dd6:9949/128
                                        On-link
    12    281 fe80::6da3:4c32:a11d:853/128
                                        On-link
      1    306 ff00::/8                On-link
    12    281 ff00::/8                On-link
    26    286 ff00::/8                On-link

    Persistent Routes:
      None

    C:\Users\fdpalma>ping bsserver

    Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
    Reply from 192.168.30.10: bytes=32 time=78ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=86ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=3ms TTL=127

    Ping statistics for 192.168.30.10:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 2ms, Maximum = 86ms, Average = 42ms

    C:\Users\fdpalma>ping bsserver

    Pinging bsserver.bizsys.bizsys.com.br [192.168.30.10] with 32 bytes of data:
    Reply from 192.168.30.10: bytes=32 time=1ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=2ms TTL=127
    Reply from 192.168.30.10: bytes=32 time=25ms TTL=127

    Ping statistics for 192.168.30.10:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 25ms, Average = 7ms



  • @fdpalma:

    I indeed was running as standard user. Raised to admin and it managed to set route. However, on another machine with Windows 7 it was able to connect and route to VPN without admin rights. I think this is odd. It was the first time I had to set the GUI to admin in order to properly connect.

    It could be that UAC was disabled on the machine where you didn't need to run it as admin.

    What I don't quite understand is this:
    Your OpenVPN settings say that 192.168.31.0/24 is to be the network that the OpenVPN clients get an IP address in, but your routing table shows that 192.168.30.0/24 is located at the gateway 10.0.8.5? In my mind the gateway should have been in the network 192.168.31.0/24.

    Edit: Can you post your client config file?



  • vindenesen,

    Yes, sorry. I changed the tunnel network to the example in the description, "e.g. 10.0.8.0/24", to test if this scope would work. And I am performing tests with "force all client generated traffic to tunnel" DISABLED and the Local network set to 192.168.31.0/24.

    Attached are the most recent settings I used during the whole day for the posts above, and this is the client config file:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 179.111.XXX.XXX 1194 udp
    lport 0
    auth-user-pass
    ca proxy-udp-1194-ca.crt
    tls-auth proxy-udp-1194-tls.key 1
    ns-cert-type server

    Thank you again.




  • In a quick comparison with my config, I don't have that "lport 0" setting in my client's config.
    Try without it (comment it out by prepending #); it should no longer be necessary to tell the client to use a random port.

    Restart OpenVPN, establish a connection, and issue a ping -t to your bsserver.

    If it again shows disconnections, check the output from the pfSense log (openvpn).
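To apply this reply's suggestion without hand-editing, and to catch the other setting the client log complained about (the missing auth-nocache), the script below, an added example that is not part of the thread, parses an OpenVPN client config into directives, lints the ones discussed here, and returns a copy with `lport` commented out. The sample config is the one posted above, with the server address redacted as in the post; the parser assumes the plain one-directive-per-line form used there (no inline `<ca>`-style blocks).

```python
"""Lint an OpenVPN client config for the settings discussed in this thread.

Added example, not from the thread. Parses directives, flags `lport 0`
(the last reply's suggestion) and a missing `auth-nocache` (the warning
from the client log), and can comment a directive out, as advised.
"""

# Constructed sample: the client config posted in the thread, with the
# server address redacted as it was in the post.
SAMPLE_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 179.111.XXX.XXX 1194 udp
lport 0
auth-user-pass
ca proxy-udp-1194-ca.crt
tls-auth proxy-udp-1194-tls.key 1
ns-cert-type server
"""


def parse_config(text):
    """Return [(directive, [args]), ...]; lines starting with # or ; are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def lint_config(text):
    """Return findings as 'directive: explanation' strings."""
    directives = parse_config(text)
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        if name == "lport" and args == ["0"]:
            findings.append("lport: 'lport 0' is unnecessary for a client; comment it out and retest")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("auth-nocache: missing, so the client keeps the password in memory (the log warns about this)")
    if "tls-auth" not in names and "tls-crypt" not in names:
        findings.append("tls-auth: no control-channel key, the server's tls-auth key is not being used")
    if "ns-cert-type" in names:
        # Fact, not from the thread: ns-cert-type was deprecated in later
        # OpenVPN releases in favour of 'remote-cert-tls server'.
        findings.append("ns-cert-type: deprecated in later OpenVPN releases; 'remote-cert-tls server' is the replacement")
    return findings


def comment_out(text, directive):
    """Return the config with every line for `directive` prefixed by '#'."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        active = line and not line.startswith(("#", ";"))
        if active and line.split()[0] == directive:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("-", finding)
    print(comment_out(SAMPLE_CONFIG, "lport"))
```

Run `lint_config` on the exported .ovpn before and after the change: the `lport` finding should disappear while the `tls-auth` check still passes, confirming the edit touched only the directive this reply points at.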