Client Windows 2.3.4 is not working …

Guldil

Hy,

I have a pfsense 2.1.3 with openvpn server (bridge mode).
Everything is working with latest 2.3.2 client Windows from openvpn.net
Today on a new PC we install the latest 2.3.4 and there is no traffic, the PC can't get IP from DHCP…
We uninstall 2.3.4, reboot, then install 2.3.2 and it's working again !?

Is there any troubleshooting with 2.3.4 client for pfsense 2.1.X ?

Thanks

Guldil

johnpoz

I am running
Thu Sep 25 10:45:39 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May  2 2014
Thu Sep 25 10:45:39 2014 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.05

Which is the latest version on openvpn site that I see for windows.

Not having issues
Thu Sep 25 10:45:55 2014 MANAGEMENT: >STATE:1411659955,CONNECTED,SUCCESS,10.0.200.6,10.56.124.232

My pfsense is
2.1.5-RELEASE (i386)
built on Mon Aug 25 07:44:26 EDT 2014

So what is the error in the connection logs?

Guldil

I reinstalled 2.3.4.

The VPN connect but i cant' ping and it drop after some seconds, trying to reconnect forever…
I can't kill my openvpn process, i can't disconnect, i have to reboot to close it.

Thu Sep 25 21:52:48 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Thu Sep 25 21:52:48 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Thu Sep 25 21:52:49 2014 Control Channel Authentication: using 'VPN-CRN-xxxxxxxxx.key' as a OpenVPN static key file
Thu Sep 25 21:52:49 2014 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:52:49 2014 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:52:49 2014 TCPv4_CLIENT link local (bound): [undef]
Thu Sep 25 21:52:49 2014 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:52:49 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 25 21:52:52 2014 [openvpn.xxxxxxx.xx] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:52:55 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Thu Sep 25 21:52:55 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Thu Sep 25 21:52:55 2014 open_tun, tt->ipv6=0
Thu Sep 25 21:52:55 2014 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{94DE5565-0978-4C52-8152-6C3659185833}.tap
Thu Sep 25 21:52:55 2014 Successful ARP Flush on interface [24] {94DE5565-0978-4C52-8152-6C3659185833}
Thu Sep 25 21:53:00 2014 Initialization Sequence Completed
Thu Sep 25 21:53:55 2014 [openvpn.xxxxxxx.xx] Inactivity timeout (--ping-restart), restarting
Thu Sep 25 21:53:55 2014 SIGUSR1[soft,ping-restart] received, process restarting
Thu Sep 25 21:54:00 2014 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:54:00 2014 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:54:00 2014 TCPv4_CLIENT link local (bound): [undef]
Thu Sep 25 21:54:00 2014 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:54:04 2014 [openvpn.xxxxxxxxx.xxxx] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:443

With 2.3.2 i don't have Inactivity timeout (–ping-restart), restarting :

Thu Sep 25 21:59:23 2014 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug  7 2014
Enter Management Password:
Thu Sep 25 21:59:24 2014 Control Channel Authentication: using 'VPN-CRN-xxxxxxxx.key' as a OpenVPN static key file
Thu Sep 25 21:59:24 2014 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:59:24 2014 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:59:24 2014 TCPv4_CLIENT link local (bound): [undef]
Thu Sep 25 21:59:24 2014 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:59:24 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 25 21:59:27 2014 [openvpn.xxxxxxxx.xx] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:443
Thu Sep 25 21:59:29 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Thu Sep 25 21:59:29 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
Thu Sep 25 21:59:29 2014 open_tun, tt->ipv6=0
Thu Sep 25 21:59:29 2014 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{94DE5565-0978-4C52-8152-6C3659185833}.tap
Thu Sep 25 21:59:29 2014 Successful ARP Flush on interface [22] {94DE5565-0978-4C52-8152-6C3659185833}
Thu Sep 25 21:59:34 2014 Initialization Sequence Completed

It could be a probleme with pfsense 2.1.3 because we tested with 2 differents PC behind different 4G mobile provider.

johnpoz

why are you getting this error

OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0

Where are you getting this download from??  Both of your 2.3.4 and 2.3.2 are showing

built on Aug  7 2014

Which download are you grabbing?
https://openvpn.net/index.php/open-source/downloads.html

Guldil

I use these downloads :

http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I603-x86_64.exe
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.2-I006-x86_64.exe

For the error, i don't know why i have it, but it's working …

johnpoz

"The I603 installers are bundled with a modern, NDIS 6-compatible tap-windows driver which only works on Windows Vista and above."

I had problems with this driver – use the other 2.3.4, listed for xp or above.
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I003-x86_64.exe

Does that work?

Guldil

It's working !

So the version Vista and above is trash ? Why it's not working on Windows 7 ?

johnpoz

that driver has some problems..  Because I have manually updated the driver to that and had issues with using the other install.

jimp

I've had my eye on those new installers for a while but haven't had a chance to try them out. Looks like they aren't quite ready for prime time yet.

In theory those should work better but I'm guessing they haven't got them completely stabilized yet.

jimp

Got a report from a customer that these installers do work so long as you take "persist-tun" out of the client config.