Problem using OpenVPN



  • Hello, in the company where I work, I have 3 VPNs. 2 are OpenVPN and the other is IPSec.
    In the last week the 2 OpenVPN tunnels stopped working, and I don't know the reason. The IPSec VPN is working fine.

    This is the log in the VPN Client:

    Sep 8 10:30:59 openvpn[21267]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 8 10:30:57 openvpn[21267]: SIGUSR1[soft,ping-restart] received, process restarting
    Sep 8 10:30:57 openvpn[21267]: Inactivity timeout (--ping-restart), restarting
    Sep 8 10:29:57 openvpn[21267]: UDPv4 link remote: [AF_INET]189.xx.xx.xxx:11630
    Sep 8 10:29:57 openvpn[21267]: UDPv4 link local (bound): [AF_INET]186.xxx.xx.xxx:11630
    Sep 8 10:29:57 openvpn[21267]: Preserving previous TUN/TAP instance: ovpnc1
    Sep 8 10:29:57 openvpn[21267]: Re-using pre-shared static key

    And this is the log on the VPN server:

    Sep 8 16:20:15 openvpn[42671]: Initialization Sequence Completed
    Sep 8 16:20:15 openvpn[42671]: UDPv4 link remote: [undef]
    Sep 8 16:20:15 openvpn[42671]: UDPv4 link local (bound): [AF_INET]189.xx.xx.130:11640
    Sep 8 16:20:15 openvpn[41285]: /usr/local/sbin/ovpn-linkup ovpns5 1500 1542 10.0.80.1 10.0.80.2 init
    Sep 8 16:20:15 openvpn[41285]: /sbin/ifconfig ovpns5 10.0.80.1 10.0.80.2 mtu 1500 netmask 255.255.255.255 up
    Sep 8 16:20:15 openvpn[41285]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Sep 8 16:20:15 openvpn[41285]: TUN/TAP device /dev/tun5 opened
    Sep 8 16:20:15 openvpn[41285]: TUN/TAP device ovpns5 exists previously, keep at program end
    Sep 8 16:20:15 openvpn[41285]: Control Channel Authentication: using '/var/etc/openvpn/server5.tls-auth' as a OpenVPN static key file
    Sep 8 16:20:15 openvpn[41285]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 8 16:20:15 openvpn[41285]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Sep 8 16:20:15 openvpn[30985]: SIGTERM[hard,] received, process exiting
    Sep 8 16:20:15 openvpn[37680]: UDPv4 link remote: [undef]
    Sep 8 16:20:15 openvpn[37680]: UDPv4 link local (bound): [AF_INET]189.xx.xxx.xxx:1163
    Sep 8 16:20:15 openvpn[30985]: /usr/local/sbin/ovpn-linkdown ovpns5 1500 1542 10.0.80.1 10.0.80.2 init
    Sep 8 16:20:15 openvpn[30985]: event_wait : Interrupted system call (code=4)
    Sep 8 16:20:15 openvpn[32900]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1544 10.0.2.1 10.0.2.2 init
    Sep 8 16:20:15 openvpn[32900]: /sbin/ifconfig ovpns1 10.0.2.1 10.0.2.2 mtu 1500 netmask 255.255.255.255 up
    Sep 8 16:20:15 openvpn[32900]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Sep 8 16:20:15 openvpn[32900]: TUN/TAP device /dev/tun1 opened
    Sep 8 16:20:15 openvpn[32900]: TUN/TAP device ovpns1 exists previously, keep at program end
    Sep 8 16:20:15 openvpn[32900]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 8 16:20:15 openvpn[32900]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Sep 8 16:20:15 openvpn[30985]: Initialization Sequence Completed
    Sep 8 16:20:15 openvpn[30985]: UDPv4 link remote: [undef]
    Sep 8 16:20:15 openvpn[30985]: UDPv4 link local (bound): [AF_INET]189.xxx.xxx.130:11640
    Sep 8 16:20:15 openvpn[26063]: /usr/local/sbin/ovpn-linkup ovpns5 1500 1542 10.0.80.1 10.0.80.2 init
    Sep 8 16:20:15 openvpn[26063]: /sbin/ifconfig ovpns5 10.0.80.1 10.0.80.2 mtu 1500 netmask 255.255.255.255 up
    Sep 8 16:20:15 openvpn[26063]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Sep 8 16:20:15 openvpn[26063]: TUN/TAP device /dev/tun5 opened
    Sep 8 16:20:15 openvpn[26063]: TUN/TAP device ovpns5 exists previously, keep at program end
    Sep 8 16:20:15 openvpn[26063]: Control Channel Authentication: using '/var/etc/openvpn/server5.tls-auth' as a OpenVPN static key file
    Sep 8 16:20:15 openvpn[20840]: SIGTERM[hard,] received, process exiting
    Sep 8 16:20:15 openvpn[20840]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1544 10.0.2.1 10.0.2.2 init
    Sep 8 16:20:15 openvpn[20840]: event_wait : Interrupted system call (code=4)
    Sep 8 16:20:14 openvpn[26063]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 8 16:20:14 openvpn[26063]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Sep 8 16:20:14 openvpn[44739]: SIGTERM[hard,] received, process exiting
    Sep 8 16:20:14 openvpn[44739]: /usr/local/sbin/ovpn-linkdown ovpns5 1500 1542 10.0.80.1 10.0.80.2 init
    Sep 8 16:20:14 openvpn[44739]: event_wait : Interrupted system call (code=4)
    Sep 8 16:20:14 openvpn[20840]: UDPv4 link remote: [undef]
    Sep 8 16:20:14 openvpn[20840]: UDPv4 link local (bound): [AF_INET]189.xx.xxx.130:1163
    Sep 8 16:20:14 openvpn[14988]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1544 10.0.2.1 10.0.2.2 init
    Sep 8 16:20:14 openvpn[14988]: /sbin/ifconfig ovpns1 10.0.2.1 10.0.2.2 mtu 1500 netmask 255.255.255.255 up
    Sep 8 16:20:14 openvpn[14988]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Sep 8 16:20:14 openvpn[14988]: TUN/TAP device /dev/tun1 opened
    Sep 8 16:20:14 openvpn[14988]: TUN/TAP device ovpns1 exists previously, keep at program end
    Sep 8 16:20:14 openvpn[14988]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 8 16:20:14 openvpn[14988]: OpenVPN 2.3.3 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Sep 8 16:20:14 openvpn[41423]: SIGTERM[hard,] received, process exiting
    Sep 8 16:20:13 openvpn[41423]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1544 10.0.2.1 10.0.2.2 init
    Sep 8 16:20:13 openvpn[41423]: event_wait : Interrupted system call (code=4)
    

    Can anyone tell me what is wrong with my VPN? I searched on the internet and I saw that maybe it can be a conflict in the OpenVPN configuration, but they were working for a long time and I never had this kind of trouble.



  • Have you tried manually shutting down the OpenVPN server and then restarting it?

    What version of pfSense are you running?



  • @divsys:

    Have you tried manually shutting down the OpenVPN server and then restarting it?

    What version of pfSense are you running?

    Hello.
    Yes, I tried restarting the OpenVPN server but I had no success.
    The version of my pfSense is 2.1.5



  • After you restart the OpenVPN server, restart the client and check the logs on the server to see if you're getting any attempts to connect.
    Your log file doesn't show any attempts to establish a connection.

    How are you specifying the WAN address of the server on the client - DynDNS, or by physical IP address?

    If necessary, you might even turn on logging of the OpenVPN port firewall rule on the server to make sure traffic is arriving at the OpenVPN NIC.

    Lastly you might consider an upgrade to 2.2.4 to get on a recent version of pfSense and OpenVPN.
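
The check suggested in the post above (did the server ever log a connection attempt, and is the client dialling a port the server listens on) as a small log triage script. This is an added example, not part of the original thread: the function names are hypothetical, the sample lines are taken from the logs in the first post, and it assumes the server writes OpenVPN's usual "Peer Connection Initiated with ..." line when a peer's session comes up. Because the posted excerpts are masked and may be partial, an unmatched port is a prompt to compare the client and server configurations, not a diagnosis.

```python
import re

# Constructed sample: lines taken from the logs in the first post (addresses stay masked).
CLIENT_LOG = """\
Sep 8 10:29:57 openvpn[21267]: UDPv4 link local (bound): [AF_INET]186.xxx.xx.xxx:11630
Sep 8 10:29:57 openvpn[21267]: UDPv4 link remote: [AF_INET]189.xx.xx.xxx:11630
Sep 8 10:30:57 openvpn[21267]: Inactivity timeout (--ping-restart), restarting
"""
SERVER_LOG = """\
Sep 8 16:20:14 openvpn[20840]: UDPv4 link local (bound): [AF_INET]189.xx.xxx.130:1163
Sep 8 16:20:14 openvpn[20840]: UDPv4 link remote: [undef]
Sep 8 16:20:15 openvpn[20840]: SIGTERM[hard,] received, process exiting
Sep 8 16:20:15 openvpn[42671]: UDPv4 link local (bound): [AF_INET]189.xx.xx.130:11640
Sep 8 16:20:15 openvpn[42671]: UDPv4 link remote: [undef]
Sep 8 16:20:15 openvpn[42671]: Initialization Sequence Completed
"""

LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")
PORT = re.compile(r":(\d+)$")

def summarize(log):
    """Collect listener ports, dialled ports, peer sessions, timeouts and hard restarts."""
    s = {"bound": set(), "remote": set(), "peers": 0, "timeouts": 0, "sigterm": set()}
    for raw in log.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue
        pid, msg = m.groups()
        port = PORT.search(msg)
        if "link local" in msg and port:
            s["bound"].add(int(port.group(1)))
        elif "link remote" in msg and port:      # "[undef]" carries no port
            s["remote"].add(int(port.group(1)))
        elif msg.startswith("Peer Connection Initiated"):
            s["peers"] += 1
        elif "Inactivity timeout" in msg:
            s["timeouts"] += 1
        elif msg.startswith("SIGTERM"):
            s["sigterm"].add(pid)
    return s

def triage(client_log, server_log):
    """Compare both ends: did a peer ever arrive, and does the dialled port have a listener?"""
    c, s = summarize(client_log), summarize(server_log)
    return {"peer_sessions": s["peers"], "unmatched_ports": sorted(c["remote"] - s["bound"]),
            "client_timeouts": c["timeouts"], "server_restarts": len(s["sigterm"])}

if __name__ == "__main__":
    print(triage(CLIENT_LOG, SERVER_LOG))
```

On the posted excerpts this reports no peer session on the server and a client remote port (11630) that matches neither listener port seen in the server log (1163 and 11640).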



  • @divsys:

    After you restart the OpenVPN server, restart the client and check the logs on the server to see if you're getting any attempts to connect.
    Your log file doesn't show any attempts to establish a connection.

    How are you specifying the WAN address of the server on the client - DynDNS, or by physical IP address?

    If necessary, you might even turn on logging of the OpenVPN port firewall rule on the server to make sure traffic is arriving at the OpenVPN NIC.

    Lastly you might consider an upgrade to 2.2.4 to get on a recent version of pfSense and OpenVPN.

    Hello.
    I tried restarting my OpenVPN client and server, but nothing changed; they can't connect.
    I'm using a physical IP on both sides.
    The FW rule for the ports is OK. The VPN was working fine until last week.
    I don't know if an upgrade will solve my problem, because they were working until last week.
    I noticed another problem: if I connect to my server and try to ping my client, I can't; I lose all the packets. The same happens if I connect to the client: all ping packets are lost. (Yes, ICMP is enabled on both sides.) My internet provider is the same on both sides.
    But if I connect from another computer outside my network (my personal computer), I can ping both sides (client and server).



  • OK, if you're using a physical IP, I'm guessing your WAN is set up with a static address?

    Does the current WAN->Interfaces IP address match what's in your OpenVPN client?

    I noticed another problem: if I connect to my server and try to ping my client, I can't; I lose all the packets. The same happens if I connect to the client: all ping packets are lost. (Yes, ICMP is enabled on both sides.) My internet provider is the same on both sides.
    But if I connect from another computer outside my network (my personal computer), I can ping both sides (client and server).

    Huh? I don't quite understand, are you trying to connect to your OpenVPN server from the LAN (inside your own network) side of your pfSense box?
    That's not going to work properly using OpenVPN, and that's not what the VPN is for in the first place.

    If you can connect from outside (using OpenVPN?) then what's the problem with your setup?
    I'm getting confused as to what your problem is here.

    Can you post a simple diagram explaining your setup and the problem you're trying to solve?