[Solved] : Upgrade to 2.3 broke OpenVPN



  • Hi Guys,

    Hope you can help.

    For the 1st time ever an in-place upgrade broke something.

I use OpenVPN on port UDP 500, but when I upgraded from 2.2.6 to 2.3 the OpenVPN service would not start, with the following error.

    Apr 13 18:39:15 openvpn 65339 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Apr 13 18:39:15 openvpn 65339 TCP/UDP: Socket bind failed on local address [AF_INET]188.220.73.192:500: Address already in use
    Apr 13 18:39:15 openvpn 65339 Exiting due to fatal error

Unfortunately I was remoted in at the time, so I lost the connection.
    What can be the problem and what is the resolution?

    Many Thanks

    Cheesy



  • I am not an expert, but I have been reading about the update. OpenVPN in particular. Did you read these?

    https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#OpenVPN

    https://doc.pfsense.org/index.php/UpgradeGuide#Note_for_users_of_the_OpenVPN_Status_Package



  • @cheesyboofs:

What can be the problem and what is the resolution?

    I have seen the same issue, reboot cures it. I see the issue once per x-reboots on my unit. There are a couple of redmine tickets on it.

    I've been told (all credits to pfSense support) it would be fixed by v2.3.1, in a couple of weeks…



  • bennyc & cheesyboofs

    The upgrade just broke my OpenVPN too  :-[

I am using manual NAT. What Outbound NAT rules do you have, anything specific for OpenVPN?

    Thanks in advance.



  • @cheesyboofs:

    Hi Guys,

    Hope you can help.

    For the 1st time ever an in-place upgrade broke something.

I use OpenVPN on port UDP 500, but when I upgraded from 2.2.6 to 2.3 the OpenVPN service would not start, with the following error.

    Apr 13 18:39:15 openvpn 65339 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Apr 13 18:39:15 openvpn 65339 TCP/UDP: Socket bind failed on local address [AF_INET]188.220.73.192:500: Address already in use
    Apr 13 18:39:15 openvpn 65339 Exiting due to fatal error

Unfortunately I was remoted in at the time, so I lost the connection.
    What can be the problem and what is the resolution?

    Many Thanks

    Cheesy

    UDP port 500 is https://en.wikipedia.org/wiki/Internet_Key_Exchange. I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.

    https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#IPsec

    "Removed global IPsec disable flag as it is no longer necessary. On upgrade, if the IPsec enable box was unchecked, all Phase 1 entries are disabled individually instead."

    Do you have anything under VPN - IPsec? If so, I'd disable it all or remove them if they're not in use. You can also SSH into your box, choose option 8, and type 'sockstat -4' which will show you what process is listening on port 500.

I have entries under VPN - IPSec, but nothing is listening on UDP/500 because all my IPSec entries have been manually disabled.
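The two checks suggested above (read the "Socket bind failed" line from the OpenVPN log, then look at `sockstat -4` to see who owns the port) can be combined into a small script. This is an added example, not code from the thread or from pfSense: the log excerpt and the sockstat listing are constructed samples, the WAN address is a documentation address, and the IKE daemon name (strongSwan's charon) and its PID are assumed rather than taken from the thread.

```python
"""Match an OpenVPN 'Address already in use' failure against a sockstat listing.

Added example (not from the thread or pfSense). Input samples are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed OpenVPN log excerpt in the thread's message format; 198.51.100.10 is
# a documentation address standing in for the real WAN IP.
OPENVPN_LOG = """\
Apr 13 18:39:15 openvpn 65339 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Apr 13 18:39:15 openvpn 65339 TCP/UDP: Socket bind failed on local address [AF_INET]198.51.100.10:500: Address already in use
Apr 13 18:39:15 openvpn 65339 Exiting due to fatal error
"""

# Constructed `sockstat -4` output as seen from the pfSense shell (menu option 8).
# The IKE daemon (charon) and PIDs are assumed for illustration.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     charon     71234 14 udp4   *:500                 *:*
root     charon     71234 15 udp4   *:4500                *:*
unbound  unbound    4321  5  udp4   127.0.0.1:53          *:*
root     sshd       2001  4  tcp4   *:22                  *:*
"""

BIND_FAIL_RE = re.compile(
    r"Socket bind failed on local address "
    r"\[(?P<family>AF_INET6?)\](?P<addr>.+):(?P<port>\d+): Address already in use"
)


def parse_bind_failure(log_text: str) -> Optional[Dict[str, object]]:
    """Return {family, addr, port} for the first OpenVPN bind failure, or None."""
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.search(line)
        if m:
            return {"family": m.group("family"), "addr": m.group("addr"),
                    "port": int(m.group("port"))}
    return None


def parse_sockstat(text: str) -> List[Dict[str, object]]:
    """Parse sockstat rows into dicts; the header and rows without a numeric port are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        addr, _, port = local.rpartition(":")  # handles "*:500" and "127.0.0.1:53"
        if not port.isdigit():
            continue
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "addr": addr, "port": int(port)})
    return rows


def port_owners(rows: List[Dict[str, object]], port: int, proto_prefix: str = "udp"):
    """Sockets of the given protocol family bound to the given local port."""
    return [r for r in rows if r["port"] == port and str(r["proto"]).startswith(proto_prefix)]


def diagnose(log_text: str, sockstat_text: str) -> str:
    """Explain the bind failure in terms of the process that holds the port."""
    fail = parse_bind_failure(log_text)
    if fail is None:
        return "no bind failure in the OpenVPN log"
    proto = "udp"  # the thread's server runs over UDP
    port = int(fail["port"])
    owners = port_owners(parse_sockstat(sockstat_text), port, proto)
    if not owners:
        return f"{proto}/{port} is free now; the conflict may have been transient (retry or reboot)"
    # A socket bound to the wildcard address (*) or to the same address blocks
    # OpenVPN's bind; one bound to a different specific address may not.
    conflicts = [o for o in owners if o["addr"] in ("*", fail["addr"])]
    if not conflicts:
        held = ", ".join(f"{o['command']} on {o['addr']}" for o in owners)
        return f"{proto}/{port} is held only on other addresses ({held}); check the interface binding"
    parts = ", ".join(f"{o['command']} (pid {o['pid']}) on {o['addr']}:{o['port']}" for o in conflicts)
    return f"{proto}/{port} already bound by {parts}; disable or re-port that service before starting OpenVPN"


if __name__ == "__main__":
    print(diagnose(OPENVPN_LOG, SOCKSTAT_OUTPUT))
```

On a real box the listing comes from `sockstat -4` (or `sockstat -4 -p 500` to narrow it to that port) run from the pfSense shell, and the log from Status - System Logs - OpenVPN; feeding both to `diagnose` names the IKE daemon as the owner of UDP 500, which is exactly the case the thread ends up with.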



  • @mevans336 & bennyc.

    Thanks to you both.
I will look into both of your suggestions tonight. I needed VPN back in a hurry so dropped back to a snapshot. Luckily I create a VMware snapshot before every upgrade.

If any of you are interested, here is where my pfSense firewall lives, as a VM under the boiler in my garage.

    http://www.cheesyboofs.co.uk/esxi-vsan-microserver-homelab

    Cheesy



  • @mevans336

    I think you've cracked it mate.
I did have a Phase 1 entry under IPSec, even though disabled. I deleted it and performed an upgrade. So far so good, the OpenVPN service has started this time, but I can't test it till I get to work tomorrow. I am confident you have cracked it.

    Cheers, I will have a drink to your good health tonight  ;)

    Cheesy



  • Neat, I'm a VMWare guy too. Studying for my VCP6-DCV right now actually.  :)


  • LAYER 8 Global Moderator

    Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question..  No shit stuff prob going to break when you use non standard odd ball configurations ;)



  • @johnpoz:

    Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question..  No shit stuff prob going to break when you use non standard odd ball configurations ;)

It's the only port permitted directly out of work due to the antiquated Cisco VPN we use on some of our old customer sites. And yes, I just passed my VCP6-DCV exam too  8)



  • @mevans336:

    I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.

    Not globally enabled, the global enable/disable checkbox just doesn't exist anymore. If you have any enabled IPsec connections, it's enabled. If you had it globally disabled pre-upgrade, then any enabled P1s will be disabled upon upgrade to retain the existing behavior. No enabled P1s means the same as globally disabled previously.



  • Well I had a Phase 1 entry there but NOT enabled. I performed an upgrade and somehow it became enabled mapping to UDP port 500 preventing the OpenVPN service from starting.
I rolled back, deleted the Phase 1 entry, then upgraded, and all is cooking. Whatever, it's fixed and I am a happy bunny …


  • LAYER 8 Global Moderator

"It's the only port permitted directly out of work"

    That sure wouldn't be standard now would it.. Openvpn bounces off a proxy just fine by the way..

