Netgate Discussion Forum
    [Solved] : Upgrade to 2.3 broke OpenVPN

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    13 Posts 7 Posters 3.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
      cheesyboofs

      Hi Guys,

      Hope you can help.

      For the 1st time ever an in-place upgrade broke something.

      I use OpenVPN on port UDP 500, but when I upgraded from 2.2.6 to 2.3 the OpenVPN service would not start, with the following error:

      Apr 13 18:39:15 openvpn 65339 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
      Apr 13 18:39:15 openvpn 65339 TCP/UDP: Socket bind failed on local address [AF_INET]188.220.73.192:500: Address already in use
      Apr 13 18:39:15 openvpn 65339 Exiting due to fatal error

      Unfortunately I was remoted in at the time so lost connection.
      What can be the problem and what is the resolution?

      Many Thanks

      Cheesy

      Author of pfSense themes:

      DARK-ORANGE

      CODE-RED

        jc2it

        I am not an expert, but I have been reading about the update. OpenVPN in particular. Did you read these?

        https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#OpenVPN

        https://doc.pfsense.org/index.php/UpgradeGuide#Note_for_users_of_the_OpenVPN_Status_Package

          bennyc

          @cheesyboofs:

          What can be the problem and what is the resolution?

          I have seen the same issue, reboot cures it. I see the issue once per x-reboots on my unit. There are a couple of redmine tickets on it.

          I've been told (all credits to pfSense support) it would be fixed by v2.3.1, in a couple of weeks…

          4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
          1x PC Engines APU2C4, 1x PC Engines APU1C4

            techytim

            bennyc & cheesyboofs

            The upgrade just broke my OpenVPN too  :-[

            I am using manual NAT. What Outbound NAT rules do you have, anything specific for OpenVPN?

            Thanks in advance.

              mevans336

              @cheesyboofs:

              Hi Guys,

              Hope you can help.

              For the 1st time ever an in-place upgrade broke something.

              I use OpenVPN on port UDP 500, but when I upgraded from 2.2.6 to 2.3 the OpenVPN service would not start, with the following error:

              Apr 13 18:39:15 openvpn 65339 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
              Apr 13 18:39:15 openvpn 65339 TCP/UDP: Socket bind failed on local address [AF_INET]188.220.73.192:500: Address already in use
              Apr 13 18:39:15 openvpn 65339 Exiting due to fatal error

              Unfortunately I was remoted in at the time so lost connection.
              What can be the problem and what is the resolution?

              Many Thanks

              Cheesy

              UDP port 500 is https://en.wikipedia.org/wiki/Internet_Key_Exchange. I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.

              https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#IPsec

              "Removed global IPsec disable flag as it is no longer necessary. On upgrade, if the IPsec enable box was unchecked, all Phase 1 entries are disabled individually instead."

              Do you have anything under VPN - IPsec? If so, I'd disable it all or remove them if they're not in use. You can also SSH into your box, choose option 8, and type 'sockstat -4' which will show you what process is listening on port 500.

              I have entries under VPN - IPsec, but nothing is listening on UDP/500 because all my IPsec entries have been manually disabled.

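The `sockstat -4` check suggested above can be scripted so the conflict is caught before OpenVPN is (re)started. This is an added example, not code from the thread or from pfSense: it parses text in the column layout of FreeBSD `sockstat` and reports which process already owns the port OpenVPN wants. The sockstat lines below are constructed, with the IPsec daemon (charon) holding UDP/500 as happens when a Phase 1 entry is enabled; on a real box you would pipe `sockstat -4 -l` in instead.

```shell
#!/bin/sh
# Added example: find the owner of a UDP/TCP port in sockstat output and
# refuse to start OpenVPN when another daemon already holds that port.

# Constructed sockstat -4 -l output (not captured from a real system).
# charon is strongSwan's IKE daemon, which pfSense runs for IPsec.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     charon     4711  17 udp4   *:500                 *:*
root     charon     4711  18 udp4   *:4500                *:*
unbound  unbound    3032  5  udp4   192.168.1.1:53        *:*
root     sshd       2202  4  tcp4   *:22                  *:*'

# port_owners PROTO PORT: reads sockstat text on stdin and prints
# "COMMAND PID" for every socket bound to PORT, whether the bind is to a
# specific address or to the wildcard "*" (a wildcard bind on 500 still
# blocks OpenVPN's bind to 188.220.73.192:500 in the original error).
port_owners() {
    awk -v proto="$1" -v port="$2" '
        NR > 1 && $5 == proto {
            n = split($6, addr, ":")        # "*:500" -> addr[n] = "500"
            if (addr[n] == port) print $2, $3
        }'
}

# port_free PROTO PORT: reads sockstat text on stdin; returns 0 if nothing
# except an existing openvpn instance owns the port, 1 (with the owners
# on stderr) otherwise. This is the check to run before starting OpenVPN.
port_free() {
    owners=$(port_owners "$1" "$2" | grep -v '^openvpn ')
    if [ -n "$owners" ]; then
        echo "$1/$2 is already held by: $owners" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample (assumes OpenVPN is on UDP/500).
if printf '%s\n' "$SAMPLE_SOCKSTAT" | port_free udp4 500; then
    echo "udp4/500 is free, OpenVPN can bind"
else
    echo "not starting OpenVPN: disable or delete the IPsec Phase 1 first"
fi
```

On a live pfSense shell the same check is `sockstat -4 -l | port_free udp4 500`; if it reports charon, the IPsec Phase 1 entries under VPN - IPsec are what to disable or remove.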
                cheesyboofs

                @mevans336 & bennyc.

                Thanks to you both.
                I will look into both of your suggestions tonight. I needed VPN back in a hurry so dropped back to a snapshot. Luckily I create a VMware snapshot before every upgrade.

                If any of you are interested, here is where my pfSense firewall lives, as a VM under the boiler in my garage.

                http://www.cheesyboofs.co.uk/esxi-vsan-microserver-homelab

                Cheesy

                  cheesyboofs

                  @mevans336

                  I think you've cracked it mate.
                  I did have a Phase 1 entry under IPsec even though disabled. I deleted it and performed an upgrade. So far so good, the OpenVPN service has started this time, but I can't test it till I get to work tomorrow. I am confident you have cracked it.

                  Cheers, I will have a drink to your good health tonight  ;)

                  Cheesy

                    mevans336

                    Neat, I'm a VMWare guy too. Studying for my VCP6-DCV right now actually.  :)

                      johnpoz (LAYER 8 Global Moderator)

                      Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question..  No shit stuff prob going to break when you use non standard odd ball configurations ;)

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                        cheesyboofs

                        @johnpoz:

                        Why would you/anyone run openvpn on the standard IKE port of udp 500 is the bigger question..  No shit stuff prob going to break when you use non standard odd ball configurations ;)

                        It's the only port permitted directly out of work due to the antiquated Cisco VPN we use on some of our old customer sites. And yes, I just passed my VCP6-DCV exam too  8)

                          cmb

                          @mevans336:

                          I believe the upgrade notes said that IPSec is globally enabled after the upgrade to 2.3.

                          Not globally enabled, the global enable/disable checkbox just doesn't exist anymore. If you have any enabled IPsec connections, it's enabled. If you had it globally disabled pre-upgrade, then any enabled P1s will be disabled upon upgrade to retain the existing behavior. No enabled P1s means the same as globally disabled previously.

                            cheesyboofs

                            Well, I had a Phase 1 entry there but NOT enabled. I performed an upgrade and somehow it became enabled, mapping to UDP port 500 and preventing the OpenVPN service from starting.
                            I rolled back, deleted the Phase 1 entry, then upgraded and all is cooking. Whatever, it's fixed and I am a happy bunny …

                              johnpoz (LAYER 8 Global Moderator)

                              "It's the only port permitted directly out of work"

                              That sure wouldn't be standard now would it.. Openvpn bounces off a proxy just fine by the way..

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.