Author Topic: OpenVPN Issue with 2.4 upgrade  (Read 1600 times)

Offline RHLinux

OpenVPN Issue with 2.4 upgrade
« on: October 22, 2017, 09:57:28 am »
I have an issue where after upgrading pfsense to 2.4, it seems to keep the existing dynamic route and fails to connect.

ifconfig fails error 1 

This obviously is correct because the previous route is already there and it can't use it again.

The ip address assigned to me by the VPN server was 10.9.0.1.  After changing the IP address the server was using (DHCP and is now 10.3.0.2), the client connected without a problem.  Below you can see the errant route in the routing table that I can't seem to delete.

10.3.0.0/24   10.3.0.1   UGS   0   1500   ovpnc3   
10.3.0.1   10.3.0.2   UGHS   112937   1500   lo0   
10.3.0.2   link#16   UHS   1419   16384   lo0   
10.9.0.1   10.3.0.2   UGHS   40269480   1500   lo0

Has anyone else had this issue?


Offline cosmoxl

Re: OpenVPN Issue with 2.4 upgrade
« Reply #1 on: October 26, 2017, 07:20:44 am »
Yes, I had this issue when testing development builds.  I reported it in the 2.4 development builds forum but it was ignored because nobody else was seeing problems.

I reverted back to 2.3.4 and all works well again.  I won't upgrade to 2.4.x until this is fixed.  The non-removal of dynamic routes should be an obvious fix.

Offline RHLinux

Re: OpenVPN Issue with 2.4 upgrade
« Reply #2 on: October 30, 2017, 03:13:55 pm »
Do you have the link to the issue you reported so I can also link to this issue?

Are you using two openvpn clients by any chance?  I have two separate VPN Clients that are routed to two different VLANs.

 


Offline cosmoxl

Re: OpenVPN Issue with 2.4 upgrade
« Reply #3 on: October 30, 2017, 03:55:59 pm »
> Do you have the link to the issue you reported so I can also link to this issue?
>
> Are you using two openvpn clients by any chance?  I have two separate VPN Clients that are routed to two different VLANs.

I brought up the problems I was seeing in a thread in the 2.4 development subforum.  I didn't submit an official bug report.

When testing I was using two different openvpn clients but I have no VLANs created.

Do you see problems with gateway monitoring with the two openvpn clients running? I did. 

Offline RHLinux

Re: OpenVPN Issue with 2.4 upgrade
« Reply #4 on: October 30, 2017, 04:21:38 pm »
> > Do you have the link to the issue you reported so I can also link to this issue?
> >
> > Are you using two openvpn clients by any chance?  I have two separate VPN Clients that are routed to two different VLANs.
>
> I brought up the problems I was seeing in a thread in the 2.4 development subforum.  I didn't submit an official bug report.
>
> When testing I was using two different openvpn clients but I have no VLANs created.
>
> Do you see problems with gateway monitoring with the two openvpn clients running? I did.

Yes, I had issues with the gateway monitoring... then it would not connect at all or would be erratic.  I eventually noticed in the openvpn log that the ifconfig command would fail, and after looking at the route status in diagnostics noticed it had an old dynamic route that should have been deleted.  I ended up changing the dynamic IP address of the openvpn server and that seemed to fix the problem; however, the old route was still there.
 

Offline cosmoxl

Re: OpenVPN Issue with 2.4 upgrade
« Reply #5 on: October 30, 2017, 05:28:40 pm »
> > > Do you have the link to the issue you reported so I can also link to this issue?
> > >
> > > Are you using two openvpn clients by any chance?  I have two separate VPN Clients that are routed to two different VLANs.
> >
> > I brought up the problems I was seeing in a thread in the 2.4 development subforum.  I didn't submit an official bug report.
> >
> > When testing I was using two different openvpn clients but I have no VLANs created.
> >
> > Do you see problems with gateway monitoring with the two openvpn clients running? I did.
>
> Yes, I had issues with the gateway monitoring... then it would not connect at all or would be erratic.  I eventually noticed in the openvpn log that the ifconfig command would fail, and after looking at the route status in diagnostics noticed it had an old dynamic route that should have been deleted.  I ended up changing the dynamic IP address of the openvpn server and that seemed to fix the problem; however, the old route was still there.

Yep, at the time I posted everybody insisted that all was good.  Nobody else reported problems.  I feel a little vindicated now.   I won't upgrade to 2.4.x until this problem is fixed.

Offline LeeJohnson

Re: OpenVPN Issue with 2.4 upgrade
« Reply #6 on: November 01, 2017, 12:06:40 pm »
I'm having maybe the same problem with the 2.4.1 upgrade (from 2.3.4-RELEASE-P1).  Two sites connected by OpenVPN, each with multi-WAN and Multi-WAN, spanned by OpenVPN. Both sites have a road warrior VPN as well although one is for backup admin access.

VPNs still connect but with the following issues:

1) site 1 primary LAN traffic for site 2 primary LAN doesn't go down the tunnel despite the routing tables being correct. It's routed out the current WAN interface. Site 2 primary LAN traffic for site 1 passes normally.

2) road warrior traffic for site 1 appears to work normally with the caveat of #1 (traffic to site 2 isn't sent down the VPN tunnel despite the routing tables).

3) road warrior traffic for site 2 only reaches the firewall and goes no further.

Complicating matters is that my primary development platform, an ultrabook, is out for warranty repair again because it doesn't power on, I can't access my image backups that are in the file system backup for that from the temporary development platform although I've got config backups handy locally and with autoconfigbackup, these are on Soekris 6501's (Soekris went belly up which means I'm down to dregs for spares), and these 32-bit nano images on USB.

Worse yet, Netgate seems to oddly restrict legacy downloads of an opensource project (see comment above about access to backups; I've got basically all versions there).

And I'm remote. Previously, I had redundant firewalls at both sites but the client made a bad cost cutting move to drop to one (large retail).

Anyone know where legacy downloads are?

Offline LeeJohnson

Re: OpenVPN Issue with 2.4 upgrade
« Reply #7 on: November 01, 2017, 12:17:43 pm »
> "I'm having maybe the same problem with the 2.4.1 upgrade (from 2.3.4-RELEASE-P1). "

Correction. Upgrade to 2.3.4-RELEASE-P1 from 2.3.3.

Offline immy

Re: OpenVPN Issue with 2.4 upgrade
« Reply #8 on: November 04, 2017, 05:05:18 am »
I am also having the problem of an old route that doesn't get deleted (also on 2.4.1)

/sbin/ifconfig ovpnc1 10.4.6.92 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
ifconfig fails error 1

From netstat:
10.4.0.1           10.4.3.89          UGHS        lo0

Trying manually:

/sbin/ifconfig ovpnc1 10.4.6.92 10.4.0.1 mtu 1500 netmask 255.255.0.0 up
ifconfig: ioctl (SIOCAIFADDR): File exists

Trying to delete the old route:

 route del 10.4.0.1 10.4.3.89
route: writing to routing socket: Address already in use
del host 10.4.0.1: gateway 10.4.3.89 fib 0: gateway uses the same route

If I reboot or flush the routes it will work again until my ADSL goes down.
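
An added example, not part of the post above or of pfSense: a small sh helper that takes the ifconfig command logged by OpenVPN plus a `netstat -rn` style table and reports any host route to the tunnel peer whose gateway is not the address now being assigned, which is the leftover-route condition shown in the output above. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find leftover host routes that block OpenVPN's ifconfig.

# find_stale_peer_routes PEER LOCAL
# Reads a routing table on stdin (Destination Gateway Flags ... Netif) and
# prints each host route to PEER whose gateway is not LOCAL.
find_stale_peer_routes() {
    peer=$1 local_ip=$2
    awk -v peer="$peer" -v loc="$local_ip" '
        # Host routes carry the H flag; the interface is the last column.
        $1 == peer && $3 ~ /H/ && $2 != loc {
            printf "%s via %s (%s) on %s\n", $1, $2, $3, $NF
        }'
}

# stale_routes_for "IFCONFIG_LINE"
# Pulls LOCAL and PEER out of the logged command
#   /sbin/ifconfig IF LOCAL PEER mtu ...
# and checks the routing table on stdin against them.
stale_routes_for() {
    set -- $1
    find_stale_peer_routes "$4" "$3"
}

# Constructed sample table, modelled on the output quoted in the thread.
sample_routes() {
    cat <<'EOF'
default            192.0.2.1          UGS         em0
10.4.0.1           10.4.3.89          UGHS        lo0
10.4.0.0/16        10.4.0.1           UGS         ovpnc1
127.0.0.1          link#4             UH          lo0
EOF
}

logged='/sbin/ifconfig ovpnc1 10.4.6.92 10.4.0.1 mtu 1500 netmask 255.255.0.0 up'
stale=$(sample_routes | stale_routes_for "$logged")
if [ -n "$stale" ]; then
    echo "stale peer route(s) left behind:"
    echo "$stale"
fi
```

On the firewall, pipe `netstat -rn -f inet` into `stale_routes_for` in place of the constructed sample, and attach the result to the report along with the OpenVPN log lines.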

Offline cosmoxl

Re: OpenVPN Issue with 2.4 upgrade
« Reply #9 on: November 04, 2017, 10:12:46 am »
When will the devs pay attention to this?

Offline RHLinux

Re: OpenVPN Issue with 2.4 upgrade
« Reply #10 on: November 12, 2017, 08:26:10 am »
Who knows... It's definitely still an issue with multi client/multi WAN.

RHLinux

Offline jimp

  • Administrator
Re: OpenVPN Issue with 2.4 upgrade
« Reply #11 on: November 13, 2017, 08:49:26 am »
> When will the devs pay attention to this?

When we have some solid evidence other than vague reports that it's broken with barely any detail. I have probably 30-40 OpenVPN instances between my lab and live boxes, a mix of clients, servers, multi-WAN, routing protocols, you name it. I have yet to see this happen. About the only thing I don't have is a connection to an external VPN provider. I have simulated one internally, but I don't subscribe to any public ones.

We're going to need a lot more detail about the specific configurations in play here on both sides when it happens, more details from the logs, OS routing tables, anything that might be relevant.

Offline cosmoxl

Re: OpenVPN Issue with 2.4 upgrade
« Reply #12 on: November 13, 2017, 07:29:41 pm »
> > When will the devs pay attention to this?
>
> When we have some solid evidence other than vague reports that it's broken with barely any detail. I have probably 30-40 OpenVPN instances between my lab and live boxes, a mix of clients, servers, multi-WAN, routing protocols, you name it. I have yet to see this happen. About the only thing I don't have is a connection to an external VPN provider. I have simulated one internally, but I don't subscribe to any public ones.
>
> We're going to need a lot more detail about the specific configurations in play here on both sides when it happens, more details from the logs, OS routing tables, anything that might be relevant.

OK.  In another thread a user gave me the tip that solves the problem - that is to stop specifying a different IP address to ping for gateway monitoring.  That fixed the problem for me.

Perhaps that helps you understand the problem.

Offline amires

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: OpenVPN Issue with 2.4 upgrade
« Reply #13 on: November 14, 2017, 02:20:22 am »
I have this problem too. Since upgrading to pfSense 2.4.x my OpenVPN client stays connected until a change in WAN is detected (cable disconnect, IP change, etc.); after that it starts giving out ifconfig errors and it won't connect anymore unless I reboot my pfSense box. The problem seems to be VPN routes are not being deleted when the VPN goes down. I went back to 2.3.4 and the problem is gone. I will stay on 2.3.4 until this is fixed.
« Last Edit: November 14, 2017, 02:32:31 am by amires »

Offline amires

Re: OpenVPN Issue with 2.4 upgrade
« Reply #14 on: November 14, 2017, 02:31:10 am »

> OK.  In another thread a user gave me the tip that solves the problem - that is to stop specifying a different IP address to ping for gateway monitoring.  That fixed the problem for me.
>
> Perhaps that helps you understand the problem.

What different IP should we use? I am using 10.4.0.1 which is gateway of AirVPN provider.