[SOLVED] OpenVPN will not start on 18.1.r1

Started by elektroinside, January 12, 2018, 07:50:34 PM

January 12, 2018, 07:50:34 PM Last Edit: January 13, 2018, 10:44:59 AM by franco
Franco, switched to devel, upgraded to rc1  ;D
Just couldn't wait  ::)

But now.. OpenVPN server will not start:


Jan 12 20:46:02 openvpn[56490]: Use --help for more information.
Jan 12 20:46:02 openvpn[56490]: Options error: --verify-client-cert none|optional must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin
Jan 12 20:46:02 openvpn[56490]: DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member
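
Added example (not part of the original thread or of OPNsense's code): a small Python check for the condition the log above reports, namely client certificate verification relaxed without one of the three alternative authentication mechanisms the error names. The function names, sample configs and paths are constructed for illustration.

```python
import shlex

# Directives that give the server another way to authenticate clients,
# as listed in the "Options error" line of the log above.
ALT_AUTH = {"management-client-auth", "auth-user-pass-verify", "plugin"}

def parse_directives(text):
    """Return (name, args) for every directive in an OpenVPN config."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            out.append((tokens[0].lstrip("-"), tokens[1:]))
    return out

def lint(text):
    """Return findings; an empty list means the config passes the check."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    findings, relaxed = [], False
    for name, args in directives:
        if name == "client-cert-not-required":   # deprecated spelling of "none"
            findings.append("deprecated: client-cert-not-required")
            relaxed = True
        elif name == "verify-client-cert" and args[:1] in (["none"], ["optional"]):
            relaxed = True
    if relaxed and not (names & ALT_AUTH):
        findings.append("error: client certs not required, no other auth method")
    return findings

# Constructed sample configs (paths are placeholders, not OPNsense paths).
BROKEN = """
dev tun
ca /path/to/ca.crt
client-cert-not-required
"""
USERPASS = """
dev tun
verify-client-cert none   # clients log in with username/password instead
auth-user-pass-verify /path/to/check-login.sh via-env
"""
STRICT = "dev tun\nverify-client-cert require\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("userpass", USERPASS), ("strict", STRICT)):
        print(label, lint(cfg) or "ok")
```
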

Hi there,

Whoops, try this then: https://github.com/opnsense/core/commit/0ec330d7

Apply via console...

# opnsense-patch 0ec330d7


Cheers,
Franco

Yep, this did it, fixed.

P.S. The support here is incredible!  :)

Thank you!


Thanks guys!

@elektroinside

Can you try this patch on top? https://github.com/opnsense/core/commit/d215ab49

# opnsense-patch d215ab49

(rerun again to remove if not working)

@mimugmail

Same error or different one? It's important.

Hi Franco,

I did, but cannot tell if it's working because:


  • My alias resolution stopped working for some reason
  • Every time I reboot, I also need to restart pf in order to get the DNS resolution working

I was investigating this until I saw your post, I'll remove the alias rule to test the VPN patch and get back with the results.

In the meantime, do you have any idea why pf is behaving like this? The alias issue also could be a problem from pf?

Thanks.

January 13, 2018, 11:58:20 AM #6 Last Edit: January 13, 2018, 12:00:24 PM by elektroinside
Confirming that d215ab49 vpn patch works fine:

  • VPN clients connected
  • Internet connection up & running (my server has "redirect gateway" enabled)
  • Local clients browsable (on the vpn server side)

Issues remaining on my side: the alias resolution and the strange need to restart pf after OPNsense reboot...

Update:

https://github.com/opnsense/core/commit/60e4e8080 seems to have fixed the alias problem.

I still need to restart pf in order to get the internet working...

What kind of WAN link do you use? Does this affect IPv4 and IPv6 or just one of them? Can you ping the Internet from the OPNsense box before restarting pf?


Cheers,
Franco

Quote from: franco on January 13, 2018, 12:37:48 PM
What kind of WAN link do you use? Does this affect IPv4 and IPv6 or just one of them? Can you ping the Internet from the OPNsense box before restarting pf?


Cheers,
Franco
It's a PPPoE link. Disabling IPv6 on the WAN didn't help, so IPv4 for sure is affected. I can reproduce every time.

I can ping from the OPNsense box, I can't from the LAN clients, not until I restart pf. This was not an issue with 17.7.11 (latest stable from the 17 branch, I guess this is it).


So..


Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From 50e53ab4a0698f08c21f1b8efefb10622224483a Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Sat, 16 Sep 2017 17:57:46 +0200
|Subject: [PATCH] interfaces: reload filter before reloading plugins for
| connectivity
|
|PR: https://forum.opnsense.org/index.php?topic=4727.0
|PR: https://github.com/opnsense/core/issues/1403
|---
| src/etc/rc.newwanip   | 7 ++++---
| src/etc/rc.newwanipv6 | 7 ++++---
| 2 files changed, 8 insertions(+), 6 deletions(-)
|
|diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip
|index 8271b8476..486d3e2a5 100755
|--- a/src/etc/rc.newwanip
|+++ b/src/etc/rc.newwanip
--------------------------
Patching file etc/rc.newwanip using Plan A...
Reversed (or previously applied) patch detected!  Assuming -R.
Hunk #1 succeeded at 162.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6
|index 6d1259713..1438c4f51 100755
|--- a/src/etc/rc.newwanipv6
|+++ b/src/etc/rc.newwanipv6
--------------------------
Patching file etc/rc.newwanipv6 using Plan A...
Reversed (or previously applied) patch detected!  Assuming -R.
Hunk #1 succeeded at 143.
done
All patches have been applied successfully.  Have a nice day.



After applying the patch, I logged in to the GUI. After ~30 secs I got logged out automatically (something has restarted/reloaded stuff which logged me out) from the GUI, but on the other hand, on the LAN side things started to work again without pf restart.

And so I reapplied the patch, and back to the issue, reproduced again.

And so I removed the patch once again (basically trying again what you previously asked me, removing the patch).
It didn't work this time. I did not get logged out from the GUI and I still needed to restart pf...

Sounds like a timing issue, your PPPoE could be slow to receive an IP initially. I don't think the GUI logout is related.

Are you using OpenVPN, IPsec or Dynamic DNS?

If you don't mind, from just having fixed the non-working state, I would like to inspect the diff of the generated rules:

# diff -u /tmp/rules.debug{.old,}


Cheers,
Franco

PS: Meh, this thread started with talk about OpenVPN... Are you using OpenVPN to push LAN traffic elsewhere?