Text only | Text with Images

OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Palthron on May 02, 2018, 12:17:00 PM

Title: [SOLVED] OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 02, 2018, 12:17:00 PM
Hi all. First post here, asking for directions.


So I have a very basic network, with 1 WAN and the router acting as VPN client for provider Express VPN (2 actually, but I believe the number is irrelevant to the case).
My VPN kept disconnecting with the following notice :
Code Select
[ There were error(s) loading the rules: no IP address found for ovpnc2:0 - The line in question reads [0]: ]
I copied the VPN log and it came up with these :



16:48:45   openvpn[58525]   auth_user_pass_verify_script_via_file = DISABLED
16:48:45   openvpn[58525]   auth_token_generate = DISABLED
16:48:45   openvpn[58525]   auth_token_lifetime = 0
16:48:45   openvpn[58525]   port_share_host = '[UNDEF]'
16:48:45   openvpn[58525]   port_share_port = '[UNDEF]'
16:48:45   openvpn[58525]   client = ENABLED
16:48:45   openvpn[58525]   pull = ENABLED
16:48:45   openvpn[58525]   auth_user_pass_file = '/var/etc/openvpn/client2.up'
16:48:45   openvpn[58525]   OpenVPN 2.4.5 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 20 2018
16:48:45   openvpn[58525]   library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
16:48:45   openvpn[59061]   MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
16:48:45   openvpn[59061]   WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
16:48:45   openvpn[59061]   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
16:48:45   openvpn[59061]   Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:45   openvpn[59061]   Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:45   openvpn[59061]   LZO compression initializing
16:48:45   openvpn[59061]   Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
16:48:46   openvpn[59061]   Data Channel MTU parms [ L:1626 D:1450 EF:126 EB:407 ET:0 EL:3 ]
16:48:46   openvpn[59061]   Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
16:48:46   openvpn[59061]   Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
16:48:46   openvpn[59061]   Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
16:48:46   openvpn[59061]   TCP/UDP: Preserving recently used remote address: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
16:48:46   openvpn[59061]   Socket Buffers: R=[42080->524288] S=[57344->524288]
16:48:46   openvpn[59061]   UDP link local (bound): [AF_INET]My_Public_WAN_IP:0
16:48:46   openvpn[59061]   UDP link remote: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
16:48:46   openvpn[59061]   TLS: Initial packet from [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port, sid=47918575 aca364c4
16:48:46   openvpn[59061]   WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
16:48:46   openvpn[59061]   VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
16:48:46   openvpn[59061]   VERIFY OK: nsCertType=SERVER
16:48:46   openvpn[59061]   VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-385-1a, emailAddress=support@expressvpn.com
16:48:46   openvpn[59061]   VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-385-1a, emailAddress=support@expressvpn.com
16:48:47   openvpn[59061]   Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
16:48:47   openvpn[59061]   [Server-385-1a] Peer Connection Initiated with [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
16:48:48   openvpn[59061]   SENT CONTROL [Server-385-1a]: 'PUSH_REQUEST' (status=1)
16:48:48   openvpn[59061]   PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.1.110 10.167.1.109'
16:48:48   openvpn[59061]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   OPTIONS IMPORT: timers and/or timeouts modified
16:48:48   openvpn[59061]   OPTIONS IMPORT: --ifconfig/up options modified
16:48:48   openvpn[59061]   Data Channel MTU parms [ L:1606 D:1450 EF:106 EB:407 ET:0 EL:3 ]
16:48:48   openvpn[59061]   Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
16:48:48   openvpn[59061]   Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:48   openvpn[59061]   Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
16:48:48   openvpn[59061]   Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:48   openvpn[59061]   TUN/TAP device ovpnc2 exists previously, keep at program end
16:48:48   openvpn[59061]   TUN/TAP device /dev/tun2 opened
16:48:48   openvpn[59061]   do_ifconfig, tt->did_ifconfig_ipv6_setup=0
16:48:48   openvpn[59061]   /sbin/ifconfig ovpnc2 10.167.1.110 10.167.1.109 mtu 1500 netmask 255.255.255.255 up
16:48:48   openvpn[59061]   /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc2 1500 1606 10.167.1.110 10.167.1.109 init

Other than some misconfigurations, I can not find what was causing the disconnections. Or did I took the wrong log?

Any pointers would be greatly appreciated, thank you.
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: guest15389 on May 02, 2018, 01:13:41 PM
Can you share more of the VPN Client setup? I actually use ExpressVPN and haven't had any issues. I've been running it for 4-5 months now.
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 02, 2018, 08:27:37 PM
Thanks for the reply!

Here's my config (Minus CA and Client certificate, or are they necessary for troubleshooting?)

Interface
(https://i.imgur.com/3YsYPAP.png)
Gateway
(https://i.imgur.com/7zZfiA2.png)
Client configurations
(https://i.imgur.com/TgVHfc4.png)
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 02, 2018, 08:43:12 PM
Apparently even though the Dashboard displays the error message Unable to contact daemon. Service not running?, I can still use the connection. This is different from my previous experience : the status says the same thing and the connection was actually cut off.

The process is there for me to see using SSH
Code Select
11763  0.0  0.1 1080528 2832  0  R+   01:46   0:00.00 grep openvpn
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: guest15389 on May 03, 2018, 03:26:27 PM
It doesn't seem like it's connecting but when I compared through, I can't see anything that looks off to me based on how to setup ExpressVPN. I don't think you ever make a connection at all and it just keeps spinning as it's not connecting at all.

The cert looks ok and it's authenticating on the connection.

There are some options errors:
16:48:48   openvpn[59061]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])

Maybe try to yank the advanced stuff and I have the dont/add remove routes clicked on my config as well. See if we can get the option errors to go away.

You are able to test with another client and user name / password and the IP you are connecting to all works to rule out the simple checks?
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 03, 2018, 08:42:54 PM
I should have mention this in the original post, but I have made it so that the DHCP clients using the VPN gateway should not fallback to WAN connection on VPN failure.

Another thing I crossed off the list is the VPN provider stability. I used its desktop client on my workstation, pinging a remote server on the background while downloading some ISOs, and leave it for about 30 minutes. I found no disconnection at all. Immediately afterwards, I reconnect the VPN through OPNSense and it disconnects within 5 minutes (Along with the same traffic tests on the background).

Quote from: Animosity022 on May 03, 2018, 03:26:27 PMIt doesn't seem like it's connecting but when I compared through, I can't see anything that looks off to me based on how to setup ExpressVPN.
I am glad I can cross misconfigurations off the list.

Quote from: Animosity022 on May 03, 2018, 03:26:27 PMI don't think you ever make a connection at all and it just keeps spinning as it's not connecting at all.
I see, but I believe it actually connects at router's boot. It's just that after a while (About 5-10 minutes after the router boots) they disconnects. If this is somehow caused by the WAN dropping (maybe), the VPN connection should have fail but immediately retry getting itself back.

Actually while I was writing the reply above, I decided to just test that theory :
1. I reboot the router
2. Confirm that all VPN connections has been established, used them for browsing and all
3. Yanked the physical WAN cable
4. Wait 10 seconds
5. Reconnected the physical WAN cable
6. Wait maybe 1 minute
7. Check all interface : All up and usable.
8. The VPN connection dropped once more within maybe 10 minutes.

At least I can cross off WAN dropping as a cause.

Quote from: Animosity022 on May 03, 2018, 03:26:27 PMThe cert looks ok and it's authenticating on the connection.

There are some options errors:


16:48:48   openvpn[59061]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])

Maybe try to yank the advanced stuff and I have the dont/add remove routes clicked on my config as well. See if we can get the option errors to go away.
I will do that and report back as soon as I am able.

Quote from: Animosity022 on May 03, 2018, 03:26:27 PMYou are able to test with another client and user name / password and the IP you are connecting to all works to rule out the simple checks?
Did you mean another VPN provider? If so, I don't have one at the moment but I could spin up a trial. If what you meant was another account on the same VPN provider (ExpressVPN), I think I can borrow someone's account. The address that I am connecting to was a domain(singapore-cbd-ca-version-2.expressnetw.com), but I did test them using an IP I got from resolving the domain (There was 2 IP and I  tried them both with no effect).




Apparently the router got scared of being replaced, the VPN connection (both of them, I have two) has been stable for the last 9 hours and 20 minutes. While this is weird (And might point to a VPN server side problem), I still hope I can pinpoint the problem or at least replicate them for future reference.

Thank you!
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 03, 2018, 09:47:23 PM
Now this might be interesting. I just got this on my log on disconnection :
Code Select
auth_token_lifetime = 0
port_share_host = '[UNDEF]'
port_share_port = '[UNDEF]'
client = ENABLED
pull = ENABLED
auth_user_pass_file = '/var/etc/openvpn/client2.up'
OpenVPN 2.4.5 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 20 2018
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
LZO compression initializing
Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1626 D:1450 EF:126 EB:407 ET:0 EL:3 ]
Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
TCP/UDP: Preserving recently used remote address: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
Socket Buffers: R=[42080->524288] S=[57344->524288]
UDP link local (bound): [AF_INET]My_Public_WAN_IP:0
UDP link remote: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
TLS: Initial packet from [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port, sid=bea62638 56c83ace
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
MANAGEMENT: CMD 'state all'
MANAGEMENT: Client disconnected
VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
VERIFY OK: nsCertType=SERVER
VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-384-2a, emailAddress=support@expressvpn.com
VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-384-2a, emailAddress=support@expressvpn.com
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[Server-384-2a] Peer Connection Initiated with [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
SENT CONTROL [Server-384-2a]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.188.0.1,route 10.188.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.188.0.126 10.188.0.125'
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
Data Channel MTU parms [ L:1606 D:1450 EF:106 EB:407 ET:0 EL:3 ]
Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
TUN/TAP device ovpnc2 exists previously, keep at program end
Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
Exiting due to fatal error
ENT CONTROL [Server-668-1a]: 'PUSH_REQUEST' (status=1)


It happened when the WAN (Not VPN) traffic was under high load.
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on October 21, 2018, 11:15:04 PM
Really sorry that I forgot to close my issue. A backup of all configuration, OPNSense reinstall, and full config restore fixes this when I was migrating my installation.
Text only | Text with Images