OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: Joergen on February 04, 2019, 03:08:37 pm
-
Hey there
I am a very happy user of OPN for aprox 2 years now. However, I am not a programmer. I am using the firewall via the webguide. I have set up VPN according to the guide “Setup SSL VPN Road Warrior” and use Visocity to connect from remote locations. I use two factor login with google Autentificering as described in the guide.
Until now it has worked fantastic. I could stay online on VPN for hours without problems. The Firewall is an A10 from Deciso.
After the latest updates – the VNP connection have started to drop. Its not at a specific time some times after 5 min other times after 20 minutes or more.
I have checked Renegoation time on the server side – its still set to 0. I have not changed anything in the setup the last 6 month - everything is how it used to be.
The logs looks like this
____
Viscosity
feb 04 13:49:25: [SSLVPN Server Certificate 2018] Inactivity timeout (--ping-restart), restarting
feb 04 13:49:25: SIGUSR1[soft,ping-restart] received, process restarting
feb 04 13:49:26: Tilstand ændret til Forbinder
Opnsense
Feb 4 13:49:28 openvpn[89317]: XX.XX.XX.XX:43026 [USERXX] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:43026
Feb 4 13:49:28 openvpn[89317]: XX.XX.XX.XX:43026 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 4 13:49:28 openvpn[89317]: XX.XX.XX.XX:43026 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Feb 4 13:49:28 openvpn: user 'USERXX' could not authenticate.
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_GUI_VER=Viscosity_1.7.14_1595
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_TCPNL=1
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_COMP_STUBv2=1
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_COMP_STUB=1
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_LZO=1
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_LZ4v2=1
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_LZ4=1
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_NCP=2
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_PROTO=2
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_PLAT=win
Feb 4 13:49:27 openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_VER=2.4.6
Feb 4 13:48:32 openvpn[89317]: Initialization Sequence Completed
Feb 4 13:48:32 openvpn[89317]: UDPv4 link remote: [AF_UNSPEC]
Feb 4 13:48:32 openvpn[89317]: UDPv4 link local (bound): [AF_INET]5.103.15.154:1194
Feb 4 13:48:32 openvpn[89317]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Feb 4 13:48:31 openvpn[89317]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1622 10.10.0.1 10.10.0.2 init
Feb 4 13:48:31 openvpn[89317]: /sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.255 up
________
Any ideas what could be wrong.
I doubt there is anything with my connections. I have a very stabil fiber in both ends.
Best regards
Joergen
-
Hi,
Same here, added some options. I can do this because I have only one road user. This does not work with more users I think.
- Fase1:
- Dead Peer Detection: 20/5
- enabled: Disable Rekey
- enabled: Disable Reauth
- Fase2:
- Automatically ping host: to host on other side
Hope it will be fixed soon.
Herwin Jan
-
Any other solutions for more users. Is it something that will be fixed in 19.1.1?
Joergen
-
Same here...
The VPN connection drops latest after 20 minutes.
The logs from the web gui are looking like this:
Feb 5 13:00:55 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: (Success) No change in IP address
Feb 5 13:00:55 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /var/cache/dyndns_wan_bg-net.dyndns.org_0.cache: ***
Feb 5 13:00:50 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Feb 5 13:00:50 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns2'
Feb 5 13:00:49 kernel: ovpns2: link state changed to UP
Feb 5 13:00:44 kernel: ovpns2: link state changed to DOWN
Feb 5 13:00:44 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '***'
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to ***
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv6 default gateway set to wan
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
Feb 5 13:00:39 opnsense: /usr/local/etc/rc.newwanip: On (IP address: ***) (interface: WAN[wan]) (real interface: re1_vlan10).
Feb 5 13:00:39 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 're1_vlan10'
This is realy annoying if you are using TOTP for your vpn user account.
My Viscosity logs looks the same as Joergen's
Is it an opnsense 19.1 thing?
I am running opnsense with an apu1d from pc-engines since multiple years without any issues (thanks for that!!)
-
Hi all, I don't have an answer here just a heads up :P
The server is setup to use 2FA.
My connection drops after one hour, nothing changed with 19.1, it has always done this because standard renegotiation time is 3600 secs.
I'm connecting (CLI , no manager) with my (Arch) machine and it has 'auth-nocache', so I need to authenticate after.. 3600 secs. because it doesn't cache these credentials for better security of course...
You could to set renegotiation time to a higher number, however keep in mind they are there for a reason (3600 secs.) If you do change it both server & client need to be 'aware'
Greetings, mark
-
thanks. Both server and client have renegotiation time of 0 (so it should be disabled).
I set up my server and client like it is described in https://docs.opnsense.org/manual/how-tos/sslvpn_client.html (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html)
-
Maybe try ' keepalive reneg-sec 0' ...
-
This client setting didn't change anything.
The interface on the serverside gets its state changed every 20 minute.
The script that is running before (and while) the state changes is opnsense: /usr/local/etc/rc.newwanip
I just upgraded from 18.7.10_4 to 19.1 and 19.1.1.
This is the only config change...
Could this be something with the change to HardenedBSD? I stayd connected with the 18.7.x version over hours
-
Just updated to the new 19.1.1 version
The connection still drop after maximum 30 minuttes. Typical after around 22 minutes.
The logs still shows like in my first post over here.
I even tried to make a new export to Viscosity to see if it would help with a new export. Its the same problem.
The connection just drop.
Any solutions out there
Joergen
-
Hi, I would say there's something with the config, I don't know what is different on you guys side but there must be something
Because I would like to know if I could get beyond one hour I tried it, though, the easy way with NetworkManager & openvpn plugin which I installed for this test (ArchLinux), also without OTP because far as I can tell there's no working patch for that, anyway, no problem here it just keeps on running...
Using OTP will always drop the connection btw., I haven't tried but a reset of the connection may be necessary ;)
Greetings, mark
-
Hey Mark
If you take the time to read my first post you would see it has been working fine with OTP.
I made the setup in march 2017.
Only change since then is an update of the cerfificates in March 2018.
I use the vpn quite often and it has always been with OTP for the ekstra security.
In oktober 2018 I was away from my country and was working remotely via VPN. That time i had sessions up to 10 hours via VPN - there was no proplem at all - it just worked perfekt.
Just to see if there was a problem with Viscosity I tried to connect from my android device via open vnp to android.
Its the same problem the connection drops after some time because of inactivity in the certificate. Same message as when connecting via Viscosity. You can see the log in my first post.
So there most clearly be a bug in opnsense
Joergen
-
I have the same VPN issue with link DOWN/UP like tbandixen but in my case every 30 seconds with 19.1.1
Here it seams to be the WAN IP renewal sccript:
opnsense: /usr/local/etc/rc.newwanip
...
opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
kernel: ovpns1: link state changed to DOWN
kernel: ovpns1: link state changed to UP
opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
In my case I think first of all it's a DHCP issue of my ISP... it looks like IP lease time of 60s and renew time of 30s. But nevertheless, this ISP usse was probalby also present with 18.7 and it's no real public IP change. So why is a Resyncing of OpenVPN needed without real public IP change?
Regards
Adrian
-
Ok, I need to update my case... It is not just the VPN connection that drops, the whole WAN connection gets disconnected every 20 minutes (I watch TV over the internet and every 20 minutes the stream hangs, i have to rewind to build up the new stream).
It has to be something with DHCP and the rc.newwanip script that runs every 20 minutes...
How can I help to debug this issue?
-
After 10-20 minutes of uptime all incoming connections are blocked!
So, OpenVPN tunnels are dropped too, it was fine on 18.7.10 is it possible to downgrade may be?
19.1 seems to be very unstable
-
That is exactly what I also have monitored.
-
I can trigger the connection drop by manually executing /usr/local/etc/rc.newwanip
-
In my case (confirmed by ISP that WAN IP Renewal Time = 30 seconds) I get 2 VPN drops per minute.
Also the NTP service is not running: it get's a SIGTERM 15 every 30 seconds because of the rc.newwanip script.
-
I can confirm that it has something to do with automaticly renewal of WAN. Here on my box 19.1.1 it happens every 30 minutes. (13:00, 13:30 etc) And the same time all VPN connections are lost.
Thats why the VPN drops after 0 to 30 minutes - its depending on what time you connect.
It most be someting new in 19.1.
here is my log from the box
_______
Feb 6 13:00:06 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Feb 6 13:00:06 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
Feb 6 13:00:06 kernel: ovpns1: link state changed to UP
Feb 6 13:00:04 kernel: ovpns1: link state changed to DOWN
Feb 6 13:00:04 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway X.XXX.XX.XXX'
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to X.XXX.XX.XXX
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv6 default gateway set, assuming wan
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv4 default gateway set, assuming wan
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: On (IP address: X.XXX.XX.XXX) (interface: WAN[wan]) (real interface: em1).
Feb 6 13:00:02 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'em1'
______
Any idears for solutions??
Joergen
-
Is there an easy and fast way to return to 18.7
Joergen
-
I think you are onto something here.
Upon renewing the WAN IP, connections get dropped, and VPN as well as dpinger and sometimes NTP die :-/
-
I think you are onto something here.
Upon renewing the WAN IP, connections get dropped, and VPN as well as dpinger and sometimes NTP die :-/
It's strange, for example i have static IP from my ISP, but! It should be requested over DHCP, and it works fine over the year on 18.* series.
I'll try to check newwanip script today evening...
-
According to github, the last changes where 5 month ago.
I think it has something to do with the switch to HardenedBSD, but I am absolutly not a unix guy...
-
Hey Mark
If you take the time to read my first post you would see it has been working fine with OTP.
I made the setup in march 2017.
Only change since then is an update of the cerfificates in March 2018.
I use the vpn quite often and it has always been with OTP for the ekstra security.
In oktober 2018 I was away from my country and was working remotely via VPN. That time i had sessions up to 10 hours via VPN - there was no proplem at all - it just worked perfekt.
Just to see if there was a problem with Viscosity I tried to connect from my android device via open vnp to android.
Its the same problem the connection drops after some time because of inactivity in the certificate. Same message as when connecting via Viscosity. You can see the log in my first post.
So there most clearly be a bug in opnsense
Joergen
Hi Joergen,
I know you were using OTP all that time, I was merely trying to find a cause/solution but I don't see drops in any way on my network.
I'm not able to track anything further besides what I tried already, hope you guys find a solution soon...
About it being a bug On OPNsense, could be, but I leave that for the devs to decide. ;)
Have a nice day, mark
-
Hey Mark
Thanks for the help.
Hope somebody find out. I am not a technician
Best regards
Joergen
-
What is the easiest way to downgrade?
New install of 18.x and restore config Backup?
-
What is the easiest way to downgrade?
New install of 18.x and restore config Backup?
Hi subivoodoo,
There is 'opnsense-revert' have a look at https://wiki.opnsense.org/manual/opnsense_tools.html
Greetings, mark
-
I was just going to reply the same as Mark
https://wiki.opnsense.org/manual/opnsense_tools.html?highlight=reverse
The only thing is I dont know if its possible to reverse from 19 to 18?? or its only possible inside the same series??
Regards
Joergen
-
I opened an issue on github:
https://github.com/opnsense/core/issues/3197
-
I was just going to reply the same as Mark
https://wiki.opnsense.org/manual/opnsense_tools.html?highlight=reverse
The only thing is I dont know if its possible to reverse from 19 to 18?? or its only possible inside the same series??
Regards
Joergen
On my box the downgrade fails, i.e. doesn't even start properly :(
Running on Intel CPU and NIC btw.
Update:
So far the patch seems to have fixed the issue with dropping connections and dead VPN/Dpinger/NTP. Will update tomorrow to report if it was stable throughout the night.
Update II:
Still no issues. Great! 8)
-
Finally... Fresh 18.7.10 setup, restore configs from backup, and i have working router...
-
The patch worked for me and I know now why the connection dropped every time.
I had "Firewall: Settings: Advanced: Dynamic state reset" active (Reset all states when a dynamic IP address changes.This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.)
But the IP didn't change, so this trigger shouldn't have been triggered.
# opnsense-patch c83bb8d
-
The patch works also for me!
-
The patch worked for me and I know now why the connection dropped every time.
I had "Firewall: Settings: Advanced: Dynamic state reset" active (Reset all states when a dynamic IP address changes.This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.)
But the IP didn't change, so this trigger shouldn't have been triggered.
# opnsense-patch c83bb8d
I have tried this patch. But without success, i have incoming connection block, not just drop, after every "IP change".
-
Hey All
I can confirm
# opnsense-patch c83bb8d
works. I have been online on VPN more than 2 hours now.
Just for info I have a fixed IP from my provider.
For my setup it seems to work fine again now. Hope there is some smart people who makes sure it will be included in the next update.
Thanks to all for helping solving the problem.
Regards
Joergen
-
We found the thing that causes this issue. For a temp solution until it gets included in 19.1.2 use this patch:
# opnsense-patch 90c0c395
-
Yep, seems to have solved the disconnects here. VPN stable since connection initiation for 8 hours now.
Thanks !
-
Thanks for the feedback. Well wrap this up in 19.1.2 and sorry for the trouble.
Cheers,
Franco