OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Palthron on May 02, 2018, 12:17:00 pm

Title: [SOLVED] OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 02, 2018, 12:17:00 pm
Hi all. First post here, asking for directions.


So I have a very basic network, with 1 WAN and the router acting as VPN client for provider Express VPN (2 actually, but I believe the number is irrelevant to the case).
My VPN kept disconnecting with the following notice:

[ There were error(s) loading the rules: no IP address found for ovpnc2:0 - The line in question reads [0]: ]

I copied the VPN log and it came up with these:

16:48:45   openvpn[58525]   auth_user_pass_verify_script_via_file = DISABLED
16:48:45   openvpn[58525]   auth_token_generate = DISABLED
16:48:45   openvpn[58525]   auth_token_lifetime = 0
16:48:45   openvpn[58525]   port_share_host = '[UNDEF]'
16:48:45   openvpn[58525]   port_share_port = '[UNDEF]'
16:48:45   openvpn[58525]   client = ENABLED
16:48:45   openvpn[58525]   pull = ENABLED
16:48:45   openvpn[58525]   auth_user_pass_file = '/var/etc/openvpn/client2.up'
16:48:45   openvpn[58525]   OpenVPN 2.4.5 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 20 2018
16:48:45   openvpn[58525]   library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
16:48:45   openvpn[59061]   MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
16:48:45   openvpn[59061]   WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
16:48:45   openvpn[59061]   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
16:48:45   openvpn[59061]   Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:45   openvpn[59061]   Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:45   openvpn[59061]   LZO compression initializing
16:48:45   openvpn[59061]   Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
16:48:46   openvpn[59061]   Data Channel MTU parms [ L:1626 D:1450 EF:126 EB:407 ET:0 EL:3 ]
16:48:46   openvpn[59061]   Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
16:48:46   openvpn[59061]   Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
16:48:46   openvpn[59061]   Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
16:48:46   openvpn[59061]   TCP/UDP: Preserving recently used remote address: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
16:48:46   openvpn[59061]   Socket Buffers: R=[42080->524288] S=[57344->524288]
16:48:46   openvpn[59061]   UDP link local (bound): [AF_INET]My_Public_WAN_IP:0
16:48:46   openvpn[59061]   UDP link remote: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
16:48:46   openvpn[59061]   TLS: Initial packet from [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port, sid=47918575 aca364c4
16:48:46   openvpn[59061]   WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
16:48:46   openvpn[59061]   VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
16:48:46   openvpn[59061]   VERIFY OK: nsCertType=SERVER
16:48:46   openvpn[59061]   VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-385-1a, emailAddress=support@expressvpn.com
16:48:46   openvpn[59061]   VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-385-1a, emailAddress=support@expressvpn.com
16:48:47   openvpn[59061]   Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
16:48:47   openvpn[59061]   [Server-385-1a] Peer Connection Initiated with [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
16:48:48   openvpn[59061]   SENT CONTROL [Server-385-1a]: 'PUSH_REQUEST' (status=1)
16:48:48   openvpn[59061]   PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.1.110 10.167.1.109'
16:48:48   openvpn[59061]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   OPTIONS IMPORT: timers and/or timeouts modified
16:48:48   openvpn[59061]   OPTIONS IMPORT: --ifconfig/up options modified
16:48:48   openvpn[59061]   Data Channel MTU parms [ L:1606 D:1450 EF:106 EB:407 ET:0 EL:3 ]
16:48:48   openvpn[59061]   Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
16:48:48   openvpn[59061]   Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:48   openvpn[59061]   Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
16:48:48   openvpn[59061]   Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
16:48:48   openvpn[59061]   TUN/TAP device ovpnc2 exists previously, keep at program end
16:48:48   openvpn[59061]   TUN/TAP device /dev/tun2 opened
16:48:48   openvpn[59061]   do_ifconfig, tt->did_ifconfig_ipv6_setup=0
16:48:48   openvpn[59061]   /sbin/ifconfig ovpnc2 10.167.1.110 10.167.1.109 mtu 1500 netmask 255.255.255.255 up
16:48:48   openvpn[59061]   /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc2 1500 1606 10.167.1.110 10.167.1.109 init

Other than some misconfigurations, I cannot find what was causing the disconnections. Or did I take the wrong log?

Any pointers would be greatly appreciated, thank you.
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: guest15389 on May 02, 2018, 01:13:41 pm
Can you share more of the VPN Client setup? I actually use ExpressVPN and haven't had any issues. I've been running it for 4-5 months now.
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 02, 2018, 08:27:37 pm
Thanks for the reply!

Here's my config (Minus CA and Client certificate, or are they necessary for troubleshooting?)

Interface
(https://i.imgur.com/3YsYPAP.png)
Gateway
(https://i.imgur.com/7zZfiA2.png)
Client configurations
(https://i.imgur.com/TgVHfc4.png)
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 02, 2018, 08:43:12 pm
Apparently even though the Dashboard displays the error message "Unable to contact daemon. Service not running?", I can still use the connection. This is different from my previous experience: the status said the same thing and the connection was actually cut off.

The process is there for me to see using SSH:
11763  0.0  0.1 1080528 2832  0  R+   01:46   0:00.00 grep openvpn
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: guest15389 on May 03, 2018, 03:26:27 pm
It doesn't seem like it's connecting but when I compared through, I can't see anything that looks off to me based on how to set up ExpressVPN. I don't think you ever make a connection at all and it just keeps spinning as it's not connecting at all.

The cert looks ok and it's authenticating on the connection.

There are some options errors:
16:48:48   openvpn[59061]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])

Maybe try to yank the advanced stuff; I have the "Don't add/remove routes" option clicked on my config as well. See if we can get the option errors to go away.

You are able to test with another client and user name / password and the IP you are connecting to all works to rule out the simple checks?
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 03, 2018, 08:42:54 pm
I should have mentioned this in the original post, but I have made it so that the DHCP clients using the VPN gateway should not fall back to the WAN connection on VPN failure.

Another thing I crossed off the list is the VPN provider's stability. I used its desktop client on my workstation, pinging a remote server in the background while downloading some ISOs, and left it for about 30 minutes. I found no disconnection at all. Immediately afterwards, I reconnected the VPN through OPNSense and it disconnected within 5 minutes (along with the same traffic tests in the background).

It doesn't seem like it's connecting but when I compared through, I can't see anything that looks off to me based on how to set up ExpressVPN.
I am glad I can cross misconfigurations off the list.

I don't think you ever make a connection at all and it just keeps spinning as it's not connecting at all.
I see, but I believe it actually connects at the router's boot. It's just that after a while (about 5-10 minutes after the router boots) they disconnect. If this were somehow caused by the WAN dropping (maybe), the VPN connection should have failed but immediately retried to get itself back.

Actually while I was writing the reply above, I decided to just test that theory:
1. I rebooted the router
2. Confirmed that all VPN connections had been established, used them for browsing and all
3. Yanked the physical WAN cable
4. Waited 10 seconds
5. Reconnected the physical WAN cable
6. Waited maybe 1 minute
7. Checked all interfaces: all up and usable.
8. The VPN connection dropped once more within maybe 10 minutes.

At least I can cross off WAN dropping as a cause.

The cert looks ok and it's authenticating on the connection.

There are some options errors:
16:48:48   openvpn[59061]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])

Maybe try to yank the advanced stuff; I have the "Don't add/remove routes" option clicked on my config as well. See if we can get the option errors to go away.
I will do that and report back as soon as I am able.

You are able to test with another client and user name / password and the IP you are connecting to all works to rule out the simple checks?
Did you mean another VPN provider? If so, I don't have one at the moment but I could spin up a trial. If what you meant was another account on the same VPN provider (ExpressVPN), I think I can borrow someone's account. The address that I am connecting to was a domain (singapore-cbd-ca-version-2.expressnetw.com), but I did test them using an IP I got from resolving the domain (there were 2 IPs and I tried them both with no effect).

Apparently the router got scared of being replaced: the VPN connections (both of them, I have two) have been stable for the last 9 hours and 20 minutes. While this is weird (and might point to a VPN server side problem), I still hope I can pinpoint the problem or at least replicate them for future reference.

Thank you!
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on May 03, 2018, 09:47:23 pm
Now this might be interesting. I just got this in my log on disconnection:
auth_token_lifetime = 0
port_share_host = '[UNDEF]'
port_share_port = '[UNDEF]'
client = ENABLED
pull = ENABLED
auth_user_pass_file = '/var/etc/openvpn/client2.up'
OpenVPN 2.4.5 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 20 2018
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
LZO compression initializing
Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1626 D:1450 EF:126 EB:407 ET:0 EL:3 ]
Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
TCP/UDP: Preserving recently used remote address: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
Socket Buffers: R=[42080->524288] S=[57344->524288]
UDP link local (bound): [AF_INET]My_Public_WAN_IP:0
UDP link remote: [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
TLS: Initial packet from [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port, sid=bea62638 56c83ace
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
MANAGEMENT: CMD 'state all'
MANAGEMENT: Client disconnected
VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
VERIFY OK: nsCertType=SERVER
VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-384-2a, emailAddress=support@expressvpn.com
VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-384-2a, emailAddress=support@expressvpn.com
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[Server-384-2a] Peer Connection Initiated with [AF_INET]VPN_Interface_IP_Address:VPN_Interface_Port
SENT CONTROL [Server-384-2a]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.188.0.1,route 10.188.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.188.0.126 10.188.0.125'
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
Data Channel MTU parms [ L:1606 D:1450 EF:106 EB:407 ET:0 EL:3 ]
Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
TUN/TAP device ovpnc2 exists previously, keep at program end
Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
Exiting due to fatal error
ENT CONTROL [Server-668-1a]: 'PUSH_REQUEST' (status=1)


It happened when the WAN (Not VPN) traffic was under high load.
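An added triage script, not from this thread or from OPNsense, that runs over client log lines like the ones pasted above and separates the refused PUSH options (the tunnel still comes up) from the fatal tun-device error that actually ends the session. The sample lines are constructed after the logs in this thread.

```python
import re

# Constructed sample lines, modelled on the OpenVPN 2.4 client log quoted in this thread.
SAMPLE_LOG = """\
16:48:48   openvpn[59061]   PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.1.110 10.167.1.109'
16:48:48   openvpn[59061]   Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
16:48:48   openvpn[59061]   TUN/TAP device ovpnc2 exists previously, keep at program end
16:48:48   openvpn[59061]   Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
16:48:48   openvpn[59061]   Exiting due to fatal error
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
REJECT_RE = re.compile(r"Options error: option '([^']+)' cannot be used in this context")
TUN_RE = re.compile(r"Cannot open TUN/TAP dev (\S+): (.*?) \(errno=(\d+)\)")
FATAL_RE = re.compile(r"Exiting due to fatal error")


def parse_push_reply(line):
    """Return the PUSH_REPLY as a list of (option, arguments) pairs, or [] for other lines."""
    m = PUSH_RE.search(line)
    if not m:
        return []
    pushed = []
    for item in m.group(1).split(","):
        name, _, args = item.strip().partition(" ")
        pushed.append((name, args))
    return pushed


def triage(log_text):
    """Summarise one client session: what the server pushed, what the client
    refused, and whether the process died and why."""
    report = {"pushed": [], "rejected": [], "fatal": None, "verdict": "ok"}
    for line in log_text.splitlines():
        report["pushed"].extend(parse_push_reply(line))
        m = REJECT_RE.search(line)
        if m:  # pushed option refused because the client config disallows it (e.g. route-nopull)
            report["rejected"].append(m.group(1))
        m = TUN_RE.search(line)
        if m:  # tun device still held by another process, typically an earlier instance
            report["fatal"] = f"{m.group(1)}: {m.group(2)} (errno={m.group(3)})"
    if FATAL_RE.search(log_text):
        report["verdict"] = "fatal"      # process exited; the tunnel is down
    elif report["rejected"]:
        report["verdict"] = "degraded"   # tunnel up, but pushed routes/DNS were dropped
    return report
```

Run `triage()` over a full restart cycle from the OpenVPN log to see whether the drop ends in a refused-options warning or in the busy-device exit.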
Title: Re: OPNSense as OpenVPN Client kept disconnecting
Post by: Palthron on October 21, 2018, 11:15:04 pm
Really sorry that I forgot to close my issue. A backup of all configuration, an OPNSense reinstall, and a full config restore fixed this when I was migrating my installation.