OPNsense Forum

English Forums => 18.7 Production Series => Topic started by: DanMc85 on July 12, 2018, 02:02:20 am

Title: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on July 12, 2018, 02:02:20 am
I decided to give the 18.7 r1 a try...

My OpenVPN servers are working perfectly....
However, my OpenVPN Client for Private Internet Access is not.

It will not connect, no configuration has changed and was working in 18.1.11.

The OpenVPN log shows the following:
Options error: --client-connect requires --mode server


client2.conf

dev ovpnc2
verb 4
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-client
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php client2"
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote us-newyorkcity.privateinternetaccess.com 501
auth-user-pass /var/etc/openvpn/client2.up
ca /var/etc/openvpn/client2.ca
comp-lzo no
passtos
route-nopull
resolv-retry infinite
reneg-sec 0
disable-occ
pull-filter ignore "auth-token"
topology net30


Any suggestions on how to resolve this?
- Dan
Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on July 12, 2018, 02:50:48 am
I figured out a temporary fix...
Made a OPNSense Configuration Backup File.
I deleted my OpenVPN Client for Private Internet Access


I commented out these lines in /usr/local/etc/inc/plugins.inc.d/openvpn.inc after chmod 777 of the file in the shell using the file edit feature in WinSCP. Then rebooted my OPNSense box. These lines started around line 620.

//        case 'p2p_tls':
//            // For non user auth types setup client specific overrides, user authenticated ones are commissioned
//            // using the auth script in option auth-user-pass-verify
//            $conf .= "client-connect \"/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php {$mode_id}\"\n";
//            break;

Then reloaded my backup OpenVPN configuration. It then connected.
Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on July 12, 2018, 11:47:43 am
Hi there,

Ah, thanks for testing and spotting this. The following should help: https://github.com/opnsense/core/commit/24f1d05c

# opnsense-patch 24f1d05c

Please confirm so we can fast-track this to RC2. :)


Thanks,
Franco
Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on July 12, 2018, 01:59:44 pm
Hi there,

Ah, thanks for testing and spotting this. The following should help: https://github.com/opnsense/core/commit/24f1d05c

# opnsense-patch 24f1d05c

Please confirm so we can fast-track this to RC2. :)


Thanks,
Franco

I reverted my // changes and tested your patch. All seems to be working for the moment! I will let you know if anything changes!

Now I just need to figure out why suricata.log hasn't been working in a long time...  always says operation is not supported by device or something like that.

- Dan

Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on July 12, 2018, 02:31:15 pm
Clear the log file once from the log file page and it should be back then. There were incompatible changes early in 18.1.x.


Cheers,
Franco
Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on July 12, 2018, 02:46:13 pm
Clear the log file once from the log file page and it should be back then. There were incompatible changes early in 18.1.x.


Cheers,
Franco
That worked! Thanks!

Sent from my SM-G892A using Tapatalk

Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on July 12, 2018, 09:53:17 pm
:)
Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: swingline on July 29, 2018, 05:02:53 pm
I figured out a temporary fix...
Made a OPNSense Configuration Backup File.
I deleted my OpenVPN Client for Private Internet Access


I commented out these lines in /usr/local/etc/inc/plugins.inc.d/openvpn.inc after chmod 777 of the file in the shell using the file edit feature in WinSCP. Then rebooted my OPNSense box. These lines started around line 620.

//        case 'p2p_tls':
//            // For non user auth types setup client specific overrides, user authenticated ones are commissioned
//            // using the auth script in option auth-user-pass-verify
//            $conf .= "client-connect \"/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php {$mode_id}\"\n";
//            break;

Then reloaded my backup OpenVPN configuration. It then connected.

I have been Down for weeks because of this I'm so grateful that you found this. I was pulling my hair out rerolled my VPS like 200 times thinking it was missing something with applying tunnelblick's xor patch.


Hi there,

Ah, thanks for testing and spotting this. The following should help: https://github.com/opnsense/core/commit/24f1d05c

# opnsense-patch 24f1d05c

Please confirm so we can fast-track this to RC2. :)


Thanks,
Franco

Thanks for pushing this change. I implemented this, and it works just fine.
Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on July 31, 2018, 09:20:52 pm
Yup, all sorted in 18.7. Thanks for testing!


Cheers,
Franco
Title: Re: OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on August 08, 2018, 09:48:25 pm
Yup, all sorted in 18.7. Thanks for testing!


Cheers,
Franco

Could these two error messages be related to this change we made?

Whenever I reset start my OPNSense box... it hangs on loading firewall rules.

I see these alert notices in the OPNSense GUI once it loads after like 15 minutes from reboot.

There were error(s) loading the rules: no IP address fround for ovpn3:network
There were error(s) loading the rules: no IP address fround for ovpn4:network

Unless there is somewhere I should look to edit a file to resolve this?  Might be a migration glitch as well.

- Dan
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on August 09, 2018, 11:03:04 am
When the firewall comes up but OpenVPN is not yet active this can happen.

Can you grep for me to be sure?

# grep 'ovpn[0-9].*:network' /tmp/rules.debug


Thanks,
Franco
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on August 14, 2018, 03:22:08 pm
When the firewall comes up but OpenVPN is not yet active this can happen.

Can you grep for me to be sure?

# grep 'ovpn[0-9].*:network' /tmp/rules.debug


Thanks,
Franco

Is it normal for that command to give no output (unless I am typing it wrong)?
18.7.1 - issue remains.
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on August 15, 2018, 01:55:41 pm
Can't be both oO

Let's widen the grep then...

# grep :network /tmp/rules.debug


Cheers,
Franco
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on August 15, 2018, 09:28:17 pm
Can't be both oO

Let's widen the grep then...

# grep :network /tmp/rules.debug


Cheers,
Franco

I found the grep command issue... anyways here is the output if it helps resolve this issue or maybe I have rules that I do not need.


nat on ovpns3 inet proto {tcp udp} from ovpns3:network to {PRIVATE IP ADDRESS OMITTED} port {53} -> ovpns3 port 1024:65535 # Redirect All Unknown DNS Servers to Internal DNS

nat on ovpns3 inet proto {tcp udp} from ovpns3:network to {127.0.0.1} port {123} -> ovpns3 port 1024:65535 # Redirect All Time Inquires to This Firewall

pass in quick on hn0 inet from {PRIVATE IP ADDRESS OMITTED} to {(ovpns3:network)} keep state label "USER_RULE: Allow Clients Access to Domain Controller on Remo..." # e459891a011793b7e3cb4f5070b1082b

pass in quick on hn0 inet from {(ovpns3:network)} to {(hn0:network)} keep state label "USER_RULE" # aa280ba13da6a0070fc7dff60ae496da


nat on ovpns4 inet proto {tcp udp} from ovpns4:network to {PRIVATE IP ADDRESS OMITTED} port {53} -> ovpns4 port 1024:65535 # Redirect All Unknown DNS Servers to Internal DNS

nat on ovpns4 inet proto {tcp udp} from ovpns4:network to {127.0.0.1} port {123} -> ovpns4 port 1024:65535 # Redirect All Time Inquires to This Firewall

pass in quick on hn0 inet from {PRIVATE IP ADDRESS OMITTED} to {(ovpns4:network)} keep state label "USER_RULE: Allow Clients Access to Domain Controller on Site..." # 9dbe6a70da2a9a5461f6f3e4e532ccde

pass in quick on hn0 inet from {(ovpns4:network)} to {(hn0:network)} keep state label "USER_RULE" # ffa36a87892035d410807c749bd6a3b9


pass out log route-to ( ovpnc2 PRIVATE IP ADDRESS OMITTED ) from {ovpnc2} to {!(ovpnc2:network)} keep state allow-opts label "let out anything from firewall host itself"

pass in log quick on hn1 route-to ( ovpnc2 PRIVATE IP ADDRESS OMITTED ) inet from {(hn1:network)} to {any} keep state label "USER_RULE" # 0618b11751c2e8b2eb0f3d4807c00856

pass in quick on ovpnc2 route-to ( ovpnc2 PRIVATE IP ADDRESS OMITTED ) inet from {(ovpnc2:network)} to {any} keep state label "USER_RULE" # ce37ac04bdf4e549df26c96894cc3b60
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on August 16, 2018, 08:15:06 am
Ok, we're working on this issue here. There is a patch for your issue that should work already:

https://github.com/opnsense/core/issues/2625


Cheers,
Franco
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on August 16, 2018, 01:44:00 pm
Ok, we're working on this issue here. There is a patch for your issue that should work already:

https://github.com/opnsense/core/issues/2625


Cheers,
Franco

I ran patch 71043f1

I still see "Configuring Firewall... failed" during the boot sequence. However, it passes right by, instead of hanging there for 5-10 minutes as it was doing before.

Also it may be unrelated but it also stays at "Configuring Dynamic DNS" for a few minutes, as well.

I still have 5 Notices in the GUI. Two of them are new after running the patch. (I acknowledged notices before redoing a reboot)

New:
There were error(s) loading the rules: /tmp/rules.debug:84: no translation address with matching address family found. - The line in question reads [84]: nat on ovpns3 inet proto {tcp udp} from (ovpns3:network) to {PRIVATE IP} port {53} -> ovpns3 port 1024:65535 #

The other notices are the same no IP address found for ovpns3, ovpns4, and ovpnc2:0
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on August 16, 2018, 02:31:59 pm
The hangs and error messages point to traffic being pushed over OpenVPN links that are not yet set up / active.

 The line in question reads [84]: nat on ovpns3 inet proto {tcp udp} from (ovpns3:network) to {PRIVATE IP} port {53} -> ovpns3 port 1024:65535 #

Points to "ovpns3" causing the error, again, because it's being configured without being up/configured itself. I've added more () magic here in subsequent commits but testing is difficult and we need to give it some time on -devel.


Cheers,
Franco
Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: DanMc85 on August 16, 2018, 03:01:00 pm


The hangs and error messages point to traffic being pushed over OpenVPN links that are not yet set up / active.

 The line in question reads [84]: nat on ovpns3 inet proto {tcp udp} from (ovpns3:network) to {PRIVATE IP} port {53} -> ovpns3 port 1024:65535 #

Points to "ovpns3" causing the error, again, because it's being configured without being up/configured itself. I've added more () magic here in subsequent commits but testing is difficult and we need to give it some time on -devel.


Cheers,
Franco

If I switch from Production to Development build. Are those changes part of the update download or would another patch be needed to test?

Sent from my SM-N950U using Tapatalk

Title: Re: [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
Post by: franco on August 16, 2018, 03:53:47 pm
Most went in after the latest devel version was built. You should stay on production for now.


Cheers,
Franco