Messages - gearboxes

#1
Hi Franco,

I can't really say if killing the process would correct the issue because I deleted the OpenVPN server to reconfigure, as stopping / starting or rebooting did not correct the issue. After reconfiguration I was getting the error in the subject. I deleted the config again so no servers were present in the console and was still able to connect with a local account.
When I looked at processes it would show openvpn --server1 (if I remember correctly) even though the OpenVPN server was deleted. Looking at the processes in run I noticed the pid. After deleting the pid and killing the process, I could configure a new OpenVPN server to use tun1 again.

This is not an occasional occurrence; as soon as a few users attempt to connect this happens. As mentioned before, we thought this was an issue with the VM we had deployed, but the same is happening on a dedicated device.
It appears the issues start after this error: WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255, but I can't say for sure.

#2
I have posted a few times about issues we are seeing with OpenVPN when using RADIUS authentication, and it seems there is a major issue.

Again we are unable to restart OpenVPN; I can delete it, recreate it, reboot the device, nothing helps. This is the same issue we had when running it as a VM, thinking it was isolated to that. Well, now a device we purchased that shipped with OPNsense is doing the same thing.

In this state it still accepts connections that can authenticate locally, but looking at the connection status I see this: "[error]   Unable to contact daemon   Service not running?"  You can't tell who is still connected. Disabling OpenVPN still allows connections.

I think this is a pretty major concern that a few users unable to connect for whatever reason can get the service into this state, especially since it shows the service is down and it still allows connections even after a reboot.

2021-06-03T18:47:22   openvpn[11088]   Exiting due to fatal error   
2021-06-03T18:47:22   openvpn[11088]   Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)   
2021-06-03T18:47:22   openvpn[11088]   TUN/TAP device ovpns1 exists previously, keep at program end

Looks like there is a process/pid left behind once the server is deleted; killing the process with the config for server1 in my case allowed the newly configured OpenVPN server to start.
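A detection pass over the log messages quoted in posts #1 and #2, as an added example that is not from the original posts or from OPNsense: it classifies each line by which failure it indicates and flags the same-pid "busy device, then fatal exit" sequence that precedes the stuck state described above. The timestamp and pid on the auth-script warning line are constructed; the other three lines are as posted.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the three fatal lines quoted in post #2 plus the
# auth-script warning quoted in post #1 (its timestamp/pid are assumed).
SAMPLE_LOG = """\
2021-06-03T18:47:20   openvpn[11088]   WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
2021-06-03T18:47:22   openvpn[11088]   TUN/TAP device ovpns1 exists previously, keep at program end
2021-06-03T18:47:22   openvpn[11088]   Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
2021-06-03T18:47:22   openvpn[11088]   Exiting due to fatal error
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+openvpn\[(?P<pid>\d+)\]\s+(?P<msg>.*)$")

# Signatures taken from the messages quoted in the thread, mapped to what an
# operator should look at. First match wins.
SIGNATURES = [
    (re.compile(r"Cannot open TUN/TAP dev (?P<dev>/dev/\S+): Device busy"),
     "stale_instance", "another OpenVPN process still holds {dev}; look for a leftover pid/process"),
    (re.compile(r"\(--auth-user-pass-verify\): external program exited with error status: (?P<status>\d+)"),
     "auth_backend_failure", "auth helper exited {status}; check RADIUS reachability/response"),
    (re.compile(r"Exiting due to fatal error"),
     "fatal_exit", "instance died; a new start will fail while the old one owns the device"),
]

@dataclass
class Finding:
    ts: str
    pid: int
    kind: str
    detail: str

def scan_log(text: str) -> list[Finding]:
    """Parse syslog-style OpenVPN lines and return one Finding per matched signature."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an openvpn line in the expected shape
        for pat, kind, template in SIGNATURES:
            hit = pat.search(m["msg"])
            if hit:
                findings.append(Finding(m["ts"], int(m["pid"]), kind, template.format(**hit.groupdict())))
                break
    return findings

def stale_instance_suspected(findings: list[Finding]) -> bool:
    """True when one pid reported a busy tun device and then exited fatally:
    the pattern where a deleted server's old process is still holding the device."""
    kinds_by_pid: dict[int, set[str]] = {}
    for f in findings:
        kinds_by_pid.setdefault(f.pid, set()).add(f.kind)
    return any({"stale_instance", "fatal_exit"} <= kinds for kinds in kinds_by_pid.values())
```

Feeding the live OpenVPN log through scan_log and alerting on stale_instance_suspected gives a signal before the service reaches the state where the GUI reports it as down while connections are still accepted.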
#3
Virtual private networks / Re: OpenVPN issues
May 27, 2021, 12:59:34 AM
I was using a VM, but have since purchased a device that shipped with OPNsense and connected it directly to the internet. I also did not restore the config and manually configured the device, but I have the same result.
I can be connected for days, but as soon as another user tries to connect, it disconnects and tries to reconnect (not always, however; I would say 60% of the time).

I can connect from multiple devices and it seems to work fine, but as soon as a different user tries to connect is when the issue occurs. Many times it takes 5+ attempts to reconnect after that happens.

RADIUS authentication is being used that also requires an MFA prompt, so connections cannot reestablish automatically.

This is the client config: (not sure if you wanted the server config, I don't know how to export that from command line)

client
dev tun
reneg-sec 0
proto udp
remote <*.*.*.*> 1194
nobind
persist-key
persist-tun
ca MyCA.crt
cert User.crt
key User.key
remote-cert-tls server
cipher AES-256-GCM
auth SHA224
auth-user-pass
auth-nocache
verb 3
reneg-sec 0
#4
Virtual private networks / Re: OpenVPN issues
May 23, 2021, 04:40:35 PM
It is being used for a small company.
I did use the same cert for all the users and allow duplicate connections, but even changing one user to their own cert still has the same issues. I am sending all the logs to a syslog server and there is no indication of any issues other than the VPN server saying the client connection timed out and it then kicks the user off. After that happens it can take a number of tries to actually get connected where traffic is passed. It is using RADIUS authentication with 2FA.
I will have to look at a commercial offering to test.
#5
Virtual private networks / OpenVPN issues
May 21, 2021, 06:01:56 PM
I am having a tough time with OpenVPN.

I posted about issues before with no response so I assume I am the only one with these issues.

When I posted before I was using a VM for OPNsense behind a NAT using a single interface. Since then I purchased a device from Protectli and now have an interface directly on the internet and still experience strange behavior.

As soon as users connect, other connected users will get disconnected and then they are not able to reconnect, or they will get connected but then not pass any traffic and then be disconnected after 1 min, and then it's a struggle to get reconnected with multiple attempts.
I had one machine connected for 5 days and also continued to connect / disconnect with my laptop periodically without any issues.
I asked one user to switch to this VPN again and boom, I got disconnected and then was unable to get reconnected; well, I get connected but then no traffic is passed and after a min it disconnected me and then I have to try again and again as mentioned.

It really does not seem right that another user trying to connect can disconnect other connected users.

What could be causing this behavior?
#6
OPNsense 21.1.5

I have been struggling with strange OpenVPN behavior

1. The service will stop responding, but I can still see the port is available doing an nmap scan.
Client will get TLS handshake failure and I don't see anything being logged server side.
Restarting the service or rebooting does not help.
The only way to get it to respond again is to delete the OpenVPN service entirely and then recreate it, but I have to use a different tunnel address range. Using the same tunnel address again will cause the same result where it does not respond to client requests.

2. After a 1/2 day - 1 day connections will be dropped all at the same time and the server logs indicate this is due to client inactivity. This will start to become more frequent until I am back to what's described above.

3. If I recreate the service and forget to set one setting, for example forget to set renegotiate to zero, going in afterwards and changing it does not seem to take effect; after restarting or rebooting it still disconnects the clients after 3600 seconds, which prompts an MFA request to authenticate.

I have used OPNsense in the past successfully as an OpenVPN server, but never as a primary OpenVPN server for a user community, but only 12 users use this server.

Few things I do want to note:

1. I am using the same cert for all the users and allowing duplicate connections. Since a password and MFA approval is required, I don't see the need for cert management as this is a break-fix customer.

2. NAT to external.
I would like to add that even trying to connect to the internal interface inside the network, I still see the same TLS handshake failures until I delete the openvpn service and recreate it.

3. It's a virtual appliance

Any ideas here would be appreciated.