Messages - DanMc85

#16
FYI issue is still occurring on 19.1.6
#17
Quote from: franco on April 05, 2019, 08:00:57 PM
Yes, nice catch. Fixed the original post.

Seeing the same with DynDNS:
[05-Apr-2019 19:05:22 America/New_York] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc on line 754
#18
Exactly, it was trying to use the firewall IP (firewall hostname shown) as the source network in the tcpdump, instead of the VPN client IP as the source.

I did. As I mentioned, there are no OpenVPN interface NAT rules. Those are gone and were added during testing. It doesn't work.

Look at the last screenshot on the GitHub link.


#19
Quote from: mimugmail on April 04, 2019, 07:08:33 AM
Do you have only one client config or more?
Do you also have a server config?
When assigning interface don't use "OpenVPN" interface in NAT rules.
Why do you have "don't pull routes" ticked? Do you use policy based routing via gateway in firewall rules?

- 1 OpenVPN Client Config
- 3 OpenVPN Server Configs
- Yes, all traffic is not going over VPN Client. Only traffic from VLAN 100 is going over the VPN Client - Private Internet Access Gateway.
#20
Quote from: mimugmail on April 03, 2019, 06:34:34 AM
- Screenshot of NAT rules
- tcpdump on ovpnc interface while pinging your monitor IP
- Routing table showing your open vpn routes
- I'd tick "Lock" in interface assignments

Information you requested:
https://github.com/opnsense/core/issues/3381#issuecomment-479684767
#21
Quote from: TaceN on February 11, 2019, 08:35:10 PM
Hey all,

I'm about to lose it soon throwing my firewall out the building.
I've done everything the guide says. The VPN connection works fine but I cannot get any internet out or through the VPN.

Can someone please have a look at the screenshots and tell me if something is wrong?

Version: 19.1

Thanks

I opened up a bug report for this... I am having similar issues as you since going from 18.7.10 to 19.1.x

https://github.com/opnsense/core/issues/3381
#23

Attached is a screenshot of the gateway offline/down on 19.1.4. Same VPN connection, direct upgrade with no configuration changes.
#24
Has anyone else noticed issues with utilizing an OpenVPN client in a multi-gateway setup (not redirecting all traffic) on any 19.1.x build of OPNsense? I have tried both a clean reinstall/rebuild and the usual upgrade with existing configuration, with the same result. There is a bug somewhere.

So here is my basic setup...
I have a VLAN 100 on my LAN... any device in this subnet goes out a Private Internet Access VPN Client GATEWAY that is running on OPNsense as a client. Others do this with a simple Alias for specific devices; regardless, the principal setup is the same.

So from what I can tell on any build of 19.1.x (tried them all) and currently 19.1.4 this setup stops working.
Here is what I can see so far:

- OpenVPN client connects perfectly
- OpenVPN client obtains DHCP IP Address from VPN Server (Private Internet Access) and assigns an IP address to the OPNsense Firewall.
- There is an active interface on the firewall (OVPNC1) which then activates a DYNAMIC IPv4 Gateway for this connection... Monitor IP is set to Private Internet Access DNS Server: 209.222.18.218
- There are firewall rules for OpenVPN to allow Any Any
- There are firewall rules for the VLAN 100 interface to allow any traffic out Private Internet Access VPN Gateway.
- There are manual Outbound NAT Rules created

Somehow something is broken somewhere. If I go to ping interface diagnostics, choose the VLAN 100 or Private Internet Access interfaces, and ping any address, it fails.

On the home screen dashboard, dpinger shows the gateway as down/offline.  VPN connection is up perfectly.
- Makes no sense.

I feel this is an outbound NAT issue, but I am not sure where to dig deeper for troubleshooting other than modifying NAT rules, firewall rules, etc... which I have already played around with.

I attached some screenshots of it working perfectly on 18.7.10_4




Reference Topics:

https://forum.opnsense.org/index.php?topic=4979.msg52493#msg52493

https://forum.opnsense.org/index.php?topic=11843.msg53785#msg53785

https://blog.networkprofile.org/pia-vpn-on-pfsense-2-4-4/
#25
19.1 Legacy Series / Re: Latest download
March 29, 2019, 05:21:40 PM
Quote from: franco on March 29, 2019, 01:05:15 PM
https://forum.opnsense.org/index.php?topic=12249.0

Not sure what you mean by "the outbound NAT or any OpenVPN issues". I don't know of any outstanding issues that impact operational behaviour where patches exist but which are not in 19.1.4.


Cheers,
Franco

Thanks... this was one example that came to mind:
https://forum.opnsense.org/index.php?topic=12002.0
#26
19.1 Legacy Series / Re: Latest download
March 29, 2019, 01:02:52 PM

Sounds good. Thanks. On a side note: If I was to install 19.1.4 later today, do you happen to know, off the top of your head (or where I can find), the necessary patch commits for all the fixes necessary for the outbound NAT or any OpenVPN issues? If I decide not to wait for 19.1.5?  I am still on 18.7.
#27
19.1 Legacy Series / Re: Latest download
March 29, 2019, 02:01:14 AM
Quote from: franco on March 28, 2019, 10:34:15 PM
Downloads for OPNsense are *always* available from here: https://pkg.opnsense.org/releases/

19.1.4 is not in there yet because of sickness-related delays on my end. Apologies. Things are looking up. ;)


Cheers,
Franco

Hope all is well now... is 19.1.5 still slated for this week?
#28
I noticed this same issue on my Hyper-V setup. I have since swapped back to 18.7.
One other thing oddly stood out after upgrading to any 19.1.x version, which may be directly related to this exact issue you mentioned: I noticed the default deny rule going crazy on the firewall. I saw way more red traffic on my firewall logs live view than on 18.7 without changing a single thing other than upgrading. Something is blocking traffic that shouldn't be. A lot of it was regular LAN to WAN outbound when there is specifically an allow LAN to any default rule on the LAN network in the firewall rules. I was confused and didn't want to waste time troubleshooting, so I just swapped back the VHDX backup I made of the virtual hard disk before I did the 19.1.x upgrade. Note: this is my second time trying... saw same issue on 19.1.0 and on 19.1.3. Haven't tried .4 yet.

On a side note: I also noticed an issue with my Private Internet Access VPN client being assigned to a secondary LAN network (own IP scope different from primary LAN, a DMZ if you will). The default gateway was not working for that VPN connection. It would show VPN up, but dpinger would show the gateway as down 100% on the dashboard, and no clients in that subnet had any internet access. So I am sure something is going on with the firewall somewhere someway. 
#29
Quote from: marjohn56 on March 07, 2019, 11:30:45 AM
It's the modem that's an odd, not Opnsense. :)


Script attached, you'll need to create your Cron event to call it.

Curious, how often do you have your script run?

Did you also make a .conf file to be able to use it via GUI / Cron in:
/usr/local/opnsense/service/conf/actions.d/ 

Thanks!
#30
I have to agree... I am seeing some weird OpenVPN issues since upgrading. Some clients not staying connected.

I have 3 OpenVPN servers and 1 OpenVPN client (this client is Private Internet Access) which is being used as its own VLAN on the firewall for any devices on that VLAN network.

I keep seeing the red connection down icons in the main Portal Dashboard.

None of these issues were present before upgrading on 18.7.10_3

It is like all the OpenVPN connections keep restarting for whatever reason.

I am seeing errors like this in the OpenVPN logs:

Jan 31 16:15:07   openvpn[86050]: Restart pause, 5 second(s)
Jan 31 16:15:07   openvpn[86050]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jan 31 16:15:07   openvpn[86050]: TCP: connect to [AF_INET] "IP:PORT"  failed: Address already in use

Jan 31 16:15:01   openvpn[47396]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 16:15:01   openvpn[47396]: Inactivity timeout (--ping-restart), restarting
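
Added example (not part of the original post, and not OPNsense code): a small Python triage script that groups OpenVPN restart events like the ones quoted above by process ID, counts the SIGUSR1 reasons, collects connect errors, and flags a restart loop. The sample log is constructed from the excerpt's format with a documentation placeholder address; the function name, the `year` default and the 3-restarts-in-60-seconds threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt above (newest first, as the
# OPNsense log view lists it). 192.0.2.10:443 is a placeholder, not real data.
SAMPLE = """\
Jan 31 16:15:07   openvpn[86050]: Restart pause, 5 second(s)
Jan 31 16:15:07   openvpn[86050]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jan 31 16:15:07   openvpn[86050]: TCP: connect to [AF_INET]192.0.2.10:443 failed: Address already in use
Jan 31 16:15:02   openvpn[86050]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jan 31 16:14:57   openvpn[86050]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jan 31 16:15:01   openvpn[47396]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 16:15:01   openvpn[47396]: Inactivity timeout (--ping-restart), restarting
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+openvpn\[(\d+)\]: (.*)$")
RESTART = re.compile(r"^SIGUSR1\[(.+)\] received, process restarting$")
CONNECT_ERR = re.compile(r"failed: (.+)$")

def summarize(text, year=2019, window=timedelta(seconds=60), threshold=3):
    """Per openvpn PID: restart count, SIGUSR1 reasons, connect errors, loop flag."""
    times, reasons, errors = defaultdict(list), defaultdict(Counter), defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an openvpn syslog line
        stamp, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        restart = RESTART.match(msg)
        if restart:
            # Syslog stamps carry no year, so the caller supplies one (assumption).
            times[pid].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
            reasons[pid][restart.group(1)] += 1
        elif (err := CONNECT_ERR.search(msg)):
            errors[pid].add(err.group(1))
    report = {}
    for pid in set(times) | set(errors):
        ts = sorted(times[pid])  # input order may be newest-first
        # Loop = `threshold` restarts of the same process inside `window`.
        looping = any(ts[i + threshold - 1] - ts[i] <= window
                      for i in range(len(ts) - threshold + 1))
        report[pid] = {"restarts": len(ts), "reasons": dict(reasons[pid]),
                       "errors": sorted(errors[pid]), "looping": looping}
    return report

if __name__ == "__main__":
    for pid, info in sorted(summarize(SAMPLE).items()):
        print(pid, info)
```

Separating the two PIDs shows that the excerpt mixes two different conditions: a keepalive timeout (`ping-restart`) on one process and a failed outbound connect on the other.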