[Solved] OpenVPN stopped working after latest upgrade

Started by cyrus104, September 17, 2020, 06:24:28 PM

September 17, 2020, 06:24:28 PM Last Edit: September 21, 2020, 06:01:56 PM by cyrus104
I just upgraded from 20.7.1 to 20.7.2, and after a reboot my OpenVPN stopped working. I've included some of the logs that I can find. Willing to grab other logs as needed to help troubleshoot the issue. It looks like the connection is partially successful but then fails with error codes and shows as down in the gateways. I am using ExpressVPN and have changed the endpoint and validated what configurations are needed in the client config.

I see a section that shows cannot assign address and I've confirmed that nothing in my network is in that range either.

Client Instance Status:
ExpressVPN UDP4    Unable to contact daemon    Service not running?

2020-09-17T23:23:50 openvpn[28094] Exiting due to fatal error
2020-09-17T23:23:50 openvpn[28094] TCP/UDP: Socket bind failed on local address [AF_INET]10.151.0.98:0: Can't assign requested address (errno=49)
2020-09-17T23:23:50 openvpn[28094] Socket Buffers: R=[42080->524288] S=[57344->524288]
2020-09-17T23:23:50 openvpn[28094] TCP/UDP: Preserving recently used remote address: [AF_INET]70.39.102.162:1195
2020-09-17T23:23:50 openvpn[28094] Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-17T23:23:50 openvpn[28094] Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-17T23:23:50 openvpn[28094] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-09-17T23:23:50 openvpn[28094] MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2020-09-17T23:23:50 openvpn[74407] library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2020-09-17T23:23:50 openvpn[74407] OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 28 2020
2020-09-17T23:23:50 openvpn[74407] WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
2020-09-17T23:23:50 openvpn[96840] SIGTERM[hard,] received, process exiting
2020-09-17T23:23:50 openvpn[96840] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpnc1 1500 1557 10.151.0.98 10.151.0.97 init
2020-09-17T23:23:50 openvpn[96840] Closing TUN/TAP interface
2020-09-17T23:21:49 openvpn[96840] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1557 10.151.0.98 10.151.0.97 init
2020-09-17T23:21:49 openvpn[96840] /sbin/ifconfig ovpnc1 10.151.0.98 10.151.0.97 mtu 1500 netmask 255.255.255.255 up
2020-09-17T23:21:49 openvpn[96840] TUN/TAP device /dev/tun1 opened
2020-09-17T23:21:49 openvpn[96840] TUN/TAP device ovpnc1 exists previously, keep at program end
2020-09-17T23:21:49 openvpn[96840] ROUTE_GATEWAY 101.108.0.1/255.255.255.255 IFACE=pppoe0 HWADDR=00:00:00:00:00:00
2020-09-17T23:21:49 openvpn[96840] Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-17T23:21:49 openvpn[96840] Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: data channel crypto options modified
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: adjusting link_mtu to 1629
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: peer-id set
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: route options modified
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: --ifconfig/up options modified
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: compression parms modified
2020-09-17T23:21:49 openvpn[96840] OPTIONS IMPORT: timers and/or timeouts modified
2020-09-17T23:21:49 openvpn[96840] PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.151.0.1,comp-lzo no,route 10.151.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.151.0.98 10.151.0.97,peer-id 25,cipher AES-256-GCM'
2020-09-17T23:21:49 openvpn[96840] SENT CONTROL [Server-6883-0a]: 'PUSH_REQUEST' (status=1)
2020-09-17T23:21:48 openvpn[96840] [Server-6883-0a] Peer Connection Initiated with [AF_INET]70.39.102.170:1195
2020-09-17T23:21:48 openvpn[96840] Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-09-17T23:21:48 openvpn[96840] WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
2020-09-17T23:21:48 openvpn[96840] WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
2020-09-17T23:21:48 openvpn[96840] WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1606'
2020-09-17T23:21:48 openvpn[96840] VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-6883-0a, emailAddress=support@expressvpn.com
2020-09-17T23:21:48 openvpn[96840] VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-6883-0a, emailAddress=support@expressvpn.com
2020-09-17T23:21:48 openvpn[96840] VERIFY EKU OK
2020-09-17T23:21:48 openvpn[96840] ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-09-17T23:21:48 openvpn[96840] Validating certificate extended key usage
2020-09-17T23:21:48 openvpn[96840] VERIFY KU OK
2020-09-17T23:21:48 openvpn[96840] VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
2020-09-17T23:21:48 openvpn[96840] WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-09-17T23:21:48 openvpn[96840] TLS: Initial packet from [AF_INET]70.39.102.170:1195, sid=f859e7f5 bcbb7064
2020-09-17T23:21:48 openvpn[96840] MANAGEMENT: Client disconnected
2020-09-17T23:21:48 openvpn[96840] MANAGEMENT: CMD 'state all'
2020-09-17T23:21:48 openvpn[96840] MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
2020-09-17T23:21:47 openvpn[96840] UDPv4 link remote: [AF_INET]70.39.102.170:1195
2020-09-17T23:21:47 openvpn[96840] UDPv4 link local: (not bound)
2020-09-17T23:21:47 openvpn[96840] Socket Buffers: R=[42080->524288] S=[57344->524288]
2020-09-17T23:21:47 openvpn[96840] TCP/UDP: Preserving recently used remote address: [AF_INET]70.39.102.170:1195
2020-09-17T23:21:47 openvpn[96840] Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-17T23:21:47 openvpn[96840] Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-17T23:21:47 openvpn[96840] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-09-17T23:21:47 openvpn[96840] MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2020-09-17T23:21:47 openvpn[82953] library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2020-09-17T23:21:47 openvpn[82953] OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 28 2020
2020-09-17T23:21:47 openvpn[82953] WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible

September 18, 2020, 05:35:57 PM #1 Last Edit: September 18, 2020, 05:44:13 PM by cyrus104
Even though I didn't change anything in the configuration besides updating from 10.7.1 to 10.7.2, there must have been a configuration change or corruption during the upgrade.

I found the previous cipher issue below but could not make the required change because I get an error when I click apply. I cannot make any changes to the OpenVPN configuration because of the error "An IPv4 protocol was selected, but the selected interface has no IPv4 address", which is how Nord and ExpressVPN require their OpenVPN configs to be set up.

I exported the configuration and made changes to the cipher type and restored the configuration. This fixed the cipher issues but the connection still does not work.

I would like to stress that this was working for weeks with a reboot or two and only broke when I upgraded from 10.7.1 to 10.7.2. This could be a fluke, but I need to get OpenVPN working.

2020-09-18T22:28:07 openvpn[76917] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1557 10.171.0.34 10.171.0.33 init
2020-09-18T22:28:07 openvpn[76917] /sbin/ifconfig ovpnc1 10.171.0.34 10.171.0.33 mtu 1500 netmask 255.255.255.255 up
2020-09-18T22:28:07 openvpn[76917] TUN/TAP device /dev/tun1 opened
2020-09-18T22:28:07 openvpn[76917] TUN/TAP device ovpnc1 exists previously, keep at program end
2020-09-18T22:28:07 openvpn[76917] ROUTE_GATEWAY 101.108.0.1/255.255.255.255 IFACE=pppoe0 HWADDR=00:00:00:00:00:00
2020-09-18T22:28:07 openvpn[76917] Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-18T22:28:07 openvpn[76917] Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-09-18T22:28:07 openvpn[76917] Data Channel: using negotiated cipher 'AES-256-GCM'
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: data channel crypto options modified
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: adjusting link_mtu to 1629
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: peer-id set
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: route options modified
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: --ifconfig/up options modified
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: compression parms modified
2020-09-18T22:28:07 openvpn[76917] OPTIONS IMPORT: timers and/or timeouts modified
2020-09-18T22:28:07 openvpn[76917] PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.171.0.1,comp-lzo no,route 10.171.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.171.0.34 10.171.0.33,peer-id 7,cipher AES-256-GCM'
2020-09-18T22:28:07 openvpn[76917] SENT CONTROL [Server-6885-0a]: 'PUSH_REQUEST' (status=1)
2020-09-18T22:28:06 openvpn[76917] [Server-6885-0a] Peer Connection Initiated with [AF_INET]174.128.240.186:1195
2020-09-18T22:28:06 openvpn[76917] Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-09-18T22:28:05 openvpn[76917] VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-6885-0a, emailAddress=support@expressvpn.com
2020-09-18T22:28:05 openvpn[76917] VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-6885-0a, emailAddress=support@expressvpn.com
2020-09-18T22:28:05 openvpn[76917] VERIFY EKU OK
2020-09-18T22:28:05 openvpn[76917] ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-09-18T22:28:05 openvpn[76917] Validating certificate extended key usage
2020-09-18T22:28:05 openvpn[76917] VERIFY KU OK
2020-09-18T22:28:05 openvpn[76917] VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
2020-09-18T22:28:05 openvpn[76917] WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-09-18T22:28:05 openvpn[76917] TLS: Initial packet from [AF_INET]174.128.240.186:1195, sid=7d9bc67d 848b5e8a
2020-09-18T22:28:05 openvpn[76917] MANAGEMENT: Client disconnected
2020-09-18T22:28:05 openvpn[76917] MANAGEMENT: CMD 'state all'
2020-09-18T22:28:05 openvpn[76917] MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
2020-09-18T22:28:05 openvpn[76917] UDPv4 link remote: [AF_INET]174.128.240.186:1195
2020-09-18T22:28:05 openvpn[76917] UDPv4 link local: (not bound)
2020-09-18T22:28:05 openvpn[76917] Socket Buffers: R=[42080->524288] S=[57344->524288]
2020-09-18T22:28:05 openvpn[76917] TCP/UDP: Preserving recently used remote address: [AF_INET]174.128.240.186:1195
2020-09-18T22:28:04 openvpn[76917] Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-18T22:28:04 openvpn[76917] Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-18T22:28:04 openvpn[76917] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-09-18T22:28:04 openvpn[76917] MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2020-09-18T22:28:04 openvpn[45976] library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2020-09-18T22:28:04 openvpn[45976] OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 28 2020
2020-09-18T22:28:04 openvpn[45976] WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible

Quote
2020-09-17T23:23:50 openvpn[28094] Exiting due to fatal error
2020-09-17T23:23:50 openvpn[28094] TCP/UDP: Socket bind failed on local address [AF_INET]10.151.0.98:0: Can't assign requested address (errno=49)
2020-09-17T23:23:50 openvpn[28094] Socket Buffers: R=[42080->524288] S=[57344->524288]
2020-09-17T23:23:50 openvpn[28094] TCP/UDP: Preserving recently used remote address: [AF_INET]70.39.102.162:1195
2020-09-17T23:23:50 openvpn[28094] Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-17T23:23:50 openvpn[28094] Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2020-09-17T23:23:50 openvpn[28094] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-09-17T23:23:50 openvpn[28094] MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2020-09-17T23:23:50 openvpn[74407] library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2020-09-17T23:23:50 openvpn[74407] OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 28 2020
2020-09-17T23:23:50 openvpn[74407] WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
2020-09-17T23:23:50 openvpn[96840] SIGTERM[hard,] received, process exiting
2020-09-17T23:23:50 openvpn[96840] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpnc1 1500 1557 10.151.0.98 10.151.0.97 init
I do not understand why OpenVPN is trying to bind to an IP that is no longer present.
Maybe some wrong reaction to SIGTERM[hard,]?
Can you change verb to 4, reproduce the errors and share the logs?


And the client config also, please)
And what if you set the WAN interface in the client config instead of "any"?

I have attached the client config options that are used. I haven't changed these since the upgrade and all of these used to work. The server config is hosted by ExpressVPN and I only have the ovpn file that they provide with the settings provided for pfSense, which also work fairly well for OPNsense.

I currently have verb set to 7 and can't change it back to 4 because I get the error in the first picture when I try to save anything.

I've also tried to reboot the router to see if something is stuck.

Thanks



Sure, if it's what I'm thinking, you tell OpenVPN to establish the VPN via the VPN, which can't work for obvious reasons.

And also look at the "Advanced" options.
Some of them are redundant (persist-), some of them are in the GUI (verb 3), some are for Windows (route-method exe).

Ok, so the changing of the Interface worked. I also used the very handy configuration diff feature (just found it) and looked back for changes in the openvpn config and it was over a month ago that the Interface was changed from WAN to ExpressVPN. It must have been a typo but I'm not sure why it didn't mess up until now. previously it hadn't been rebooted in over 45 days.

I have also removed some of the Windows and redundant options. I'm going to have to do some googling to see which ones are redundant.

I'm a little shocked those are in there because this was the config from Express for pfSense. They do have a disclaimer that it was community developed and Express doesn't provide support for routers like pfSense and OPNsense at this time.

Thank you both for the help!
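The failure mode found above (the client's "Interface" pointing at the VPN itself, so OpenVPN tries to bind its UDP socket to its own tunnel address, which only exists while the tunnel is up) can be spotted from the verb 3 log alone. The following is an added example, not code from OPNsense or from this thread; the log lines are constructed in the format shown in the thread.

```python
import re

# Constructed sample modelled on the log lines in the thread (newest line first,
# as the OPNsense GUI shows them). Not a capture from the original poster's box.
SAMPLE_LOG = """\
2020-09-17T23:23:50 openvpn[28094] Exiting due to fatal error
2020-09-17T23:23:50 openvpn[28094] TCP/UDP: Socket bind failed on local address [AF_INET]10.151.0.98:0: Can't assign requested address (errno=49)
2020-09-17T23:23:50 openvpn[96840] SIGTERM[hard,] received, process exiting
2020-09-17T23:23:50 openvpn[96840] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpnc1 1500 1557 10.151.0.98 10.151.0.97 init
2020-09-17T23:21:49 openvpn[96840] /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpnc1 1500 1557 10.151.0.98 10.151.0.97 init
2020-09-17T23:21:47 openvpn[96840] UDPv4 link local: (not bound)
"""

# IPv4 only: the thread's instance is udp4, and the IPv6 form of this message
# would need a different address parser.
BIND_FAIL = re.compile(r"Socket bind failed on local address \[AF_INET\](\d+\.\d+\.\d+\.\d+):\d+")
# The OPNsense link-up/down hook is called as: <script> <ifname> <tun_mtu> <link_mtu> <local_ip> <remote_ip> init
LINK_SCRIPT = re.compile(r"ovpn-link(?:up|down) (\S+) \d+ \d+ (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) init")


def diagnose(log_text):
    """Return which address the bind failed on, which local tunnel addresses the
    log shows, and whether the failed bind address is one of those tunnel addresses."""
    bind_addr = None
    tunnel_addrs = {}  # local tunnel address -> tun interface name
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if m:
            bind_addr = m.group(1)
        m = LINK_SCRIPT.search(line)
        if m:
            tunnel_addrs[m.group(2)] = m.group(1)
    self_bind = bind_addr is not None and bind_addr in tunnel_addrs
    return {"bind_addr": bind_addr, "tunnel_addrs": tunnel_addrs, "self_bind": self_bind}


def explain(result):
    """Turn the diagnosis into the one-line hint a troubleshooter wants to read."""
    if result["self_bind"]:
        ifname = result["tunnel_addrs"][result["bind_addr"]]
        return (f"client binds to {result['bind_addr']}, the local address of its own tunnel "
                f"{ifname}: the client's Interface setting points at the VPN instead of WAN")
    if result["bind_addr"]:
        return f"bind to {result['bind_addr']} failed; check which interface currently owns it"
    return "no bind failure found"


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```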


Quote: do some googling to see
Not necessary.
Just look at '/var/etc/openvpn/client1.conf' for the actual client config.
persist-* options are already there by default.
"Advanced options" are inserted at the end.



Thanks, I was also able to cat /var/etc/openvpn/client1.conf | sort to get an idea of duplicates.

Was able to remove 3-4 options, too bad none of those will really speed it up. Express recommends that comp-lzo be turned off; I think it was on in the advanced settings but it was just listed as "comp-lzo" and not "comp-lzo no". Anyways the tunnel is still coming up and it more closely matches the .ovpn from Express.
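Sorting the rendered config only shows exact duplicates; "comp-lzo" next to "comp-lzo no", or "verb 3" next to "verb 7", are the cases that actually matter because the later line wins. The following added example (not OPNsense code; the config text is constructed to mirror the thread's description of GUI-generated lines followed by appended "Advanced" options) separates harmless repeats from conflicting values and flags the Windows-only directives mentioned in the thread.

```python
# Constructed sample of a rendered /var/etc/openvpn/client1.conf: GUI-generated
# lines first, then the "Advanced" options appended at the end.
SAMPLE_CONF = """\
dev ovpnc1
verb 3
persist-tun
persist-key
client
proto udp4
cipher AES-256-GCM
auth SHA512
comp-lzo no
# --- advanced options appended below ---
persist-key
persist-tun
comp-lzo
route-method exe
verb 7
"""

# Directives that only have meaning on Windows clients (both appear in the thread).
WINDOWS_ONLY = {"route-method", "ip-win32"}


def parse_directives(conf_text):
    """Yield (directive, value) pairs; skip comments and inline <ca>...</ca>-style blocks."""
    in_inline = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_inline = False
            continue
        if line.startswith("<"):
            in_inline = True
            continue
        if in_inline or not line or line[0] in "#;":
            continue
        name, _, value = line.partition(" ")
        yield name, value.strip()


def audit(conf_text):
    """Group values per directive and classify repeats as redundant, conflicting or Windows-only."""
    seen = {}
    for name, value in parse_directives(conf_text):
        seen.setdefault(name, []).append(value)
    redundant = {n: v for n, v in seen.items() if len(v) > 1 and len(set(v)) == 1}
    conflicting = {n: v for n, v in seen.items() if len(set(v)) > 1}
    windows_only = {n: v for n, v in seen.items() if n in WINDOWS_ONLY}
    return {"redundant": redundant, "conflicting": conflicting, "windows_only": windows_only}


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_CONF).items():
        print(kind, entries)
```

Run it against the real file with `python3 audit.py < /dev/null` after replacing SAMPLE_CONF by `open("/var/etc/openvpn/client1.conf").read()`; a conflicting entry means the advanced option overrides what the GUI set.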