kanetoad 1 Posted ...
Hi Everyone
Installed pfsense 2.5.0 community, no major dramas updating from 2.4.5. However, I'm getting the following error when starting up openvpn.
Feb 17 16:24:49 192.168.10.1 openvpn[53019]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client4/config.ovpn:41: key-method (2.5.0)
I'm trying to find out what this parameter may be and if it's specific to Airvpn, any ideas please?

Wolke68 5 Posted ...
With no config who should help you? Do you mean the Extra Option?

go558a83nk 362 Posted ...
Remove anything that isn't actually needed in the custom options, or anything that you didn't actually put there. I had the same problem and there were lines in custom options that were not something I put in.

go558a83nk 362 Posted ...
Also, now that pfsense has openvpn 2.5 you might try a switch to chacha20 as "data encryption algorithm" as it might be faster for you than what you were using. Even on my system that was fast with AES-256-GCM because of AES-NI, chacha20 is for some reason faster. I think it has more to do with networking and not CPU ease.

sun_day 0 Posted ...
I have the same issue. Not able to connect to the servers after upgrade to Pfsense 2.5
Feb 19 18:19:32 openvpn 69215 [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 19 18:19:32 openvpn 69215 SIGUSR1[soft,ping-restart] received, process restarting
Feb 19 18:19:32 openvpn 69215 Restart pause, 5 second(s)
Feb 19 18:19:36 openvpn 46383 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Feb 19 18:19:36 openvpn 46383 MANAGEMENT: CMD 'state 1'
Feb 19 18:19:36 openvpn 46383 MANAGEMENT: CMD 'status 2'
Feb 19 18:19:36 openvpn 46383 MANAGEMENT: Client disconnected
Feb 19 18:19:36 openvpn 69215 MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Feb 19 18:19:36 openvpn 69215 MANAGEMENT: CMD 'state 1'
Feb 19 18:19:36 openvpn 69215 MANAGEMENT: Client disconnected
Feb 19 18:19:37 openvpn 69215 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 19 18:19:37 openvpn 69215 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 18:19:37 openvpn 69215 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:37 openvpn 69215 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:37 openvpn 69215 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:37 openvpn 69215 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:37 openvpn 69215 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Feb 19 18:19:37 openvpn 69215 Socket Buffers: R=[42080->42080] S=[57344->57344]
Feb 19 18:19:37 openvpn 69215 UDPv4 link local (bound): [AF_INET]192.168.1.101:0
Feb 19 18:19:37 openvpn 69215 UDPv4 link remote: [AF_INET]x.x.x.x:443
Feb 19 18:19:38 openvpn 69215 event_wait : Interrupted system call (code=4)
Feb 19 18:19:38 openvpn 69215 SIGTERM[hard,] received, process exiting
Feb 19 18:19:38 openvpn 91313 OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 5 2021
Feb 19 18:19:38 openvpn 91313 library versions: OpenSSL 1.1.1i-freebsd 8 Dec 2020, LZO 2.10
Feb 19 18:19:38 openvpn 91424 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2/sock
Feb 19 18:19:38 openvpn 91424 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 19 18:19:38 openvpn 91424 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 18:19:38 openvpn 91424 Initializing OpenSSL support for engine 'rdrand'
Feb 19 18:19:38 openvpn 91424 WARNING: experimental option --capath /var/etc/openvpn/client2/ca
Feb 19 18:19:38 openvpn 91424 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:38 openvpn 91424 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:38 openvpn 91424 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:38 openvpn 91424 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:39 openvpn 91424 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Feb 19 18:19:39 openvpn 91424 Socket Buffers: R=[42080->42080] S=[57344->57344]
Feb 19 18:19:39 openvpn 91424 UDPv4 link local (bound): [AF_INET]192.168.1.101:0
Feb 19 18:19:39 openvpn 91424 UDPv4 link remote: [AF_INET]x.x.x.x:443
Feb 19 18:19:43 openvpn 46383 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Feb 19 18:19:43 openvpn 46383 MANAGEMENT: CMD 'state 1'
Feb 19 18:19:43 openvpn 46383 MANAGEMENT: CMD 'status 2'
Feb 19 18:19:43 openvpn 46383 MANAGEMENT: Client disconnected
Feb 19 18:19:43 openvpn 91424 MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Feb 19 18:19:43 openvpn 91424 MANAGEMENT: CMD 'state 1'
Feb 19 18:19:43 openvpn 91424 MANAGEMENT: Client disconnected

Staff 9972 Posted ...
22 hours ago, kanetoad said:
Hi Everyone
Installed pfsense 2.5.0 community, no major dramas updating from 2.4.5. However, I'm getting the following error when starting up openvpn.
Feb 17 16:24:49 192.168.10.1 openvpn[53019]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client4/config.ovpn:41: key-method (2.5.0)
I'm trying to find out what this parameter may be and if it's specific to Airvpn, any ideas please?

Hello!
The key-method directive is no longer supported in OpenVPN 2.5. Delete it. If you connect with TLS Crypt (entry-IP addresses 3 or 4) you don't need any replacement. If you connect with TLS Auth, enter the directive:
key-direction 1
Kind regards

sun_day 0 Posted ...
Can someone post some screenshot guides on how to configure the latest update on Pfsense 2.5 version, as to how to configure Airvpn? Please, I am unable to understand the above explanation.

kanetoad 1 Posted ... (edited)
21 hours ago, go558a83nk said:
Remove anything that isn't actually needed in the custom options, or anything that you didn't actually put there. I had the same problem and there were lines in custom options that were not something I put in.

Hello
You were right, I had the following custom options in the Advanced config:
client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;
Clearing these out, so my custom =
client;persist-key;persist-tun;remote-cert-tls server;prng sha256 64;mlock;auth-nocache;
Thank you!

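An added example, not part of any post in this thread and not AirVPN or pfSense code: a small Python check for a pfSense-style custom options string. It flags the directive OpenVPN 2.5 rejects (key-method, per the staff reply) and reports whether a server certificate verification directive is present, which is what the WARNING in the log posted earlier is about. The function names and the deprecated and verification directive sets are this example's own choices.

```python
# Added example (not from the thread): lint a pfSense-style OpenVPN
# "custom options" string before or after moving to OpenVPN 2.5.

REMOVED_IN_2_5 = {"key-method"}       # rejected by 2.5, per the staff reply
DEPRECATED = {"keysize", "comp-lzo"}  # marked DEPRECATED in the 2.5 manual
# Directives treated here as enabling server certificate verification
# (set chosen for this example). OpenVPN logs "No server certificate
# verification method has been enabled" when no method is configured.
VERIFY = {"remote-cert-tls", "verify-x509-name", "remote-cert-eku",
          "tls-verify"}


def parse_options(text):
    """Split on ';' and newlines into (directive, [args]) pairs."""
    pairs = []
    for chunk in text.replace("\n", ";").split(";"):
        parts = chunk.split()
        if not parts or parts[0].startswith("#"):
            continue  # empty entry or comment line
        pairs.append((parts[0].lstrip("-"), parts[1:]))
    return pairs


def lint(text):
    """Report removed/deprecated directives and cert-verification status."""
    names = [name for name, _ in parse_options(text)]
    return {
        "removed": [n for n in names if n in REMOVED_IN_2_5],
        "deprecated": [n for n in names if n in DEPRECATED],
        "verifies_server_cert": any(n in VERIFY for n in names),
    }


def without_removed(text):
    """Rebuild the string, dropping only directives that 2.5 rejects."""
    kept = [" ".join([name, *args]) for name, args in parse_options(text)
            if name not in REMOVED_IN_2_5]
    return ";".join(kept) + ";"


# Old custom options string quoted in the thread.
OLD = ("client;remote-cert-tls server;persist-key;persist-tun;keysize 256;"
       "key-method 2;key-direction 1;explicit-exit-notify 5;mlock;"
       "keepalive 5 30;prng sha512 64;")

if __name__ == "__main__":
    print(lint(OLD))
    print(without_removed(OLD))
```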
kanetoad 1 Posted ... (edited)
21 hours ago, go558a83nk said:
Also, now that pfsense has openvpn 2.5 you might try a switch to chacha20 as "data encryption algorithm" as it might be faster for you than what you were using. Even on my system that was fast with AES-256-GCM because of AES-NI, chacha20 is for some reason faster. I think it has more to do with networking and not CPU ease.

Yes, I'm testing this at the moment, perhaps the performance gains are hardware specific, depending on the pfsense socket, intel/amd?

kanetoad 1 Posted ... (edited)
20 hours ago, Staff said:
Hello!
The key-method directive is no longer supported in OpenVPN 2.5. Delete it. If you connect with TLS Crypt (entry-IP addresses 3 or 4) you don't need any replacement. If you connect with TLS Auth, enter the directive:
key-direction 1
Kind regards

Hello
This was already in my custom option, what's your view on removing these custom options from:
client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;
to...
client;persist-key;persist-tun;remote-cert-tls server;prng sha256 64;mlock;auth-nocache;
Thank you!

kanetoad 1 Posted ...
1 hour ago, kanetoad said:
Yes, I'm testing this at the moment, perhaps the performance gains are hardware specific, depending on the pfsense socket, intel/amd?

AMD64 - CPU usage is flapping around a bit more using the chacha20 cipher, but there are gains for sure!

kanetoad 1 Posted ...
7 hours ago, Sunilc said:
Can someone post some screenshot guides on how to configure the latest update on Pfsense 2.5 version, as to how to configure Airvpn? Please, I am unable to understand the above explanation.

This is pretty much my config, pfsense people in these parts will have used the excellent guide at some point for their setup.
#https://nguvu.org/pfsense/pfsense-baseline-setup/

sun_day 0 Posted ...
kanetoad: Thanks a lot. Your " custom option edit- client;persist-key;persist-tun;remote-cert-tls server;prng sha256 64;mlock;auth-nocache;" has worked.

lasta3 0 Posted ...
I had this issue with Open VPN 2.4.4, and replaced some lines of code in the .ovpn file...

REPLACE:
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
comp-lzo no
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
auth SHA512
<ca>

WITH:
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1
<ca>