Jump to content
Not connected, Your IP: 3.227.252.87
kanetoad

Pfsense Update 2.5.0 - Unrecognized option or missing or extra parameter(s

Recommended Posts

Hi Everyone

Installed pfsense 2.5.0 community, no major dramas updating from 2.4.5..

However i'm getting the following error when starting up openvpn.

Feb 17 16:24:49 192.168.10.1 openvpn[53019]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client4/config.ovpn:41: key-method (2.5.0)

I'm trying to find out what this parameter may be and if it's specfic to Airvpn, any ideas please?

 

Share this post


Link to post

Remove anything that isn't actually needed in the custom options, or anything that you didn't actually put there.  I had the same problem and there were lines in custom options that I were not something I put in.

Share this post


Link to post

Also, now that pfsense has openvpn 2.5 you might try a switch to chacha20 as "data encryption algorithm" as it might be faster for you than what you were using.

Even on my system that was fast with AES-256-GCM because of AES-NI, chacha20 is for some reason faster.  I think it has more to do with networking and not CPU ease.

Share this post


Link to post

I have the same issue. Not able to connect to the servers after upgrade to Pfsense 2.5

Feb 19 18:19:32    openvpn    69215    [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 19 18:19:32    openvpn    69215    SIGUSR1[soft,ping-restart] received, process restarting
Feb 19 18:19:32    openvpn    69215    Restart pause, 5 second(s)
Feb 19 18:19:36    openvpn    46383    MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Feb 19 18:19:36    openvpn    46383    MANAGEMENT: CMD 'state 1'
Feb 19 18:19:36    openvpn    46383    MANAGEMENT: CMD 'status 2'
Feb 19 18:19:36    openvpn    46383    MANAGEMENT: Client disconnected
Feb 19 18:19:36    openvpn    69215    MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Feb 19 18:19:36    openvpn    69215    MANAGEMENT: CMD 'state 1'
Feb 19 18:19:36    openvpn    69215    MANAGEMENT: Client disconnected
Feb 19 18:19:37    openvpn    69215    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 19 18:19:37    openvpn    69215    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 18:19:37    openvpn    69215    Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:37    openvpn    69215    Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:37    openvpn    69215    Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:37    openvpn    69215    Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:37    openvpn    69215    TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Feb 19 18:19:37    openvpn    69215    Socket Buffers: R=[42080->42080] S=[57344->57344]
Feb 19 18:19:37    openvpn    69215    UDPv4 link local (bound): [AF_INET]192.168.1.101:0
Feb 19 18:19:37    openvpn    69215    UDPv4 link remote: [AF_INET]x.x.x.x:443
Feb 19 18:19:38    openvpn    69215    event_wait : Interrupted system call (code=4)
Feb 19 18:19:38    openvpn    69215    SIGTERM[hard,] received, process exiting
Feb 19 18:19:38    openvpn    91313    OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 5 2021
Feb 19 18:19:38    openvpn    91313    library versions: OpenSSL 1.1.1i-freebsd 8 Dec 2020, LZO 2.10
Feb 19 18:19:38    openvpn    91424    MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2/sock
Feb 19 18:19:38    openvpn    91424    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 19 18:19:38    openvpn    91424    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 18:19:38    openvpn    91424    Initializing OpenSSL support for engine 'rdrand'
Feb 19 18:19:38    openvpn    91424    WARNING: experimental option --capath /var/etc/openvpn/client2/ca
Feb 19 18:19:38    openvpn    91424    Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:38    openvpn    91424    Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:38    openvpn    91424    Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb 19 18:19:38    openvpn    91424    Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 19 18:19:39    openvpn    91424    TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Feb 19 18:19:39    openvpn    91424    Socket Buffers: R=[42080->42080] S=[57344->57344]
Feb 19 18:19:39    openvpn    91424    UDPv4 link local (bound): [AF_INET]192.168.1.101:0
Feb 19 18:19:39    openvpn    91424    UDPv4 link remote: [AF_INET]x.x.x.x:443
Feb 19 18:19:43    openvpn    46383    MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Feb 19 18:19:43    openvpn    46383    MANAGEMENT: CMD 'state 1'
Feb 19 18:19:43    openvpn    46383    MANAGEMENT: CMD 'status 2'
Feb 19 18:19:43    openvpn    46383    MANAGEMENT: Client disconnected
Feb 19 18:19:43    openvpn    91424    MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Feb 19 18:19:43    openvpn    91424    MANAGEMENT: CMD 'state 1'
Feb 19 18:19:43    openvpn    91424    MANAGEMENT: Client disconnected

Share this post


Link to post
22 hours ago, kanetoad said:

Hi Everyone

Installed pfsense 2.5.0 community, no major dramas updating from 2.4.5..

However i'm getting the following error when starting up openvpn.

Feb 17 16:24:49 192.168.10.1 openvpn[53019]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client4/config.ovpn:41: key-method (2.5.0)

I'm trying to find out what this parameter may be and if it's specfic to Airvpn, any ideas please?

 


Hello!

key-method directive is no more supported in OpenVPN 2.5. Delete it. If you connect with TLS Crypt (entry-IP addresses 3 or 4) you don't need any replacement.

If you connect with TLS Auth, enter the directive:
key-direction 1

Kind regards
 

Share this post


Link to post

Can someone post some screen shot guides on how to configure the latest update on Pfsense 2.5 version, as to how to configure Airvpn ? Please I am unable to understand the above explanation. 

Share this post


Link to post
Posted ... (edited)
21 hours ago, go558a83nk said:

Remove anything that isn't actually needed in the custom options, or anything that you didn't actually put there.  I had the same problem and there were lines in custom options that I were not something I put in.

Hello

You were right, i had the following custom options in the Advanced config:

client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;

Clearing these out , so my custom =

client;persist-key;persist-tun;remote-cert-tls server;prng sha256 64;mlock;auth-nocache;

Thank you! Edited ... by kanetoad

Share this post


Link to post
Posted ... (edited)
21 hours ago, go558a83nk said:

Also, now that pfsense has openvpn 2.5 you might try a switch to chacha20 as "data encryption algorithm" as it might be faster for you than what you were using.

Even on my system that was fast with AES-256-GCM because of AES-NI, chacha20 is for some reason faster.  I think it has more to do with networking and not CPU ease.


Yes i'm testing this at the moment, prehaps the preformance gains are hardware specfic, depending on the pfsense socket, intel/amd?
  Edited ... by kanetoad

Share this post


Link to post
Posted ... (edited)
20 hours ago, Staff said:

Hello!

key-method directive is no more supported in OpenVPN 2.5. Delete it. If you connect with TLS Crypt (entry-IP addresses 3 or 4) you don't need any replacement.

If you connect with TLS Auth, enter the directive:
key-direction 1

Kind regards
 
Hello

This was already in my custom option, what's your view on removing these custom options from:

client;remote-cert-tls server;persist-key;persist-tun;keysize 256;key-method 2;key-direction 1;explicit-exit-notify 5;mlock;keepalive 5 30;prng sha512 64;
to...

client;persist-key;persist-tun;remote-cert-tls server;prng sha256 64;mlock;auth-nocache;

Thank you! Edited ... by kanetoad
update

Share this post


Link to post
1 hour ago, kanetoad said:

Yes i'm testing this at the moment, prehaps the preformance gains are hardware specfic, depending on the pfsense socket, intel/amd?
 
AMD64  - CPU usage is flapping around a bit more using the chacha20 ciper.

but there is gains for sure!

Share this post


Link to post
7 hours ago, Sunilc said:

Can someone post some screen shot guides on how to configure the latest update on Pfsense 2.5 version, as to how to configure Airvpn ? Please I am unable to understand the above explanation. 


This is pretty much my config, pfsense people in these parts will have used the excellent guide at some point for their setup.
#
https://nguvu.org/pfsense/pfsense-baseline-setup/


 

Share this post


Link to post

kanetoad: Thanks a lot. Your " custom option edit- client;persist-key;persist-tun;remote-cert-tls server;prng sha256 64;mlock;auth-nocache;" has worked. 

Share this post


Link to post

I had this issue with Open VPN 2.4.4, and replaced some lines of code in the .ovpn file...

REPLACE:
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
comp-lzo no
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
auth SHA512
<ca>

WITH:
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1
<ca>


 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...