49W4JR9tkJbTG3EGr3cq5na5Zd 0 Posted ...

Hi,

I have four pfSense routers (installed on Netgate hardware) that I use in different circumstances. Two of these four routers are configured to use AirVPN. Today, I updated my older router using AirVPN to the latest version of pfSense, which is pfSense Plus 21.02.2-RELEASE. This update includes the latest version of the OpenVPN client.

Upon completing the pfSense update, it was necessary for me to fix some of the deprecated settings. To do so, I went through the latest AirVPN guide provided for pfSense (https://nguvu.org/pfsense/pfsense-baseline-setup/) and followed the OpenVPN settings section exactly (using the recommended UDP settings rather than the TCP I prefer).

Now, when I boot up either of my AirVPN routers running pfSense from being powered off or, if I do a reboot from the user interface, AirVPN will not connect. Upon startup (and logging into pfSense), the pfSense Dashboard displays that the OpenVPN client interface statistics widget has a green arrow icon pointing up, but I am unable to send/receive any information to/from the Internet. The Interface Statistics widget within the pfSense dashboard shows a lot of activity within the AirVPN_LAN interface, but very little (if any) activity within the AirVPN_WAN interface (only 0 - 30 packets in/out even after long periods of time).

In order to get the OpenVPN service working, I have to restart it manually three to four times using the pfSense Dashboard controls. While doing so, the unbound DNS Resolver service crashes with each startup, forcing me to also start that manually each time. In case it is helpful, I have looked through the OpenVPN logs and noticed a recurring error "ioctl(TUNSIFMODE): Device busy (errno=16)".

After repeatedly restarting these services, the OpenVPN WAN interface will finally begin to work, connecting me to AirVPN successfully. This is true for both my older and newer pfSense routers using AirVPN services.

To anticipate possible questions that may arise:

- I use my AirVPN routers frequently but not consistently, making it necessary to turn them on and off.
- I prefer TCP because:
  - TCP is said by some to be more stable than UDP (less dropped packets).
  - TCP is said by others to be more secure than UDP.
  - Regardless of whether either of the statements immediately above are true, for my needs, the slight drop in speed is not noticeable.
- My third and fourth pfSense routers, that connect via OpenVPN using VPN services from other providers, do not have this issue when powered off then on again.

Thank you in advance for your guidance in fixing this problem.

Air4141841 25 Posted ...

I have used AirVPN on pfSense with practically zero issues since my account was created on here. I am using an SG-3100 on the latest pfSense, using TCP, using Entry IP 3, with NO issues like you are describing.

Everyone I've seen post that link you have for nguvu.org clearly can't read instructions, because they ALL have issues. Start with a fresh config, create a new tunnel, and you should not have any issues.

lordlukan 3 Posted ...

If you post some OpenVPN client logs from pfSense, someone may be able to help.

49W4JR9tkJbTG3EGr3cq5na5Zd 0 Posted ...

Thank you lordlukan, for your helpful response. I am attaching logs as you suggested, but with my internal network IP addresses obfuscated for privacy. I am also providing a detailed description of what happens when I start up my router below:

1. I started up my router from being powered off.
2. I waited a few minutes, then logged into the pfSense user interface.
3. I waited around 5 minutes and had no internet connectivity, even though the pfSense Dashboard OpenVPN widget has a green arrow indicating the VPN is UP.
4. I restarted the OpenVPN service, and waited another few minutes, refreshing the pfSense dashboard several times.
   -- The pfSense router dashboard reads: "Unable to check for updates" consistently, each time the dashboard is refreshed.
5. I noticed that the unbound DNS Resolver service crashed, and there was a red X icon next to the service.
6. I restarted the unbound DNS Resolver service manually. I am also including logs from that service.
7. After manually starting the unbound DNS Resolver service and waiting a few minutes, AirVPN began working, and I can get out to the internet.

Thank you in advance for your efforts to help.

AirVPN_Unbound_Logs.txt
AirVPN_OpenVPN_Logs.txt

Air4141841 25 Posted ...

Can I ask why you do not have chacha20 listed under data encryption algorithms? Once connected, if you click Status, Filter Reload, does it cause it to pass traffic / work normally?

    May 13 16:55:26 openvpn 33730 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Dimidium, emailAddress=info@airvpn.org
    May 13 16:55:26 openvpn 33730 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    May 13 16:55:26 openvpn 33730 VERIFY WARNING: depth=1, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    May 13 16:55:26 openvpn 33730 VERIFY WARNING: depth=0, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Dimidium, emailAddress=info@airvpn.org

    May 13 16:07:31 openvpn 31623 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
    May 13 16:07:31 openvpn 31623 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
    May 13 16:07:31 openvpn 31623 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
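
Added example (not part of the thread, and not pfSense or OpenVPN code): a Python triage over the log message formats quoted in this thread, grouping lines by OpenVPN PID and reporting the negotiated control and data channel ciphers, CRL warnings, and the TUNSIFMODE "Device busy" error from the first post. The function name triage, the allowed-cipher set, and the timestamp and PID on the last sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First five lines are copied from the post above. The last line is constructed:
# its timestamp and PID are invented around the error text quoted in the first post.
SAMPLE_LOG = """\
May 13 16:55:26 openvpn 33730 VERIFY WARNING: depth=1, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
May 13 16:55:26 openvpn 33730 VERIFY WARNING: depth=0, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Dimidium, emailAddress=info@airvpn.org
May 13 16:07:31 openvpn 31623 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
May 13 16:07:31 openvpn 31623 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
May 13 16:07:31 openvpn 31623 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
May 13 16:54:58 openvpn 33730 ioctl(TUNSIFMODE): Device busy (errno=16)
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} openvpn (\d+) (.*)$")
CONTROL = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^,\s]+)")
DATA = re.compile(r"(Incoming|Outgoing) Data Channel: Cipher '([^']+)'")
CRL = re.compile(r"VERIFY WARNING: depth=(\d+), unable to get certificate CRL")
TUN_BUSY = "ioctl(TUNSIFMODE): Device busy"

def triage(log_text, allowed_ciphers):
    """Group log lines by OpenVPN PID and summarise what each process reported."""
    procs = defaultdict(lambda: {"tls": None, "data": {}, "cipher_ok": None,
                                 "crl_depths": [], "tun_busy": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pfSense-style openvpn log line
        p, msg = procs[int(m.group(1))], m.group(2)
        if (c := CONTROL.search(msg)):
            p["tls"] = (c.group(1), c.group(2))
        elif (d := DATA.search(msg)):
            p["data"][d.group(1).lower()] = d.group(2)
            # True only if every negotiated data cipher is in the expected set
            p["cipher_ok"] = all(v in allowed_ciphers for v in p["data"].values())
        elif (w := CRL.search(msg)):
            p["crl_depths"].append(int(w.group(1)))
        elif TUN_BUSY in msg:
            p["tun_busy"] += 1
    return dict(procs)

if __name__ == "__main__":
    # Assumed client list: the two algorithms the original poster says the guide uses.
    for pid, info in triage(SAMPLE_LOG, {"AES-256-GCM", "AES-256-CBC"}).items():
        print(pid, info)
```

Grouping by PID keeps separate OpenVPN processes apart, which matters here because the quoted lines come from two different PIDs at different times.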

49W4JR9tkJbTG3EGr3cq5na5Zd 0 Posted ...

Hello Air4141841,

In the guide for which I posted the URL earlier in this thread, the instructions were to use AES-256-GCM with AES-256-CBC as the fallback algorithm. Should I be using ChaCha20 instead of either of these two?

Unexpectedly, today when I turned on my AirVPN router without changing any settings, it worked without any manual intervention. I have no explanation for this change in behavior. Clicking Status > Filter Reload did not change anything.

After reading your comment, I then tried to add CHACHA20 as an allowed algorithm and pfSense responded with the following input error, "One or more of the selected Data Encryption Algorithms is not valid."

Air4141841 25 Posted ...

It is personal preference, really. ChaCha is newer and faster, depending on your processor. I have an ARM (SG-3100), so I am trying it currently. I only have a 100Mb fiber connection, so I can't really max out this CPU...

Never heard of that issue. As many users, including myself, I did a fresh install of pfSense to remedy other issues faced during an upgrade of 2.4.5.

49W4JR9tkJbTG3EGr3cq5na5Zd 0 Posted ...

Hi Air4141841,

I have two SG-5100's and two SG-4860's. I did an upgrade from 2.5 to 21.02.2-RELEASE on both SG-4860's and one of the SG-5100's. Now I am seeing the unbound DNS resolver crash issue on both SG-5100's. One of the SG-5100's has AirVPN, while the other one is running a different VPN service. I am also experiencing the DNS resolver crash issue on one of the SG-4860's.

As for the second SG-4860, apparently the upgrade was not as successful as it initially appeared because as of this morning it will not even boot due to not being able to find a critical system file. I expect to be contacting Netgate about that shortly. I had rebooted the second SG-4860 several times successfully after the update, but not from being powered off.

I am now starting to see posts in the Netgate community board describing this same unbound DNS resolver issue, but none of the posts have cited a likely root cause.

Air4141841 25 Posted ...

From the console run:

    pkg update; pkg upgrade

If there are any unbound updates (there probably will be, I recall installing one), type the command again with Y so it will install.

Are you forwarding or just resolving? I am just using the resolver standard out of the box, and do not have any crashes.

49W4JR9tkJbTG3EGr3cq5na5Zd 0 Posted ... (edited)

Hi Air4141841,

I am just resolving, as I didn't do anything fancy to unbound so it should be standard out of the box. I will try your suggestion to upgrade, thanks.

Edited to add: I ran the command you suggested on the upgraded routers that are operational, and on both of them got this:

    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking for upgrades (0 candidates): . done
    Processing candidates (0 candidates): . done
    Checking integrity... done (0 conflicting)
    Your packages are up to date.

Looks like I am all up-to-date.

Edited ... by 49W4JR9tkJbTG3EGr3cq5na5Zd
Executed suggestion - editing to add