Jump to content
Not connected, Your IP: 18.191.200.114
overmorrow

ANSWERED pfSense just disconnects after cert upgrade

Recommended Posts

I'm using pfsense to connect, and today it had suddenly stopped working. I suspected that the reason was that I hadn't updated the certs in many years as others seemed to have issues with that too, so I downloaded some new config files and updated the CA and the cert. I also updated the cipher, digest algorithm and tls key to match the new file. Unfortunately I still can't connect. The client tries, and immediately disconnects. The logs do not provide much insight into what's going on... Any suggestions? My config is based on the old pfsense 2.3 -guide available in the forum, (and basically stems from a time when pfsense 2.3 was state of the art).

Apr 8 22:09:19  openvpn         86390   Server poll timeout, restarting
Apr 8 22:09:19  openvpn         86390   SIGUSR1[soft,server_poll] received, process restarting
Apr 8 22:09:19  openvpn         86390   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 8 22:09:19  openvpn         86390   TCP/UDP: Preserving recently used remote address: [AF_INET]128.127.104.82:443
Apr 8 22:09:19  openvpn         86390   Socket Buffers: R=[42080->262144] S=[57344->262144]
Apr 8 22:09:19  openvpn         86390   UDPv4 link local (bound): [AF_INET]XXX.XXX.XXX.XXX:0
Apr 8 22:09:19  openvpn         86390   UDPv4 link remote: [AF_INET]128.127.104.82:443
Apr 8 22:09:19  openvpn         86390   MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Apr 8 22:09:19  openvpn         86390   MANAGEMENT: CMD 'state 1'
Apr 8 22:09:19  openvpn         86390   MANAGEMENT: Client disconnected

Share this post


Link to post

same/similar issue here, used the same guide...
pfsense was not updated in several years, and it is just not connecting today.
updated with new config data(ca/cert/tls key), but not sure i did it correctly...

Share this post


Link to post
12 hours ago, overmorrow said:

I'm using pfsense to connect, and today it had suddenly stopped working. I suspected that the reason was that I hadn't updated the certs in many years as others seemed to have issues with that too, so I downloaded some new config files and updated the CA and the cert. I also updated the cipher, digest algorithm and tls key to match the new file. Unfortunately I still can't connect. The client tries, and immediately disconnects. The logs do not provide much insight into what's going on... Any suggestions? My config is based on the old pfsense 2.3 -guide available in the forum, (and basically stems from a time when pfsense 2.3 was state of the art).


Apr 8 22:09:19  openvpn         86390   Server poll timeout, restarting
Apr 8 22:09:19  openvpn         86390   SIGUSR1[soft,server_poll] received, process restarting
Apr 8 22:09:19  openvpn         86390   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 8 22:09:19  openvpn         86390   TCP/UDP: Preserving recently used remote address: [AF_INET]128.127.104.82:443
Apr 8 22:09:19  openvpn         86390   Socket Buffers: R=[42080->262144] S=[57344->262144]
Apr 8 22:09:19  openvpn         86390   UDPv4 link local (bound): [AF_INET]XXX.XXX.XXX.XXX:0
Apr 8 22:09:19  openvpn         86390   UDPv4 link remote: [AF_INET]128.127.104.82:443
Apr 8 22:09:19  openvpn         86390   MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Apr 8 22:09:19  openvpn         86390   MANAGEMENT: CMD 'state 1'
Apr 8 22:09:19  openvpn         86390   MANAGEMENT: Client disconnected

1) management: client disconnected is not the VPN client disconnecting.  it's pfsense's openvpn management client that's disconnecting from...managing it I guess.

2) otherwise the log shows very little.  after the line
UDPv4 link remote: [AF_INET]128.127.104.82:443
usually you'd see something about initial TLS packet.  If you're not getting any response from the VPN server then perhaps something's blocking it, like a local firewall or your ISP.

Share this post


Link to post

Okay... I can't claim to have solved the issue, but at least I've worked around it. I could. not. get. OpenVPN to work on pfsense - not the old version (2.4.5) that I was using, nor the new one (2.7.2). What I instead did was use this guide to install WireGuard and use that instead. There are still some oddities that would be nice to work out (for example duckduckgo no longer responds even though every other site does) and changing the country I'm in by running Hummingbird on a machine (and thus running a VPN connection through a VPN connection) seems to have issues that I haven't worked out yet, but for people who have issues with getting OpenVPN to play ball on pfsense, I recommend looking at the WireGuard option. You need pfsense 2.6.0 or greater for it to be an option, though.

The OpenVPN issue seemed to be with the internal workings of pfsense. SSH:ing into the pfsense box and just straigth up running openvpn with one of the config files, worked fine, but setting up the ovpn1 interface and commanding it via the GUI didn't work no matter what I tried.

Share this post


Link to post
1 hour ago, overmorrow said:

Okay... I can't claim to have solved the issue, but at least I've worked around it. I could. not. get. OpenVPN to work on pfsense - not the old version (2.4.5) that I was using, nor the new one (2.7.2). What I instead did was use this guide to install WireGuard and use that instead. There are still some oddities that would be nice to work out (for example duckduckgo no longer responds even though every other site does) and changing the country I'm in by running Hummingbird on a machine (and thus running a VPN connection through a VPN connection) seems to have issues that I haven't worked out yet, but for people who have issues with getting OpenVPN to play ball on pfsense, I recommend looking at the WireGuard option. You need pfsense 2.6.0 or greater for it to be an option, though.

The OpenVPN issue seemed to be with the internal workings of pfsense. SSH:ing into the pfsense box and just straigth up running openvpn with one of the config files, worked fine, but setting up the ovpn1 interface and commanding it via the GUI didn't work no matter what I tried.


Did you complete the guide's instructions on setting MSS on the LAN interface?

Share this post


Link to post
22 minutes ago, go558a83nk said:

Did you complete the guide's instructions on setting MSS on the LAN interface?
Yes. I also set the MTU to 1320, because that's what the AirVPN conf file said.

Share this post


Link to post
1 hour ago, overmorrow said:
1 hour ago, go558a83nk said:

Did you complete the guide's instructions on setting MSS on the LAN interface?
Yes. I also set the MTU to 1320, because that's what the AirVPN conf file said.

Hello!

Please lower it even more to 1280 bytes and test again. Cases requiring the minimum possible MTU accepted by WireGuard are rare but not impossible.
EDIT: ONLY through WireGuard directive, the small MTU is needed on the VPN interface. Do NOT touch the MTU of the physical interface.

Kind regards
 

Share this post


Link to post
52 minutes ago, overmorrow said:
1 hour ago, go558a83nk said:

Did you complete the guide's instructions on setting MSS on the LAN interface?
Yes. I also set the MTU to 1320, because that's what the AirVPN conf file said.

if that isn't working or the 1280 as Staff suggests you can also try setting MTU and MSS directly on the wireguard interface instead of the LAN interface.  I'd suggest 1280 for both MTU and MSS on the wireguard interface and test the sites that aren't working for you.  Then try higher values and see if there's a value at which sites stop working again.

Share this post


Link to post
2 hours ago, Staff said:
Please lower it even more to 1280 bytes and test again.
That seems to have done the trick! Thank you.

Share this post


Link to post
On 4/14/2024 at 8:27 AM, overmorrow said:

changing the country I'm in by running Hummingbird on a machine (and thus running a VPN connection through a VPN connection) seems to have issues that I haven't worked out yet,


Replying to myself in case anyone else runs into the same issue: The problem is apparently that WireGuard uses a lower MTU (1320) than OpenVPN does by default (1500). The solution is to add the line
tun-mtu 1320
to the OpenVPN config. (This also works with Eddie.)

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...