[pfSense] OpenVPN problems after upgrading to 2.0.1

Gordon Russell grussell at clarkecounty.gov
Tue Feb 14 09:12:53 EST 2012 


----- Original Message -----
> From: "Udo Müller" <debian at cs-ol.de>
> To: list at lists.pfsense.org
> Sent: Tuesday, February 14, 2012 8:58:46 AM
> Subject: Re: [pfSense] OpenVPN problems after upgrading to 2.0.1
> Am 14.02.12 14:43, schrieb Jim Pingle:
> > On 2/14/2012 8:38 AM, Udo Müller wrote:
> >> I just installed the fix, redited my openvpn configuration and ...
> >> tatata... nothing changes :(
> >>
> >> The ifconfig command still fails to execute because of a missing
> >> destination.
> >
> > What other advanced options do you have specified? The behavior of
> > the
> > ifconfig command is controlled by the tun/tap mode and the contents
> > of
> > the tunnel network box.
> 
> This is the current (new created config):
> 
> dev ovpns2
> dev-type tap
> dev-node /dev/tap2
> writepid /var/run/openvpn_server2.pid
> #user nobody
> #group nobody
> script-security 3
> daemon
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> proto udp
> cipher AES-128-CBC
> up /usr/local/sbin/ovpn-linkup
> down /usr/local/sbin/ovpn-linkdown
> local 87.128.223.162
> tls-server
> server 10.22.2.0 255.255.255.0
> client-config-dir /var/etc/openvpn-csc
> username-as-common-name
> auth-user-pass-verify /var/etc/openvpn/server2.php via-env
> tls-verify /var/etc/openvpn/server2.tls-verify.php
> lport 1198
> management /var/etc/openvpn/server2.sock unix
> push "dhcp-option DOMAIN openknowledge.de"
> push "dhcp-option DNS 192.168.221.203"
> push "dhcp-option NTP 192.168.221.203"
> push "dhcp-option WINS 192.168.221.203"
> ca /var/etc/openvpn/server2.ca
> cert /var/etc/openvpn/server2.cert
> key /var/etc/openvpn/server2.key
> dh /etc/dh-parameters.1024
> comp-lzo
> passtos
> persist-remote-ip
> float
> push "route 192.168.221.0 255.255.255.0"
> push "route 192.168.71.0 255.255.255.0"
> push "route 10.21.22.0 255.255.255.0"
> push "route 10.21.24.0 255.255.255.0"
> push "route 10.21.40.0 255.255.255.0"
> push "route 10.21.50.0 255.255.255.0"
> push "route 172.20.48.0 255.255.255.0"
> tun-mtu 1500
> fragment 1400
> mssfix
> 
> means:
> 
> Device mode is tap
> Tunnel network is 10.22.2.0/24
> Compression is enabled
> Type-of-service is enabled
> 
> 
> _______________________________________________
> List mailing list
> List at lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list

In my case of upgrade 1.2.3 >> 2.0.1, (peer-to-peer tun shared-key),openvpn looked perfect in terms of configuration in GUI on both ends;  routing was added as expected, but no traffic would pass. Comp-lzo was flagged as enabled on both ends. I disabled compression on both ends, restarted the service manually on both ends, and everything worked. Then I re-enabled comp-lzo on both ends, restarted services, and traffic successfully passes. I chalked it up to some upgrade quirk as mentioned prior, where the GUI was not actually enabling comp-lzo (but telling me it was), or the process wasn't obeying. Nevertheless, toggling it off/on on both ends worked for me.,



Gordon Russell
Clarke County IT

More information about the List mailing list