  1. #1
    Untanglit
    Join Date
    Jan 2009
    Posts
    19

    Unhappy OpenVPN on 15.1.0.20200826

    I had Untangle as an OpenVPN client to a pfSense server working just fine. The Untangle box updated to 15.1.0.20200826 and now the connection from Untangle -> pfSense comes up briefly, maybe 10 seconds (Untangle shows connected:true), and I see the connection on the pfSense side as well, but no packets will traverse the connection on the OpenVPN tunnel network and I never see a tun adapter created on the Untangle side. After the 10 seconds the connection will drop and retry about 45 seconds later. Is there anything that changed in this version that could have broken it? I have several Untangle boxes acting as clients and the affected Untangle is the server and those are fine. I've tried looking on the Untangle server (via SSH) for an OpenVPN log, but /var/log/openvpn exists and is empty. Any suggestions would be appreciated.

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,447

    Default

    at that location where openvpn is a directory,
    look at openvpn.log

    the date version changelog doesn't indicate any changes. do you happen to know what version you upgraded from?
    Last edited by Jim.Alles; 08-29-2020 at 08:59 PM.

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,447

    Default

    there are other things to look at in /etc/openvpn

  4. #4
    Untanglit
    Join Date
    Jan 2009
    Posts
    19

    Default

    On the Untangle server /var/log/openvpn is empty. I don't know the version I updated from but it was definitely a 15.1.xxxx version. The server is set to update automatically so I assume it was probably the immediately previous version.

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,013

    Default

    Look at the compress option on the server and client to make sure they are the same. The 15.1.0 openvpn client in UT was changed since compress is no longer safe to use.
    Jim.Alles likes this.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,447

    Default

    Quote (originally posted by WizADSL):
    "On the Untangle server /var/log/openvpn is empty."

    Correct.
    /var/log/openvpn.log is the log file.

    But what John Coffin said is more important.
    If you think I got Grumpy

  7. #7
    Untanglit
    Join Date
    Jan 2009
    Posts
    19

    Default

    This is a site-to-site VPN and the server (pfSense) is using UDP 1195.

    On the Untangle side (client) the config I found in /etc/openvpn contains:
    Code:
    client
    resolv-retry 20
    keepalive 10 60
    nobind
    mute-replay-warnings
    ns-cert-type server
    comp-lzo
    max-routes 500
    verb 1
    persist-key
    persist-tun
    explicit-exit-notify 1
    dev tun1
    proto udp
    port 1195
    cipher AES-128-CBC
    cert keys/xxx.crt
    key keys/xxx.key
    ca keys/xxx-ca.crt

    On the pfSense side (server) the config file contains (this is generated based on what is entered in the web interface):

    Code:
    dev ovpns2
    verb 4
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    engine cryptodev
    tls-server
    ifconfig 173.22.1.1 173.22.1.2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server' 1"
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.22.0 255.255.255.0"
    route 192.168.0.0 255.255.240.0
    route 10.0.0.0 255.254.0.0
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.2048
    ncp-disable
    comp-lzo adaptive
    persist-remote-ip
    float
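
The comparison suggested in post #5, run over the two configs posted above. This is an added example, not part of the original posts and not Untangle or pfSense code; the function names and the finding labels are assumptions made for illustration, and the sample strings are constructed excerpts of the posted configs.

```python
# Added example: compare compression and cipher settings of two OpenVPN peers.
COMPRESSION = ("comp-lzo", "compress")   # compression directives to look for
MUST_MATCH = ("cipher", "auth")          # compared only when both sides set them

def parse(text):
    """Return {directive: argument string} for one config, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], parts[1].strip() if len(parts) > 1 else "")
    return opts

def compression(opts):
    """Normalise the compression setting; None means no directive at all."""
    for name in COMPRESSION:
        if name in opts:
            # A bare "comp-lzo" defaults to adaptive mode in OpenVPN 2.x.
            arg = opts[name] or ("adaptive" if name == "comp-lzo" else "")
            return (name, arg)
    return None

def compare(client_text, server_text):
    """List findings as (kind, detail) tuples (labels are hypothetical)."""
    client, server = parse(client_text), parse(server_text)
    findings = []
    c, s = compression(client), compression(server)
    if c != s:
        findings.append(("compression-mismatch", f"client={c} server={s}"))
    for side, val in (("client", c), ("server", s)):
        if val is not None:
            findings.append(("compression-present", f"{side}: {' '.join(val).strip()}"))
    for name in MUST_MATCH:
        if name in client and name in server and client[name] != server[name]:
            findings.append((f"{name}-mismatch",
                             f"client={client[name]} server={server[name]}"))
    return findings

# Constructed excerpts of the two configs from post #7.
CLIENT = "client\ncomp-lzo\nproto udp\nport 1195\ncipher AES-128-CBC\n"
SERVER = "#user nobody\nproto udp4\ncipher AES-128-CBC\nauth SHA1\ncomp-lzo adaptive\n"

if __name__ == "__main__":
    for finding in compare(CLIENT, SERVER):
        print(*finding)
    # Same check with comp-lzo dropped from the client file only.
    for finding in compare(CLIENT.replace("comp-lzo\n", ""), SERVER):
        print(*finding)
```

Run against the files as posted, the check reports compression present on both ends with matching settings; with `comp-lzo` removed from only one file it reports a mismatch, which is the condition post #5 says to rule out.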

  8. #8
    Untanglit
    Join Date
    Jan 2009
    Posts
    19

    Default

    From SSH:

    ls: cannot access '/var/log/openvpn.log': No such file or directory

  9. #9
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,447

    Default

    the comp-lzo directive is what has to go.

    On the Untangle client side:
    complzo.png

  10. #10
    Untanglit
    Join Date
    Jan 2009
    Posts
    19

    Default

    I realize that the image should make what I should do next very obvious, but I'm afraid it doesn't for me (plus I don't want to break something). My Untangle server (in the Client Configuration) currently has "Option Name" set to "comp-lzo" and no Option Value set. If I understand correctly, I should check "Exclude" in order to omit the setting from the client configuration? Will this affect the client that is already set up, or does this only control the client created from this server? In order to make this server connect as a client to pfSense, I exported a mock OpenVPN client from this server and edited the resulting ZIP file with the certificates and info for the pfSense box. If editing the ZIP file I used to import the client config is all I need to do, then I can do that instead.
