OpenVPN clients stopped working

Sparkee

I have an OpenVPN server running on FreeBSD 11.2. It was working fine for a few years; recently I can connect to the server but I can't reach anything. I can't even ping my gateway IP.
I set up another OpenVPN server on FreeBSD 12.0: same problem. I can connect without any issues but nothing is reachable. I also tried multiple clients/computers. No errors in server or client log.

Here is the config:

Code:
sysctl.conf:
net.inet.ip.forwarding=1

rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
gateway_enable="YES"
openvpn_enable="YES"
openvpn_config="/usr/local/etc/openvpn/openvpn.conf"
openvpn_if="tun"

pf.conf:
vpnclients = "10.8.0.0/24"
vpn_if = "tun0"
nat on $ext_if inet from $vpnclients to any -> $ext_ip
pass in quick on $vpn_if from any to any


openvpn.conf:
local EXT_IP
port 1194
proto udp
dev tun
ca ca.crt
cert cert.crt
key key.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS DNS_IP"
push "dhcp-option DNS DNS_IP2"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
ifconfig-noexec
sndbuf 0
rcvbuf 0
status      /var/log/openvpn-status.log
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
verb 3

One thing I'm suspicious about is that on the server tun0 has no IP address, while another OpenVPN server of mine running on Linux has an IP for the tun0 interface.
FreeBSD
Code:
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    groups: tun
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Linux
Code:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1969 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1843 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
 

driesm

Your tun interface does indeed need an IP to function correctly, which it does not have. But that is to be expected, as you set in openvpn.conf: ifconfig-noexec.
Which means OpenVPN won't set up the IPs for you on the tunnel interface, so you would have to do that manually in rc.conf with the ifconfig_tun0 and cloned_interfaces="tun0" directives.

My advice: remove ifconfig-noexec from openvpn.conf and restart the OpenVPN service.
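
The condition described in this answer can be checked offline from saved files. The following sh script is an added example, not part of any post in this thread; the function names and the sample files are hypothetical, with the samples constructed by trimming the configuration and ifconfig output posted above.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and temp paths are hypothetical.

# Print a directive's arguments ("set" for a bare flag), skipping # and ; comments.
ovpn_directive() {  # usage: ovpn_directive <openvpn.conf> <name>
    awk -v d="$2" '/^[ \t]*[#;]/ { next }
        $1 == d { if (NF > 1) { $1 = ""; sub(/^ +/, ""); print } else print "set"; exit }' "$1"
}

# Succeed if <ifname> carries an inet address in saved ifconfig output
# (handles both the FreeBSD and the Linux layout quoted in the thread).
tun_has_inet() {  # usage: tun_has_inet <ifconfig-output> <ifname>
    awk -v ifn="$2" '/^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifn && $1 == "inet" { found = 1 }
        END { exit !found }' "$1"
}

# Print one finding; return 1 when the tunnel interface is unaddressed.
diagnose() {  # usage: diagnose <openvpn.conf> <rc.conf> <ifconfig-output> <ifname>
    if tun_has_inet "$3" "$4"; then echo "ok: $4 has an inet address"; return 0; fi
    if [ -z "$(ovpn_directive "$1" ifconfig-noexec)" ]; then
        echo "fail: $4 unaddressed, ifconfig-noexec not set (server $(ovpn_directive "$1" server))"
    elif grep -Eq "^[[:space:]]*ifconfig_$4=" "$2"; then
        echo "fail: $4 unaddressed although rc.conf defines ifconfig_$4"
    else
        echo "fail: ifconfig-noexec set, rc.conf lacks ifconfig_$4, so nothing addresses $4"
    fi
    return 1
}

# Constructed sample files, trimmed from the configuration posted in the thread.
make_samples() {  # usage: make_samples <dir>
    printf '%s\n' 'dev tun' 'server 10.8.0.0 255.255.255.0' '# ifconfig-noexec' \
        > "$1/fixed.conf"
    printf '%s\n' 'dev tun' 'server 10.8.0.0 255.255.255.0' 'ifconfig-noexec' \
        > "$1/broken.conf"
    printf '%s\n' 'gateway_enable="YES"' 'openvpn_enable="YES"' 'openvpn_if="tun"' \
        > "$1/rc.conf"
    printf '%s\n' 'tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500' \
        '    options=80000<LINKSTATE>' '    groups: tun' > "$1/ifconfig.txt"
}

tmp=$(mktemp -d) && make_samples "$tmp"
diagnose "$tmp/broken.conf" "$tmp/rc.conf" "$tmp/ifconfig.txt" tun0 || true
```

On a live host, save the output of `ifconfig tun0` to a file and pass the real openvpn.conf and /etc/rc.conf paths to `diagnose` instead of the samples.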
 
Sparkee

Removing ifconfig-noexec did the trick, thank you Duffyx!
 