# OpenVPN  tun0 is down



## hzdtony (Jul 17, 2014)

My FreeBSD version is FreeBSD 8.4-RELEASE-p14, I install OpenVPN 2.3.4 via ports. The Makefile file is:

```
$FreeBSD: head/security/openvpn/Makefile 361977 2014-07-15 16:57:39Z adamw $
```
 But I encounter a issue, as follows:


which results in OpenVPN going down.

Please help me! Thanks a lot.


----------



## SirDice (Jul 17, 2014)

Please post the configuration file you used.


----------



## hzdtony (Jul 18, 2014)




----------



## SirDice (Jul 18, 2014)

That's the port's Makefile. Please post your OpenVPN configuration.


----------



## hzdtony (Jul 21, 2014)

My OpenVPN configuration file is as follows:

```
port 8899
proto tcp
dev tun
topology subnet
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0 
plugin keys/openvpn-plugin-auth-pam.so login
server 172.16.0.0 255.255.255.0
route 202.121.86.0 255.255.255.0
client-config-dir fixedip
ccd-exclusive
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "route 192.168.200.0 255.255.255.0"
push "route 192.168.202.0 255.255.255.0"
push "route 192.168.201.0 255.255.255.0"
push "route 192.168.100.0 255.255.255.0"
```


----------



## SirDice (Jul 21, 2014)

The errors don't seem to have any relation with the configuration you posted. The errors show issues with IPv6 addresses and there are none in your configuration file.


----------



## hzdtony (Jul 22, 2014)

Thanks a lot. But with OpenVPN 2.3.2, there is not such a problem. I use the PF firewall. But PF cannot automatically _[cannot what? -- mod.]_ at the system boot time. Every time I manually start PF via: `pfctl -f /etc/pf.conf` then, currently connecting SSH sessions are closed. Occasionally OpenVPN shuts down during such a problem. After OpenVP has been running for a while, this problem occurs. But it's uncertain exactly when.

I want the PF firewall to automatically start at the system boot time. But PF doesn't start. The /etc/rc.conf file is as follows:

But when I manually start the PF firewall, it prompts as follows:

Maybe this problem resulted from PF not automatically starting, in case of not compiling the kernel, How to solve the problem?

Thanks a lot again.


----------



## SirDice (Jul 22, 2014)

There is no problem with PF. The message you see is normal. Only the ALTQ part doesn't work and you don't use it. In order to get ALTQ working you must compile a custom kernel.


----------



## hzdtony (Jul 23, 2014)

Thanks a lot. But why does PF not start automatically at boot time? How to solve this is problem?


----------



## SirDice (Jul 23, 2014)

Add to /etc/rc.conf

```
pf_enable="YES"
```

Handbook: 29.3. PF


----------



## hzdtony (Jul 23, 2014)

I have added  
	
	



```
pf_enable="YES"
```
 to /etc/rc.conf, but pf does not yet load pf.conf rules. I _do_ not understand*.*


----------



## SirDice (Jul 23, 2014)

Please post your /etc/pf.conf. It's possible there's a syntax error in it. That would prevent the rules from being loaded. Also post the output of `pfctl -nf /etc/pf.conf` (this will load the rules and check for errors but won't apply them).


----------



## gkbsd (Jul 23, 2014)

How do you know `pf` did not automatically start? Do you have an error message? After a reboot, upon the first login does `pfctl -sr` return no rules loaded?

Guillaume.


----------



## hzdtony (Jul 24, 2014)

Yes,after a reboot, when I login to the system, issuing `pf -sa` returns 
	
	



```
no rules loaded
```
 I must manually load the rules via  `pfctl -nf /etc/pf.conf`

My pf.conf content is as follows:


----------



## gkbsd (Jul 24, 2014)

As @SirDice said, the command `pfctl -nf /etc/pf.conf` will not load the rules, but only check the syntax of /etc/pf.conf and shows an output. Can you show us this output ? Also, at which securelevel are you running?  

Guillaume.


----------



## hzdtony (Jul 25, 2014)

I am sorry! I use `pfctl -f /etc/pf.conf` to load rules. *W*hen running `pfctl -nf /etc/pf.conf`, I get output as follows:



There is no output.

The system's securelevel is as follows:



Thanks a lot everyone!


----------



## gkbsd (Jul 26, 2014)

Although not necessary at securelevel -1, you could try to load pf kernel modules in /boot/loader.conf:

```
pf_load="YES"
pflog_load="YES"
```

This way they will be loaded before your /etc/pf.conf file is accessed. Does it change anything?


----------



## hzdtony (Jul 28, 2014)

Thanks a lot. I should be as follow content:

```
pf_load="YES"
pflog_load="YES"
```
Add to  /boot/loader.conf file.
After rebooting, pf rules still do not load as shown in screenshot:


----------



## gkbsd (Jul 28, 2014)

I see no reason as to why it does not load at boot. May be check your /etc/pf.conf permissions, and take a look at /var/log/messages just after a reboot. Check the moment pf should load, if there is any error message.

Guillaume


----------



## hzdtony (Jul 29, 2014)

Thanks a lot everyone.I found out PF why not automatically load at the system boot. Reason is PF rules include a rule as follows:

```
pass in on tun0 from tun0:network to !192.168.200.208  keep state
```
when PF starting. OpenVPN yet started. Therefore, tun0 interface inexistence.as follows screenshot:

Meanwhile, I encounter a problem, it is OpenVPN starts two times:

I can't understand why.
Now, how to change pf start order, let pf at `openvpn` start after start?


----------



## gkbsd (Jul 29, 2014)

May be try to modify your rule that way:

```
pass in on tun0 from (tun0:network) to !192.168.200.208 keep state
```

Does it work?


----------



## hzdtony (Jul 30, 2014)

I modified my pf.conf according to your suggestion, but the problem persists. See the screenshot.



How do I change the starting order?


----------



## gkbsd (Jul 30, 2014)

I do not know if it's possible to modify the order in which services start. The rule syntax I suggested you is close to the one I'm using on my router, where I use also OpenVPN. I'm using more exactly (extracts):

```
vpn="tun0"
nat on $vpn from ($lan:network) to any -> ($vpn:0)
```

That is not the same rule as you, but I do not have the problem you encounter at start. In my /etc/rc.conf pf is written first, and OpenVPN at the end of the file. However I don't know if it modifies the boot order. Can you check this last point? Then I'm afraid I'm out of ideas.

EDIT: I noticed your forgot one rule, modify also the other rule using "(tun0:network)":

```
pass in on tun0 from (tun0:network) to !192.168.200.208 keep state
pass in on tun0 proto udp from (tun0:network) to any keep state
```

Guillaume


----------



## SirDice (Jul 30, 2014)

Use the up and down options in your configuration file to (re)load the PF ruleset.


```
--up cmd
	      Run command cmd after successful TUN/TAP device open (pre	--user
	      UID change).

	      cmd  consists  of	 a  path  to  script  (or executable program),
	      optionally followed by arguments.	The path and arguments may  be
	      single-  or  double-quoted and/or	escaped	using a	backslash, and
	      should be	separated by one or more spaces.

	      The up command is	useful for  specifying	route  commands	 which
	      route IP traffic destined	for private subnets which exist	at the
	      other end	of the VPN connection into the tunnel.

	      For --dev	tun execute as:

	      cmd   tun_dev   tun_mtu	link_mtu   ifconfig_local_ip	ifcon-
	      fig_remote_ip [ init | restart ]

	      For --dev	tap execute as:

	      cmd  tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask
	      [	init | restart ]

	      See the "Environmental Variables"	section	below  for  additional
	      parameters passed	as environmental variables.

	      Note that	if cmd includes	arguments, all OpenVPN-generated argu-
	      ments will be appended to	them to	build an  argument  list  with
	      which the	executable will	be called.

	      Typically, cmd will run a	script to add routes to	the tunnel.

	      Normally	the  up	 script	 is called after the TUN/TAP device is
	      opened.  In this context,	the last command line parameter	passed
	      to  the script will be init.  If the --up-restart	option is also
	      used, the	up script will be called  for  restarts	 as  well.   A
	      restart  is considered to	be a partial reinitialization of Open-
	      VPN where	the TUN/TAP instance is	preserved  (the	 --persist-tun
	      option  will enable such preservation).  A restart can be	gener-
	      ated by a	SIGUSR1	signal,	a --ping-restart timeout, or a connec-
	      tion  reset  when	 the  TCP protocol is enabled with the --proto
	      option.  If a restart occurs, and	--up-restart has  been	speci-
	      fied,  the  up  script  will  be called with restart as the last
	      parameter.

	      The following standalone example shows how the --up  script  can
	      be called	in both	an initialization and restart context.	(NOTE:
	      for security reasons, don't run the following example unless UDP
	      port  9999  is blocked by	your firewall.	Also, the example will
	      run indefinitely,	so you should abort with control-c).

	      openvpn --dev tun	--port 9999 --verb 4  --ping-restart  10  --up
	      'echo up'	--down 'echo down' --persist-tun --up-restart

	      Note  that  OpenVPN also provides	the --ifconfig option to auto-
	      matically	ifconfig the  TUN  device,  eliminating	 the  need  to
	      define  an --up script, unless you also want to configure	routes
	      in the --up script.

	      If --ifconfig is also specified, OpenVPN will pass the  ifconfig
	      local  and  remote  endpoints  on	 the  command line to the --up
	      script so	that they can be used to configure routes such as:

	      route add	-net 10.0.0.0 netmask 255.255.255.0 gw $5
```


----------



## SirDice (Jul 30, 2014)

gkbsd said:
			
		

> In my /etc/rc.conf pf is written first, and OpenVPN at the end of the file.


The order in rc.conf is totally irrelevant.


----------



## hzdtony (Jul 31, 2014)

I according to @gkbsd suggestion,once again modify I miss out PF rule "(tun0:network)", reboot I system, after PF can be load PF rules. Thanks a lot.
I have a problem,why OpenVPN at the system boot process, starts two time. The last time is failed while do not affect system run. But after all not well.


----------



## gkbsd (Jul 31, 2014)

I'm glad it's finally working   For clarity, the parentheses is used for interfaces that can change of IP address, without the need to reload pf. About OpenVPN starting twice I don't know however.


----------

