After upgrade to 11.0-RELEASE something blocks connections between openvpn-client and openvpn-server etc. I mean traffic after openvpn connection is established, so user can connect but has no traffic. Only one connected user is forwarded/routed to destinations/other hosts etc. When the second and more users are connected there is no traffic for them. Works: 10.3-RELEASE and openvpn-2.3.12_1 Doesn't work: 11.0-RELEASE and openvpn-2.3.12_1 I've disabled PF and it's not helped. Client got vpn IP, dns, gateways etc. Problem occured on two upgraded servers. When I disconenct the first client, the second has no immediately traffic I have to reconnect. It means only one client which first established connection is able to forward packets. listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes 2016-10-22 19:53:53.391140 AF IPv4 (2), length 88: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 28711, seq 0, length 64 2016-10-22 19:53:53.392093 AF IPv4 (2), length 88: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 28711, seq 0, length 64 2016-10-22 19:53:54.418406 AF IPv4 (2), length 88: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 28711, seq 1, length 64 2016-10-22 19:53:54.418755 AF IPv4 (2), length 88: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 28711, seq 1, length 64 2016-10-22 19:53:55.407177 AF IPv4 (2), length 88: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 28711, seq 2, length 64 2016-10-22 19:53:55.407986 AF IPv4 (2), length 88: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 28711, seq 2, length 64 2016-10-22 19:54:00.114782 AF IPv4 (2), length 64: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1200, length 40 2016-10-22 19:54:04.993728 AF IPv4 (2), length 64: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1201, length 40 2016-10-22 19:54:09.991531 AF IPv4 (2), length 64: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1202, length 40 10.10.10.2-3 clients 10.0.0.16 destination listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes 2016-10-22 20:10:30.375394 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 0, length 64 2016-10-22 20:10:30.375737 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 0, length 64 2016-10-22 20:10:31.345897 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 1, length 64 2016-10-22 20:10:31.346183 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 1, length 64 2016-10-22 20:10:32.353331 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 2, length 64 2016-10-22 20:10:32.353659 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 2, length 64 2016-10-22 20:10:33.386036 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 3, length 64 2016-10-22 20:10:33.386448 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 3, length 64 2016-10-22 20:10:34.375291 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 4, length 64 2016-10-22 20:10:34.375935 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 4, length 64 2016-10-22 20:10:35.374819 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 5, length 64 2016-10-22 20:10:35.375371 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 5, length 64 2016-10-22 20:11:07.936758 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 74: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1208, length 40 2016-10-22 20:11:07.937176 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 74: 10.0.0.16 > 10.10.10.3: ICMP echo reply, id 1, seq 1208, length 40 2016-10-22 20:11:07.937250 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:09.671143 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:09.671239 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:09.671690 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:09.671708 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:09.694139 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:09.694168 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:09.695613 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:10.388725 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:12.508085 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 74: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1209, length 40 2016-10-22 20:11:12.508361 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 74: 10.0.0.16 > 10.10.10.3: ICMP echo reply, id 1, seq 1209, length 40 2016-10-22 20:11:12.508439 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:13.575831 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:13.608864 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:13.608944 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:13.609062 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:13.609082 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:15.297036 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:17.235472 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:17.514191 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 74: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1210, length 40 2016-10-22 20:11:17.514610 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 74: 10.0.0.16 > 10.10.10.3: ICMP echo reply, id 1, seq 1210, length 40 2016-10-22 20:11:17.514707 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:17.609568 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:17.609662 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:17.609684 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:17.609694 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:17.609728 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:21.129764 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:21.608993 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 2016-10-22 20:11:21.829625 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36 vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE> ether 00:a0:98:68:86:08 inet 10.0.0.10 netmask 0xfffffe00 broadcast 10.0.1.255 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> media: Ethernet 10Gbase-T <full-duplex> status: active tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500 options=80000<LINKSTATE> inet6 fe80::2a0:98ff:fe68:8608%tun0 prefixlen 64 scopeid 0x3 inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffff00 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> groups: tun Opened by PID 690
Sounds like the same problem as in bug 207831 Check if the vpn network route on the server leads to lo0 instead of tun0.
Yes, that's the same problem. BEFORE upgrade: Internet: Destination Gateway Flags Netif Expire default 10.0.0.2 UGS vtnet0 10.0.0.0/23 link#1 U vtnet0 10.0.0.10 link#1 UHS lo0 ---> 10.10.10.0/24 10.10.10.1 UGS tun0 10.10.10.1 link#4 UHS lo0 10.10.10.2 link#4 UH tun0 10.10.11.0/24 10.0.1.10 UGS vtnet0 127.0.0.1 link#2 UH lo0 AFTER upgrade: Internet: Destination Gateway Flags Netif Expire default 10.0.0.2 UGS vtnet0 10.0.0.0/23 link#1 U vtnet0 10.0.0.10 link#1 UHS lo0 ---> 10.10.10.0/24 10.10.10.1 UGS lo0 10.10.10.1 link#4 UHS lo0 10.10.10.2 link#4 UH tun0 10.10.11.0/24 10.0.1.10 UGS vtnet0 127.0.0.1 link#2 UH lo0
*** This bug has been marked as a duplicate of bug 207831 ***