Bug #14646

closed

OpenVPN can select the wrong interface IP address when multiple addresses are present

Added by Jim Pingle about 1 year ago. Updated 12 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.09
Release Notes: Default
Affected Version:
Affected Architecture:

Description

If there are multiple IP addresses and VIPs on an interface, OpenVPN can unintentionally select the wrong address.

In the OpenVPN code when it attempts to find the interface address it first does this:

$interface = get_failover_interface($settings['interface']);

Then a bit below that:

$iface_ip=get_interface_ip($interface);

There are multiple problems with that arrangement:

  • It is redundant (get_interface_ip() checks the failover interface on its own)
  • The check for "any" can never succeed because if $settings['interface'] was 'any' then by the time it's checked the variable would be NULL as that would be returned by get_failover_interface()
  • get_failover_interface() returns the real OS interface (e.g. igb1, vtnet0) and get_interface_ip() works best when given the friendly config interface ('wan', 'lan', 'opt1') otherwise it falls through to a less reliable method of determining the interface address (find_interface_ip()) even if the IP address is hardcoded on the interface in config.xml

It would appear that this one change would be a minimal diff to eliminate the problematic behavior:

diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 0281a094cb..1e63e3dfbf 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -899,7 +899,7 @@ function openvpn_reconfigure($mode, $settings) {
     // OpenVPN defaults to SHA1, so use it when unset to maintain compatibility.
     $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1";

-    $interface = get_failover_interface($settings['interface']);
+    $interface = $settings['interface'];
     // The IP address in the settings can be an IPv4 or IPv6 address associated with the interface
     $ipaddr = $settings['ipaddr'];
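
Review bot: on the changed line, $interface keeps its name but now holds the raw configured value (a friendly name such as 'wan', or 'any') instead of the OS device that get_failover_interface() returned, so every later use of $interface in openvpn_reconfigure() that expects a device name like igb1 needs to be checked before this lands. A short comment above the assignment saying that the friendly name is passed on purpose, because get_interface_ip() checks the failover interface on its own, would keep the redundant call from being reintroduced.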

That change works here in some local testing though I don't have a lab system which exhibits the problem behavior observed by customers in the field.
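
The selection problem listed above, as an added PHP example that is not pfSense code and not part of the original report. The `model_*` functions, `pick_local_address()`, the sample addresses and the "first address listed" behaviour of the fallback lookup are assumptions made for illustration; they model only what the report states about the real functions.

```php
<?php
// Simplified stand-ins, NOT the pfSense functions: each model_* function mirrors
// only the behaviour the report describes. All sample data below is constructed.

// Friendly config name => OS device and the address configured for it.
const CONFIG = ['wan' => ['if' => 'igb1', 'ipaddr' => '198.51.100.10']];
// Addresses present on the OS device; a VIP happens to be listed first.
const OS_ADDRS = ['igb1' => ['198.51.100.20', '198.51.100.10']];

function model_get_failover_interface($name) {
    if ($name === 'any') {
        return null;                        // report: 'any' comes back as NULL
    }
    return CONFIG[$name]['if'] ?? $name;    // report: returns the real OS interface
}

function model_find_interface_ip($dev) {
    // Assumption: the "less reliable" lookup is modelled as "first address listed".
    return OS_ADDRS[$dev][0] ?? null;
}

function model_get_interface_ip($name) {
    if ($name === null) {
        return null;
    }
    // A friendly name resolves to the configured address; anything else falls through.
    return CONFIG[$name]['ipaddr'] ?? model_find_interface_ip($name);
}

function pick_local_address($setting, $patched) {
    $interface = $patched ? $setting : model_get_failover_interface($setting);
    if ($interface === 'any') {
        return 'any';                       // unreachable before the change
    }
    return model_get_interface_ip($interface);
}

foreach (['wan', 'any'] as $setting) {
    printf("%-3s  before: %-14s  after: %s\n", $setting,
        var_export(pick_local_address($setting, false), true),
        var_export(pick_local_address($setting, true), true));
}
```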
