Regression #14833

open

OpenVPN client process in bridged tap mode fails after 2.7.0 CE upgrade

Added by Bob Weybrecht 7 months ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.7.0
Affected Architecture: All

Description

Have a P2P OpenVPN tunnel that bridges 2 physical interfaces for the purpose of passing multicast traffic. Has been running since prior to 2.6.0. Updated to 2.7.0, and tunnel came up and passes traffic without issue. Found that if process on client side box is restarted, the OpenVPN process dies and cannot be restarted. Rebooting client side box recovers the tunnel. Specific last lines in Ovpn log are:
openvpn 60082 /sbin/ifconfig ovpnc1 172.16.10.2/24 mtu 1500 up
openvpn 60082 FreeBSD ifconfig failed: external program exited with error status: 1
openvpn 60082 Exiting due to fatal error

Server and client side are P2P SSL/TLS. Device Mode tap. Server side (only) has IPV4 Tunnel Network of 172.16.10.0/24. Both sides have Intel 4 port NICs for LAN and the physical port (IGB1) that is bridged to the Ovpn tunnel. WAN is on motherboard NIC (em0). For the purposes of testing, the client and server were rebuilt from scratch on different machines to see each other over private IPs on a LAN via the WAN port vs. public IPs.
Upon client machine restart, tunnel comes up without issue. If the client Ovpn process is restarted, the gui reports:
down 0 (pending) Service not running? Unable to contact daemon:

I have also found that if I reconfigure tunnel to use shared keys rather than SSL/TLS certs, the tunnel will establish. Also, if I remove the client Ovpn tunnel from the bridge - with SSL/TLS - and restart the client process, the tunnel will establish. If client side Ovpn tunnel establishes, I can then re-add it to the bridge with the physical interface, and the client tunnel process stays up and established.

The files I am attaching show client tunnel establish on 2.6.0, what happened upon restart after update to 2.7.0, what happens after client process restart while on 2.7.0, and then what happened after client reboot while on 2.7.0. Verbosity set to 7. Also, I include the complete client config while on 2.6.0 including cert and CA. Nothing in file is sensitive as it is all private IPs and built from scratch. Cert and CA is only used for the example uploaded and will never be used again. Password for the config is "Password". Server side config not included, but you just need the server side tunnel built and accessible. Bridge or not makes no difference.

