Project

General

Profile

Actions

Bug #12102

closed

Prevent using OpenVPN "Exit Notify" option with point-to-point modes

Added by Kris Phillips over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
07/03/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.x
Affected Architecture:

Description

When establishing an OpenVPN client/server site to site in 21.05, if the OpenVPN client (on another box) makes any changes that causes a link down/up event, the OpenVPN server (on 21.05) service has to be restarted in a Peer to Peer Shared Key mode because the link down event shuts down the service with a SIGTERM.

Jul 3 16:48:38 openvpn 85989 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1572 192.168.250.1 192.168.250.2 init
Jul 3 16:48:38 openvpn 85989 SIGTERM[soft,exit-with-notification] received, process exiting

This means that once the OpenVPN client tries to re-establish, it fails to do so until the service is manually started back up. This can be worked around by setting up Service Watchdog to automatically "kick" the service back on, but I don't think this is intentional.


Related issues

Related to Bug #6718: openvpn server exits if client has explicit-exit-notify 2 specifiedNot a Bug08/16/2016

Actions
Actions #1

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Feedback

What is "Exit Notify" set to on both ends when this happens? From the log, that is why it terminated. Odds are the settings in place on both ends aren't ideal for this situation.

Actions #2

Updated by Kris Phillips over 3 years ago

Jim Pingle wrote:

What is "Exit Notify" set to on both ends when this happens? From the log, that is why it terminated. Odds are the settings in place on both ends aren't ideal for this situation.

Jim,

If the Exit Notify setting should be different, we probably should update that field when a user selects Site to Site like we do for the other fields. I used the default settings for Exit Notify when I built the Site to Site tunnel.

Actions #3

Updated by Jim Pingle over 3 years ago

  • Subject changed from Changes on OpenVPN Client in Peer to Peer Shared Key shuts down OpenVPN server on 21.05 to Prevent using OpenVPN Exit Notify option with point-to-point modes
  • Status changed from Feedback to Confirmed

Was just looking at this on a forum thread and this is not site-to-site vs RA but point-to-multipoint (client/server) vs point-to-point, so Shared Key or SSL/TLS with a /30 subnet. Exit notify doesn't work as users expect with point-to-point mode so it should be prevented there.

Using Exit Notify with SSL/TLS as either RA or Site-to-Site is fine so long as it uses a tunnel network larger than /30.

So we need to:

  • Hide the GUI option for shared key entirely
  • Fire off an input validation warning if someone tries to set it on a /30 or smaller SSL/TLS setup
  • Prevent the option from being added to the OpenVPN config in both these cases for users who already have the setting on a tunnel
  • Probably a good idea to detect this case and strip it out in upgrade code, too
Actions #4

Updated by Jim Pingle over 3 years ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from OpenVPN to OpenVPN
  • Target version set to 2.6.0
  • Affected Plus Version deleted (21.05)
  • Plus Target Version set to 21.09
  • Affected Version set to 2.5.x
Actions #5

Updated by Jim Pingle over 3 years ago

  • Related to Bug #6718: openvpn server exits if client has explicit-exit-notify 2 specified added
Actions #6

Updated by Kris Phillips over 3 years ago

This default option problem is still present in 21.05.1.

Actions #7

Updated by Jim Pingle over 3 years ago

  • Status changed from Confirmed to In Progress
  • Assignee set to Jim Pingle
Actions #8

Updated by Jim Pingle over 3 years ago

  • Status changed from In Progress to Pull Request Review
Actions #9

Updated by Jim Pingle over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #10

Updated by Jim Pingle over 3 years ago

  • Subject changed from Prevent using OpenVPN Exit Notify option with point-to-point modes to Prevent using OpenVPN "Exit Notify" option with point-to-point modes
Actions #11

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

Works as expected on current snapshot.

Actions #12

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions

Also available in: Atom PDF