Bug #12102
closed
Prevent using OpenVPN "Exit Notify" option with point-to-point modes
100%
Description
When establishing an OpenVPN client/server site to site in 21.05, if the OpenVPN client (on another box) makes any changes that causes a link down/up event, the OpenVPN server (on 21.05) service has to be restarted in a Peer to Peer Shared Key mode because the link down event shuts down the service with a SIGTERM.
Jul 3 16:48:38 openvpn 85989 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1572 192.168.250.1 192.168.250.2 init
Jul 3 16:48:38 openvpn 85989 SIGTERM[soft,exit-with-notification] received, process exiting
This means that once the OpenVPN client tries to re-establish, it fails to do so until the service is manually started back up. This can be worked around by setting up Service Watchdog to automatically "kick" the service back on, but I don't think this is intentional.
Related issues
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Feedback
What is "Exit Notify" set to on both ends when this happens? From the log, that is why it terminated. Odds are the settings in place on both ends aren't ideal for this situation.
Updated by Kris Phillips almost 3 years ago
Jim Pingle wrote:
What is "Exit Notify" set to on both ends when this happens? From the log, that is why it terminated. Odds are the settings in place on both ends aren't ideal for this situation.
Jim,
If the Exit Notify setting should be different, we probably should update that field when a user selects Site to Site like we do for the other fields. I used the default settings for Exit Notify when I built the Site to Site tunnel.
Updated by Jim Pingle almost 3 years ago
- Subject changed from Changes on OpenVPN Client in Peer to Peer Shared Key shuts down OpenVPN server on 21.05 to Prevent using OpenVPN Exit Notify option with point-to-point modes
- Status changed from Feedback to Confirmed
Was just looking at this on a forum thread and this is not site-to-site vs RA but point-to-multipoint (client/server) vs point-to-point, so Shared Key or SSL/TLS with a /30 subnet. Exit notify doesn't work as users expect with point-to-point mode so it should be prevented there.
Using Exit Notify with SSL/TLS as either RA or Site-to-Site is fine so long as it uses a tunnel network larger than /30.
So we need to:
- Hide the GUI option for shared key entirely
- Fire off an input validation warning if someone tries to set it on a /30 or smaller SSL/TLS setup
- Prevent the option from being added to the OpenVPN config in both these cases for users who already have the setting on a tunnel
- Probably a good idea to detect this case and strip it out in upgrade code, too
Updated by Jim Pingle almost 3 years ago
- Project changed from pfSense Plus to pfSense
- Category changed from OpenVPN to OpenVPN
- Target version set to 2.6.0
- Affected Plus Version deleted (
21.05) - Plus Target Version set to 21.09
- Affected Version set to 2.5.x
Updated by Jim Pingle over 2 years ago
- Related to Bug #6718: openvpn server exits if client has explicit-exit-notify 2 specified added
Updated by Kris Phillips over 2 years ago
This default option problem is still present in 21.05.1.
Updated by Jim Pingle over 2 years ago
- Status changed from Confirmed to In Progress
- Assignee set to Jim Pingle
Updated by Jim Pingle over 2 years ago
- Status changed from In Progress to Pull Request Review
Updated by Jim Pingle over 2 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 0a70f90aff9cc2fc7fc5f5dc551a708ee349ea07.
Updated by Jim Pingle over 2 years ago
- Subject changed from Prevent using OpenVPN Exit Notify option with point-to-point modes to Prevent using OpenVPN "Exit Notify" option with point-to-point modes
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved
Works as expected on current snapshot.
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 21.09 to 22.01