Bug #12102
closed
Prevent using OpenVPN "Exit Notify" option with point-to-point modes
Added by Kris Phillips over 3 years ago.
Updated about 3 years ago.
Plus Target Version: 22.01
Description
When establishing an OpenVPN client/server site-to-site tunnel in 21.05, if the OpenVPN client (on another box) makes any change that causes a link down/up event, the OpenVPN server (on 21.05) service has to be restarted in Peer to Peer Shared Key mode because the link down event shuts down the service with a SIGTERM.
Jul 3 16:48:38 openvpn 85989 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1572 192.168.250.1 192.168.250.2 init
Jul 3 16:48:38 openvpn 85989 SIGTERM[soft,exit-with-notification] received, process exiting
This means that once the OpenVPN client tries to re-establish, it fails to do so until the service is manually started back up. This can be worked around by setting up Service Watchdog to automatically "kick" the service back on, but I don't think this is intentional.
- Status changed from New to Feedback
What is "Exit Notify" set to on both ends when this happens? From the log, that is why it terminated. Odds are the settings in place on both ends aren't ideal for this situation.
Jim Pingle wrote:
What is "Exit Notify" set to on both ends when this happens? From the log, that is why it terminated. Odds are the settings in place on both ends aren't ideal for this situation.
Jim,
If the Exit Notify setting should be different, we probably should update that field when a user selects Site to Site like we do for the other fields. I used the default settings for Exit Notify when I built the Site to Site tunnel.
- Subject changed from Changes on OpenVPN Client in Peer to Peer Shared Key shuts down OpenVPN server on 21.05 to Prevent using OpenVPN Exit Notify option with point-to-point modes
- Status changed from Feedback to Confirmed
Was just looking at this on a forum thread and this is not site-to-site vs RA but point-to-multipoint (client/server) vs point-to-point, so Shared Key or SSL/TLS with a /30 subnet. Exit notify doesn't work as users expect with point-to-point mode so it should be prevented there.
Using Exit Notify with SSL/TLS as either RA or Site-to-Site is fine so long as it uses a tunnel network larger than /30.
So we need to:
- Hide the GUI option for shared key entirely
- Fire off an input validation warning if someone tries to set it on a /30 or smaller SSL/TLS setup
- Prevent the option from being added to the OpenVPN config in both these cases for users who already have the setting on a tunnel
- Probably a good idea to detect this case and strip it out in upgrade code, too
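The rules listed above (refuse "Exit Notify" for Shared Key and for SSL/TLS on a /30 or smaller tunnel network, warn on input validation, keep the directive out of the generated config, and clear it during upgrade) as an added Python example; this is not pfSense's own code, the mode names and config dictionary layout are assumptions, and only IPv4 tunnel networks are considered.

```python
import ipaddress

# Assumed mode identifiers (not taken from the pfSense code base).
SHARED_KEY_MODES = {"p2p_shared_key"}
TLS_MODES = {"p2p_tls", "server_tls", "server_user", "server_tls_user"}


def is_point_to_point(mode: str, tunnel_network: str) -> bool:
    """True when the tunnel is point-to-point, where Exit Notify must not be used."""
    if mode in SHARED_KEY_MODES:
        return True  # Shared Key is always point-to-point
    if mode in TLS_MODES:
        net = ipaddress.ip_network(tunnel_network, strict=False)
        # A /30 or "smaller" (larger prefix length) IPv4 network holds only two peers.
        return net.version == 4 and net.prefixlen >= 30
    raise ValueError(f"unknown OpenVPN mode {mode!r}")


def validate_exit_notify(mode: str, tunnel_network: str, exit_notify: int) -> list:
    """Input validation: return error strings (empty list when the settings are fine)."""
    errors = []
    if exit_notify and is_point_to_point(mode, tunnel_network):
        errors.append("Exit Notify cannot be used with point-to-point modes "
                      "(Shared Key, or SSL/TLS with a /30 or smaller tunnel network).")
    return errors


def build_openvpn_options(mode: str, tunnel_network: str, exit_notify: int) -> list:
    """Config generation: emit explicit-exit-notify only on point-to-multipoint tunnels.

    exit_notify is 0 when disabled, otherwise the number of notifications to send.
    This guards tunnels that already had the setting stored before validation existed.
    """
    opts = []
    if exit_notify and not is_point_to_point(mode, tunnel_network):
        opts.append(f"explicit-exit-notify {int(exit_notify)}")
    return opts


def strip_exit_notify_on_upgrade(vpn: dict) -> dict:
    """Upgrade step: clear a stored Exit Notify value on tunnels where it is invalid."""
    fixed = dict(vpn)  # assumed keys: mode, tunnel_network, exit_notify
    if fixed.get("exit_notify") and is_point_to_point(fixed["mode"], fixed["tunnel_network"]):
        fixed["exit_notify"] = 0
    return fixed
```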
- Project changed from pfSense Plus to pfSense
- Category changed from OpenVPN to OpenVPN
- Target version set to 2.6.0
- Affected Plus Version deleted (21.05)
- Plus Target Version set to 21.09
- Affected Version set to 2.5.x
- Related to Bug #6718: openvpn server exits if client has explicit-exit-notify 2 specified added
This default option problem is still present in 21.05.1.
- Status changed from Confirmed to In Progress
- Assignee set to Jim Pingle
- Status changed from In Progress to Pull Request Review
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
- Subject changed from Prevent using OpenVPN Exit Notify option with point-to-point modes to Prevent using OpenVPN "Exit Notify" option with point-to-point modes
- Status changed from Feedback to Resolved
Works as expected on current snapshot.
- Plus Target Version changed from 21.09 to 22.01