Feature #12407

closed

Use deferred client connections in OpenVPN

Added by Marcos M about 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default

Description

New in OpenVPN 2.5 is the ability to use deferred client-connect. See Deferred client-connect:
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-250
"The --client-connect option and the connect plugin API allow asynchronous/deferred return of the configuration file in the same way as the auth-plugin."

This eliminates micro-outages on new client connections by deferring the connect script to another process. See:
https://community.openvpn.net/openvpn/ticket/1244

Details to implement this new functionality are outlined here; see --client-connect:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/script-options.rst
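
The deferral handshake that the OpenVPN 2.5 documentation describes for --client-connect, written out as an added example (it is not part of the original issue and is not the pfSense implementation). `build_client_config` and the pushed address are hypothetical stand-ins; `client_connect_deferred_file`, `client_connect_config_file`, `common_name` and `script_type` are the environment variables OpenVPN sets for the script.

```sh
#!/bin/sh
# Added example: deferred --client-connect handler (OpenVPN 2.5+).
# OpenVPN exports client_connect_deferred_file, client_connect_config_file,
# common_name and script_type to the script's environment.

# Hypothetical stand-in for slow per-client work (e.g. a directory lookup).
# The pushed address below is a constructed sample value.
build_client_config() {
    sleep 1
    printf 'ifconfig-push 10.199.1.3 255.255.255.0\n'
}

# Background half: finish the config file first, then flip the status.
# Only the first character of the status file matters: 1 = ok, 0 = error.
deferred_worker() {
    cn=$1; cfg=$2; st_file=$3
    if build_client_config "$cn" > "$cfg"; then
        printf '1' > "$st_file"
    else
        : > "$cfg"               # never leave a half-written config behind
        printf '0' > "$st_file"  # same effect as a non-zero exit: client rejected
    fi
}

# Foreground half: must return quickly so the server keeps servicing
# other clients while the worker runs.
client_connect_deferred() {
    [ -n "${client_connect_deferred_file:-}" ] &&
        [ -n "${client_connect_config_file:-}" ] || return 1
    # "2" tells OpenVPN the config will arrive later.
    printf '2' > "$client_connect_deferred_file" || return 1
    deferred_worker "${common_name:-}" "$client_connect_config_file" \
        "$client_connect_deferred_file" </dev/null >/dev/null 2>&1 &
    return 0   # exit 0 = deferred handler started OK
}

# Run only when OpenVPN invokes this file as its client-connect script.
if [ "${script_type:-}" = "client-connect" ]; then
    client_connect_deferred
    exit $?
fi
```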

Actions #2

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Viktor Gurov about 3 years ago

Marcos Mendoza wrote in #note-1:

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402

#12321 and #12316 must be re-tested after this MR is merged

Actions #4

Updated by Marcos M about 3 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle about 3 years ago

  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01
Actions #6

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to New

The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688, broke static IP address assignments from RADIUS.

Actions #7

Updated by Jim Pingle almost 3 years ago

  • Target version changed from 2.6.0 to CE-Next
  • Plus Target Version changed from 22.01 to 22.05

Commit reverted. We can revisit this in the next release.

Actions #8

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Feedback
Actions #9

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to New
Actions #11

Updated by Marcos M almost 3 years ago

  • Status changed from New to Pull Request Review
Actions #12

Updated by Ryan Coleman over 2 years ago

Marcos Mendoza wrote in #note-10:

New MR, see: https://redmine.pfsense.org/issues/12267#note-16

Tested this with 22.01 and verified it resolved traffic passing between client 1 and the firewall.

Mar 29 22:38:42 firewall openvpn[56228]: 123.45.67.89:45804 [username] Peer Connection Initiated with [AF_INET]123.45.67.89:45804
Mar 29 22:38:42 firewall openvpn[45546]: user 'username' authenticated
Mar 29 22:38:42 firewall openvpn[56228]: username/123.45.67.89:45804 MULTI_sva: pool returned IPv4=10.199.1.3, IPv6=(Not enabled)
Mar 29 22:38:42 firewall openvpn[46638]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:45804' - connecting
Mar 29 22:38:42 firewall openvpn[50146]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:45804' - connected

Actions #13

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #14

Updated by Jim Pingle over 2 years ago

  • Target version changed from CE-Next to 2.7.0
Actions #15

Updated by Jens Groh over 2 years ago

Just as a quick question: should that also help with

https://redmine.pfsense.org/issues/12382

or does that issue remain with the CGI binary used?

Actions #16

Updated by Marcos M over 2 years ago

This fix would not affect that issue given it uses a different script. See https://redmine.pfsense.org/issues/12382#note-6

Actions #17

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved

This has been back in place for a while. No problems with auth that I've seen, local or RADIUS.
