Feature #12407
closed
Use deferred client connections in OpenVPN
100%
Description
New in OpenVPN 2.5 is the ability to use deferred client-connect. See Deferred client-connect:
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-250
"The --client-connect option and the connect plugin API allow asynchronous/deferred return of the configuration file in the same way as the auth-plugin."
This eliminates micro-outages on new client connections by deferring the connect script to another process. See:
https://community.openvpn.net/openvpn/ticket/1244
Details to implement this new functionality are outlined here; see --client-connect:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/script-options.rst
Updated by Marcos M about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov about 3 years ago
Marcos Mendoza wrote in #note-1:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/402
Updated by Marcos M about 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 7aaa20d95a345c4688e8786c755c7d0433451688.
Updated by Jim Pingle almost 3 years ago
- Target version changed from CE-Next to 2.6.0
- Plus Target Version changed from Plus-Next to 22.01
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to New
The commit for this, 7aaa20d95a345c4688e8786c755c7d0433451688 , broke static IP address assignments from RADIUS.
Updated by Jim Pingle almost 3 years ago
- Target version changed from 2.6.0 to CE-Next
- Plus Target Version changed from 22.01 to 22.05
Commit reverted. We can revisit this in the next release.
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Feedback
Applied in changeset 1f3baf61c1647ffcfbc6b6e26132d3ce56abeb96.
Updated by Marcos M almost 3 years ago
New MR, see: https://redmine.pfsense.org/issues/12267#note-16
Updated by Marcos M almost 3 years ago
- Status changed from New to Pull Request Review
Updated by Ryan Coleman over 2 years ago
Marcos Mendoza wrote in #note-10:
New MR, see: https://redmine.pfsense.org/issues/12267#note-16
Tested this with 22.01 and verified it resolved traffic passing between client 1 and the firewall.
Mar 29 22:38:42 firewall openvpn[56228]: 123.45.67.89:45804 [username] Peer Connection Initiated with [AF_INET]123.45.67.89:45804 Mar 29 22:38:42 firewall openvpn[45546]: user 'username' authenticated Mar 29 22:38:42 firewall openvpn[56228]: username/123.45.67.89:45804 MULTI_sva: pool returned IPv4=10.199.1.3, IPv6=(Not enabled) Mar 29 22:38:42 firewall openvpn[46638]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:45804' - connecting Mar 29 22:38:42 firewall openvpn[50146]: openvpn server 'ovpns2' user 'username' address '123.45.67.89:45804' - connected
Updated by Jim Pingle over 2 years ago
- Target version changed from CE-Next to 2.7.0
Updated by Jens Groh over 2 years ago
Just as a quick question: should that also help with
https://redmine.pfsense.org/issues/12382
or does that issue remain with the CGI binary used?
Updated by Marcos M over 2 years ago
This fix would not affect that issue given it uses a different script. See https://redmine.pfsense.org/issues/12382#note-6
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved
This has been back in place for a while. No problems with auth that I've seen, local or RADIUS.