Bug #13031


OpenVPN Float bug

Added by Sam Jay 3 months ago. Updated 3 months ago.

Not a Bug


We have noticed that there is a bug with the pfSense CE version: 2.6.0-RELEASE. When two tunnels are initiated to the same VPN gateway with different ports, OpenVPN shows the same source IP address for both tunnels. This was working perfectly on previous versions. A packet capture and some related screenshots are attached herewith.

Platform: Netgate 1537


28.jpeg (158 KB), Sam Jay, 04/05/2022 09:26 PM
old_uat_ip_floated.jpg (1.26 MB), Sam Jay, 04/05/2022 09:28 PM
Diagram.png (15.2 KB), Sam Jay, 04/05/2022 09:29 PM
Actions #1

Updated by Azamat Khakimyanov 3 months ago

  • Priority changed from High to Low

I think it's important: Sam uses the same certificate for these 2 different OpenVPN tunnels (2 different OpenVPN Servers) so my thought was that the OpenVPN widget on the Dashboard uses the username or common name from the certificate to show active connections. So when it's the same certificate, it shows the identical info for these OpenVPN connections.

Actions #2

Updated by Jim Pingle 3 months ago

  • Status changed from New to Not a Bug
  • Target version deleted (2.7.0)

Looks like it's doing what you're telling it to do and what the server allows you to do.

We just report the status reported by OpenVPN -- using the same exact cert/keys and such to two servers will allow the same client on both, and if the server(s) have "Dynamic IP" checked then it has trouble figuring out which is which because it allows the peer to renegotiate freely.

So either way there is no bug here that we can do anything for -- it's either expected behavior for the configuration (uncheck "Dynamic IP" on both servers) or it's OpenVPN itself misreporting the status, so it's a bug that OpenVPN would have to fix.

Actions #3

Updated by Sam Jay 3 months ago

Hi Jim,

This "Dynamic IP" feature on both the tunnels is already unchecked. Please advise.

Actions #4

Updated by Jim Pingle 3 months ago

If it's the same on the widget and status page, then it's likely being misreported by OpenVPN itself.

You can try connecting to the management sockets and looking yourself:

nc -U /var/etc/openvpn/server<id>/sock
status 3

Do that on both servers and see what it shows. You might try status 2 instead if the format on that one doesn't look right. 3 is supposed to be more human-readable, 2 is easier for scripts to parse.
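
As an added example (not part of the original thread and not pfSense or OpenVPN code): a small parser that takes the `status 3` output captured from each server's management socket and lists, for every common name present on more than one server, the real address each server reports. The sample output, server labels, common names and addresses are constructed; column names are read from the HEADER line rather than assumed by position, and `sep=","` handles `status 2`.

```python
from collections import defaultdict

def parse_clients(status_text, sep="\t"):
    """Return CLIENT_LIST rows as dicts keyed by the HEADER column names."""
    columns, clients = [], []
    for line in status_text.splitlines():
        fields = line.split(sep)
        if fields[:2] == ["HEADER", "CLIENT_LIST"]:
            columns = fields[2:]          # column names follow the two tags
        elif fields[0] == "CLIENT_LIST" and columns:
            clients.append(dict(zip(columns, fields[1:])))
        elif fields[0] == "END":
            break
    return clients

def shared_identities(status_by_server, sep="\t"):
    """Map each common name seen on more than one server to the real
    address (ip:port) that each of those servers reports for it."""
    seen = defaultdict(dict)
    for server, text in status_by_server.items():
        for client in parse_clients(text, sep):
            seen[client["Common Name"]][server] = client["Real Address"]
    return {cn: addrs for cn, addrs in seen.items() if len(addrs) > 1}

# Constructed sample data: abbreviated column set, documentation addresses,
# made-up common names. Real output has more columns; the HEADER line names them.
HDR = "HEADER\tCLIENT_LIST\tCommon Name\tReal Address\tVirtual Address"
SAMPLE = {
    "server1": "\n".join([
        "TITLE\tconstructed sample", HDR,
        "CLIENT_LIST\tsite-a\t198.51.100.7:40001\t10.8.1.2", "END"]),
    "server2": "\n".join([
        "TITLE\tconstructed sample", HDR,
        "CLIENT_LIST\tsite-a\t198.51.100.7:40001\t10.8.2.2",
        "CLIENT_LIST\tsite-b\t203.0.113.9:51002\t10.8.2.3", "END"]),
}

if __name__ == "__main__":
    for cn, addrs in shared_identities(SAMPLE).items():
        same = len(set(addrs.values())) == 1
        print(cn, addrs, "same real address" if same else "different real addresses")
```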

