Bug #13031
closed
Openvpn Float bug
0%
Description
We have notice that There is a bug with the pfSense CE version: 2.6.0-RELEASE. When there is a two tunnels are initiation to the same vpn gateway with different ports, Openvpn shows as the same source IP address for both the tunnels. This was working perfectly on previous versions. Packet capture and some related screenshots are attached herewith.
Platform: Netgate 1537
Files
| 28.jpeg (158 KB) 28.jpeg | |||
| old_uat_ip_floated.jpg (1.26 MB) old_uat_ip_floated.jpg | |||
| Diagram.png (15.2 KB) Diagram.png |
Updated by Azamat Khakimyanov about 2 years ago
- Priority changed from High to Low
I think it's important: Sam uses the same certificate for these 2 different OpenVPN tunnels (2 different OpenVPN Servers) so my thought was that OpenVPN widget on a Dashboad uses username or common name from certificate to show active connections. So when it's the same certificate, it shows the identical info for these OpenVPN connections.
Updated by Jim Pingle about 2 years ago
- Status changed from New to Not a Bug
- Target version deleted (
2.7.0)
Looks like it's doing what you're telling it to do and what the server allows you to do.
We just report the status reported by OpenVPN -- using the same exact cert/keys and such to two servers will allow the same client on both, and if the server(s) have "Dynamic IP" checked then it has trouble figuring out which is which because it allows the peer to renegotiate freely.
So either way there is no bug here that we can do anything for -- it's either expected behavior for the configuration (uncheck "Dynamic IP" on both servers) or it's OpenVPN itself misreporting the status, so it's a bug that OpenVPN would have to fix.
Updated by Sam Jay about 2 years ago
Hi Jim,
This "Dynamic IP" feature on both the tunnels are already un-checked. Please advice.
Updated by Jim Pingle about 2 years ago
If it's the same on the widget and status page, then it's likely being misreported by OpenVPN itself.
You can try connecting to the management sockets and looking yourself:
nc -U /var/etc/openvpn/server<id>/sock status 3 quit
Do that on both servers and see what it shows. You might try status 2 instead if the format on that one doesn't look right. 3 is supposed to be more human-readable, 2 is easier for scripts to parse.