Bug #13602
OpenVPN fails to start again if it crashes with DCO enabled
Status: closed
Description
If OpenVPN crashes with DCO enabled, it doesn't remove the interface which prevents it from starting again. The interface must be manually destroyed first with e.g. ifconfig ovpnc1 destroy.

Oct 27 16:58:13 openvpn 28323 Failed to create interface ovpns1 (SIOCSIFNAME): File exists (errno=17)
Oct 27 16:58:13 openvpn 28323 DCO device ovpns1 already exists, won't be destroyed at shutdown
Oct 27 16:58:13 openvpn 28323 /sbin/ifconfig ovpns1 172.25.1.1/24 mtu 1500 up
Oct 27 16:58:13 openvpn 28323 FreeBSD ifconfig failed: external program exited with error status: 1
Oct 27 16:58:13 openvpn 28323 Exiting due to fatal error
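The check behind the manual workaround in the description, as an added example that is not part of the original report or of pfSense's code: it scans OpenVPN log text for the "already exists" message and prints the matching ifconfig destroy commands without running them. The ovpnsN/ovpncN name pattern, the function names and the last two sample log lines are assumptions made for the example.

```sh
#!/bin/sh
# Added example: list DCO interfaces left behind by a crashed OpenVPN instance.

# Sample input. The first five lines are the log from the report; the last
# two are constructed to show de-duplication and a client-side interface.
sample_log() {
    cat <<'EOF'
Oct 27 16:58:13 openvpn 28323 Failed to create interface ovpns1 (SIOCSIFNAME): File exists (errno=17)
Oct 27 16:58:13 openvpn 28323 DCO device ovpns1 already exists, won't be destroyed at shutdown
Oct 27 16:58:13 openvpn 28323 /sbin/ifconfig ovpns1 172.25.1.1/24 mtu 1500 up
Oct 27 16:58:13 openvpn 28323 FreeBSD ifconfig failed: external program exited with error status: 1
Oct 27 16:58:13 openvpn 28323 Exiting due to fatal error
Oct 27 17:02:40 openvpn 30111 DCO device ovpnc1 already exists, won't be destroyed at shutdown
Oct 27 17:02:41 openvpn 30111 DCO device ovpnc1 already exists, won't be destroyed at shutdown
EOF
}

# Read log text on stdin and print each stale DCO interface name once.
# Log content is untrusted input, so only names of the form ovpnsN / ovpncN
# (assumed naming, as seen in this report) are accepted.
stale_dco_interfaces() {
    sed -n 's/.* DCO device \(ovpn[cs][0-9][0-9]*\) already exists.*/\1/p' | sort -u
}

# Print the cleanup command for each stale interface. Dry run: nothing is
# executed, the operator reviews the output first.
cleanup_commands() {
    stale_dco_interfaces | while read -r ifname; do
        printf 'ifconfig %s destroy\n' "$ifname"
    done
}

# Usage: script [logfile]; without a readable file the embedded sample is used.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    cleanup_commands < "$1"
else
    sample_log | cleanup_commands
fi
```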
Updated by Kristof Provost about 2 years ago
https://gitlab.netgate.com/pfSense/factory/-/merge_requests/81
Your analysis is spot on. We can resolve this problem by always destroying the interface just before we start openvpn.
Arguably we could also teach openvpn to not create the interface if it already exists, but Linux has the same behaviour as the current FreeBSD behaviour, so it's less likely to be acceptable to upstream.
Updated by Marcos M about 2 years ago
- Status changed from New to Resolved
Tested and it works well - thanks!
Updated by Marcos M almost 2 years ago
- Status changed from Resolved to New
I think it'd be preferred to implement part of this in both CE and Plus to avoid unnecessary code differences.
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/963
Updated by Marcos M almost 2 years ago
- Status changed from New to Pull Request Review
Updated by Marcos M almost 2 years ago
- Project changed from pfSense to pfSense Plus
- Category changed from OpenVPN to OpenVPN
- Assignee set to Kristof Provost
- Target version set to 23.01
- Release Notes changed from Default to Force Exclusion
- Affected Plus Version set to 22.05
- Affected Architecture All added
Updated by Kristof Provost almost 2 years ago
- Assignee changed from Kristof Provost to Jim Pingle
Jim is better qualified to review these changes than I am.
Updated by Jim Pingle almost 2 years ago
- Status changed from Pull Request Review to Resolved
The commit that's in place now is already tested and working. Let's move that other change to the next release so we aren't unnecessarily changing too much at this point.
Updated by Dean Arnold almost 2 years ago
I have the same issue. I have to run ifconfig ovpns3 destroy to allow the DCO enabled OpenVPN server to restart.
Jim, any chance this could be added as a Recommended System Patch against 22.05?
Updated by Jim Pingle almost 2 years ago
- Subject changed from OpenVPN fails to start again if it crashes with DCO enabled. to OpenVPN fails to start again if it crashes with DCO enabled
There have been lots of other changes in the code, so patches would need to be crafted from scratch just for 22.05 if that were the case since they wouldn't directly apply. 23.01 is close to release, so it's not likely to be worth the effort given how uncommon it is for most people to encounter.