Bug #13602

closed

OpenVPN fails to start again if it crashes with DCO enabled

Added by Marcos M over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Force Exclusion
Affected Plus Version: 22.05
Affected Architecture: All

Description

If OpenVPN crashes with DCO enabled, it doesn't remove the interface, which prevents it from starting again. The interface must be manually destroyed first with e.g. ifconfig ovpnc1 destroy.

Oct 27 16:58:13     openvpn     28323     Failed to create interface ovpns1 (SIOCSIFNAME): File exists (errno=17)
Oct 27 16:58:13     openvpn     28323     DCO device ovpns1 already exists, won't be destroyed at shutdown
Oct 27 16:58:13     openvpn     28323     /sbin/ifconfig ovpns1 172.25.1.1/24 mtu 1500 up
Oct 27 16:58:13     openvpn     28323     FreeBSD ifconfig failed: external program exited with error status: 1
Oct 27 16:58:13     openvpn     28323     Exiting due to fatal error 
Actions #1

Updated by Marcos M over 1 year ago

  • Description updated (diff)
Actions #2

Updated by Kristof Provost over 1 year ago

https://gitlab.netgate.com/pfSense/factory/-/merge_requests/81

Your analysis is spot on. We can resolve this problem by always destroying the interface just before we start openvpn.

Arguably we could also teach openvpn to not create the interface if it already exists, but Linux has the same behaviour as the current FreeBSD behaviour, so it's less likely to be acceptable to upstream.

Actions #3

Updated by Marcos M over 1 year ago

  • Status changed from New to Resolved

Tested and it works well - thanks!

Actions #4

Updated by Marcos M over 1 year ago

  • Status changed from Resolved to New

I think it'd be preferred to implement part of this in both CE and Plus to avoid unnecessary code differences.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/963

Actions #5

Updated by Marcos M over 1 year ago

  • Status changed from New to Pull Request Review
Actions #6

Updated by Marcos M over 1 year ago

  • Project changed from pfSense to pfSense Plus
  • Category changed from OpenVPN to OpenVPN
  • Assignee set to Kristof Provost
  • Target version set to 23.01
  • Release Notes changed from Default to Force Exclusion
  • Affected Plus Version set to 22.05
  • Affected Architecture All added
Actions #7

Updated by Kristof Provost over 1 year ago

  • Assignee changed from Kristof Provost to Jim Pingle

Jim is better qualified to review these changes than I am.

Actions #8

Updated by Jim Pingle about 1 year ago

  • Status changed from Pull Request Review to Resolved

The commit that's in place now is already tested and working. Let's move that other change to the next release so we aren't unnecessarily changing too much at this point.

Actions #9

Updated by Dean Arnold about 1 year ago

I have the same issue. I have to run ifconfig ovpns3 destroy to allow the DCO enabled OpenVPN server to restart.

Jim, any chance this could be added as a Recommended System Patch against 22.05?

Actions #10

Updated by Jim Pingle about 1 year ago

  • Subject changed from OpenVPN fails to start again if it crashes with DCO enabled. to OpenVPN fails to start again if it crashes with DCO enabled

There have been lots of other changes in the code, so patches would need to be crafted from scratch just for 22.05 if that were the case since they wouldn't directly apply. 23.01 is close to release, so it's not likely to be worth the effort given how uncommon it is for most people to encounter.
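
The manual workaround from this thread (destroy the leftover ovpnsN/ovpncN device before restarting), as an added shell example that is not part of the issue or of pfSense code: it pulls the interface name out of the "File exists" failure and destroys only names that validate as OpenVPN devices. The function names and the IFCONFIG override are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not pfSense code. IFCONFIG is overridable (assumption) so the
# logic can be exercised off-box with a stub.
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"

# Log lines copied from the issue description.
sample_log() {
cat <<'EOF'
Oct 27 16:58:13     openvpn     28323     Failed to create interface ovpns1 (SIOCSIFNAME): File exists (errno=17)
Oct 27 16:58:13     openvpn     28323     DCO device ovpns1 already exists, won't be destroyed at shutdown
Oct 27 16:58:13     openvpn     28323     Exiting due to fatal error
EOF
}

# Read OpenVPN log text on stdin; print each interface that hit EEXIST, once.
stale_dco_ifaces() {
    sed -n 's/.*Failed to create interface \([^ ]*\) (SIOCSIFNAME): File exists.*/\1/p' |
        sort -u
}

# Log text is untrusted input: accept only ovpnc<digits> or ovpns<digits>.
valid_dco_name() {
    case "$1" in ovpn[cs]*) ;; *) return 1 ;; esac
    case "${1#ovpn[cs]}" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Returns 0 if destroyed, 1 if the interface is absent, 2 if the name is rejected.
destroy_if_stale() {
    valid_dco_name "$1" || { echo "skip unexpected name: $1" >&2; return 2; }
    # "ifconfig <name>" exits non-zero when the interface does not exist.
    $IFCONFIG "$1" >/dev/null 2>&1 || return 1
    $IFCONFIG "$1" destroy
}

# Read a log on stdin and clean up every stale device it names.
cleanup_from_log() {
    stale_dco_ifaces | while read -r ifname; do
        if destroy_if_stale "$ifname"; then echo "destroyed $ifname"; fi
    done
}
```

Feed the OpenVPN log to `cleanup_from_log` on stdin while the affected instance is stopped, then start it again.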
