Project

General

Profile

Actions

Regression #14781

closed

OpenVPN resync for a specific interface may unintentionally restart OpenVPN instances on unrelated interfaces

Added by Lev Prokofev 7 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Force Exclusion
Affected Version:
Affected Architecture:

Description

Tested on

23.09-DEVELOPMENT (amd64)
built on Thu Sep 07 06:05:43 UTC 2023
FreeBSD 14.0-ALPHA2

If you have an interface with the gateway assigned the system will terminal the OpenVPN on every link event. Disabling Gateway monitoring or Gateway monitoring actions doesn't help.

for example, I have an interface called AH with the gateway(this is a LAN interface purpose for routing), and I disable it.
It will produce the following log:

*Sep 14 11:30:49    kernel        ovpnc3: link state changed to UP*
Sep 14 11:30:49    check_reload_status    332    rc.newwanip starting ovpnc3
Sep 14 11:30:48    kernel        ovpn1: changing name to 'ovpnc3'
Sep 14 11:30:48    php-fpm    292    /rc.start_packages: Restarting/Starting all packages.
Sep 14 11:30:47    check_reload_status    332    Starting packages
Sep 14 11:30:47    php-fpm    10907    /interfaces.php: Creating rrd update script
Sep 14 11:30:47    php-fpm    10907    /interfaces.php: Ignoring IPsec reload since there are no tunnels on interface opt5
Sep 14 11:30:46    check_reload_status    332    Reloading filter
*Sep 14 11:30:46    php-fpm    10907    OpenVPN PID written: 57788*
Sep 14 11:30:46    php-fpm    74406    /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed IP addresses. Reloading endpoints that may use HEV6_TUNNELV6.
Sep 14 11:30:46    php-fpm    74406    /rc.openvpn: Static Routes: Gateway IP could not be found for 172.21.100.0/24
Sep 14 11:30:46    php-fpm    74406    /rc.openvpn: route_add_or_change: Invalid gateway and/or network interface ipsec3
Sep 14 11:30:45    check_reload_status    332    Reloading filter
*Sep 14 11:30:44    php-fpm    10907    OpenVPN terminate old pid: 52182*
Sep 14 11:30:43    check_reload_status    332    Reloading filter
Sep 14 11:30:43    check_reload_status    332    Restarting OpenVPN tunnels/interfaces
Sep 14 11:30:43    check_reload_status    332    Restarting IPsec tunnels
Sep 14 11:30:43    check_reload_status    332    updating dyndns HEV6_TUNNELV6
*Sep 14 11:30:43    php-fpm    10907    /interfaces.php: Resyncing OpenVPN instances for interface AH.*
Sep 14 11:30:41    php-fpm    10907    /interfaces.php: Starting DHCP6 client for interfaces pppoe0 in DHCP6 without RA mode
Sep 14 11:30:41    php-fpm    10907    /interfaces.php: Accept router advertisements on interface igb0

It doesn't behave this way on 23.05.1 and 23.01

Actions #1

Updated by Lev Prokofev 7 months ago

Update:

Not related to the gateway on LAN, and reproducible on 23.05.1

here I disable OPT10 Interface that is simple LAN,

Sep 14 13:46:38 php-fpm 91444 /interfaces.php: Configuration Change: (Local Database): Interfaces settings changed
Sep 14 13:46:38 check_reload_status 475 Syncing firewall
Sep 14 13:46:38 php-fpm 91444 /interfaces.php: Beginning configuration backup to https://acb.netgate.com/save
Sep 14 13:46:42 php-fpm 405 /interfaces.php: Resyncing OpenVPN instances for interface OPT10.
Sep 14 13:46:42 php-fpm 405 OpenVPN terminate old pid: 64779
Sep 14 13:46:44 kernel ovpns3: link state changed to DOWN
Sep 14 13:46:44 check_reload_status 475 Reloading filter
Sep 14 13:46:44 kernel ovpns3: link state changed to UP
Sep 14 13:46:44 check_reload_status 475 Reloading filter
Sep 14 13:46:44 php-fpm 405 OpenVPN PID written: 95244
Sep 14 13:46:44 php-fpm 405 OpenVPN terminate old pid: 70941
Sep 14 13:46:44 check_reload_status 475 rc.newwanip starting ovpns3
Sep 14 13:46:44 php-fpm 405 OpenVPN PID written: 16512
Sep 14 13:46:44 php-fpm 405 OpenVPN terminate old pid: 25038
Sep 14 13:46:45 php-fpm 405 OpenVPN PID written: 33835
Sep 14 13:46:45 php-fpm 405 OpenVPN PID written: 55178
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: rc.newwanip: Info: starting on ovpns3.
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: rc.newwanip: on (IP address: 192.168.41.1) (interface: []) (real interface: ovpns3).
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: rc.newwanip called with empty interface.
Sep 14 13:46:45 check_reload_status 475 Reloading filter
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - -> 192.168.41.1 - Restarting packages.
Sep 14 13:46:45 check_reload_status 475 Starting packages
Sep 14 13:46:45 php-fpm 405 /interfaces.php: Ignoring IPsec reload since there are no tunnels on interface opt10
Sep 14 13:46:45 php-fpm 405 /interfaces.php: Removing static route for monitor 8.8.8.8 and adding a new route through 192.168.100.1
Sep 14 13:46:45 check_reload_status 475 Starting packages
Sep 14 13:46:45 kernel ovpn0: changing name to 'ovpnc2'
Sep 14 13:46:45 check_reload_status 475 rc.newwanip starting ovpnc2
Sep 14 13:46:45 kernel ovpnc2: link state changed to UP
Sep 14 13:46:46 php-fpm 71386 /rc.start_packages: Restarting/Starting all packages.
Sep 14 13:46:46 radiusd 18976 Signalled to terminate
Sep 14 13:46:46 radiusd 18976 Exiting normally
Sep 14 13:46:46 php-fpm 3126 /rc.start_packages: Skipping STARTing packages process because previous/another instance is already running
Sep 14 13:46:46 php-fpm 3126 /rc.newwanip: rc.newwanip: Info: starting on ovpnc2.
Sep 14 13:46:46 php-fpm 3126 /rc.newwanip: rc.newwanip: on (IP address: 10.150.0.2) (interface: OVPN_RUS[opt6]) (real interface: ovpnc2).
Sep 14 13:46:47 kernel ovpn1: changing name to 'ovpnc1'
Sep 14 13:46:47 check_reload_status 475 rc.newwanip starting ovpnc1
Sep 14 13:46:47 kernel ovpnc1: link state changed to UP
Sep 14 13:46:48 php-fpm 91444 /rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
Sep 14 13:46:48 php-fpm 91444 /rc.newwanip: rc.newwanip: on (IP address: 172.27.114.133) (interface: NG_OVPN[opt5]) (real interface: ovpnc1).

Actions #2

Updated by Jim Pingle 7 months ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from OpenVPN to OpenVPN
  • Status changed from New to Not a Bug
  • Affected Plus Version deleted (23.09)

That is expected and intended behavior. When an interface event occurs, daemons bound to that interface will be restarted no matter what the gateway settings are. Disabling an interface isn't a proper test of what happens on connectivity loss/gateway events.

Actions #3

Updated by Lev Prokofev 7 months ago

Agree but the OpenVPN server and clients are listening on the WAN interface and have nothing with the OPT10 interface(second log) or with AH (in the first log).

Actions #4

Updated by Jim Pingle 7 months ago

  • Status changed from Not a Bug to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.8.0
  • Plus Target Version set to 23.09

OK I see what happened here. Though at the moment I can still only trigger it by forcefully disabling an interface and not naturally.

The change from #14646 ended up also changing the contents of the 'interface' file in the openvpn config directory to be the internal interface name and not an OS interface name. When checking for gateway group changes around source:src/etc/inc/openvpn.inc#L1830 it reads in that file and then compares it with the output of get_failover_interface() which is an OS interface name. The two can never match, so it always thinks a gateway group has changed.

Easy fix is to use the same type of content when storing the interface so it can once again check for a proper match.

Actions #5

Updated by Jim Pingle 7 months ago

  • Release Notes changed from Default to Force Exclusion
Actions #6

Updated by Jim Pingle 7 months ago

  • Subject changed from The system terminate all OpenVPN pids on if the interface with assigned gateway go down to OpenVPN resync for a specific interface may unintentionally restart OpenVPN instances on unrelated interfaces
Actions #7

Updated by Jim Pingle 7 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by Lev Prokofev 7 months ago

Tested changeset on 23.09,
Don't see OpenVPN restart events anymore.

Actions #9

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved
Actions #10

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF