Regression #14781
closed
OpenVPN resync for a specific interface may unintentionally restart OpenVPN instances on unrelated interfaces
Added by Lev Prokofev about 1 year ago.
Updated about 1 year ago.
Plus Target Version:
23.09
Release Notes:
Force Exclusion
Description
Tested on
23.09-DEVELOPMENT (amd64)
built on Thu Sep 07 06:05:43 UTC 2023
FreeBSD 14.0-ALPHA2
If you have an interface with the gateway assigned, the system will terminate the OpenVPN on every link event. Disabling Gateway monitoring or Gateway monitoring actions doesn't help.
For example, I have an interface called AH with the gateway (this is a LAN interface intended for routing), and I disable it.
It will produce the following log:
*Sep 14 11:30:49 kernel ovpnc3: link state changed to UP*
Sep 14 11:30:49 check_reload_status 332 rc.newwanip starting ovpnc3
Sep 14 11:30:48 kernel ovpn1: changing name to 'ovpnc3'
Sep 14 11:30:48 php-fpm 292 /rc.start_packages: Restarting/Starting all packages.
Sep 14 11:30:47 check_reload_status 332 Starting packages
Sep 14 11:30:47 php-fpm 10907 /interfaces.php: Creating rrd update script
Sep 14 11:30:47 php-fpm 10907 /interfaces.php: Ignoring IPsec reload since there are no tunnels on interface opt5
Sep 14 11:30:46 check_reload_status 332 Reloading filter
*Sep 14 11:30:46 php-fpm 10907 OpenVPN PID written: 57788*
Sep 14 11:30:46 php-fpm 74406 /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed IP addresses. Reloading endpoints that may use HEV6_TUNNELV6.
Sep 14 11:30:46 php-fpm 74406 /rc.openvpn: Static Routes: Gateway IP could not be found for 172.21.100.0/24
Sep 14 11:30:46 php-fpm 74406 /rc.openvpn: route_add_or_change: Invalid gateway and/or network interface ipsec3
Sep 14 11:30:45 check_reload_status 332 Reloading filter
*Sep 14 11:30:44 php-fpm 10907 OpenVPN terminate old pid: 52182*
Sep 14 11:30:43 check_reload_status 332 Reloading filter
Sep 14 11:30:43 check_reload_status 332 Restarting OpenVPN tunnels/interfaces
Sep 14 11:30:43 check_reload_status 332 Restarting IPsec tunnels
Sep 14 11:30:43 check_reload_status 332 updating dyndns HEV6_TUNNELV6
*Sep 14 11:30:43 php-fpm 10907 /interfaces.php: Resyncing OpenVPN instances for interface AH.*
Sep 14 11:30:41 php-fpm 10907 /interfaces.php: Starting DHCP6 client for interfaces pppoe0 in DHCP6 without RA mode
Sep 14 11:30:41 php-fpm 10907 /interfaces.php: Accept router advertisements on interface igb0
It doesn't behave this way on 23.05.1 and 23.01.
Update:
Not related to the gateway on LAN, and reproducible on 23.05.1.
Here I disable the OPT10 interface, which is a simple LAN:
Sep 14 13:46:38 php-fpm 91444 /interfaces.php: Configuration Change: admin@172.21.100.10 (Local Database): Interfaces settings changed
Sep 14 13:46:38 check_reload_status 475 Syncing firewall
Sep 14 13:46:38 php-fpm 91444 /interfaces.php: Beginning configuration backup to https://acb.netgate.com/save
Sep 14 13:46:42 php-fpm 405 /interfaces.php: Resyncing OpenVPN instances for interface OPT10.
Sep 14 13:46:42 php-fpm 405 OpenVPN terminate old pid: 64779
Sep 14 13:46:44 kernel ovpns3: link state changed to DOWN
Sep 14 13:46:44 check_reload_status 475 Reloading filter
Sep 14 13:46:44 kernel ovpns3: link state changed to UP
Sep 14 13:46:44 check_reload_status 475 Reloading filter
Sep 14 13:46:44 php-fpm 405 OpenVPN PID written: 95244
Sep 14 13:46:44 php-fpm 405 OpenVPN terminate old pid: 70941
Sep 14 13:46:44 check_reload_status 475 rc.newwanip starting ovpns3
Sep 14 13:46:44 php-fpm 405 OpenVPN PID written: 16512
Sep 14 13:46:44 php-fpm 405 OpenVPN terminate old pid: 25038
Sep 14 13:46:45 php-fpm 405 OpenVPN PID written: 33835
Sep 14 13:46:45 php-fpm 405 OpenVPN PID written: 55178
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: rc.newwanip: Info: starting on ovpns3.
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: rc.newwanip: on (IP address: 192.168.41.1) (interface: []) (real interface: ovpns3).
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: rc.newwanip called with empty interface.
Sep 14 13:46:45 check_reload_status 475 Reloading filter
Sep 14 13:46:45 php-fpm 71386 /rc.newwanip: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - -> 192.168.41.1 - Restarting packages.
Sep 14 13:46:45 check_reload_status 475 Starting packages
Sep 14 13:46:45 php-fpm 405 /interfaces.php: Ignoring IPsec reload since there are no tunnels on interface opt10
Sep 14 13:46:45 php-fpm 405 /interfaces.php: Removing static route for monitor 8.8.8.8 and adding a new route through 192.168.100.1
Sep 14 13:46:45 check_reload_status 475 Starting packages
Sep 14 13:46:45 kernel ovpn0: changing name to 'ovpnc2'
Sep 14 13:46:45 check_reload_status 475 rc.newwanip starting ovpnc2
Sep 14 13:46:45 kernel ovpnc2: link state changed to UP
Sep 14 13:46:46 php-fpm 71386 /rc.start_packages: Restarting/Starting all packages.
Sep 14 13:46:46 radiusd 18976 Signalled to terminate
Sep 14 13:46:46 radiusd 18976 Exiting normally
Sep 14 13:46:46 php-fpm 3126 /rc.start_packages: Skipping STARTing packages process because previous/another instance is already running
Sep 14 13:46:46 php-fpm 3126 /rc.newwanip: rc.newwanip: Info: starting on ovpnc2.
Sep 14 13:46:46 php-fpm 3126 /rc.newwanip: rc.newwanip: on (IP address: 10.150.0.2) (interface: OVPN_RUS[opt6]) (real interface: ovpnc2).
Sep 14 13:46:47 kernel ovpn1: changing name to 'ovpnc1'
Sep 14 13:46:47 check_reload_status 475 rc.newwanip starting ovpnc1
Sep 14 13:46:47 kernel ovpnc1: link state changed to UP
Sep 14 13:46:48 php-fpm 91444 /rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
Sep 14 13:46:48 php-fpm 91444 /rc.newwanip: rc.newwanip: on (IP address: 172.27.114.133) (interface: NG_OVPN[opt5]) (real interface: ovpnc1).
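A way to check a system log for the pattern visible in the two logs above, as an added example that is not part of the original report or of pfSense itself: it groups the `OpenVPN terminate old pid` and `OpenVPN PID written` messages under the preceding `Resyncing OpenVPN instances for interface` line from the same php-fpm worker, and accepts either log ordering. The sample lines are copied from the second log; the function name, the 10-second window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the second log above, trimmed to the relevant events.
SAMPLE_LOG = """\
Sep 14 13:46:42 php-fpm 405 /interfaces.php: Resyncing OpenVPN instances for interface OPT10.
Sep 14 13:46:42 php-fpm 405 OpenVPN terminate old pid: 64779
Sep 14 13:46:44 kernel ovpns3: link state changed to DOWN
Sep 14 13:46:44 php-fpm 405 OpenVPN PID written: 95244
Sep 14 13:46:44 php-fpm 405 OpenVPN terminate old pid: 70941
Sep 14 13:46:44 php-fpm 405 OpenVPN PID written: 16512
Sep 14 13:46:44 php-fpm 405 OpenVPN terminate old pid: 25038
Sep 14 13:46:45 php-fpm 405 OpenVPN PID written: 33835
Sep 14 13:46:45 php-fpm 405 OpenVPN PID written: 55178
Sep 14 13:46:45 php-fpm 405 /interfaces.php: Ignoring IPsec reload since there are no tunnels on interface opt10
"""

# Only php-fpm lines matter; the optional '*' covers the emphasised lines in the first log.
PHP_FPM = re.compile(r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d) php-fpm (\d+) (.*?)\*?$")
RESYNC = re.compile(r"Resyncing OpenVPN instances for interface (.+?)\.?$")
TERMINATE = re.compile(r"OpenVPN terminate old pid: (\d+)")
WRITTEN = re.compile(r"OpenVPN PID written: (\d+)")

def find_resync_restarts(log_text, window_s=10, year=2023):
    """Return one record per resync event with the OpenVPN PIDs it stopped and started."""
    events = []
    for line in log_text.splitlines():
        m = PHP_FPM.match(line.strip())
        if m:  # syslog timestamps carry no year, so an assumed one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    if events and events[0][0] > events[-1][0]:
        events.reverse()  # the log was listed newest entry first
    findings, current = [], {}  # current: php-fpm worker pid -> open record
    for ts, worker, msg in events:
        hit = RESYNC.search(msg)
        if hit:
            current[worker] = {"interface": hit.group(1), "worker": worker,
                               "at": ts, "terminated": [], "started": []}
            findings.append(current[worker])
            continue
        rec = current.get(worker)
        if rec is None or ts - rec["at"] > timedelta(seconds=window_s):
            continue  # not part of a recent resync by this worker
        if (t := TERMINATE.search(msg)):
            rec["terminated"].append(int(t.group(1)))
        elif (w := WRITTEN.search(msg)):
            rec["started"].append(int(w.group(1)))
    return findings
```

A resync for a single interface that reports more terminated PIDs than there are OpenVPN instances bound to that interface matches the behaviour reported here.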
- Project changed from pfSense Plus to pfSense
- Category changed from OpenVPN to OpenVPN
- Status changed from New to Not a Bug
- Affected Plus Version deleted (23.09)
That is expected and intended behavior. When an interface event occurs, daemons bound to that interface will be restarted no matter what the gateway settings are. Disabling an interface isn't a proper test of what happens on connectivity loss/gateway events.
Agree, but the OpenVPN server and clients are listening on the WAN interface and have nothing to do with the OPT10 interface (second log) or with AH (in the first log).
- Status changed from Not a Bug to In Progress
- Assignee set to Jim Pingle
- Target version set to 2.8.0
- Plus Target Version set to 23.09
OK I see what happened here. Though at the moment I can still only trigger it by forcefully disabling an interface and not naturally.
The change from #14646 ended up also changing the contents of the 'interface' file in the openvpn config directory to be the internal interface name and not an OS interface name. When checking for gateway group changes around source:src/etc/inc/openvpn.inc#L1830 it reads in that file and then compares it with the output of get_failover_interface() which is an OS interface name. The two can never match, so it always thinks a gateway group has changed.
Easy fix is to use the same type of content when storing the interface so it can once again check for a proper match.
- Release Notes changed from Default to Force Exclusion
- Subject changed from The system terminate all OpenVPN pids on if the interface with assigned gateway go down to OpenVPN resync for a specific interface may unintentionally restart OpenVPN instances on unrelated interfaces
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Tested changeset on 23.09; don't see OpenVPN restart events anymore.
- Status changed from Feedback to Resolved
- Target version changed from 2.8.0 to 2.7.1