Regression #14833
OpenVPN client process in bridged tap mode fails after 2.7.0 CE upgrade
Description
Have a P2P OpenVPN tunnel that bridges 2 physical interfaces for the purpose of passing multicast traffic. Has been running since prior to 2.6.0. Updated to 2.7.0, and the tunnel came up and passes traffic without issue. Found that if the process on the client side box is restarted, the OpenVPN process dies and cannot be restarted. Rebooting the client side box recovers the tunnel. Specific last lines in the Ovpn log are:
openvpn 60082 /sbin/ifconfig ovpnc1 172.16.10.2/24 mtu 1500 up
openvpn 60082 FreeBSD ifconfig failed: external program exited with error status: 1
openvpn 60082 Exiting due to fatal error
Server and client side are P2P SSL/TLS. Device Mode: tap. Server side (only) has an IPv4 Tunnel Network of 172.16.10.0/24. Both sides have Intel 4 port NICs for LAN and the physical port (igb1) that is bridged to the Ovpn tunnel. WAN is on the motherboard NIC (em0). For the purposes of testing, the client and server were rebuilt from scratch on different machines to see each other over private IPs on a LAN via the WAN port vs. public IPs.
Upon client machine restart, the tunnel comes up without issue. If the client Ovpn process is restarted, the GUI reports:
down 0 (pending) Service not running? Unable to contact daemon:
I have also found that if I reconfigure tunnel to use shared keys rather than SSL/TLS certs, the tunnel will establish. Also, if I remove the client Ovpn tunnel from the bridge - with SSL/TLS - and restart the client process, the tunnel will establish. If client side Ovpn tunnel establishes, I can then re-add it to the bridge with the physical interface, and the client tunnel process stays up and established.
The files I am attaching show the client tunnel establishing on 2.6.0, what happened upon restart after the update to 2.7.0, what happens after a client process restart while on 2.7.0, and then what happened after a client reboot while on 2.7.0. Verbosity set to 7. Also, I include the complete client config while on 2.6.0 including cert and CA. Nothing in the file is sensitive as it is all private IPs and built from scratch. The cert and CA are only used for the example uploaded and will never be used again. Password for the config is "Password". Server side config not included, but you just need the server side tunnel built and accessible. Bridge or not makes no difference.
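An added triage helper, not part of this report or of pfSense, that checks the two conditions the report ties together: the OpenVPN client log ending with the ifconfig failure on the tap interface, and that interface still being a member of the bridge. Inputs are passed as text (the quoted log lines and a constructed `ifconfig bridge0` output, both assumptions) so it runs offline; on a live box the same functions can be fed `tail` of the OpenVPN log and `ifconfig bridge0`.

```shell
#!/bin/sh
# Constructed excerpt: the last OpenVPN client log lines quoted in the report.
SAMPLE_LOG='openvpn 60082 /sbin/ifconfig ovpnc1 172.16.10.2/24 mtu 1500 up
openvpn 60082 FreeBSD ifconfig failed: external program exited with error status: 1
openvpn 60082 Exiting due to fatal error'

# Constructed `ifconfig bridge0` output with ovpnc1 bridged to igb1 (assumed names).
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: ovpnc1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# ifconfig_fatal LOG IFACE: exit 0 when the log shows /sbin/ifconfig on IFACE,
# then "ifconfig failed", then the fatal exit; otherwise exit 1.
ifconfig_fatal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /\/sbin\/ifconfig / { for (i = 1; i <= NF; i++) if ($i == "/sbin/ifconfig") iface = $(i + 1) }
        /ifconfig failed/ { failed = 1 }
        /Exiting due to fatal error/ && failed && iface == want { found = 1 }
        END { exit !found }'
}

# is_bridge_member BRIDGE_OUTPUT IFACE: exit 0 when IFACE appears as a "member:" line.
is_bridge_member() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 == "member:" && $2 == want { found = 1 } END { exit !found }'
}

# triage LOG BRIDGE_OUTPUT IFACE: one-word verdict for the operator.
triage() {
    if ifconfig_fatal "$1" "$3" && is_bridge_member "$2" "$3"; then
        echo "bridged-ifconfig-failure"      # the combination described in this report
    elif ifconfig_fatal "$1" "$3"; then
        echo "ifconfig-failure-unbridged"    # same log signature, interface not in a bridge
    else
        echo "no-match"
    fi
}

triage "$SAMPLE_LOG" "$SAMPLE_BRIDGE" ovpnc1
```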
Updated by admin admin 7 months ago
Confirmed on pfSense 2.7.2. I set up the OpenVPN bridge on a clean configuration. When changing the parameters of the OpenVPN service or when restarting it, the service does not start, and there is no information in the logs about the problem with starting the service. Restarting pfSense or starting OpenVPN without adding it to the bridge helps. The problem is on both sides of the tunnel.