Bug #15316
Closed
OpenVPN Clients with Gateway Group Interface on DHCP Exits on Error 1
Description
By default with DHCP gateways, they are not populated into the config as <gateway_item>, but can be present in a <gateway_group>. Because of this, when assigning a gateway group to an OpenVPN client that has an interface go down in the current, active tier, OpenVPN will not properly fail over. Instead, it will hang for a long time, produce errors stating that it's "unable to bind" to the interface (because it's unplugged and the gateway disappears), give an error about being unable to delete a route, and then exit on "Error 1".
If you go into each gateway item under System --> Routing, edit the gateway items without making any changes, save, and apply, the gateways will become present in the config.xml, they'll show as "Pending" in gateway statuses (rather than disappearing entirely), and OpenVPN will fail over as expected.
Either we should be adding a <gateway_item> for each gateway that is present in a <gateway_group> or we should fix OpenVPN so that it doesn't bomb out when a gateway disappears rather than transitioning to Pending.
Updated by George Phillips 9 months ago
Mar 6 11:27:55 pfSense openvpn89316: [us8788.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Mar 6 11:27:55 pfSense openvpn89316: SIGUSR1[soft,ping-restart] received, process restarting
Mar 6 11:28:05 pfSense openvpn89316: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 6 11:28:05 pfSense openvpn89316: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.12:1194
Mar 6 11:28:05 pfSense openvpn89316: TCP/UDP: Socket bind failed on local address [AF_INET]100.76.71.26:0: Can't assign requested address (errno=49)
Mar 6 11:28:05 pfSense openvpn89316: Exiting due to fatal error
Mar 6 11:28:05 pfSense openvpn89316: ERROR: FreeBSD route delete command failed: external program exited with error status: 1
Mar 6 11:28:05 pfSense openvpn89316: /sbin/ifconfig ovpnc1 10.8.2.6 -alias
Mar 6 11:28:05 pfSense openvpn89316: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.2.6 255.255.255.0 init
Mar 6 11:28:05 pfSense openvpn35723: Flushing states on OpenVPN interface ovpnc1 (Link Down)
Updated by Danilo Zrenjanin 8 months ago
- Status changed from New to Confirmed
I was able to replicate this behavior. The OpenVPN client doesn't fail over to the next gateway in the gateway group.
Tested against:
23.09.1-RELEASE (amd64) built on Wed Feb 28 16:16:00 UTC 2024 FreeBSD 14.0-CURRENT
Mar 20 14:59:59 openvpn 1194 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.33.1:1197
Mar 20 14:59:59 openvpn 1194 TCP/UDP: Socket bind failed on local address [AF_INET]172.21.10.103:0: Can't assign requested address (errno=49)
Mar 20 14:59:59 openvpn 1194 Exiting due to fatal error
Mar 20 14:59:59 openvpn 1194 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 init
Mar 20 14:59:59 openvpn 46672 Flushing states on OpenVPN interface ovpnc1 (Link Down)
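As an added example (not part of the ticket or of pfSense's code), the failure signature in the logs above, a socket bind failure followed by a fatal exit from the same OpenVPN PID, can be matched with a short script. The sample lines are copied from the two comments; the function and pattern names are assumptions of this example.

```python
import re

# Log lines copied from the ticket; the two comments use different syslog layouts.
SAMPLE_LOG = """\
Mar 6 11:27:55 pfSense openvpn89316: SIGUSR1[soft,ping-restart] received, process restarting
Mar 6 11:28:05 pfSense openvpn89316: TCP/UDP: Socket bind failed on local address [AF_INET]100.76.71.26:0: Can't assign requested address (errno=49)
Mar 6 11:28:05 pfSense openvpn89316: Exiting due to fatal error
Mar 6 11:28:05 pfSense openvpn35723: Flushing states on OpenVPN interface ovpnc1 (Link Down)
Mar 20 14:59:59 openvpn 1194 TCP/UDP: Socket bind failed on local address [AF_INET]172.21.10.103:0: Can't assign requested address (errno=49)
Mar 20 14:59:59 openvpn 1194 Exiting due to fatal error
Mar 20 14:59:59 openvpn 46672 Flushing states on OpenVPN interface ovpnc1 (Link Down)
"""

# Matches "<Mon> <day> <time> <host> openvpn<pid>: msg" and "<Mon> <day> <time> openvpn <pid> msg".
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(?:\S+\s+)?openvpn\s?\[?(\d+)\]?:?\s+(.*)$")
# Local (source) address the client tried to bind, plus the errno OpenVPN reported.
BIND = re.compile(r"Socket bind failed on local address \[AF_INET\]([\d.]+):\d+: .*\(errno=(\d+)\)")
FATAL = "Exiting due to fatal error"


def find_bind_failures(log_text):
    """Return one finding per OpenVPN PID that exited fatally after a bind failure."""
    pending = {}   # pid -> (local address, errno) of its most recent bind failure
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an OpenVPN syslog line in either layout
        ts, pid, msg = m.groups()
        bind = BIND.search(msg)
        if bind:
            pending[pid] = (bind.group(1), int(bind.group(2)))
        elif FATAL in msg and pid in pending:
            addr, errno = pending.pop(pid)
            findings.append({"time": ts, "pid": pid, "local_addr": addr, "errno": errno})
    return findings


if __name__ == "__main__":
    for f in find_bind_failures(SAMPLE_LOG):
        print(f"{f['time']} openvpn[{f['pid']}] exited: could not bind "
              f"{f['local_addr']} (errno={f['errno']})")
```

A ping-restart on its own, or a fatal exit with no preceding bind failure from the same PID, produces no finding.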
Updated by Azamat Khakimyanov 5 months ago
I tested on 23.05, 23.09.1 and 24.03 and I wasn't able to reproduce this issue.
With Failover group as an Interface for OpenVPN Client, if Tier 1 WAN went down, OpenVPN started to use Tier 2 WAN immediately without any issue in logs, etc.
Updated by Danilo Zrenjanin 4 months ago
The problem is specific to the OpenVPN client setup. Azamat, can you confirm that you tested with it?
Updated by Danilo Zrenjanin 4 months ago
- Status changed from Confirmed to Resolved
After conducting thorough tests, I could not reproduce the issue on 24.03.
Additionally, even when the tier 1 gateway transitions to a Pending status, the OpenVPN client seamlessly switches to the tier 2 gateway and establishes the connection.
I am marking this ticket resolved.