Project

General

Profile

Actions
Copy link

Bug #15316

open

OpenVPN Clients with Gateway Group Interface on DHCP Exits on Error 1

Added by Kris Phillips about 2 months ago. Updated about 1 month ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Gateways
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default
Affected Plus Version:
23.09.1
Affected Architecture:
All

Description

By default with DHCP gateways, they are not populated into the config as <gateway_item>, but can be present in a <gateway_group>. Because of this, when assigning a gateway group to an OpenVPN client that has an interface go down in the current, active tier, OpenVPN will not properly fail over. Instead, it will hang for a long time, produce errors stating that it's "unable to bind" to the interface (because it's unplugged and the gateway disappears), give an error about being unable to delete a route, and then exits on "Error 1".

If you go into each gateway item under System --> Routing, edit the gateway items without making any changes, save, and apply, the gateways will become present in the config.xml, they'll show as "Pending" in gateway statuses (rather than disappearing entirely), and OpenVPN will fail over as expected.

Either we should be adding a <gateway_item> for each gateway that is present in a <gateway_group> or we should fix OpenVPN so that it doesn't bomb out when a gateway disappears rather than transitioning to Pending.

Actions
Copy link
 #1

Updated by George Phillips about 2 months ago

Mar 6 11:27:55 pfSense openvpn89316: [us8788.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Mar 6 11:27:55 pfSense openvpn89316: SIGUSR1[soft,ping-restart] received, process restarting
Mar 6 11:28:05 pfSense openvpn89316: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 6 11:28:05 pfSense openvpn89316: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.12:1194
Mar 6 11:28:05 pfSense openvpn89316: TCP/UDP: Socket bind failed on local address [AF_INET]100.76.71.26:0: Can't assign requested address (errno=49)
Mar 6 11:28:05 pfSense openvpn89316: Exiting due to fatal error
Mar 6 11:28:05 pfSense openvpn89316: ERROR: FreeBSD route delete command failed: external program exited with error status: 1
Mar 6 11:28:05 pfSense openvpn89316: /sbin/ifconfig ovpnc1 10.8.2.6 -alias
Mar 6 11:28:05 pfSense openvpn89316: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 10.8.2.6 255.255.255.0 init
Mar 6 11:28:05 pfSense openvpn35723: Flushing states on OpenVPN interface ovpnc1 (Link Down)

Actions
Copy link
 #2

Updated by Danilo Zrenjanin about 1 month ago

  • Status changed from New to Confirmed

I was able to replicate this behavior. The OpenVPN client doesn't failover to the next gateway in the gateway group.

Tested against:

23.09.1-RELEASE (amd64)
built on Wed Feb 28 16:16:00 UTC 2024
FreeBSD 14.0-CURRENT


Mar 20 14:59:59    openvpn    1194    TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.33.1:1197
Mar 20 14:59:59    openvpn    1194    TCP/UDP: Socket bind failed on local address [AF_INET]172.21.10.103:0: Can't assign requested address (errno=49)
Mar 20 14:59:59    openvpn    1194    Exiting due to fatal error
Mar 20 14:59:59    openvpn    1194    /usr/local/sbin/ovpn-linkdown ovpnc1 1500 0 init
Mar 20 14:59:59    openvpn    46672    Flushing states on OpenVPN interface ovpnc1 (Link Down)
Actions
Copy link

Also available in: Atom PDF