Bug #6285
closed
Stability issue with w/ OpenVPN Server on pfSense 2.3
0%
Description
First, thank you for building a awesome piece of software! This is my first bug report. I hope the information is useful.
After upgrading from 2.2.6 to 2.3 my OpenVPN remote access became very unstable. I have a pretty basic config. Remote Access with TLS & User Auth using TCP on port 443 (easy access to home through my work firewall). It has been bullet proof with 2.2.x. I assumed my config was screwed up after I upgraded so I recreated OpenVPN Server, everything including the CA and certs (user and server). Still the same issue. After a few hours of use, I would get disconnected from the OpenVPN server and it would not let me reconnect unless I either ran the openvpn_resync_all() (via the shell into pfSense) or rebooted the pfSense box. That seem more of a pfSense 2.3 oddity because with 2.2.x I could occasionally get a openvpn client connection reset and it would immediately reconnect.
I tried something interesting with pfSense 2.3 (OpenVPN 2.3.9). I ssh'd into the pfSense box and connected to the OpenVPN management socket (nc -U /var/etc/openvpn/server1.sock). I could get the status, state all, etc, no problem. What I found out was after about 30 seconds my OpenVPN client (on Ubuntu) would time out and disconnect. I tried the same exact test with pfSense 2.2.6 (OpenVPN 2.3.8) and everything stays connected. I also noticed in both cases when connected to the management socket after a few minutes would cause the openvpn process on the pfSense box to consume 100% of the CPU. When I exited out of the management socket the openvpn process would go back to normal. That seemed odd to me. I'm not sure what to make of my observation except to say that pfSense 2.3 w/ OpenVPN 2.3.9 is more frail than 2.2.x. Is it possible that pfSense 2.3 using the management socket is causing the OpenVPN Sever instability?
Updated by Chris Buechler about 9 years ago
- Status changed from New to Feedback
the reconnect issue, what OpenVPN logs do you get at the time?
if there's an issue with manually connecting to the management socket for long periods, it's in OpenVPN and needs to be reported there. The first issue might be related to that too if it happens while you're manually connected to the management socket.
Updated by Frank Lattuca about 9 years ago
I built a VM to do some additional testing with 2.3. I was unable to recreate the OpenVPN connection reset problem. But I could definitely peg the CPU at 100% by using net cat to attach to the management socket (nc -U server1.sock) with both version of pfSense 2.2.6 and 2.3. I'm going to backup my 2.3 config and reload pfSense 2.3 and do a restore to see if that fixes my reconnect issues. I'll also open a ticket with OpenVPN and share my findings about the CPU load.
Updated by Chris Buechler about 9 years ago
- Status changed from Feedback to Not a Bug
Thanks for the follow up. I don't see an open bug in OpenVPN's bug tracker on that, it's worth opening one.
Maybe the disconnect happened as a result of that issue?
Don't see any issue here in any of our code.
Updated by Frank Lattuca about 9 years ago
Just to wrap this up. I had a chance over the weekend to install 2.3 from the iso and restore my configuration. OpenVPN has been solid as a rock since.
I also opened up bug report to the OpenVPN team #681 (https://community.openvpn.net/openvpn/ticket/681).
Thanks again for all the great work that you and your team does!