Bug #6936
closed
OpenVPN client boot race causes intermittent dependent rule failure.
Description
Summary:
A race condition starting OpenVPN client at boot (rc.bootup) is causing a firewall rule (that is dependent upon the OpenVPN gateway) to fail to initialise.
The failure is intermittent, but occurs around 50% of the time on my system.
Manually restarting the OpenVPN client service (after boot) clears the fault (properly initialises the rule) 100% of the time.
pfSense version 2.3.2 and 2.3.2-p1 running as Linux KVM guest on amd64.
Workaround:
Moving the call to openvpn_resync_all() in /etc/rc.bootup further down has resolved the boot-time failure completely.
(I have moved the call to below setup_gateways_monitor(), but I am not familiar enough with the code to know where the dependency actually is; it may just be that the added delay is sufficient in my case.)
Details of failure state (immediately after boot sequence is complete):
- web interface shows OpenVPN client status as "up"
- OpenVPN log has the following entry:
/usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.XX.XX.XX 255.255.0.0 init
- System log has the following entry:
/rc.newwanip:rc.newwanip:on (IP address:10.XX.XX.XX)(interface: VPN_WAN[opt2])(real interface:ovpnc1).
- verified at CLI with ifconfig and ping to vpn peer.
- pfctl does not show expected rule.
- /tmp/rules.debug contains the following line:
# rule LAN ALLOW OUTBOUND disabled because gateway VPN_GATEWAY is down label "USER_RULE: LAN ALLOW OUTBOUND"
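
A post-boot check for the failure state described in the report above, added here as an example (it is not part of the original report and not pfSense code): it scans a generated ruleset for the "disabled because gateway ... is down" comment and reports which rule labels were left out. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: find rules the ruleset generator commented out because
# their gateway was considered down (comment format as quoted in the report).

# Print "gateway<TAB>label" for every rule disabled for that reason.
disabled_gateway_rules() {
    awk '
    /^# rule .* disabled because gateway [^ ]+ is down/ {
        gw = $0
        sub(/^.* disabled because gateway /, "", gw)
        sub(/ is down.*$/, "", gw)
        label = ""
        if (match($0, /label "[^"]*"/))
            label = substr($0, RSTART + 7, RLENGTH - 8)
        printf "%s\t%s\n", gw, label
    }' "$1"
}

# Return 0 if no rule was dropped; otherwise warn on stderr and return 1.
check_ruleset() {
    found=$(disabled_gateway_rules "$1")
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" | while IFS="$(printf '\t')" read -r gw label; do
        echo "WARNING: rule \"$label\" not loaded, gateway $gw was down" >&2
    done
    return 1
}

# Constructed sample ruleset: one loaded rule, one disabled rule.
sample=$(mktemp)
cat > "$sample" <<'EOF'
pass in quick on em1 all label "USER_RULE: constructed sample rule"
# rule LAN ALLOW OUTBOUND disabled because gateway VPN_GATEWAY is down label "USER_RULE: LAN ALLOW OUTBOUND"
EOF

check_ruleset "$sample" || echo "ruleset is missing gateway-dependent rules"
rm -f "$sample"
```

On the firewall itself, the file to pass is /tmp/rules.debug, and a non-zero return after boot indicates the state the report describes.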