Bug #8142
closed
OpenVPN client does not remove static route for custom monitor IP
Description
Since upgrading from 2.3.4 to 2.4.2 I've had this problem with my OpenVPN clients that specify a custom monitoring IP address. The client connects fine, but if the client is restarted or disconnects and attempts to restart, etc. it will fail to restart:
/sbin/ifconfig ovpnc3 10.6.0.50 10.6.0.1 mtu 1500 netmask 255.255.0.0 up
This is the command that always fails in the ovpn logs on the restart attempt. The only way to get the tunnel to reconnect is to reboot pfSense.
I've tracked it down to the fact that the static route that is created based on the monitor IP setting for the gateway is not removed. I tried to manually remove the route from the command line (after the tunnel has been disconnected and all the other routes associated with the tunnel have been successfully removed) and it will not delete:
route delete 10.6.0.1
route: writing to routing socket: Address already in use
delete host 10.6.0.1 fib 0: gateway uses the same route
In 2.3.x this worked fine with specifying a monitoring IP. My workaround for now is to not specify a monitoring IP for my OVPN gateways. As long as I don't, then when the tunnel is disconnected, the route table updates as expected and the tunnel can reconnect without issue. The downside, of course, is that my gateway monitoring is not accurate (as it ends up monitoring its own IP address).
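A diagnostic for the condition described in the report above, as an added example that is not part of the original ticket or of pfSense: it reads `netstat -rn -f inet` output and lists every route that still references the tunnel interface or its gateway address after the client has gone down. The function names, the sample table, the `UGHS` flags and the monitor address 198.51.100.53 are constructed for illustration; only `ovpnc3` and `10.6.0.1` come from the report.

```shell
#!/bin/sh
# Added example (not pfSense code): find routes left behind after an
# OpenVPN client interface has disconnected.
# Input on stdin: `netstat -rn -f inet` in the FreeBSD column layout
#   Destination  Gateway  Flags  Netif  [Expire]

# stale_routes IFNAME GATEWAY
# Prints "destination gateway flags netif" for each route that is bound to
# IFNAME, uses GATEWAY as its next hop, or is the host route to GATEWAY.
stale_routes() {
    awk -v ifn="$1" -v gw="$2" '
        $1 == "Destination" { in_table = 1; next }  # header row opens a table
        NF < 4              { in_table = 0 }        # blank or section line closes it
        in_table && ($4 == ifn || $2 == gw || $1 == gw) {
            print $1, $2, $3, $4
        }
    '
}

# Constructed sample: routing table after the tunnel dropped, with a host
# route for a hypothetical monitor IP (198.51.100.53) still pointing at the
# tunnel gateway.
sample_after_disconnect() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.6.0.1           link#9             UH       ovpnc3
198.51.100.53      10.6.0.1           UGHS     ovpnc3
127.0.0.1          link#4             UH          lo0
192.0.2.0/24       link#1             U           em0
EOF
}

# Any output here means the tunnel did not clean up after itself.
sample_after_disconnect | stale_routes ovpnc3 10.6.0.1
```

On a live system the input would be `netstat -rn -f inet | stale_routes ovpnc3 10.6.0.1`, run after the client has been stopped.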
Updated by Jim Pingle over 7 years ago
- Status changed from New to Feedback
- Assignee set to Jim Pingle
- Priority changed from High to Normal
There must be something more to it than that alone, as I can't reproduce the problem by simply setting an alternate monitor IP address. The VPN still stops/starts/restarts/reconnects/etc fine for me when I test it.
See some existing discussion here: https://forum.pfsense.org/index.php?topic=138608.msg764734#msg764734
If you have a repeatable method to reproduce it starting with a fresh configuration, we'll need more information about the VPN setup and exact steps taken to reproduce the issue.
Updated by Derek Battams over 7 years ago
I'll have to try to set up a reproduction scenario in my lab on a vm, but fwiw, I am using the same vpn provider as the others in that thread: AirVPN. Maybe we're looking at a problem between the versions of OpenVPN on each end of the link?
I can also say this is a fresh install... I "upgraded" from 2.3.4 to 2.4.2, but my upgrade process was to wipe and rebuild from scratch. I have 3 openvpn connections on my system:
Site to Site with shared key
Remote access server
Client connection to AirVPN
The client connection with a custom monitor IP is what causes this every time for me. Removed the monitor IP and haven't had a problem since. I'll add this to the thread as well, but here are the answers to the questions posed in that thread:
1. Is the VPN interface assigned/enabled under the Interfaces menu? Yes
2. Does the VPN gateway have an alternate monitoring IP address? Yes
3. Is there a DNS server set to use the VPN gateway? No
4. Are there any manually-defined static routes set to use the VPN gateway? (there should never be, but some people add them not realizing they are a problem) No
5. Any dynamic routing protocols using the VPN? No
Updated by Anonymous over 6 years ago
Is this issue still present in the latest development build? If so, what are the specific steps to reproduce the behavior?
Updated by Derek Battams over 6 years ago
I'm not able to reproduce this on 2.4.4p1. However, I will say I'm also no longer using the same vpn provider. I'm now using PIA and am using a custom monitor ip with this vpn service and things are working fine. Not sure if something's changed on the pfsense side since or if the issue was specific to the AirVPN service? As far as I'm concerned, this can probably be closed as I can no longer reproduce it.
Updated by Jim Pingle over 6 years ago
- Status changed from Feedback to Resolved
In the forum thread, others who could reproduce it were also on airvpn, so it is likely specific to something that provider was pushing to clients. I haven't seen any recent complaints, though, so either they fixed it or something else fixed it.
We can reopen it if someone can find a reliable way to reproduce the issue without involving a third party VPN provider.
Updated by Gabriele Villa almost 6 years ago
Hi,
I'm able to reproduce the issue at 100% with an OpenVPN client on pfSense 2.4.4-p3 and an OpenVPN server on one of my VPSes that I've connected right from pfSense.
That VPS is used only as a VPN endpoint (until now used only by a laptop when away), and I configured it some years ago with this script: https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
I set it up with the script just to be quicker during setup. Now, looking deeply at the OpenVPN configuration that was generated, I think that the issue in pfSense could be generated by this option, which is not removed after the VPN disconnects:
push "redirect-gateway def1 bypass-dhcp"