openvpn tap tunnel goes offline
- pfsense v2.70 or 2.71
Set up a tap (bridge) openvpn with TLS/SSL
Right now this is a POC and it's failing
- after this, then add a second WAN for WAN failover
- after 2nd WAN, add 2nd unit with CARP to unit HA
Start the pfsense server (75.152.103.51)
- the WAN cable is disconnected - so the WAN status is red with 'no carrier'
- but the tap openvpn is showing an IP address & the openvpn status is waiting for a connection
--- Console (copied from ssh session)
- the tap openvpn is up & will stay up - waiting for a client to connect (with the WAN cable disconnected)
pfSense - Netgate Device ID: 81f332591f8a44a18182
*** Welcome to pfSense 2.7.1-RELEASE (amd64) on brg151 ***
WAN (wan) -> ue0 -> v4: 75.152.103.51/24
LAN (lan) -> em0 -> v4: 172.16.138.51/16
OPT1_VPN_BRIDGE (opt1) -> ovpns1 -> v4: 10.0.1.1/29
--- check to see if openvpn process is running - it is
[2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps uxaww | grep openvpn
root 61518 0.0 0.1 23052 9896 - Ss 09:54 0:00.05 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1/config.ovpn
root 18564 0.0 0.0 12752 2360 0 S+ 09:55 0:00.00 grep openvpn
[2.7.1-RELEASE][admin@brg151.kyetech.local]/root:
--- openvpn log file
Nov 22 09:54:26 openvpn 55560 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Nov 22 09:54:26 openvpn 55560 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
Nov 22 09:54:26 openvpn 55560 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/obj/amd64/GScwGwyy/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/sources/F
Nov 22 09:54:26 openvpn 61518 GDG: problem writing to routing socket
Nov 22 09:54:26 openvpn 61518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 22 09:54:27 openvpn 61518 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Nov 22 09:54:27 openvpn 61518 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 22 09:54:27 openvpn 61518 TUN/TAP device /dev/tap1 opened
Nov 22 09:54:27 openvpn 61518 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
Nov 22 09:54:27 openvpn 61518 /usr/local/sbin/ovpn-linkup ovpns1 1500 0 10.0.1.1 255.255.255.248 init
Nov 22 09:54:27 openvpn 61518 UDPv4 link local (bound): [AF_INET]75.152.103.51:1194
Nov 22 09:54:27 openvpn 61518 UDPv4 link remote: [AF_UNSPEC]
Nov 22 09:54:27 openvpn 61518 Initialization Sequence Completed
--- now plug in the WAN cable - WAN status goes to green with 'up'
- the 1 client (75.152.103.53) connects
- the GUI openvpn status displays the client connected
- connected for a while (about 10 - 30 seconds) - then the server brings the openvpn link down
- and it cannot see the client anymore
--- openvpn log
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_VER=2.6.4
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_PLAT=freebsd
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_TCPNL=1
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_MTU=1600
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_NCP=2
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_PROTO=990
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_LZO_STUB=1
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_COMP_STUB=1
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_COMP_STUBv2=1
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 [VPNCert-user] Peer Connection Initiated with [AF_INET]75.152.103.53:2539
Nov 22 09:59:14 openvpn 61518 VPNCert-user/75.152.103.53:2539 MULTI_sva: pool returned IPv4=10.0.1.2, IPv6=(Not enabled)
Nov 22 09:59:16 openvpn 61518 VPNCert-user/75.152.103.53:2539 write UDPv4: No route to host (fd=6,code=65)
--- GUI openvpn status
ovpns1: VPN-Bridged UDP4:1194 / Client Connections: 0
[error] Unable to contact daemon Service not running?
- and the openvpn will not restart when the 'restart' icon is clicked
--- Console (copied from ssh session)
- the openvpn connection loses its IP
pfSense - Netgate Device ID: 81f332591f8a44a18182
*** Welcome to pfSense 2.7.1-RELEASE (amd64) on brg151 ***
WAN (wan) -> ue0 -> v4: 75.152.103.51/24
LAN (lan) -> em0 -> v4: 172.16.138.51/16
OPT1_VPN_BRIDGE (opt1) -> ovpns1 ->
--- check to see if openvpn process is running - it is NOT
[2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps ax | grep openvpn
42536 0 S+ 0:00.00 grep openvpn
--- openvpn log
Nov 22 10:06:10 openvpn 79586 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Nov 22 10:06:10 openvpn 79586 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
Nov 22 10:06:10 openvpn 79586 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/obj/amd64/GScwGwyy/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/sources/F
Nov 22 10:06:10 openvpn 79803 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 22 10:06:10 openvpn 79803 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Nov 22 10:06:10 openvpn 79803 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 22 10:06:10 openvpn 79803 TUN/TAP device /dev/tap1 opened
Nov 22 10:06:10 openvpn 79803 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
Nov 22 10:06:10 openvpn 79803 FreeBSD ifconfig failed: external program exited with error status: 1
Nov 22 10:06:10 openvpn 79803 Exiting due to fatal error
- restart the openvpn process via GUI
- the openvpn will not start
- restart the openvpn from ssh session
/usr/local/sbin/pfSsh.php playback svc restart openvpn server 1
Attempting to issue restart to openvpn service...
openvpn has been restarted.
but the ps command does not see the openvpn process running
ps ax | grep openvpn
42536 0 S+ 0:00.00 grep openvpn
-- using a different openvpn restart command
- comes back with errors
[2.7.1-RELEASE][admin@brg151.kyetech.local]/etc: service openvpn onerestart
openvpn not running? (check /var/run/openvpn.pid).
/usr/local/etc/rc.d/openvpn: WARNING: /usr/local/etc/openvpn/openvpn.conf is not readable.
/usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn
- no openvpn process running
[2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps ax | grep openvpn
46024 0 S+ 0:00.00 grep openvpn
-- using another openvpn restart command
[2.7.1-RELEASE][admin@brg151.kyetech.local]/root: /usr/local/sbin/ovpn-linkup ovpns1 1500 0 10.0.1.1 255.255.255.248 init
OK
- no openvpn process running
[2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps ax | grep openvpn
46024 0 S+ 0:00.00 grep openvpn
- Can never restart the openvpn
- need to reboot the server
- and even then the openvpn service sometimes does not start
- Another test
--- on a reboot - the openvpn starts & is waiting for a client to connect
- without connecting the WAN cable
- restart openvpn from GUI
- openvpn does not restart
--- GUI openvpn status
ovpns1: VPN-Bridged UDP4:1194 / Client Connections: 0
[error] Unable to contact daemon Service not running?
--- openvpn log
Nov 22 11:08:00 openvpn 71097 /sbin/ifconfig ovpns1 10.0.1.1 -alias
Nov 22 11:08:00 openvpn 71097 /usr/local/sbin/ovpn-linkdown ovpns1 1500 0 10.0.1.1 255.255.255.248 init
Nov 22 11:08:00 openvpn 71663 Flushing states on OpenVPN interface ovpns1 (Link Down)
Nov 22 11:08:00 openvpn 71097 SIGTERM[hard,] received, process exiting
Nov 22 11:08:01 openvpn 83693 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Nov 22 11:08:01 openvpn 83693 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
Nov 22 11:08:01 openvpn 83693 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/obj/amd64/GScwGwyy/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/sources/F
Nov 22 11:08:01 openvpn 83816 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 22 11:08:01 openvpn 83816 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Nov 22 11:08:01 openvpn 83816 TUN/TAP device ovpns1 exists previously, keep at program end
Nov 22 11:08:01 openvpn 83816 TUN/TAP device /dev/tap1 opened
Nov 22 11:08:01 openvpn 83816 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
Nov 22 11:08:01 openvpn 83816 FreeBSD ifconfig failed: external program exited with error status: 1
Nov 22 11:08:01 openvpn 83816 Exiting due to fatal error
Questions
- How to restart the tap openvpn from cli?
- Why does the tap openvpn tunnel go down? And how to fix it?
Any suggestions, guesses, fixes???
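An added triage helper for the restart-and-check cycle in the post (example code, not from the post or from pfSense): it checks from ps output whether an openvpn daemon is really present (a bare `ps ax | grep openvpn` always lists the grep itself, which is the only line left in the post's output) and reports the newest decisive event in the OpenVPN log, so a restart that dies on the ifconfig failure is surfaced instead of being hidden behind "openvpn has been restarted." The pfSsh.php command and the sample ps/log text are taken from the post; the log path /var/log/openvpn.log is an assumption.

```shell
# Added example, not code from the original post or from pfSense: verify
# the restart instead of trusting "openvpn has been restarted."

# 0 if a real openvpn daemon is listed in ps output file $1. "ps ax | grep
# openvpn" always lists the grep itself, so match on the daemon's path.
ovpn_running() {
    grep -q '/usr/local/sbin/openvpn' "$1"
}

# Newest decisive event in log file $1: up|no_route|ifconfig_failed|stopped|unknown.
# Newest wins, so the ifconfig failure that kills each restart in the post
# is reported even though a SIGTERM precedes it in the same log.
ovpn_last_state() {
    last=$(grep -E 'Initialization Sequence Completed|No route to host|FreeBSD ifconfig failed|SIGTERM' "$1" | tail -n 1)
    case "$last" in
        *'Initialization Sequence Completed'*) echo up ;;
        *'No route to host'*)                  echo no_route ;;
        *'FreeBSD ifconfig failed'*)           echo ifconfig_failed ;;
        *SIGTERM*)                             echo stopped ;;
        *)                                     echo unknown ;;
    esac
}

# Run on the firewall only: restart server 1 as in the post, then check.
# Log path /var/log/openvpn.log is assumed.
ovpn_restart_and_verify() {
    /usr/local/sbin/pfSsh.php playback svc restart openvpn server 1
    sleep 3
    ps ax > "/tmp/ovpn_ps.$$"
    if ovpn_running "/tmp/ovpn_ps.$$"; then echo "openvpn is running"; else echo "openvpn NOT running; last log state: $(ovpn_last_state /var/log/openvpn.log)"; fi
    rm -f "/tmp/ovpn_ps.$$"
}

# Constructed samples (copied from the post's output) in a temp dir.
ovpn_make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'root 61518 0.0 0.1 23052 9896 - Ss 09:54 0:00.05 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1/config.ovpn' \
        'root 18564 0.0 0.0 12752 2360 0 S+ 09:55 0:00.00 grep openvpn' > "$d/ps_up"
    printf '%s\n' '42536 0 S+ 0:00.00 grep openvpn' > "$d/ps_down"
    printf '%s\n' 'Nov 22 09:54:27 openvpn 61518 Initialization Sequence Completed' \
        'Nov 22 09:59:16 openvpn 61518 VPNCert-user/75.152.103.53:2539 write UDPv4: No route to host (fd=6,code=65)' > "$d/log_drop"
    printf '%s\n' 'Nov 22 11:08:00 openvpn 71097 SIGTERM[hard,] received, process exiting' \
        'Nov 22 11:08:01 openvpn 83816 FreeBSD ifconfig failed: external program exited with error status: 1' \
        'Nov 22 11:08:01 openvpn 83816 Exiting due to fatal error' > "$d/log_restart"
    echo "$d"
}
```

Offline, `d=$(ovpn_make_samples); ovpn_last_state "$d/log_restart"` prints `ifconfig_failed`; on the firewall, `ovpn_restart_and_verify` does the real check.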