Alias use in OpenVPN - Broken on Reboots (and possibly other edge cases)
-
Hmm, still can't replicate that here in Plus. The start order could well have changed since 2.7.2.
How are those aliases being resolved? If you add one as a host override locally does it make it into the conf. Though that doesn't work here with a near default setup
-
I'm not sure I am interpreting your question correctly, so if I am not answering your question, I apologize.
The aliases are pfSense firewall aliases. For instance, K12A_Devices is an alias for two hosts:
k12a-outlet.k12.benchpress.lan,k12a-bulb.k12.benchpress.lanThe host records referred to in the aliases are DHCP static mappings under pfSense DHCP server (for instance
k12a-outletis statically assigned a 192 address).I tried adding a host override for k12a-outlet, and it still did not make it into the configuration after reboot. It does show up after clicking "save" in the UI for the settings though (same behavior as static mappings).
-
Ok, that's the same thing I'm seeing. It can only resolve it against Unbound when static mappings are added and that is not running when the file is created in 2.7.2.
Also those are not added at boot but host overrides and other resolved hosts are.
I don't think that is a bug though since it has never worked AFAIK and was not expected to. It should be opened as a feature request though so:
https://redmine.pfsense.org/issues/15922 -
Thanks for opening the feature request and working through it! I appreciate it!
-
@azeliff3 said in Alias use in OpenVPN - Broken on Reboots (and possibly other edge cases):
Unfortunately, restarting the OpenVPN service (even after 5-6 minutes uptime) does not appear to get those resolved hostname aliases to show in the configuration
Restarting by clicking here :
does not recreate ".opvn" config file from the pfSense GUI settings.
It's more a "if a config file exist, start the openvpn binary".However, with some minimal scripting you can do what is done when you click here :
My problem is : I don't have 2.7.2. anymore ...
If you're not afraid of some PHP (re)searching, I can already tell you that all you need is in
/etc/inc/services.inc
/etc/inc/services-utils.inc
/etc/inc/openvpn.inc
/usr/local/www/vpn_openvpn_server.php (for reference)
I'll be assisting you. -
Hello,
I'm suffering from a very similar issuewith pfsense Plus. I don't know how to reproduce it. I'm not sure if the reboot is the root cause because I haven't been able to reboot the appliance for testing purposes. But from time to time, I realize OpenVPN has the wrong config because the alias was not replaced. Here's the reported bug: https://redmine.pfsense.org/issues/16073 -
So you only see it with nested aliases in the local networks list?
-
Yes, I only see it with nested aliases in the local networks list.
I've been checking the source code and I think it could be a problem related to the boot order. If openVPN service starts before aliases have been loaded into the variable
$aliastable, thefunction alias_to_subnets_recursivewill return an empty array and thefunction openvpn_gen_route_ipv4will write a config line with the alias as-is without replacing it. And this is the behaviour I am seeing.
I've seen the boot service order is managed by/etc/rc.bootupand it seems OpenVPN starts before having aliases loaded... Not sure which is the cleanest way to fix this. -
What sort of aliases are they?
-
AliasChild1=192.168.0.0/16
AliasChild2=10.0.0.0/8
AliasParent=AliasChild1, AliasChild2All children are either an IP address or subnet, none of the children contain further aliases.
AliasParent is the only entry used in OpenVPN server's
IPv4 Local network(s)field.Restarting OpenVPN or saving without any modification
AliasParentfix the configuration replacing the alias. -
Hm, so only IPs and subnets, nothing that needs to be resolved? That should load as soon as pf does, which should be before the openvpn resyn at boot.
Do you see any errors in the OpenVPN or system logs when this happens? Or any sort of difference in the process ordering?
