Netgate Discussion Forum

    OpenVPN reconnect on WAN DHCP renew

      maltehillmann

      Hello!

      I have a Netgate SG-1100. It was working great with my old ISP, using PPPoE. Now I have changed my ISP to a cable provider. The cable modem is in bridge mode and the pfSense gets its IP address via DHCP.

      The problem is: the ISP has a very short lease time of around 30-90 minutes. (changes sometimes?)
      Every time pfSense renews the lease, it kills my OpenVPN connection. Even when it gets the same IP address as before. (which it does, most of the time)

      Here is a log of a renew:
      I changed the last two octets from WAN/VPN-IP. And yes, it gets the same IP-Address as before, but states an IP change/WAN reconnection. I also modified the interface name of the OpenVPN. OpenVPN changes its IP-Address because it gets a force restart from the WAN-IP "change".

      Jun 18 14:20:40 pfSense check_reload_status: rc.newwanip starting mvneta0.4090
      Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: Info: starting on mvneta0.4090.
      Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 77.21.12.34) (interface: WAN[wan]) (real interface: mvneta0.4090).
      Jun 18 14:20:41 pfSense dhcpleases: /etc/hosts changed size from original!
      Jun 18 14:20:46 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 208.67.222.222 and adding a new route through 77.21.12.254
      Jun 18 14:20:47 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 10.3.12.254
      Jun 18 14:20:48 pfSense php-fpm[75805]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
      Jun 18 14:20:51 pfSense dhcpleases: /etc/hosts changed size from original!
      Jun 18 14:20:51 pfSense dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
      Jun 18 14:20:54 pfSense dhcpleases: kqueue error: unknown
      Jun 18 14:20:59 pfSense php-fpm[75805]: /rc.newwanip: phpDynDNS (): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
      Jun 18 14:21:00 pfSense php-fpm[75805]: /rc.newwanip: Forcefully reloading IPsec
      Jun 18 14:21:00 pfSense check_reload_status: Reloading filter
      Jun 18 14:21:17 pfSense php-fpm[75805]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
      Jun 18 14:21:18 pfSense php-fpm[75805]: OpenVPN terminate old pid: 84763
      Jun 18 14:21:19 pfSense kernel: ovpnc1: link state changed to DOWN
      Jun 18 14:21:19 pfSense check_reload_status: Reloading filter
      Jun 18 14:21:19 pfSense php-fpm[75805]: OpenVPN PID written: 34702
      Jun 18 14:21:19 pfSense check_reload_status: Reloading filter
      Jun 18 14:21:19 pfSense php-fpm[75805]: /rc.newwanip: Creating rrd update script
      Jun 18 14:21:21 pfSense kernel: ovpnc1: link state changed to UP
      Jun 18 14:21:21 pfSense check_reload_status: rc.newwanip starting ovpnc1
      Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 77.21.12.34 ->  77.21.12.34 - Restarting packages.
      Jun 18 14:21:22 pfSense check_reload_status: Starting packages
      Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
      Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 10.3.12.34) (interface: VPN[opt2]) (real interface: ovpnc1).
      Jun 18 14:21:23 pfSense dhcpleases: /etc/hosts changed size from original!
      Jun 18 14:21:23 pfSense php-fpm[75805]: /rc.newwanip: IP Address has changed, killing states on former IP Address 10.3.43.21.
      Jun 18 14:21:25 pfSense php-fpm[79709]: /rc.start_packages: Restarting/Starting all packages.
      Jun 18 14:21:30 pfSense rc.gateway_alarm[34636]: >>> Gateway alarm: VPN_VPNV4 (Addr:8.8.8.8 Alarm:1 RTT:29.558ms RTTsd:20.728ms Loss:22%)
      Jun 18 14:21:30 pfSense check_reload_status: updating dyndns VPN_VPNV4
      Jun 18 14:21:30 pfSense check_reload_status: Restarting ipsec tunnels
      Jun 18 14:21:30 pfSense check_reload_status: Restarting OpenVPN tunnels/interfaces
      Jun 18 14:21:30 pfSense check_reload_status: Reloading filter
      Jun 18 14:21:30 pfSense php-fpm[79709]: [pfBlockerNG] Starting cron process.
      Jun 18 14:21:31 pfSense check_reload_status: Syncing firewall
      Jun 18 14:21:31 pfSense check_reload_status: Reloading filter
      Jun 18 14:21:33 pfSense php-fpm[79709]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Jun 18 14:21:33 pfSense php-fpm[79709]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use HIDEME_VPNV4.
      Jun 18 14:21:35 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 208.67.222.222 and adding a new route through 77.21.12.254
      Jun 18 14:21:35 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 10.3.43.254
      Jun 18 14:21:35 pfSense php-fpm[79709]: /rc.filter_configure_sync: dpinger: No dpinger session running for gateway HIDEME_VPNV4
      Jun 18 14:21:36 pfSense php-fpm[75805]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
      Jun 18 14:21:39 pfSense dhcpleases: /etc/hosts changed size from original!
      Jun 18 14:21:40 pfSense dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
      Jun 18 14:21:43 pfSense dhcpleases: kqueue error: unknown
      Jun 18 14:21:47 pfSense php-fpm[5078]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
      Jun 18 14:21:47 pfSense check_reload_status: Reloading filter
      Jun 18 14:21:47 pfSense php-fpm[75805]: /rc.newwanip: Ignoring IPsec reload since there are no tunnels on interface opt2
      Jun 18 14:21:47 pfSense php-fpm[75805]: /rc.newwanip: Creating rrd update script
      Jun 18 14:21:50 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.3.12.34 ->  10.3.43.21 - Restarting packages.
      Jun 18 14:21:50 pfSense check_reload_status: Starting packages
      Jun 18 14:21:51 pfSense php-fpm[75805]: /rc.start_packages: Restarting/Starting all packages.
      

      Maybe someone can help me?
      Do I have to change my config anywhere or is there a bug in the rc.newwanip script?

      As I said before: This config worked great with PPPoE. The problem has been there since I changed it to DHCP.

      Thank you.

      Regards
      Malte
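
As an added example (not part of the original post and not pfSense code): a small Python script that splits a system log into rc.newwanip runs and reports the runs where OpenVPN was resynced although the logged old and new addresses are identical. The sample lines are abridged from the log above; the function names are made up for this example, and the regexes assume the message wording shown in that log.

```python
import re

# Sample input: abridged from the log in the post above (assumed message wording).
SAMPLE_LOG = """\
Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 77.21.12.34) (interface: WAN[wan]) (real interface: mvneta0.4090).
Jun 18 14:21:17 pfSense php-fpm[75805]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Jun 18 14:21:18 pfSense php-fpm[75805]: OpenVPN terminate old pid: 84763
Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 77.21.12.34 ->  77.21.12.34 - Restarting packages.
Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 10.3.12.34) (interface: VPN[opt2]) (real interface: ovpnc1).
Jun 18 14:21:50 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.3.12.34 ->  10.3.43.21 - Restarting packages.
"""

RUN_START = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) .*rc\.newwanip: on \(IP address: (\S+)\) "
    r"\(interface: (\w+)\[\w+\]\) \(real interface: (\S+)\)")
RESYNC = re.compile(r"Resyncing OpenVPN instances for interface (\w+)")
CHANGE = re.compile(r"IP change or dynamic WAN reconnection - (\S+) ->\s+(\S+) -")


def newwanip_runs(log_text):
    """Split the log into rc.newwanip runs, one per interface event."""
    runs, cur = [], None
    for line in log_text.splitlines():
        m = RUN_START.search(line)
        if m:
            cur = {"time": m.group(1), "interface": m.group(3), "real_if": m.group(4),
                   "old_ip": None, "new_ip": None, "openvpn_resynced": False}
            runs.append(cur)
            continue
        if cur is None:
            continue  # lines before the first run header belong to no run
        if RESYNC.search(line):
            cur["openvpn_resynced"] = True
        m = CHANGE.search(line)
        if m:
            cur["old_ip"], cur["new_ip"] = m.groups()
    return runs


def same_ip_resyncs(log_text):
    """Runs where OpenVPN was resynced although the address did not change."""
    return [r for r in newwanip_runs(log_text)
            if r["openvpn_resynced"] and r["old_ip"] and r["old_ip"] == r["new_ip"]]


if __name__ == "__main__":
    for r in same_ip_resyncs(SAMPLE_LOG):
        print(f'{r["time"]} {r["interface"]} ({r["real_if"]}): '
              f'OpenVPN resynced, address unchanged ({r["old_ip"]})')
```

Run against a longer log, the number of flagged runs per day should roughly match the number of DHCP renewals if every renewal triggers the resync.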

        maltehillmann

        Okay, I've done some research myself.

        The rc.newwanip script contains these lines:

        /*
         * We need to force sync VPNs on such even when the IP is the same for dynamic interfaces.
         * Even with the same IP the VPN software is unhappy with the IP disappearing, and we
         * could be failing back in which case we need to switch IPs back anyhow.
         */
        if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interfaces'][$interface]['ipaddr'])) {
        

        I'm unsure why VPN needs to be restarted when there is NO IP change on WAN. The WAN interface isn't down for the time pfSense renews the lease.

        So I changed this line a bit:

        if (!is_ipaddr($oldip) || $curwanip != $oldip) {
        

        Now the script does not force restart my OpenVPN anymore. My OpenVPN client works without problems, even after the renew.
        But I think that isn't a permanent solution.

        Any ideas for a stable fix?

        Regards
        Malte

          stephenw10 Netgate Administrator

          Ok so that happens because your WAN 'ipaddr' is set to dhcp I assume?

          Is that an OpenVPN client or server?

          You may be able to work around it by running that on a different interface, one that is static. Then port forwarding to it in the server case.

          Steve
