Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Disabled static route deletes OpenVPN's routes

    Scheduled Pinned Locked Moved
    OpenVPN
    3
    6
    716
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hbh7
      last edited by

      Hi all,

      Just finished fighting with this issue for the last hour trying to figure out why my VPN wasn't routing properly. Turns out that if you've previously set up static routes and disabled but not deleted them (I was migrating from an old setup and kept them just in case), they're not really disabled like you'd think.

      Once OpenVPN starts up and it makes its routes, after about 5 seconds they mysteriously vanishe. Something relating to the disabled static routes is deleting OpenVPN's routes because once I deleted the disabled routes, no longer were OpenVPN's routes deleted.

      In case that wasn't clear:

      1. Have disabled static route
      2. Have OpenVPN make a similar route using the same network (such as thru remote networks)
      3. Start OpenVPN server, route appears in diagnostics -> routes
      4. After a few seconds, route is gone, never to be seen again.

      I think there's something not right here because I can't imagine how this is intended functionality. Perhaps I'm mistaken. I wanted to submit a bug report but their requirements seemed a bit scary and like they want me to find the exact bug in the code, and otherwise to post here, so here I am.

      Hope someone can shed some light on this or get it passed to the right people. Thanks!

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        I have seen something similar but could not duplicate it in my lab.

        You do not need to find the specific bug in the code to open a bug report, but specific steps to duplicate, preferably starting with a clean installation of the current production version (2.4.4-p3) would be helpful.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • F
          fertig
          last edited by

          @Derelict said in Disabled static route deletes OpenVPN's routes:

          I have seen something similar but could not duplicate it in my lab.

          I've got the same problem here, pfSense 2.4.5_p1. Took me hours of inspecting. I'm also migrating from a separate OpenVPN Router, so I had static routes to the target OpenVPN directing to this router.

          This is simple to reproduce:

          1. create OpenVPN Connection to some target. In my case this is a client connection and the server is pushing the routes to the target networks to the client

          2. test this connection

          3. create a static route (to some other device in your network) for the above target network

          4. disable the static route

          5. to be sure - reboot the pfsense.

          (you should be able to start at step 3, if you allready have a working OpenVPN)

          If you ping from the pfSense cli to some hosts in the target network you will observe that the pings are only working for about 5 seconds after restarting the VPN. Then the routes disappear.

          This should not happen, as the static routes are "disabled".

          Christian

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Workaround: delete them. Don't set them to disabled. You should not be using static routes for OpenVPN routes anyway. Let OpenVPN maintain them using Remote Networks.

            I have not looked at the code path there but I have seen similar. It is as if a disabled route is deleted from the routing table "just to be sure" or the same code that is run when you disable an active route is run when you restart.

            If you think you have steps to reproduce, search for the same issue on the redmine and if you don't find it, file a bug.

            https://redmine.pfsense.org/

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            F 1 Reply Last reply Reply Quote 1
            • F
              fertig @Derelict
              last edited by

              @Derelict said in Disabled static route deletes OpenVPN's routes:

              Workaround: delete them. Don't set them to disabled. You should not be using static routes for OpenVPN routes anyway. Let OpenVPN maintain them using Remote Networks.

              • if you're using a separate OpenVPN-gateway, you'll have to use static routes to this gateway
              • if you're migrating away from such a gateway, while you're testing the OpenVPN on the pfSense, you'll allways disable the routes
                temporarly, to get back quickly. This is the normal way of doing in my opinion... Especially because you don't get the VPN working - as
                the routes are allways deleted. This is a complete unexpected behaviour.

              Anyway, I filled a bug report

              Christian

              DerelictD 1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate @fertig
                last edited by

                @fertig said in Disabled static route deletes OpenVPN's routes:

                @Derelict said in Disabled static route deletes OpenVPN's routes:

                Workaround: delete them. Don't set them to disabled. You should not be using static routes for OpenVPN routes anyway. Let OpenVPN maintain them using Remote Networks.

                • if you're using a separate OpenVPN-gateway, you'll have to use static routes to this gateway

                That is a static route to a gateway, not into OpenVPN. Two entirely different things.

                • if you're migrating away from such a gateway, while you're testing the OpenVPN on the pfSense, you'll allways disable the routes
                  temporarly, to get back quickly. This is the normal way of doing in my opinion... Especially because you don't get the VPN working - as
                  the routes are allways deleted. This is a complete unexpected behaviour.

                Anyway, I filled a bug report

                Good deal. That's the way to get developer eyes on it.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post