Minor issue - Changing WAN IP breaks OpenVPN until restart



  • We got a new ISP last week so I updated my static IP info on the WAN interface and various aliases.  After applying, everything seemed to work fine.  Days later, I noticed that nobody has been able to connect to the VPN since the IP change.  I went to Status > OpenVPN and clicked the restart service button, and everything immediately started connecting properly again.  I'm guessing that OpenVPN listens on a specific IP address instead of just "whatever IP the WAN interface has", and so it got left behind when that WAN IP was changed.

    I request that, if OpenVPN's bound interface IP gets changed, the OpenVPN service automatically restart.  Or better, OpenVPN server should automatically be informed of the IP change so that a service restart isn't necessary.

    Thanks for the amazing product!



  • Yes, you can look at two things:

    • In your OpenVPN config, you will see a line stating:

      • Local (wan_ip) - Which shows the IP that the service was bound to when the OpenVPN service started
    • Run "sockstat -4 -l" from the shell, which will show you what IP, port, and protocol the openvpn service is currently listening on

    Neither of the above is going to update until the OpenVPN service is restarted.  So, there currently must not be a mechanism to restart the OpenVPN service once an IP change has been detected on the WAN interface. If it's something that happens frequently on your connection, I would submit an enhancement or feature request.  Unfortunately, I am not sure how that would be submitted.  Possibly through the bug tracker -> https://redmine.pfsense.org?
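
The check described in the post above, written as a script (an added example, not part of the thread and not pfSense's own code): it parses `sockstat -4 -l` output and reports any openvpn listener bound to an address other than the current WAN IP. The sample output and addresses are constructed, and the function name `stale_openvpn_binds` and the interface name `em0` are assumptions.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `sockstat -4 -l` output (not captured from a real box).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    41822 6  udp4   203.0.113.10:1194     *:*
root     openvpn    41990 5  tcp4   *:1195                *:*
root     sshd       913   4  tcp4   *:22                  *:*
unbound  unbound    2210  5  udp4   127.0.0.1:53          *:*'

# stale_openvpn_binds SOCKSTAT_TEXT CURRENT_WAN_IP
# Prints "PROTO ADDR:PORT" for every openvpn listener whose local address is
# a specific IP that differs from CURRENT_WAN_IP. Wildcard (*) and loopback
# binds are skipped because a WAN address change does not affect them.
# Returns 0 if at least one stale listener was found, 1 otherwise (like grep).
stale_openvpn_binds() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        $2 == "openvpn" {
            addr = $6
            sub(/:[0-9]+$/, "", addr)          # drop the :port suffix
            if (addr != "*" && addr != "127.0.0.1" && addr != wan) {
                print $5, $6
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Demo on the constructed sample: the WAN address is now 198.51.100.7,
# but one openvpn instance is still bound to the old 203.0.113.10.
if stale_openvpn_binds "$SAMPLE" "198.51.100.7"; then
    echo "openvpn is bound to an address the WAN no longer has; restart the service"
fi

# On the firewall itself (em0 as the WAN interface is an assumption):
#   wan_ip=$(ifconfig em0 | awk '/inet /{print $2; exit}')
#   stale_openvpn_binds "$(sockstat -4 -l)" "$wan_ip"
```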



  • There is the --float directive.
    See manual 2.4:
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    How that is handled by the pfSense firewall, I do not know; just try it.



  • @Pippin:

    There is the --float directive.
    See manual 2.4:
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    How that is handled by the pfSense firewall, I do not know; just try it.

    As I read about the float directive, it appears to deal with incoming connections from clients and does not address updating the IP that the OpenVPN service is bound to after a WAN IP change on pfSense.  E.g. if a client is on a laptop connected to a flaky cellular hotspot and the connection breaks briefly, causing the hotspot to reconnect and acquire a new public IP … the float directive will allow the client to re-connect and authenticate even though subsequent connections (post reconnect) are coming from a different IP than the initial connection.


 
