No openvpn connectivity after first disconnect

  • Hello,

    On first connect to the openvpn server (pfSense), all is working perfect, but after disconnecting al future connects result in no connectivity on the openvpn client (Tunnelblick). This seems to be related to the client generating a new mac address every time it connects (and only the first one works and keeps working).

    I am using:
    pfSense 2.4.3
    openvpn in TAP mode (bridge)
    Tunnelblick client on MacOS

    I already found out that using the lladdr option in the client's config file to lock the mac address (instead of generating a new one on every connect) fixes this issue, but this forces me to manually add that option (and keep track of conflicting mac addresses) to the client config file, also a random mac address is the default way of doing it and seems logical for a virtual (client) interface.

    After reconnecting without vpn connectivity (when the client has generated a new mac address), restarting for example dhcp server or dns resolver on pfSense immediately restores connectivity. I guess the new mac address is accepted when some networking is restarted.

    The system log shows "arp: moved from <client_generated_mac_from_previous_connection>to <client_generated_mac_current_connection>on ovpns2" every time the client connects.

    Some ip info:
    pfSense own ip (local gateway):
    DHCP range for local clients:
    openvpn server bridge DHCP start:
    openvpn server bridge DHCP end:

    Interface info:
    WAN: em0
    LAN: em1
    OVPN_TAP: ovpns2 (ovpns1 is a tun server)

    BRIDGE0 members: LAN, OVPN_TAP

    Openvpn's Bridge interface: LAN

    My question:
    Why is there no connectivity when the openvpn client's mac address is different from the previous connection, and what can I do to make al future connects work while still allowing the client to generate a new mac address on every connect?

    Thanks in advance, if any extra information (e.g. logs) is needed please let me know.</client_generated_mac_current_connection></client_generated_mac_from_previous_connection>

Log in to reply