OpenVPN Server not possible to assign to Interface



  • Hello all. Until this last update, I had my OpenVPN server assigned to a specific interface that I created (not the default one, OpenVPN). All my rules were in the new interface that I called "VPN"; the OpenVPN default interface was empty, not a single rule. This configuration was fine for several years.

    Today I updated to the latest version and I was not able to access anything from my VPN; when I copied the rules to the OpenVPN interface all started working again. It seems that the new version (2.4.3-RELEASE-p1) broke the assignment of the server to a specific interface.

    The problem is that many packages don't take the OpenVPN interface into account, and that limits a lot. Is this a bug from the latest release that should be fixed?

    Thank you
    All



  • Ok, some more tests show me that it seems that only the rules in the OpenVPN interface are being evaluated... For example, if I create a rule and activate the logs in the OpenVPN interface, the log shows as interface the "VPN" (the new one that I have created); more testing is required to check if the packages are taking the "VPN" interface into account.

    This seems strange, can it be a bug?

    Thank you



  • The rules in the "VPN" interface are never evaluated, only the ones in the OpenVPN default interface. This breaks packages like pfBlockerNG. Seems like a bug from the update.

    I'm trying to open a ticket, but I'm having difficulties restoring my password, I'll try again later.

    Thank you



  • Hi,

    This is what I figured out:
    I kept my "OpenVPN" interface - auto-created when creating a VPN server - empty, no rules.

    [screenshot]

    This is the description of my VPN server:

    [screenshot]

    I was able to create the new interface OPT3, using the VPN server instance:

    [screenshot]

    And could add rules to this interface - which can be 'seen' and 'used' by packages:

    [screenshot]



  • That was the configuration that I had before the update, now I had to swap my rules to the OpenVPN interface to keep working.

    A strange thing is that if I activate logging on the rules on my new interface VPN, I don't get any entry in the logs, but if I activate the log in the OpenVPN interface I get logs, but they have the name of the new interface "VPN".



  • Humm.
    Running 2.4.3-RELEASE-p1 (amd64) since it was available - didn't notice any changes.

    Use the principle that your system == my system (same pfSense version == same code). Only the "config" is different - and mine works.
    I propose that you delete as much as possible and redo your config.

    Your interface "VPN" is an OPTx interface that you created when you assigned the VPN server instance to an interface, right?



  • Hello, yes my interface is an OPT, I renamed it to VPN to better identify it. I will try to delete all and create again when I get back home next week; now I don't want to risk it and lose connection to the VPN again.

    Thank you


  • Rebel Alliance Developer Netgate

    What version were you on before?

    I run several systems (At my edge and in my lab) with assigned OpenVPN interfaces and I haven't noticed any change in behavior here.

    The rules on the OpenVPN tab will be processed before the assigned interface tab rules, but they should both be respected. Unless, perhaps, you have some other group defined which may be interfering.

    See https://www.netgate.com/docs/pfsense/firewall/firewall-rule-processing-order.html for more information on how the rules are processed.

    You can see the generated set of rules in /tmp/rules.debug and the contents of that should shed some light on what is happening when your rules are on the VPN/OPT3 interface.
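    The ordering point above is easiest to see by walking a ruleset the way pf does: rules for the OpenVPN interface group come first, every pfSense user rule carries `quick`, so the first matching rule ends evaluation. The script below is an added illustration, not code from pfSense or from anyone in this thread; the ruleset text is a constructed, simplified imitation of `/tmp/rules.debug` (the `openvpn` group membership, the `$VPN` macro, the addresses and labels are all assumed), and `evaluate()` reports which rule would decide a given packet on the `ovpns1` interface.

```python
"""Simulate pf first-match ('quick') evaluation over a constructed
rules.debug-style ruleset, to show that rules on the 'openvpn' interface
group are evaluated before rules on the assigned OPTx/VPN interface."""
import ipaddress
import re

# Constructed sample in the style of pfSense's /tmp/rules.debug (simplified,
# not copied from any real system). OpenVPN-tab rules are written against the
# 'openvpn' pf interface group; the assigned interface uses the $VPN macro.
SAMPLE_RULES = """
# Interface macros (constructed)
VPN = "{ ovpns1 }"

# OpenVPN tab (interface group 'openvpn') -- emitted first
block  in log quick on openvpn inet from 10.8.0.0/24 to 192.168.1.10 label "USER_RULE: no vpn to fileserver"
pass   in quick on openvpn inet from any to 192.168.1.1 label "USER_RULE: vpn to firewall"

# Assigned interface tab (OPT3 renamed VPN) -- emitted after the group rules
pass   in quick on $VPN inet from 10.8.0.0/24 to any label "USER_RULE: allow all from vpn"
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?:log\s+)?(?P<quick>quick\s+)?"
    r"on\s+(?P<iface>\S+)\s+inet\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r".*label\s+\"(?P<label>[^\"]*)\""
)
MACRO_RE = re.compile(r'^(?P<name>\w+)\s*=\s*"\{\s*(?P<members>[^}]*)\}"')

# Assumed group membership: the OpenVPN server interface belongs to the
# 'openvpn' pf interface group, as pfSense sets it up.
GROUPS = {"openvpn": {"ovpns1"}}


def parse_ruleset(text):
    """Return (macros, rules); rules keep the order they appear in the file."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m["name"]] = set(m["members"].split())
            continue
        r = RULE_RE.match(line)
        if r:
            d = r.groupdict()
            d["quick"] = bool(d["quick"])
            rules.append(d)
    return macros, rules


def _iface_matches(rule_iface, packet_iface, macros):
    # '$NAME' resolves through a macro, a bare group name through GROUPS,
    # anything else must equal the packet's interface exactly.
    if rule_iface.startswith("$"):
        return packet_iface in macros.get(rule_iface[1:], set())
    if rule_iface in GROUPS:
        return packet_iface in GROUPS[rule_iface]
    return rule_iface == packet_iface


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(text, packet_iface, src, dst):
    """Walk the rules in order. A matching 'quick' rule ends evaluation at once;
    otherwise the last match wins; no match falls through to pf's default block.
    Returns (action, rule label)."""
    macros, rules = parse_ruleset(text)
    winner = None
    for r in rules:
        if r["dir"] != "in":
            continue
        if not _iface_matches(r["iface"], packet_iface, macros):
            continue
        if not (_addr_matches(r["src"], src) and _addr_matches(r["dst"], dst)):
            continue
        winner = r
        if r["quick"]:
            break
    if winner is None:
        return ("block", "default deny")
    return (winner["action"], winner["label"])


if __name__ == "__main__":
    # Decided by the OpenVPN-tab rule although the VPN-tab rule would pass it:
    print(evaluate(SAMPLE_RULES, "ovpns1", "10.8.0.5", "192.168.1.10"))
    # No group rule matches, so the assigned-interface rule decides:
    print(evaluate(SAMPLE_RULES, "ovpns1", "10.8.0.5", "192.168.1.20"))
```

    Run against a copy of a real `/tmp/rules.debug` the regexes would need widening (pfSense emits `reply-to`, `tracker`, `keep state` and other keywords), but the evaluation order is the part worth checking: a rule on the OpenVPN tab that matches the traffic decides it before anything on the assigned VPN/OPT3 tab is consulted, which is consistent with the log entries carrying the assigned interface's name while the rule that fired lives on the OpenVPN tab.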



  • I jumped 2 or 3 versions (don't remember), because I'm not on site, and I don't like to make updates remotely. This time I did and it confirmed the reason why I don't do them... I was locked out of my remote site... I will try to analyse this and report back...

    Thank you