Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Bug or not: IPSec and OpenVPN bind to wrong IP on WAN with virtual IPs (2.4.4-p1)

    General pfSense Questions
    2
    4
    372
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      msi
      last edited by msi

      I'd like to understand if I'm running into a bug or not, the issue has come up when updating an old pfSense 2.0 to 2.4.4 (via 2.3.5) which otherwise was pretty straightforward beyond pfSense to my surprise beyond some minor nits (i.e. changing from SHA1 to SHA256 on OpenVPN server side).

      What I encountered:

      • pfSense has a default gateway on an OPT (not WAN if that matters, for historic reasons) where IPSec and OpenVPN should bind to.
      • OPT interface has a /29 of IPv4 addresses, the first IP is the interface IP, the other 3 are configured as virtual IPs
      • Both OpenVPN and IPSec were configured to use the interface address, however generated config always started those service on the first virtual IP (only ralized when playing with sockstat and checking /var/etc)
      • If the first (or any other) virtual IP was explicitely configured, the IP defined in the GUI would also be the one both devices would bind to.

      The current workaround was to move IPSec and OpenVPN to one of the virtual IPs, fortunately only 2 virtual IPs were in use so 2 services could be moved to one free IPv4 address.

      Although 2.0 was really outdated, before upgrading it would bind IPSec and OpenVPN to the interface IP, not the first virtual IP and not on 2.4.4 it does not generate according configs.

      IMO this looks like a bug, but I'd first like to confirm this and if I can provide some extra debugging or config.xml snippets, I'm all game.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by Derelict

        Based on what you have described it sounds like it was working incorrectly and is now working correctly. So if anything it was a bug that has been fixed.

        Unless I'm reading the description wrong.

        If so provide screen shots of the OPT inerface configuration, VIP configuration, the VPN binding configuration, and the proof it's binding to a different address.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • M
          msi
          last edited by msi

          Hi

          It wasn't as easy to describe but I might have to rephrase and thus let me add some more data,
          it's actually the other way: Worked as expected previously, doesn't work as expected after the updated.

          I thought it was easier to show XML/config and shell example instead of screenshots, I hope this is OK as well.
          However the forum software detected all code sections as spam, so I had to resort to github gists instead:

          I've snipped the config.xml parts about the OPT IPs, the virtual IPs: ifconfig

          This results in the following (shortened) ifconfig

          First: Known-good config

          • Now for the known-good/working way when I select (any) virtual IP to bind OpenVPN to on WAN_<removed>, this is the resulting part of <openvpn-server> section in config.xml
          • This in turn results into the following OpenVPN config (in this case /var/etc/openvpn/server1.conf)
          • And you can see, the output of sockstat confirms that it does bind to the right IP.

          Problematic case: Binding to the OPT's IP:

          Now for the (to me) problematic example when I select WAN_<removed> as Interface...

          • First the <openvpn-server> part of config.xml, there you can see that no Address is defined.
          • This however results into the following server1.conf for OpenVPN.
          • And sockstat confirms that indeed, even though you can see the difference in config.xml, the OpenVPN server does not bind to .250 which is the WAN_<removed>'s address.

          I could repeat that with the IPSec server but it is repeatable with both IPSec and OpenVPN.

          1 Reply Last reply Reply Quote 0
          • M
            msi
            last edited by

            Hi

            I wanted to ask about where to look at further. The workaround works and since then I have (for sole fun) tried to reproduce this on a fresh system with a main and a secondary virtual IP but have not been able to reproduce it.

            It has been reproducible though on this particular setup that has been update from 2.0.3 via 2.3.5 to latest 2.4.4-p1.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.