OpenVPN and Static routes mess
Hello everyone, I write here to report strange behaviour we had with our pfSense box.
We have set up OpenVPN site-to-site with one central server and 8 remote clients.
Server side, 12 subnets are declared in IPv4 Remote Networks to reach the other sites.
Until 2.4.3_P1 it worked well, at the cost of a manual restart of the OpenVPN service after each reboot. The suspected cause was that the WAN interface could not be fully ready when the OpenVPN server starts. With the 2.4.4_P1 upgrade, OpenVPN traffic suddenly dropped periodically without any reason, as server and clients were still up in status and nothing very noticeable was in the logs.
By restarting the OpenVPN service, traffic gets back to life, but this made the whole thing very unstable as it drops again a few minutes later. With no way to downgrade to previous versions, we started investigating deeper. It revealed that only some of the remote sites were lost and, by looking at the server's routing table, only half of the OpenVPN routes had disappeared. If the OpenVPN service is restarted, the routes get back to life, but the same thing happens some minutes later....
We finished by looking in the XML config file and found that the lost routes corresponded exactly to DISABLED old static routes that were remaining since the VPN migration from another pfSense.
By deleting those static routes, no more drops, even after reboot.
I end this post as a feature suggestion to check existing static routes while setting up OpenVPN, to avoid such conflicts and many hours of investigation for other careful users like me who use disable instead of delete for quick rollback.
Thanks to the pfSense team!
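The check the post asks for, written here as an added example (not pfSense's own code and not from the poster): it reads a pfSense-style config.xml and reports every static route, enabled or disabled, whose destination overlaps a network listed in an OpenVPN server's IPv4 Remote Networks. The element names `staticroutes/route/network`, the empty `disabled` element and `openvpn/openvpn-server/remote_network` are assumed to match the config.xml layout; the sample document, gateway names and subnets are constructed for the demonstration.

```python
"""Report static routes that overlap an OpenVPN server's IPv4 Remote Networks.

Hypothetical helper written for this thread, not pfSense code. It assumes the
config.xml element names used below (staticroutes/route/network/disabled and
openvpn/openvpn-server/remote_network). The sample config is constructed.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one disabled leftover route that collides with a
# remote network of the OpenVPN server, one unrelated enabled route.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <staticroutes>
    <route>
      <network>10.20.0.0/24</network>
      <gateway>OLD_VPN_GW</gateway>
      <descr>Old site B route, kept disabled for rollback</descr>
      <disabled></disabled>
    </route>
    <route>
      <network>192.168.50.0/24</network>
      <gateway>LAN_GW</gateway>
      <descr>Printer VLAN</descr>
    </route>
  </staticroutes>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <description>Site-to-site hub</description>
      <remote_network>10.20.0.0/24,10.30.0.0/24</remote_network>
    </openvpn-server>
  </openvpn>
</pfsense>
"""


def parse_static_routes(root):
    """Return every static route as a dict; a <disabled> element marks it disabled."""
    routes = []
    for r in root.findall("./staticroutes/route"):
        net = (r.findtext("network") or "").strip()
        if not net:
            continue
        routes.append({
            "network": ipaddress.ip_network(net, strict=False),
            "gateway": (r.findtext("gateway") or "").strip(),
            "descr": (r.findtext("descr") or "").strip(),
            "disabled": r.find("disabled") is not None,
        })
    return routes


def parse_remote_networks(root):
    """Yield (vpnid, network) for each comma-separated IPv4 Remote Network."""
    for s in root.findall("./openvpn/openvpn-server"):
        vpnid = (s.findtext("vpnid") or "?").strip()
        for tok in (s.findtext("remote_network") or "").split(","):
            tok = tok.strip()
            if tok:
                yield vpnid, ipaddress.ip_network(tok, strict=False)


def find_conflicts(config_xml):
    """List every static route whose prefix overlaps an OpenVPN remote network."""
    root = ET.fromstring(config_xml)
    routes = parse_static_routes(root)
    conflicts = []
    for vpnid, rnet in parse_remote_networks(root):
        for route in routes:
            # Only compare same address family; overlaps() is prefix-aware.
            if route["network"].version == rnet.version and route["network"].overlaps(rnet):
                conflicts.append({
                    "vpnid": vpnid,
                    "remote_network": str(rnet),
                    "static_route": str(route["network"]),
                    "gateway": route["gateway"],
                    "disabled": route["disabled"],
                    "descr": route["descr"],
                })
    return conflicts


if __name__ == "__main__":
    # Usage: python check_routes.py /conf/config.xml  (or no argument for the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for c in find_conflicts(xml_text):
        state = "DISABLED" if c["disabled"] else "enabled"
        print(f"OpenVPN server {c['vpnid']} remote {c['remote_network']} overlaps "
              f"{state} static route {c['static_route']} via {c['gateway']} ({c['descr']})")
```

Disabled routes are reported on purpose, since that is exactly the case the post describes; the `disabled` flag in each result lets you decide whether to delete the route or re-point it.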