OpenVPN reconnect on WAN DHCP renew



  • Hello!

    I have a Netgate SG-1100. It was working great with my old ISP, using PPPoE. Now I changed my ISP to some cable provider. The cable modem is in bridge mode and the pfSense gets its IP address via DHCP.

    The problem is: the ISP has a very short lease time of around 30-90 minutes. (changes sometimes?)
    Every time pfSense renews the lease, it kills my OpenVPN connection. Even when it gets the same IP address as before. (which it does, most of the time)

    Here is a log of a renew:
    I changed the last two octets of the WAN/VPN IPs. And yes, it gets the same IP address as before, but states an IP change/WAN reconnection. I also modified the interface name of the OpenVPN. OpenVPN changes its IP address because it gets a forced restart from the WAN IP "change".

    Jun 18 14:20:40 pfSense check_reload_status: rc.newwanip starting mvneta0.4090
    Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: Info: starting on mvneta0.4090.
    Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 77.21.12.34) (interface: WAN[wan]) (real interface: mvneta0.4090).
    Jun 18 14:20:41 pfSense dhcpleases: /etc/hosts changed size from original!
    Jun 18 14:20:46 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 208.67.222.222 and adding a new route through 77.21.12.254
    Jun 18 14:20:47 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 10.3.12.254
    Jun 18 14:20:48 pfSense php-fpm[75805]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
    Jun 18 14:20:51 pfSense dhcpleases: /etc/hosts changed size from original!
    Jun 18 14:20:51 pfSense dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
    Jun 18 14:20:54 pfSense dhcpleases: kqueue error: unknown
    Jun 18 14:20:59 pfSense php-fpm[75805]: /rc.newwanip: phpDynDNS (): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
    Jun 18 14:21:00 pfSense php-fpm[75805]: /rc.newwanip: Forcefully reloading IPsec
    Jun 18 14:21:00 pfSense check_reload_status: Reloading filter
    Jun 18 14:21:17 pfSense php-fpm[75805]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
    Jun 18 14:21:18 pfSense php-fpm[75805]: OpenVPN terminate old pid: 84763
    Jun 18 14:21:19 pfSense kernel: ovpnc1: link state changed to DOWN
    Jun 18 14:21:19 pfSense check_reload_status: Reloading filter
    Jun 18 14:21:19 pfSense php-fpm[75805]: OpenVPN PID written: 34702
    Jun 18 14:21:19 pfSense check_reload_status: Reloading filter
    Jun 18 14:21:19 pfSense php-fpm[75805]: /rc.newwanip: Creating rrd update script
    Jun 18 14:21:21 pfSense kernel: ovpnc1: link state changed to UP
    Jun 18 14:21:21 pfSense check_reload_status: rc.newwanip starting ovpnc1
    Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 77.21.12.34 ->  77.21.12.34 - Restarting packages.
    Jun 18 14:21:22 pfSense check_reload_status: Starting packages
    Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
    Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 10.3.12.34) (interface: VPN[opt2]) (real interface: ovpnc1).
    Jun 18 14:21:23 pfSense dhcpleases: /etc/hosts changed size from original!
    Jun 18 14:21:23 pfSense php-fpm[75805]: /rc.newwanip: IP Address has changed, killing states on former IP Address 10.3.43.21.
    Jun 18 14:21:25 pfSense php-fpm[79709]: /rc.start_packages: Restarting/Starting all packages.
    Jun 18 14:21:30 pfSense rc.gateway_alarm[34636]: >>> Gateway alarm: VPN_VPNV4 (Addr:8.8.8.8 Alarm:1 RTT:29.558ms RTTsd:20.728ms Loss:22%)
    Jun 18 14:21:30 pfSense check_reload_status: updating dyndns VPN_VPNV4
    Jun 18 14:21:30 pfSense check_reload_status: Restarting ipsec tunnels
    Jun 18 14:21:30 pfSense check_reload_status: Restarting OpenVPN tunnels/interfaces
    Jun 18 14:21:30 pfSense check_reload_status: Reloading filter
    Jun 18 14:21:30 pfSense php-fpm[79709]: [pfBlockerNG] Starting cron process.
    Jun 18 14:21:31 pfSense check_reload_status: Syncing firewall
    Jun 18 14:21:31 pfSense check_reload_status: Reloading filter
    Jun 18 14:21:33 pfSense php-fpm[79709]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
    Jun 18 14:21:33 pfSense php-fpm[79709]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use HIDEME_VPNV4.
    Jun 18 14:21:35 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 208.67.222.222 and adding a new route through 77.21.12.254
    Jun 18 14:21:35 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 10.3.43.254
    Jun 18 14:21:35 pfSense php-fpm[79709]: /rc.filter_configure_sync: dpinger: No dpinger session running for gateway HIDEME_VPNV4
    Jun 18 14:21:36 pfSense php-fpm[75805]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
    Jun 18 14:21:39 pfSense dhcpleases: /etc/hosts changed size from original!
    Jun 18 14:21:40 pfSense dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
    Jun 18 14:21:43 pfSense dhcpleases: kqueue error: unknown
    Jun 18 14:21:47 pfSense php-fpm[5078]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Jun 18 14:21:47 pfSense check_reload_status: Reloading filter
    Jun 18 14:21:47 pfSense php-fpm[75805]: /rc.newwanip: Ignoring IPsec reload since there are no tunnels on interface opt2
    Jun 18 14:21:47 pfSense php-fpm[75805]: /rc.newwanip: Creating rrd update script
    Jun 18 14:21:50 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.3.12.34 ->  10.3.43.21 - Restarting packages.
    Jun 18 14:21:50 pfSense check_reload_status: Starting packages
    Jun 18 14:21:51 pfSense php-fpm[75805]: /rc.start_packages: Restarting/Starting all packages.
    

    Maybe someone can help me?
    Do I have to change my config anywhere or is there a bug in the rc.newwanip script?

    As I said before: this config worked great with PPPoE. The problem has been there since I changed it to DHCP.

    Thank you.

    Regards
    Malte



  • Okay, I've done some research by myself.

    The rc.newwanip script contains these lines:

    /*
     * We need to force sync VPNs on such even when the IP is the same for dynamic interfaces.
     * Even with the same IP the VPN software is unhappy with the IP disappearing, and we
     * could be failing back in which case we need to switch IPs back anyhow.
     */
    if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interfaces'][$interface]['ipaddr'])) {
    

    I'm unsure why VPN needs to be restarted when there is NO IP change on WAN. The WAN interface isn't down for the time pfSense renews the lease.

    So I changed this line a bit:

    if (!is_ipaddr($oldip) || $curwanip != $oldip) {
    

    Now the script does not force restart my OpenVPN anymore. My OpenVPN client works without problems, even after the renew.
    But I think that isn't a permanent solution.

    Any ideas for a stable fix?

    Regards
    Malte


  • Netgate Administrator

    Ok so that happens because your WAN 'ipaddr' is set to dhcp I assume?

    Is that an OpenVPN client or server?

    You may be able to work around it by running that on a different interface, one that is static. Then port forwarding to it in the server case.

    Steve
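
A check for the symptom discussed in this thread, as an added example that is not part of the original posts and is not pfSense code: it splits a system log into rc.newwanip runs and reports the runs where OpenVPN was resynced although the logged old and new addresses are identical. The sample takes three lines from the log quoted above and adds three constructed lines (192.0.2.x); the function names are hypothetical.

```python
import re

# First three lines: from the log quoted in the thread (addresses as redacted
# by the poster). Last three lines: constructed, to show a real address change.
SAMPLE_LOG = """\
Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 77.21.12.34) (interface: WAN[wan]) (real interface: mvneta0.4090).
Jun 18 14:21:17 pfSense php-fpm[75805]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 77.21.12.34 ->  77.21.12.34 - Restarting packages.
Jun 18 15:05:02 pfSense php-fpm[401]: /rc.newwanip: rc.newwanip: on (IP address: 192.0.2.20) (interface: WAN[wan]) (real interface: mvneta0.4090).
Jun 18 15:05:30 pfSense php-fpm[401]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Jun 18 15:05:31 pfSense php-fpm[401]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 192.0.2.10 ->  192.0.2.20 - Restarting packages.
"""

# A run begins at the "on (IP address: ...)" line that rc.newwanip logs.
START = re.compile(r"^(\w{3}\s+\d+ [\d:]+) .*rc\.newwanip: on "
                   r"\(IP address: (\S+)\) \(interface: (\w+)\[")
RESYNC = re.compile(r"Resyncing OpenVPN instances for interface (\w+)")
CHANGE = re.compile(r"IP change or dynamic WAN reconnection - (\S+) ->\s+(\S+) - ")


def parse_runs(log_text):
    """Return one dict per rc.newwanip run found in the log text."""
    runs, current = [], None
    for line in log_text.splitlines():
        m = START.search(line)
        if m:
            current = {"time": m.group(1), "ip": m.group(2), "iface": m.group(3),
                       "vpn_resync": False, "old": None, "new": None}
            runs.append(current)
            continue
        if current is None or "/rc.newwanip:" not in line:
            continue  # line belongs to another script or precedes any run
        if RESYNC.search(line):
            current["vpn_resync"] = True
        m = CHANGE.search(line)
        if m:
            current["old"], current["new"] = m.groups()
    return runs


def needless_resyncs(runs):
    """Runs that resynced OpenVPN while the logged old and new IP are equal."""
    return [r for r in runs
            if r["vpn_resync"] and r["old"] is not None and r["old"] == r["new"]]


if __name__ == "__main__":
    for r in needless_resyncs(parse_runs(SAMPLE_LOG)):
        print(f'{r["time"]} {r["iface"]}: OpenVPN resynced, address stayed {r["new"]}')
```

Counting these runs per day against the DHCP lease time shows how many tunnel drops come from renewals alone rather than from real address changes.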

