OpenVPN reconnect on WAN DHCP renew
-
Hello!
I have a Netgate SG-1100. It was working great with my old ISP, using PPPoE. Now I changed my ISP to some cable provider. The cable modem is in bridge mode and the pfSense gets its IP-Address via DHCP.
The Problem is: The ISP has a very short lease time of around 30-90 minutes. (changes sometimes?)
Every time pfSense renews the lease, it kills my OpenVPN connection. Even when it gets the same IP-Address as before. (which it does, most of the time)
Here is a log of a renew:
I changed the last two octets from WAN/VPN-IP. And yes, it gets the same IP-Address as before, but states an IP change/WAN reconnection. I also modified the interface name of the OpenVPN. OpenVPN changes its IP-Address because it gets a force restart from the WAN-IP "change".
Jun 18 14:20:40 pfSense check_reload_status: rc.newwanip starting mvneta0.4090
Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: Info: starting on mvneta0.4090.
Jun 18 14:20:41 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 77.21.12.34) (interface: WAN[wan]) (real interface: mvneta0.4090).
Jun 18 14:20:41 pfSense dhcpleases: /etc/hosts changed size from original!
Jun 18 14:20:46 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 208.67.222.222 and adding a new route through 77.21.12.254
Jun 18 14:20:47 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 10.3.12.254
Jun 18 14:20:48 pfSense php-fpm[75805]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 18 14:20:51 pfSense dhcpleases: /etc/hosts changed size from original!
Jun 18 14:20:51 pfSense dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
Jun 18 14:20:54 pfSense dhcpleases: kqueue error: unknown
Jun 18 14:20:59 pfSense php-fpm[75805]: /rc.newwanip: phpDynDNS (): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Jun 18 14:21:00 pfSense php-fpm[75805]: /rc.newwanip: Forcefully reloading IPsec
Jun 18 14:21:00 pfSense check_reload_status: Reloading filter
Jun 18 14:21:17 pfSense php-fpm[75805]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Jun 18 14:21:18 pfSense php-fpm[75805]: OpenVPN terminate old pid: 84763
Jun 18 14:21:19 pfSense kernel: ovpnc1: link state changed to DOWN
Jun 18 14:21:19 pfSense check_reload_status: Reloading filter
Jun 18 14:21:19 pfSense php-fpm[75805]: OpenVPN PID written: 34702
Jun 18 14:21:19 pfSense check_reload_status: Reloading filter
Jun 18 14:21:19 pfSense php-fpm[75805]: /rc.newwanip: Creating rrd update script
Jun 18 14:21:21 pfSense kernel: ovpnc1: link state changed to UP
Jun 18 14:21:21 pfSense check_reload_status: rc.newwanip starting ovpnc1
Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 77.21.12.34 -> 77.21.12.34 - Restarting packages.
Jun 18 14:21:22 pfSense check_reload_status: Starting packages
Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: Info: starting on ovpnc1.
Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: rc.newwanip: on (IP address: 10.3.12.34) (interface: VPN[opt2]) (real interface: ovpnc1).
Jun 18 14:21:23 pfSense dhcpleases: /etc/hosts changed size from original!
Jun 18 14:21:23 pfSense php-fpm[75805]: /rc.newwanip: IP Address has changed, killing states on former IP Address 10.3.43.21.
Jun 18 14:21:25 pfSense php-fpm[79709]: /rc.start_packages: Restarting/Starting all packages.
Jun 18 14:21:30 pfSense rc.gateway_alarm[34636]: >>> Gateway alarm: VPN_VPNV4 (Addr:8.8.8.8 Alarm:1 RTT:29.558ms RTTsd:20.728ms Loss:22%)
Jun 18 14:21:30 pfSense check_reload_status: updating dyndns VPN_VPNV4
Jun 18 14:21:30 pfSense check_reload_status: Restarting ipsec tunnels
Jun 18 14:21:30 pfSense check_reload_status: Restarting OpenVPN tunnels/interfaces
Jun 18 14:21:30 pfSense check_reload_status: Reloading filter
Jun 18 14:21:30 pfSense php-fpm[79709]: [pfBlockerNG] Starting cron process.
Jun 18 14:21:31 pfSense check_reload_status: Syncing firewall
Jun 18 14:21:31 pfSense check_reload_status: Reloading filter
Jun 18 14:21:33 pfSense php-fpm[79709]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 18 14:21:33 pfSense php-fpm[79709]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use HIDEME_VPNV4.
Jun 18 14:21:35 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 208.67.222.222 and adding a new route through 77.21.12.254
Jun 18 14:21:35 pfSense php-fpm[75805]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 10.3.43.254
Jun 18 14:21:35 pfSense php-fpm[79709]: /rc.filter_configure_sync: dpinger: No dpinger session running for gateway HIDEME_VPNV4
Jun 18 14:21:36 pfSense php-fpm[75805]: /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 18 14:21:39 pfSense dhcpleases: /etc/hosts changed size from original!
Jun 18 14:21:40 pfSense dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
Jun 18 14:21:43 pfSense dhcpleases: kqueue error: unknown
Jun 18 14:21:47 pfSense php-fpm[5078]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Jun 18 14:21:47 pfSense check_reload_status: Reloading filter
Jun 18 14:21:47 pfSense php-fpm[75805]: /rc.newwanip: Ignoring IPsec reload since there are no tunnels on interface opt2
Jun 18 14:21:47 pfSense php-fpm[75805]: /rc.newwanip: Creating rrd update script
Jun 18 14:21:50 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.3.12.34 -> 10.3.43.21 - Restarting packages.
Jun 18 14:21:50 pfSense check_reload_status: Starting packages
Jun 18 14:21:51 pfSense php-fpm[75805]: /rc.start_packages: Restarting/Starting all packages.
Maybe someone can help me?
Do I have to change my config anywhere or is there a bug in the rc.newwanip script?
As I said before: This config worked great with PPPoE. The problem has been there since I changed it to DHCP.
Thank you.
Regards
Malte
-
Okay, I've done some research by myself.
The rc.newwanip script contains these lines:
/*
 * We need to force sync VPNs on such even when the IP is the same for dynamic interfaces.
 * Even with the same IP the VPN software is unhappy with the IP disappearing, and we
 * could be failing back in which case we need to switch IPs back anyhow.
 */
if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interfaces'][$interface]['ipaddr'])) {
I'm unsure why VPN needs to be restarted when there is NO IP change on WAN. The WAN interface isn't down for the time pfSense renews the lease.
So I changed this line a bit:
if (!is_ipaddr($oldip) || $curwanip != $oldip) {
Now the script does not force restart my OpenVPN anymore. My OpenVPN client works without problems, even after the renew.
But I think that isn't a permanent solution.
Any ideas for a stable fix?
Regards
Malte
-
Ok so that happens because your WAN 'ipaddr' is set to dhcp, I assume?
Is that an OpenVPN client or server?
You may be able to work around it by running that on a different interface, one that is static. Then port forwarding to it in the server case.
Steve
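Added example, not part of the thread and not pfSense code: a Python check over the system log that flags reloads where the old and new address are identical (the 77.21.12.34 -> 77.21.12.34 case in the first post) and measures how long each ovpn* interface stayed down. The function names are illustrative, the sample is an excerpt of the log posted above, and the year in the timestamp parser is an assumption because syslog stamps carry none.

```python
import re
from datetime import datetime

# Excerpt of the system log from the first post (addresses as posted there).
SAMPLE_LOG = """\
Jun 18 14:21:19 pfSense kernel: ovpnc1: link state changed to DOWN
Jun 18 14:21:21 pfSense kernel: ovpnc1: link state changed to UP
Jun 18 14:21:22 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 77.21.12.34 -> 77.21.12.34 - Restarting packages.
Jun 18 14:21:50 pfSense php-fpm[75805]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.3.12.34 -> 10.3.43.21 - Restarting packages.
"""

STAMP_LEN = 15  # length of "Jun 18 14:21:19"
CHANGE = re.compile(r"IP change or dynamic WAN reconnection - (\S+) -> (\S+) -")
LINK = re.compile(r"kernel: (ovpn\w+): link state changed to (DOWN|UP)")


def _when(line):
    # Syslog stamps have no year; a fixed one is assumed so parsing is unambiguous.
    return datetime.strptime("2000 " + line[:STAMP_LEN], "%Y %b %d %H:%M:%S")


def spurious_reloads(log):
    """Return (timestamp, ip) for every reload logged with old address == new address."""
    hits = []
    for line in log.splitlines():
        m = CHANGE.search(line)
        if m and m.group(1) == m.group(2):
            hits.append((line[:STAMP_LEN], m.group(1)))
    return hits


def tunnel_outages(log):
    """Pair each ovpn* link DOWN with the next UP; return (iface, seconds down)."""
    down_since, outages = {}, []
    for line in log.splitlines():
        m = LINK.search(line)
        if not m:
            continue
        iface, state = m.groups()
        if state == "DOWN":
            down_since.setdefault(iface, _when(line))
        elif iface in down_since:
            delta = _when(line) - down_since.pop(iface)
            outages.append((iface, delta.total_seconds()))
    return outages


if __name__ == "__main__":
    print(spurious_reloads(SAMPLE_LOG), tunnel_outages(SAMPLE_LOG))
```

The DOWN/UP gap is interface-level only; the tunnel itself may need longer to renegotiate before traffic flows through it again.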