OpenVPN not longer starts after update to 2.4.5-p1
-
Hello everybody,
I have Netgate XG-1537 HA in use.
After updating the Backup (Slave) FW, OpenVPN no longer starts after reboot and cannot be started in the GUI. A start in the console is possible.
/usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
/usr/local/sbin/openvpn --config /var/etc/openvpn/server2.conf
Log:
Jul 1 12:52:54 openvpn 72500 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020
Jul 1 12:52:54 openvpn 72500 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Jul 1 12:52:54 openvpn 72762 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 1 12:52:54 openvpn 72762 Initializing OpenSSL support for engine 'rdrand'
Jul 1 12:52:54 openvpn 72762 TUN/TAP device ovpns2 exists previously, keep at program end
Jul 1 12:52:54 openvpn 72762 TUN/TAP device /dev/tun2 opened
Jul 1 12:52:54 openvpn 72762 ioctl(TUNSIFMODE): Device busy (errno=16)
Jul 1 12:52:54 openvpn 72762 /sbin/ifconfig ovpns2 192.168.121.129 192.168.121.130 mtu 1500 netmask 255.255.255.128 up
Jul 1 12:52:54 openvpn 72762 /usr/local/sbin/ovpn-linkup ovpns2 1500 1621 192.168.121.129 255.255.255.128 init
Jul 1 12:52:54 openvpn 72762 UDPv4 link local (bound): [AF_INET]2xx.xx.xx.xx:1195
Jul 1 12:52:54 openvpn 72762 UDPv4 link remote: [AF_UNSPEC]
Jul 1 12:52:54 openvpn 72762 Initialization Sequence Completed
Jul 1 12:58:36 openvpn 67760 event_wait : Interrupted system call (code=4)
Jul 1 12:58:36 openvpn 67760 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 192.168.121.1 255.255.255.128 init
Jul 1 12:58:36 openvpn 67760 SIGTERM[hard,] received, process exiting
Jul 1 12:58:37 openvpn 72762 event_wait : Interrupted system call (code=4)
Jul 1 12:58:37 openvpn 72762 /usr/local/sbin/ovpn-linkdown ovpns2 1500 1621 192.168.121.129 255.255.255.128 init
Jul 1 12:58:37 openvpn 72762 SIGTERM[hard,] received, process exiting
Does anyone have an idea what it can be?
Where can I still download v2.4.5 and undo the patch?
Many thanks.
Artur
-
Quick question: why should openvpn start at all on the standby node? Didn't you set it up, so it only runs on the active node? How should that work in case of a failover?
-
Also:
@Mainzelman said in OpenVPN not longer starts after update to 2.4.5-p1:
Jul 1 12:52:54 openvpn 72762 Initialization Sequence Completed
..... nearly 6 minutes pass ....
Jul 1 12:58:36 openvpn 67760 event_wait : Interrupted system call (code=4)
Can you see in the other logs if some event - like an interface event (example, NON exhaustive) - happened, which results in an OpenVPN Server restart (it should restart in such an event) - only the admin can actually stop a service - or an error condition.
-
@JeGr said in OpenVPN not longer starts after update to 2.4.5-p1:
why should openvpn start at all on the standby node? Didn't you set it up, so it only runs on the active node? How should that work in case of a failover?
Many thanks for the answer. As described, I use pfsense HA.
The services run on both firewalls. Until the update to Patch1 it was like that.
I will shut down the master FW (tonight) and see if OpenVPN starts.
For info only - even Snort has not started after the update. A complete uninstall and reinstallation have fixed the error.
-
@Gertjan
Many thanks for the answer. I also searched other logs - found nothing.
-
Hello everybody,
I shut down the Master FW last night.
OpenVPN Service started directly on the backup (Slave) FW!
Maybe I'm wrong - but I think before the update to 2.4.5-p1 the service had also started on the Backup FW.
Thank you all.
-
@Mainzelman said in OpenVPN not longer starts after update to 2.4.5-p1:
Maybe I'm wrong - but I think before the update to 2.4.5-p1 the service had also started on the Backup FW.
Shouldn't have been the case. The only case I know where they are started on both nodes is if you bind them on a local VIP or localhost and forward your OVPN ports with Port Forward entries to that server. That is recommended with e.g. MultiWAN setups to have the ability to connect to the same server via multiple external IPs/WAN uplinks. As the server is bound to "localhost" it is always started/restarted on both nodes and waiting for connections (without getting into each other's turf ;) ).
So seems to be working as intended ;)
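
Added example, not part of any post in this thread: a small Python script that groups OpenVPN syslog lines by PID and reports, per process, whether "Initialization Sequence Completed" was logged, when SIGTERM arrived, and how many errno lines appeared. The sample input is built from lines of the log excerpt in the first post; the names `lifecycles` and `report` are made up for this example.

```python
import re
from datetime import datetime
# Constructed sample: lines taken from the log excerpt in this thread.
SAMPLE = """\
Jul 1 12:52:54 openvpn 72762 ioctl(TUNSIFMODE): Device busy (errno=16)
Jul 1 12:52:54 openvpn 72762 Initialization Sequence Completed
Jul 1 12:58:36 openvpn 67760 event_wait : Interrupted system call (code=4)
Jul 1 12:58:36 openvpn 67760 SIGTERM[hard,] received, process exiting
Jul 1 12:58:37 openvpn 72762 event_wait : Interrupted system call (code=4)
Jul 1 12:58:37 openvpn 72762 SIGTERM[hard,] received, process exiting
"""

# "<Mon> <day> <HH:MM:SS> openvpn <pid> <message>"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+openvpn\s+(\d+)\s+(.*)$")

def lifecycles(text):
    """Group log lines by PID: ready time, SIGTERM time, errno messages."""
    procs = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is enough for deltas.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        p = procs.setdefault(m.group(2), {"ready": None, "term": None, "errors": []})
        msg = m.group(3)
        if "Initialization Sequence Completed" in msg:
            p["ready"] = ts
        elif msg.startswith("SIGTERM"):
            p["term"] = ts
        elif "(errno=" in msg:
            p["errors"].append(msg)
    return procs

def report(procs):
    out = []
    for pid, p in sorted(procs.items()):
        if p["ready"] and p["term"]:
            up = int((p["term"] - p["ready"]).total_seconds())
            state = f"ran {up}s after init, then received SIGTERM"
        elif p["term"]:
            state = "received SIGTERM, startup not in this excerpt"
        else:
            state = "initialized, no SIGTERM seen" if p["ready"] else "never initialized"
        out.append(f"pid {pid}: {state}; errno lines: {len(p['errors'])}")
    return out

if __name__ == "__main__":
    print("\n".join(report(lifecycles(SAMPLE))))
```

Run against a full log, the per-PID view shows whether each instance stopped on its own error or was sent SIGTERM from outside, and how close together the stops were.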