Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2.5.2-release still has OpenVPN Site2Site Bug with explicit-exit-notify

    Development
    2
    7
    2.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JeGrJ
      JeGr LAYER 8 Moderator
      last edited by

      See my report here:
      https://forum.netgate.com/topic/164257/openvpn-exits-without-restarting-with-exit-notify/4

      TL;DR

      A OVPN site2site tunnel configured with explicit-exit-notify flags (retry 1 or 2) will instantly go down, exit and kill the process if the other side sends notification of exit. Instead of speeding up the process of reconnection on either side through notification of its exit, that essentially brings down a tunnel without a chance to reconnect, as the peer shuts down the process instead of trying to reconnect immediatly (or removing the peer from its connected client list for the server side).

      ATM best thing to do is to avoid the setting with tunnels but if you have a client, that does send an exit notification, the server can/will go down.

      Cheers

      Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      JeGrJ 1 Reply Last reply Reply Quote 0
      • JeGrJ
        JeGr LAYER 8 Moderator @JeGr
        last edited by JeGr

        Details:

        Server:
        b5c870ce-b362-414a-945e-4135475c63e6-image.png

        Client:
        cbc18dd2-ddac-4f1b-bb1e-026f1dbf5b5b-image.png


        Server/Client Tunnel is up and running:

        a025d101-5336-4f57-ac54-2fa406592c58-image.png

        restarting Server Instance:

        681adc9a-ea16-406b-9ac7-28bf7f404d8e-image.png

        Client shuts down and exits/kills process, Server now restarted and waits for connection, but nothing is incoming:

        06c37c88-0472-4a61-9838-8018fafd6daa-image.png

        Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        JeGrJ 1 Reply Last reply Reply Quote 0
        • JeGrJ
          JeGr LAYER 8 Moderator @JeGr
          last edited by

          @jimp as the old thread was in the 2.5.2 subforum and is locked to further answers:

          We had that problem here with a 2.5.2-release and a 2.6-testing system. The customer has LTE routers from a brand, that can run OpenVPN and they connect them via a Site2Site tunnel to their pfSense setup. As the LTE router's OVPN implementation has explicit-exit-notify set up (whysoever), every time one of them disconnects the pfSense server side goes down and stays down.

          No we don't have the possibility to change the client side and have server side always exiting. Customer says, that with a normal linux vhost with openvpn set up, they don't have that problem so the server seems to behave in another way as the one running on pfSense.

          Is that something we can fix in pfSense' implementation? Upstream FreeBSD? Upstream OVPN? Don't understand why the server behaves like that in s2s mode in the first place, as - as tested - in RAS mode it just works as expected.

          Cheers
          \jens

          Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            I explained all that in my responses on the other thread -- it's something in OpenVPN internally.

            For point-to-point tunnels exit-notify is not desirable. Re-read my past responses for the distinction between "point-to-point" in OpenVPN and "site-to-site" in the pfSense GUI.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            JeGrJ 1 Reply Last reply Reply Quote 0
            • JeGrJ
              JeGr LAYER 8 Moderator @jimp
              last edited by

              @jimp I did, nevertheless the router on the other end is configured that way and every time it restarts/reconnects the tunnel, the whole server goes down.

              I completely understand it is not desirable, but that doesn't help in that scenario when the other side sets that config option and can crash our side of the tunnel at will? That can't be by design nor an allowed configuration IMHO? I mean what software offers to DoS itself by a peer config option? It just makes no sense to me. So no offense meant against you or the project, just trying to grasp an understanding if that could somehow mitigated on pfSense' side by auto-restarting the server or it not killing and permanently exiting.

              Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                explicit-exit-notify must be disabled on both sides of point-to-point. If either one has it on, the other will still receive and honor the notification. It's doing exactly what OpenVPN has programmed it to do -- it's nothing that pfSense is doing. And it's been that way for years. The other end of that connection must be changed.

                If you want a way to ignore that, you'd have to take it up with OpenVPN upstream.

                In the meantime, you can always use the Service Watchdog package to restart the service when it has stopped.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                JeGrJ 1 Reply Last reply Reply Quote 0
                • JeGrJ
                  JeGr LAYER 8 Moderator @jimp
                  last edited by

                  @jimp said in 2.5.2-release still has OpenVPN Site2Site Bug with explicit-exit-notify:

                  In the meantime, you can always use the Service Watchdog package to restart the service when it has stopped.

                  Ah didn't think of that. Normally I'm more "solve the problem, don't restart" type of engineer but you're right, if the other side is "wrongdoing" and there's nothing we can do - so be it :/

                  Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.