Cannot disable an OpenVPN instance while the interface is assigned. Remove the interface assignment first

sotirone

Hello.

Ever since I updated to 2.6.0, when I try to disable an OpenVPN client that has been assigned to an Interface, I get this error.

This has been very problematic for me and I don't see its purpose.

I use pfSense to pfSense OpenVPN tunnels to service clients remotely.

Some of those clients have networks with subnets that are either similar to mine or to each other.

By assigning an Interface and a Gateway to each tunnel, I can just switch a Static Route between Gateways and access networks with same subnets on different client locations easily.

But, I don't want the OpenVPN tunnels to be always UP. So I enable them as needed every time I need to do some work on each client.

This new behavior forces me to either have the tunnels always UP, or having to delete the Interface assignments and then redo them (and their Gateway configuration) every time I need to access one of these subnets.

This new behavior was a solution to a problem that didn't exist. Now it has caused real problems.

bingo600

Have reported the same issue here
https://forum.netgate.com/topic/172119/ce-2-6-0-unable-to-disable-openvpn-server-if-interface-is-assigned

No response yet

/Bingo

blabs

Can we get some traction on this issue? This is ridiculous, still a problem in v2.7.0...

rcoleman-netgate

@blabs said in Cannot disable an OpenVPN instance while the interface is assigned. Remove the interface assignment first:

Can we get some traction on this issue? This is ridiculous, still a problem in v2.7.0...

Please open a redmine at https://redmine.pfsense.org/

MoonKnight

@rcoleman-netgate Same with Wireguard, can't DISABLE the tunnel, get this message "Cannot disable tun_wg4 to XXXXXXXXXXX (opt7).

darkcorner

Same error for me too.
I want to eliminate all references in OpenVPN because they are obsolete in this new location, but it still remains an interface.

WaltW 0

I also have this issue. Any suggestions on how to fix?

mac1995

To unassign the VPN interface you would like to disable, go to Interfaces -> Interface Assignments, and find that there is something like:

Interface Network port
WAN em1 (00:0c:29:82:45:9a)
LAN em0 (00:0c:29:82:45:90)
OPT1 ovpns1 (VPN Access 1)
OPT2 ovpns2 (VPN Access 2)

In order to disable in this case (VPN Access 1) you can
delete the OPT1, (and lose the rules you had there!!!); or
assign the OPT1 to some other stub interface you create that is not routable, so you can keep this rule set around for
reference, or to use again when you re-enable the VPN Access 1.

Once there is no interface assigned to the particular VPN server, you can disable that interface back on the
VPN/OpenVPN/Servers page

coreybrett

@mac1995 Nice hack, but not really a fix

Another hack fix is to disable the WAN rule that allows the client to connect to the server. But that's only really effective if the OP has all the servers on his side, and the clients on the remote side.