Netgate Discussion Forum

OpenVPN server exits when WAN DHCP is renewed (fixed but dyn allocated - so not changed)

    hoegge
    last edited by Oct 17, 2022, 9:44 AM

    Every now and then my OpenVPN server crashes, and I found out it happens when the WAN DHCP IP address is renewed (but not changed). From the syslog, at 9:50 the WAN renews and then ovpns1 goes down. I manually restart it 5 @ 11:05

    Oct 17 09:50:27 fw1 rc.gateway_alarm[32439]: >>> Gateway alarm: WAN_DHCP (Addr:87.blinded.blinded.blinded Alarm:1 RTT:.951ms RTTsd:.187ms Loss:21%)
    Oct 17 09:50:27 fw1 check_reload_status[2558]: updating dyndns WAN_DHCP
    Oct 17 09:50:27 fw1 check_reload_status[2558]: Restarting IPsec tunnels
    Oct 17 09:50:27 fw1 check_reload_status[2558]: Restarting OpenVPN tunnels/interfaces
    Oct 17 09:50:27 fw1 check_reload_status[2558]: Reloading filter
    Oct 17 09:50:28 fw1 php-fpm[61384]: /rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_DHCP'
    Oct 17 09:50:28 fw1 php-fpm[61384]: /rc.openvpn: Gateway, NONE AVAILABLE
    Oct 17 09:50:28 fw1 php-fpm[61384]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
    Oct 17 09:50:28 fw1 php-fpm[2519]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'nat' rules.
    Oct 17 09:50:28 fw1 php-fpm[2519]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'pfearly' rules.
    Oct 17 09:50:28 fw1 php-fpm[2519]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'filter' rules.
    Oct 17 09:51:35 fw1 kernel: ovpns1: link state changed to DOWN
    Oct 17 09:51:35 fw1 check_reload_status[2558]: Reloading filter
    Oct 17 09:51:36 fw1 php-fpm[2520]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'nat' rules.
    Oct 17 09:51:37 fw1 php-fpm[2520]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'pfearly' rules.
    Oct 17 09:51:37 fw1 php-fpm[2520]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'filter' rules.
    Oct 17 10:00:00 fw1 php[41235]: [pfBlockerNG] Starting cron process.
    Oct 17 10:06:40 fw1 check_reload_status[2558]: rc.newwanip starting igb0
    Oct 17 10:06:41 fw1 php-fpm[20489]: /rc.newwanip: rc.newwanip: Info: starting on igb0.
    Oct 17 10:06:41 fw1 php-fpm[20489]: /rc.newwanip: rc.newwanip: on (IP address: <secret>) (interface: WAN[wan]) (real interface: igb0).
    Oct 17 10:06:41 fw1 php-fpm[20489]: /rc.newwanip: Accept router advertisements on interface igb0 
    Oct 17 10:06:41 fw1 php-fpm[20489]: /rc.newwanip: Starting rtsold process
    Oct 17 10:06:43 fw1 check_reload_status[2558]: Reloading filter
    Oct 17 10:06:44 fw1 php-fpm[20489]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'nat' rules.
    Oct 17 10:06:44 fw1 php-fpm[20489]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'pfearly' rules.
    Oct 17 10:06:44 fw1 php-fpm[20489]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'filter' rules.
    Oct 17 10:06:59 fw1 php[41235]: [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Oct 17 10:06:59 fw1 php[41235]: 
    Oct 17 10:07:39 fw1 rc.gateway_alarm[36419]: >>> Gateway alarm: WAN_DHCP (Addr:<secret> Alarm:0 RTT:1.077ms RTTsd:.224ms Loss:5%)
    Oct 17 10:07:39 fw1 check_reload_status[2558]: updating dyndns WAN_DHCP
    Oct 17 10:07:39 fw1 check_reload_status[2558]: Restarting IPsec tunnels
    Oct 17 10:07:39 fw1 check_reload_status[2558]: Restarting OpenVPN tunnels/interfaces
    Oct 17 10:07:39 fw1 check_reload_status[2558]: Reloading filter
    Oct 17 10:07:40 fw1 php-fpm[61384]: /rc.openvpn: Gateway, NONE AVAILABLE
    Oct 17 10:07:40 fw1 php-fpm[61384]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
    Oct 17 10:07:40 fw1 php-fpm[2519]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'nat' rules.
    Oct 17 10:07:40 fw1 php-fpm[2519]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'pfearly' rules.
    Oct 17 10:07:41 fw1 php-fpm[2519]: /rc.filter_configure_sync: [squid] Installed but disabled. Not installing 'filter' rules.
    Oct 17 11:00:00 fw1 php[50112]: [pfBlockerNG] Starting cron process.
    Oct 17 11:02:15 fw1 php[50112]: [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
    Oct 17 11:02:15 fw1 php[50112]: 
    Oct 17 11:02:20 fw1 php-fpm[83949]: /index.php: Successful login for user '<secret>' from: 192.168.0.20 (Local Database)
    Oct 17 11:04:00 fw1 sshguard[82423]: Exiting on signal.
    Oct 17 11:04:00 fw1 sshguard[12219]: Now monitoring attacks.
    Oct 17 11:05:27 fw1 kernel: ovpns1: link state changed to UP
    Oct 17 11:05:27 fw1 php-fpm[61384]: OpenVPN PID written: 9768
    Oct 17 11:05:27 fw1 check_reload_status[2558]: Reloading filter
    Oct 17 11:05:27 fw1 check_reload_status[2558]: rc.newwanip starting ovpns1
    

    In the OpenVPN log it shows like this:

    Oct 17 11:05:34	openvpn	9768	Initialization Sequence Completed
    Oct 17 11:05:34	openvpn	9768	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 17 11:05:34	openvpn	9768	Peer Connection Initiated with [AF_INET]<secret_ip>:32284
    Oct 17 11:05:27	openvpn	9768	UDPv4 link remote: [AF_UNSPEC]
    Oct 17 11:05:27	openvpn	9768	UDPv4 link local (bound): [AF_INET]<secret_ip>:1194
    Oct 17 11:05:27	openvpn	9768	/usr/local/sbin/ovpn-linkup ovpns1 1400 1472 10.0.8.1 10.0.8.2 init
    Oct 17 11:05:27	openvpn	9768	/sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1400 netmask 255.255.255.255 up
    Oct 17 11:05:27	openvpn	9768	TUN/TAP device /dev/tun1 opened
    Oct 17 11:05:27	openvpn	9768	TUN/TAP device ovpns1 exists previously, keep at program end
    Oct 17 11:05:27	openvpn	9768	WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
    Oct 17 11:05:27	openvpn	9768	Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 17 11:05:27	openvpn	9768	Incoming Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 17 11:05:27	openvpn	9768	Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Oct 17 11:05:27	openvpn	9768	Outgoing Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
    Oct 17 11:05:27	openvpn	9768	Initializing OpenSSL support for engine 'rdrand'
    Oct 17 11:05:27	openvpn	9768	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 17 11:05:27	openvpn	9597	library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
    Oct 17 11:05:27	openvpn	9597	OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
    Oct 17 11:05:27	openvpn	9597	Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
    Oct 17 09:51:35	openvpn	65663	/usr/local/sbin/ovpn-linkdown ovpns1 1400 1472 10.0.8.1 10.0.8.2 init
    Oct 17 09:51:35	openvpn	65663	Closing TUN/TAP interface
    Oct 17 09:51:35	openvpn	65663	Exiting due to fatal error
    Oct 17 09:51:35	openvpn	65663	TCP/UDP: Socket bind failed on local address [AF_INET]<secret_ip>:1194: Can't assign requested address (errno=49)
    Oct 17 09:51:35	openvpn	65663	Preserving previous TUN/TAP instance: ovpns1
    Oct 17 09:51:35	openvpn	65663	WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
    Oct 17 09:51:35	openvpn	65663	Re-using pre-shared static key
    Oct 17 09:51:35	openvpn	65663	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 17 09:51:30	openvpn	65663	SIGUSR1[soft,ping-restart] received, process restarting
    Oct 17 09:51:30	openvpn	65663	Inactivity timeout (--ping-restart), restarting
    Oct 17 09:51:29	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:51:28	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:51:27	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:51:26	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:51:19	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:51:09	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:50:59	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:50:49	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:50:39	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:50:38	openvpn	65663	write UDPv4: No route to host (code=65)
    Oct 17 09:50:37	openvpn	65663	write UDPv4: No route to host (code=65)
    

    Is there a way to prevent the OpenVPN server from crashing when the WAN IP is refreshed? (It is a fixed IP but dynamically allocated.)

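The correlation the post makes by eye across the two logs, written as an added Python example (not part of the original post and not pfSense code): it pairs an `Alarm:1` gateway event with the following `errno=49` bind failure and measures how long the tunnel stays down until `ovpns1` reports UP. The function names, the 5-minute correlation window and the `year` argument (the log timestamps carry no year) are assumptions; the sample lines are abridged from the post.

```python
import re
from datetime import datetime, timedelta

# Abridged from the two logs in the post above, keeping its address placeholders.
SYSLOG = """\
Oct 17 09:50:27 fw1 rc.gateway_alarm[32439]: >>> Gateway alarm: WAN_DHCP (Addr:87.blinded.blinded.blinded Alarm:1 RTT:.951ms RTTsd:.187ms Loss:21%)
Oct 17 09:51:35 fw1 kernel: ovpns1: link state changed to DOWN
Oct 17 10:07:39 fw1 rc.gateway_alarm[36419]: >>> Gateway alarm: WAN_DHCP (Addr:<secret> Alarm:0 RTT:1.077ms RTTsd:.224ms Loss:5%)
Oct 17 11:05:27 fw1 kernel: ovpns1: link state changed to UP"""
OVPN_LOG = """\
Oct 17 11:05:34\topenvpn\t9768\tInitialization Sequence Completed
Oct 17 09:51:35\topenvpn\t65663\tExiting due to fatal error
Oct 17 09:51:35\topenvpn\t65663\tTCP/UDP: Socket bind failed on local address [AF_INET]<secret_ip>:1194: Can't assign requested address (errno=49)
Oct 17 09:51:30\topenvpn\t65663\tSIGUSR1[soft,ping-restart] received, process restarting"""

PATTERNS = [  # list order doubles as the tie-break rank for same-second events
    ("alarm", re.compile(r"Gateway alarm: \S+ \(.*\bAlarm:1\b")),
    ("bind_failed", re.compile(r"Socket bind failed .*\(errno=49\)")),  # EADDRNOTAVAIL on FreeBSD
    ("fatal_exit", re.compile(r"Exiting due to fatal error")),
    ("link_up", re.compile(r"ovpns\d+: link state changed to UP")),
]
STAMP = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\s")

def parse_events(text, year):
    events = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events += [(when, rank, kind) for rank, (kind, rx) in enumerate(PATTERNS) if rx.search(line)]
    return events

def find_outages(syslog, ovpn_log, year=2022, window=timedelta(minutes=5)):
    # The OpenVPN log in the post is newest-first, so merge and sort before walking.
    events = sorted(parse_events(syslog, year) + parse_events(ovpn_log, year))
    outages, last_alarm, cur = [], None, None
    for when, _, kind in events:
        if kind == "alarm":
            last_alarm = when
        elif kind == "bind_failed" and cur is None:
            near = last_alarm is not None and when - last_alarm <= window
            cur = {"alarm": last_alarm if near else None, "bind_failed": when, "fatal": False}
        elif kind == "fatal_exit" and cur:
            cur["fatal"] = True
        elif kind == "link_up" and cur:
            cur["down_for"] = when - cur["bind_failed"]
            outages.append(cur)
            cur = None
    return outages + ([cur] if cur else [])  # a trailing entry is still down at end of log
```

On the abridged sample, `find_outages(SYSLOG, OVPN_LOG)` reports one outage with the gateway alarm 68 seconds before the bind failure; an entry without a `down_for` key means no UP event was seen before the log ended.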