Netgate Discussion Forum
    openvpn tap tunnel goes offline

    johngoutbeck

      pfsense v2.70 or 2.71
      Set up a tap (bridge) openvpn with TLS/SSL

      Right now this is a POC and it's failing

      • after this, then add a second WAN for WAN failover
      • after 2nd WAN, add 2nd unit with CARP to unit HA

      Start the pfsense server (75.152.103.51)

      • the WAN cable is disconnected - so the WAN status is red with 'no carrier'
      • but the tap openvpn is showing an IP address & the openvpn status is waiting for a connection

      --- Console (copied from ssh session)

      • the tap openvpn is up & will stay up - waiting for a client to connect (with the WAN cable disconnected)

      pfSense - Netgate Device ID: 81f332591f8a44a18182

      *** Welcome to pfSense 2.7.1-RELEASE (amd64) on brg151 ***

      WAN (wan) -> ue0 -> v4: 75.152.103.51/24
      LAN (lan) -> em0 -> v4: 172.16.138.51/16
      OPT1_VPN_BRIDGE (opt1) -> ovpns1 -> v4: 10.0.1.1/29

      --- check to see if openvpn process is running - it is
      [2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps uxaww | grep openvpn
      root 61518 0.0 0.1 23052 9896 - Ss 09:54 0:00.05 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1/config.ovpn
      root 18564 0.0 0.0 12752 2360 0 S+ 09:55 0:00.00 grep openvpn
      [2.7.1-RELEASE][admin@brg151.kyetech.local]/root:

      --- openvpn log file
      Nov 22 09:54:26 openvpn 55560 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
      Nov 22 09:54:26 openvpn 55560 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
      Nov 22 09:54:26 openvpn 55560 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/obj/amd64/GScwGwyy/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/sources/F
      Nov 22 09:54:26 openvpn 61518 GDG: problem writing to routing socket
      Nov 22 09:54:26 openvpn 61518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Nov 22 09:54:27 openvpn 61518 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
      Nov 22 09:54:27 openvpn 61518 TUN/TAP device ovpns1 exists previously, keep at program end
      Nov 22 09:54:27 openvpn 61518 TUN/TAP device /dev/tap1 opened
      Nov 22 09:54:27 openvpn 61518 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
      Nov 22 09:54:27 openvpn 61518 /usr/local/sbin/ovpn-linkup ovpns1 1500 0 10.0.1.1 255.255.255.248 init
      Nov 22 09:54:27 openvpn 61518 UDPv4 link local (bound): [AF_INET]75.152.103.51:1194
      Nov 22 09:54:27 openvpn 61518 UDPv4 link remote: [AF_UNSPEC]
      Nov 22 09:54:27 openvpn 61518 Initialization Sequence Completed

      --- now plug in the WAN cable - WAN status goes to green with 'up'

      • the 1 client (75.152.103.53) connects
      • the GUI openvpn status displays the client connected
      • connected for a while (about 10 - 30 seconds) - then the server brings the openvpn link down
      • and it cannot see the client anymore

      --- openvpn log
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_VER=2.6.4
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_PLAT=freebsd
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_TCPNL=1
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_MTU=1600
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_NCP=2
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_PROTO=990
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_LZO_STUB=1
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_COMP_STUB=1
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 peer info: IV_COMP_STUBv2=1
      Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 [VPNCert-user] Peer Connection Initiated with [AF_INET]75.152.103.53:2539
      Nov 22 09:59:14 openvpn 61518 VPNCert-user/75.152.103.53:2539 MULTI_sva: pool returned IPv4=10.0.1.2, IPv6=(Not enabled)
      Nov 22 09:59:16 openvpn 61518 VPNCert-user/75.152.103.53:2539 write UDPv4: No route to host (fd=6,code=65)

      --- GUI openvpn status
      ovpns1: VPN-Bridged UDP4:1194 / Client Connections: 0
      [error] Unable to contact daemon Service not running?

      • and the openvpn will not restart when the 'restart' icon is clicked

      --- Console (copied from ssh session)

      • the openvpn connection loses its IP

      pfSense - Netgate Device ID: 81f332591f8a44a18182

      *** Welcome to pfSense 2.7.1-RELEASE (amd64) on brg151 ***

      WAN (wan) -> ue0 -> v4: 75.152.103.51/24
      LAN (lan) -> em0 -> v4: 172.16.138.51/16
      OPT1_VPN_BRIDGE (opt1) -> ovpns1 ->

      --- check to see if openvpn process is running - it is NOT
      [2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps ax | grep openvpn
      42536 0 S+ 0:00.00 grep openvpn

      --- openvpn log
      Nov 22 10:06:10 openvpn 79586 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
      Nov 22 10:06:10 openvpn 79586 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
      Nov 22 10:06:10 openvpn 79586 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/obj/amd64/GScwGwyy/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/sources/F
      Nov 22 10:06:10 openvpn 79803 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Nov 22 10:06:10 openvpn 79803 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
      Nov 22 10:06:10 openvpn 79803 TUN/TAP device ovpns1 exists previously, keep at program end
      Nov 22 10:06:10 openvpn 79803 TUN/TAP device /dev/tap1 opened
      Nov 22 10:06:10 openvpn 79803 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
      Nov 22 10:06:10 openvpn 79803 FreeBSD ifconfig failed: external program exited with error status: 1
      Nov 22 10:06:10 openvpn 79803 Exiting due to fatal error

      • restart the openvpn process via GUI

      • the openvpn will not start

      • restart the openvpn from ssh session
        /usr/local/sbin/pfSsh.php playback svc restart openvpn server 1
        Attempting to issue restart to openvpn service...

      openvpn has been restarted.

      but the ps command does not see the openvpn process running
      ps ax | grep openvpn
      42536 0 S+ 0:00.00 grep openvpn

      -- using a different openvpn restart command

      • comes back with errors
        [2.7.1-RELEASE][admin@brg151.kyetech.local]/etc: service openvpn onerestart
        openvpn not running? (check /var/run/openvpn.pid).
        /usr/local/etc/rc.d/openvpn: WARNING: /usr/local/etc/openvpn/openvpn.conf is not readable.
        /usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn

      • no openvpn process running
        [2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps ax | grep openvpn
        46024 0 S+ 0:00.00 grep openvpn

      -- using another openvpn restart command
      [2.7.1-RELEASE][admin@brg151.kyetech.local]/root: /usr/local/sbin/ovpn-linkup ovpns1 1500 0 10.0.1.1 255.255.255.248 init
      OK

      • no openvpn process running
        [2.7.1-RELEASE][admin@brg151.kyetech.local]/root: ps ax | grep openvpn
        46024 0 S+ 0:00.00 grep openvpn

      • Can never restart the openvpn
      • need to reboot the server
      • and even then the openvpn service sometimes does not start

      • Another test

      --- on a reboot - the openvpn starts & is waiting for a client to connect

      • without connecting the WAN cable
      • restart openvpn from GUI
      • openvpn does not restart

      --- GUI openvpn status
      ovpns1: VPN-Bridged UDP4:1194 / Client Connections: 0
      [error] Unable to contact daemon Service not running?

      --- openvpn log
      Nov 22 11:08:00 openvpn 71097 /sbin/ifconfig ovpns1 10.0.1.1 -alias
      Nov 22 11:08:00 openvpn 71097 /usr/local/sbin/ovpn-linkdown ovpns1 1500 0 10.0.1.1 255.255.255.248 init
      Nov 22 11:08:00 openvpn 71663 Flushing states on OpenVPN interface ovpns1 (Link Down)
      Nov 22 11:08:00 openvpn 71097 SIGTERM[hard,] received, process exiting
      Nov 22 11:08:01 openvpn 83693 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
      Nov 22 11:08:01 openvpn 83693 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
      Nov 22 11:08:01 openvpn 83693 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/obj/amd64/GScwGwyy/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/sources/F
      Nov 22 11:08:01 openvpn 83816 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Nov 22 11:08:01 openvpn 83816 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
      Nov 22 11:08:01 openvpn 83816 TUN/TAP device ovpns1 exists previously, keep at program end
      Nov 22 11:08:01 openvpn 83816 TUN/TAP device /dev/tap1 opened
      Nov 22 11:08:01 openvpn 83816 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
      Nov 22 11:08:01 openvpn 83816 FreeBSD ifconfig failed: external program exited with error status: 1
      Nov 22 11:08:01 openvpn 83816 Exiting due to fatal error


      Questions

      1. How to restart the tap openvpn from cli?

      2. Why does the tap openvpn tunnel go down? And how to fix it?

      Any suggestions, guesses, fixes???

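As an added example (not part of the post and not pfSense's own tooling), a small POSIX sh script that classifies an OpenVPN server log excerpt into the states the post's logs show, looking only at the most recent daemon start so that earlier attempts appended to the same log do not mask the current one; the sample log lines are constructed copies of the ones quoted above.

```shell
#!/bin/sh
# Added example: classify a pfSense OpenVPN server log excerpt into the failure
# modes seen in the post. Sample lines are constructed copies of the post's logs.
# Print only the lines of the most recent daemon start (from the last version
# banner to the end), because pfSense appends every restart to the same log.
last_attempt() {
    awk '/ OpenVPN [0-9]+\.[0-9]/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}
# classify_ovpn_log FILE -> up | no-route | ifconfig-fatal | not-started
classify_ovpn_log() {
    last_attempt "$1" | awk '
        /ifconfig failed/                   { ifc = 1 }
        /Exiting due to fatal error/        { fatal = 1 }
        /write UDPv4: No route to host/     { noroute = 1 }
        /Initialization Sequence Completed/ { init = 1 }
        /SIGTERM.*process exiting/          { term = 1 }
        END {
            if (ifc && fatal)       print "ifconfig-fatal"  # interface setup failed, daemon exited
            else if (noroute)       print "no-route"        # peer completed TLS, then became unreachable
            else if (init && !term) print "up"              # listening, waiting for clients
            else                    print "not-started"
        }'
}
# Write three constructed sample logs modelled on the post: a clean boot, a
# client that connects and then loses its route, and a failed GUI restart.
write_samples() {
    cat > "$1/boot.log" <<'EOF'
Nov 22 09:54:26 openvpn 55560 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [DCO]
Nov 22 09:54:27 openvpn 61518 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
Nov 22 09:54:27 openvpn 61518 Initialization Sequence Completed
EOF
    cat > "$1/client.log" <<'EOF'
Nov 22 09:59:14 openvpn 61518 75.152.103.53:2539 [VPNCert-user] Peer Connection Initiated with [AF_INET]75.152.103.53:2539
Nov 22 09:59:16 openvpn 61518 VPNCert-user/75.152.103.53:2539 write UDPv4: No route to host (fd=6,code=65)
EOF
    cat > "$1/restart.log" <<'EOF'
Nov 22 11:08:00 openvpn 71097 SIGTERM[hard,] received, process exiting
Nov 22 11:08:01 openvpn 83693 OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [DCO]
Nov 22 11:08:01 openvpn 83816 /sbin/ifconfig ovpns1 10.0.1.1/29 mtu 1500 up
Nov 22 11:08:01 openvpn 83816 FreeBSD ifconfig failed: external program exited with error status: 1
Nov 22 11:08:01 openvpn 83816 Exiting due to fatal error
EOF
}
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.log; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_ovpn_log "$f")"
done
rm -rf "$demo_dir"
```

On a live box, point `classify_ovpn_log` at the OpenVPN log file instead of the constructed samples; the `ifconfig-fatal` verdict corresponds to the state in which the post's `ps` shows no daemon running.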
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.