Netgate Discussion Forum

New to pfSense, Does OpenVPN have a service running even if not setup and configured?

  • T
    tikirover
    last edited by Feb 27, 2024, 3:18 PM

    More detail - I left my new install running overnight for the first time. Apparently it had some kind of drop or lease reset around 3am. (or some disconnect/reconnect event)

    The system shows "hotplug" events, and looks like it went through a reconnect. For each interface, regular and VLAN, it shows "Resyncing OpenVPN instances".

    Is this normal? I haven't done anything yet with OpenVPN at all. Here is a screen cap of that section of the log.
    Screenshot 2024-02-27 065346.png

    • S
      stephenw10 Netgate Administrator
      last edited by Feb 27, 2024, 4:15 PM

      Yes, it shows the OpenVPN script is run whether or not there are instances running.

      The actual cause of that is not shown but I'd guess one of your gateways went down. It should be shown in the log before that point.

      Steve

      • T
        tikirover @stephenw10
        last edited by Feb 27, 2024, 4:22 PM

        @stephenw10 Thanks Steve- I appreciate the answer! I would agree that looks like what was happening. The "event" started at the Feb 27 03:27:45 mark as shown on this second screenshot. Most of the messages made sense for a dropped connection, just wasn't sure about the OpenVPN. Learning this is kinda like drinking from a firehose!
        Screenshot 2024-02-27 065231.png

        • T
          tikirover @tikirover
          last edited by Feb 27, 2024, 4:25 PM

          @tikirover I should have added that it was all back up and running by the time I reviewed it this morning. Just trying to make sure I understand as much as possible.

          • S
            stephenw10 Netgate Administrator
            last edited by Feb 27, 2024, 4:29 PM

            Yes the igc1 NIC lost link and hence all the VLANs on it. I assume that's connected to a switch? Maybe the switch rebooted?

            • T
              tikirover @tikirover
              last edited by Feb 27, 2024, 4:33 PM

              @tikirover This was in one of the other logs at the same time stamp, and I believe this supports the interruption at the gateway. Since it was running again by this morning, I'm assuming it was a lease renew. Screenshot 2024-02-27 065149 edit.png

              • S
                stephenw10 Netgate Administrator
                last edited by Feb 27, 2024, 4:37 PM

                A lease renewal would not normally bring down the link.

                Seeing dpinger restart like that implies the WAN did restart though. Is that on a VLAN on igc1?

                • T
                  tikirover @stephenw10
                  last edited by Feb 27, 2024, 4:44 PM

                  @stephenw10 No the WAN is through igc0 and coming via passthrough/ATT gateway (BCG320).

                  I do remember seeing an update time of 3 am from my Unifi switch - but I would have thought that would have been earlier - it is on the igc1. Timing is about 27 minutes off, but related?

                  • S
                    stephenw10 Netgate Administrator
                    last edited by Feb 27, 2024, 4:51 PM

                    I'd expect the switch to have logged a link change on the trunk.

                    Do you see igc0 logging a link state change in pfSense?

                    • T
                      tikirover @stephenw10
                      last edited by Feb 27, 2024, 5:05 PM

                      @stephenw10 If it would be prior to this time frame, I will have to check later. I just grabbed a handful of screenshots that had this same time stamp this morning before I came into work.

                      The only thing 10 min before the linkstate change/Hot plug, etc on igc1 and its related vlans are sshguard messages about Now monitoring attacks.

                      The OpenVPN appearance had me wondering if I had a security issue or not.

                      Does this seem like a functional problem, or should I be concerned about something else?

                      • T
                        tikirover @tikirover
                        last edited by Feb 27, 2024, 5:15 PM

                        @tikirover In my screenshots, this message shows up for each of the igc1 interfaces
                        d8f7a490-b40b-483a-b6e3-22d9dc1949ea-image.png

                        and in the gateway log the message I posted earlier was part of a string of similar messages with different PID numbers. Screenshot 2024-02-27 065149edit2.png

                        • S
                          stephenw10 Netgate Administrator
                          last edited by Feb 27, 2024, 5:32 PM

                          The only thing I would be concerned about is the fact that igc1 lost link for some reason. Since it's connected to a switch directly it should not.

                          Some of the early i225v revision (<rev3) chips had link issues. Try running: `pciconf -lv igc1`
