Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Alias use in OpenVPN - Broken on Reboots (and possibly other edge cases)

    Scheduled Pinned Locked Moved OpenVPN
    23 Posts 4 Posters 2.0k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      azeliff3
      last edited by

      I'm thinking I might have found a bug with how aliases from pfSense Firewall are used in OpenVPN configurations. I have multiple aliases created, some for individual IPs, others for CIDR notations of subnets.

      When you apply the configuration, everything works as expected. I've unfortunately found that they occasionally stop working all together. I've seen occasional issues after substantial OpenVPN server configuration changes, but I haven't been able to narrow down the specifics.

      What I have been able to narrow down to a reproducible (on my environment at least) sequence is that restarting the pfSense system entirely causes the aliases to not work in the OpenVPN configuration. More interestingly, after a reboot, if you go in and simply click "save" on the OpenVPN server configuration (or client specific overrides), the aliases start working again at next reconnect.

      This is a big problem since if the firewall reboots for any reason, suddenly routes are no longer presented to VPN clients if they're defined with aliases.

      Here's a more detailed example:

      Create a firewall alias for a specific IP and subnet in CIDR, as such:
      90730077-0d87-4fca-b720-0d8edc7d6e61-image.png

      I've observed the same issue with server configurations as well as client specific overrides, so for brevity I'm only showing client specific overrides:
      65a2db90-f447-4fb0-acfa-75f2d9a78464-image.png

      Click save, and connect via the client. Everything works as expected.

      Now, reboot the pfSense device (e.g.: Diagnostics>Reboot>submit)

      Once the server is back online, connect to the OpenVPN server and the routes for the local networks that are aliased will not longer be present.

      If you "save" the override again after reboot and reconnect, it will start working again.

      I have a LOT of aliases used throughout my setup, and re-saving configs without any changes any time a reboot etc. occurs is a problem.

      I would like others' takes on this to see if I am missing something, or if this is a real bug. This certainly appears to be a bug to me.

      Thanks!

      GertjanG 1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by

        Check the generated conf file in /var/etc/openvpn/serverX

        Are alises populated there after reboot?

        1 Reply Last reply Reply Quote 0
        • A Offline
          azeliff3
          last edited by

          I just checked -- aliases are properly stored as their expanded strings (CIDR notation, IPs etc.) in the config and the appropriate CSC configs before reboot.

          After reboot, the entries that should be there from aliases are NOT present. The below are CSC configs. I checked the same behavior is present in the main server config for aliases as well.

          Before reboot (after hitting save on configs)
          b4beaf07-5ba9-42e0-bbe1-0531a67a8840-image.png

          After reboot:
          7703675a-694d-4965-9854-8a7b8c96c4e8-image.png

          1 Reply Last reply Reply Quote 1
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            OK, is this something that has just started happening? After an upgrade etc?

            1 Reply Last reply Reply Quote 0
            • A Offline
              azeliff3
              last edited by azeliff3

              I just setup the openVPN servers using aliases a few weeks ago. It's a fresh install and appears to have been acting this way since I setup the servers a few weeks ago.

              1 Reply Last reply Reply Quote 1
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                Have you only seen this in 2.7.2?

                Can't replicate it here in 24.11. There were quite a few commits into the alias system recently.

                1 Reply Last reply Reply Quote 0
                • A Offline
                  azeliff3
                  last edited by

                  Correct, but I only have been using 2.7.2, so no idea if it is present in 24.11.

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    Hmm, which aliases are actually not populating there? Anything with nested aliases? Only those host aliases that have to be resolved?

                    1 Reply Last reply Reply Quote 0
                    • A Offline
                      azeliff3
                      last edited by

                      host and network aliases are failing to populate (CIDR Notation for networks, and FQDN for hosts). It appears that the type of alias doesn't matter based on what I'm seeing.

                      1 Reply Last reply Reply Quote 0
                      • GertjanG Offline
                        Gertjan @azeliff3
                        last edited by

                        @azeliff3 said in Alias use in OpenVPN - Broken on Reboots (and possibly other edge cases):

                        are used in OpenVPN configurations

                        Client ? Server ?

                        What happens when pfSense starts, and the OpenVPN server ? Client ?) start before the resolver starts ....
                        What is the state of the aliases at that moment ? Are the known with the 'IP addresses' known from before the reboot ? Or unknown, as they are getting used before they are resolved ...
                        IP (or network aliases should 'work' because their content is known right out of the box.
                        But you have also Host(s) and these have to get resolved first.

                        A 'broken' solution : I don't know if process like OpenVPN can get delayed upon system boot, but I guess, with cron, you could setup a cron script that reboots the openvon process '300' seconds after reboot, as aliases hosts are typically resolved every 5 minutes.
                        Btw : when resolved, and the aliases content changed (for example : the IP addresses changed) I'm not sure if OpenVPN will be aware of that. It starts with its config files, and if these change, the process has to restart to take them in account.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Your screenshot above shows it still has routes for those 10.x.x.x subnets which I assume are the network alias?

                          There's no need to obscure private subnets.

                          1 Reply Last reply Reply Quote 0
                          • A Offline
                            azeliff3
                            last edited by azeliff3

                            The configurations shown and in question are the server configurations.

                            I apologize for obscuring the private subnets. I've dealt with people panicking when they see any IP publicly posted in other venues, so I default to obscuring.

                            Here's a more detailed breakout of after reboot vs re-applying the settings:

                            74a4db43-0c8b-4111-afe5-631be6b90896-image.png

                            It appears to match with what @Gertjan implied regarding resolution of host names, where they may not be resolved before the openVPN server starts on a fresh boot. Unfortunately, restarting the OpenVPN service (even after 5-6 minutes uptime) does not appear to get those resolved hostname aliases to show in the configuration. They only seem to show up when I re-apply the settings.

                            The fact that server configs get generated and skip over host aliases that are valid (but perhaps not resolved at that instant in time after a reboot) seems like a problem. Since restarting the openVPN service individually doesn't fix the missing aliases, it seems like there is a dependency in the service boot order on pfSense that was introduced when the use of aliases was allowed, which may not have been properly handled. Since all the host aliases are resolved and configured in pfSense, I feel like the resolution should be incredibly quick.

                            I'm not really sure where to go from here -- is this a bug with service startup dependencies?

                            I realize in my original post I mentioned CIDR aliases not showing up. I haven't been able to replicate what I had seen earlier for screenshots regarding CIDR, so I'm currently trying to recreate that.

                            GertjanG 1 Reply Last reply Reply Quote 0
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              Hmm, still can't replicate that here in Plus. The start order could well have changed since 2.7.2.

                              How are those aliases being resolved? If you add one as a host override locally does it make it into the conf. Though that doesn't work here with a near default setup

                              1 Reply Last reply Reply Quote 0
                              • A Offline
                                azeliff3
                                last edited by azeliff3

                                I'm not sure I am interpreting your question correctly, so if I am not answering your question, I apologize.

                                The aliases are pfSense firewall aliases. For instance, K12A_Devices is an alias for two hosts:
                                k12a-outlet.k12.benchpress.lan, k12a-bulb.k12.benchpress.lan

                                The host records referred to in the aliases are DHCP static mappings under pfSense DHCP server (for instance k12a-outlet is statically assigned a 192 address).

                                I tried adding a host override for k12a-outlet, and it still did not make it into the configuration after reboot. It does show up after clicking "save" in the UI for the settings though (same behavior as static mappings).

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Ok, that's the same thing I'm seeing. It can only resolve it against Unbound when static mappings are added and that is not running when the file is created in 2.7.2.

                                  Also those are not added at boot but host overrides and other resolved hosts are.

                                  I don't think that is a bug though since it has never worked AFAIK and was not expected to. It should be opened as a feature request though so:
                                  https://redmine.pfsense.org/issues/15922

                                  1 Reply Last reply Reply Quote 0
                                  • A Offline
                                    azeliff3
                                    last edited by

                                    Thanks for opening the feature request and working through it! I appreciate it!

                                    1 Reply Last reply Reply Quote 0
                                    • GertjanG Offline
                                      Gertjan @azeliff3
                                      last edited by

                                      @azeliff3 said in Alias use in OpenVPN - Broken on Reboots (and possibly other edge cases):

                                      Unfortunately, restarting the OpenVPN service (even after 5-6 minutes uptime) does not appear to get those resolved hostname aliases to show in the configuration

                                      Restarting by clicking here :

                                      a0bb37c3-0c3b-4b2e-abf2-54aae68bc34d-image.png

                                      does not recreate ".opvn" config file from the pfSense GUI settings.
                                      It's more a "if a config file exist, start the openvpn binary".

                                      However, with some minimal scripting you can do what is done when you click here :

                                      b724f4d3-0b3f-4c09-bd05-7c31814d8d1d-image.png

                                      My problem is : I don't have 2.7.2. anymore ...
                                      If you're not afraid of some PHP (re)searching, I can already tell you that all you need is in
                                      /etc/inc/services.inc
                                      /etc/inc/services-utils.inc
                                      /etc/inc/openvpn.inc
                                      /usr/local/www/vpn_openvpn_server.php (for reference)
                                      I'll be assisting you.

                                      No "help me" PM's please. Use the forum, the community will thank you.
                                      Edit : and where are the logs ??

                                      1 Reply Last reply Reply Quote 1
                                      • G Offline
                                        galcorlo
                                        last edited by

                                        Hello,
                                        I'm suffering from a very similar issuewith pfsense Plus. I don't know how to reproduce it. I'm not sure if the reboot is the root cause because I haven't been able to reboot the appliance for testing purposes. But from time to time, I realize OpenVPN has the wrong config because the alias was not replaced. Here's the reported bug: https://redmine.pfsense.org/issues/16073

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          So you only see it with nested aliases in the local networks list?

                                          1 Reply Last reply Reply Quote 0
                                          • G Offline
                                            galcorlo
                                            last edited by galcorlo

                                            Yes, I only see it with nested aliases in the local networks list.

                                            I've been checking the source code and I think it could be a problem related to the boot order. If openVPN service starts before aliases have been loaded into the variable $aliastable, the function alias_to_subnets_recursive will return an empty array and the function openvpn_gen_route_ipv4 will write a config line with the alias as-is without replacing it. And this is the behaviour I am seeing.
                                            I've seen the boot service order is managed by /etc/rc.bootup and it seems OpenVPN starts before having aliases loaded... Not sure which is the cleanest way to fix this.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.