VPN disconnects when applying a change



  • Most changes (editing a user, changing a certificate, etc.) make all of my client's OpenVPN connections close and they have to reconnect.

    We are running 2.0.3-RELEASE (i386) and make use of several features such as CARP over 2 synced pfSense firewalls.

    Is this a known problem?



  • The devs can chime in, but I think every change restarts the service, so I don't see a way around it.


  • Rebel Alliance Developer Netgate

    When you make changes to openvpn it restarts that instance of openvpn, no way to avoid that and have all of the settings properly apply.

    It doesn't restart all of them, so if you have 4 servers setup and edit 1 of them, only that one that was changed restarts.



  • @jimp:

    When you make changes to openvpn it restarts that instance of openvpn, no way to avoid that and have all of the settings properly apply.

    It doesn't restart all of them, so if you have 4 servers setup and edit 1 of them, only that one that was changed restarts.

    That would make sense, but I get disconnected for non-OpenVPN setting changes. For example, adding a certificate to a user or even changing some firewall rules which are not related to the OpenVPN connection.
    Furthermore, this does not happen every time; it seems to be every other time I make a change that I get disconnected.


  • Rebel Alliance Developer Netgate

    That's not related to OpenVPN then.

    Check your gateways, if you have a gateway flagged as down, states can be cleared on any change that causes a filter reload.

    Fix the gateway, or if you have only one WAN, disable state killing for down gateways under System > Advanced on the Misc tab.



  • @jimp:

    That's not related to OpenVPN then.

    Check your gateways, if you have a gateway flagged as down, states can be cleared on any change that causes a filter reload.

    Fix the gateway, or if you have only one WAN, disable state killing for down gateways under System > Advanced on the Misc tab.

    My gateway is okay,
    Would this have a negative effect since I'm using CARP, could it cause failovers to stop working etc?


  • Banned

    @jimp:

    When you make changes to openvpn it restarts that instance of openvpn, no way to avoid that and have all of the settings properly apply.
    It doesn't restart all of them, so if you have 4 servers setup and edit 1 of them, only that one that was changed restarts.

    Well, I get a restart when I change the description field of the OVPN server. This for sure is not necessary.


  • Rebel Alliance Developer Netgate

    @doktornotor:

    @jimp:

    When you make changes to openvpn it restarts that instance of openvpn, no way to avoid that and have all of the settings properly apply.
    It doesn't restart all of them, so if you have 4 servers setup and edit 1 of them, only that one that was changed restarts.

    Well, I get a restart when I change the description field of the OVPN server. This for sure is not necessary.

    To be pedantic, yes, but that requires a lot more complex code than currently exists. Patches accepted.


  • Rebel Alliance Developer Netgate

    @grahambmtw:

    @jimp:

    That's not related to OpenVPN then.

    Check your gateways, if you have a gateway flagged as down, states can be cleared on any change that causes a filter reload.

    Fix the gateway, or if you have only one WAN, disable state killing for down gateways under System > Advanced on the Misc tab.

    My gateway is okay,
    Would this have a negative effect since I'm using CARP, could it cause failovers to stop working etc?

    No that option only affects Multi-WAN, not CARP.



  • There are lots of GUI config screens where pressing Save updates the config and restarts the relevant bit of the system. Most of it does not check closely exactly which data fields were changed. Yes, it would be handy if things didn't restart when just a description field (and other non-functional fields) are modified. As JimP suggests "Patches accepted" - it is an Open Source project, so feel free to contribute enhanced GUI validation, minimal restart processing… :)



  • @jimp:

    That's not related to OpenVPN then.

    Check your gateways, if you have a gateway flagged as down, states can be cleared on any change that causes a filter reload.

    Fix the gateway, or if you have only one WAN, disable state killing for down gateways under System > Advanced on the Misc tab.

    Thanks!
    This fixed the issue, I'll conduct a firewall failover test to 100% ensure that CARP failover still works



  • Actually, this is still an issue. Applying firewall rules, or almost any update, will kill existing connections, including my OpenVPN connection to the firewall, requiring me to reconnect.

