We have a rather simple setup, working rather well 99% of the time. The 1% is giving us problems.
We have a central office, with Debian Linux, OVPN with webmin control system. The webmin is working well for us, as we can generate PKI certificates, we can monitor the connections,…
We also have some remote sites, every site with an ADSL router (Linksys), a WRAP with pfSense and OVPN with a certificate on it. The WRAP connects to the central office, establishes the OVPN tunnel, and everything works.
The problem we have is when the system starts. As there are no technicians at the remote office, everything is started at the same time. Unfortunately, the WRAP is up when the Linksys is still starting, and the ADSL connection is not working. So the NTP daemon is not able to sync, the WRAP reports the date as 01/01/00, the OVPN tunnel is not working (invalid certificate) and I have to fix it manually.
Sometimes when I tell them to take the WRAP up and down (the Linksys is up and working) the system works, but sometimes I have to connect, force an NTP sync, open the OVPN page, force a connection, and the system starts. Obviously this is not a professional setup.
I thought that OVPN had a reconnect feature (and it looks like it does, from what we saw in the log messages), but if I leave the system connected to the internet for a whole day the NTP daemon and the OVPN connection are not working.
We are working on a script that checks NTP and restarts NTPD if needed, and checks OVPN and restarts it if needed, but this means modifying the system manually. I don't like it.
- How can I have the time synchronized not only at startup?
- Is there a way to have the system come up with some setup done via the GUI?
Thanks in advance
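The restart script described in the question (check NTP, restart ntpd if needed, check the tunnel, restart OpenVPN if needed) can be written as a small watchdog. The script below is an added illustration, not the poster's own script or anything shipped by pfSense. Everything in it is an assumption for the example: the function names, the tunnel interface `TUN_IF`, the address `REMOTE_LAN_HOST` reachable only through the tunnel (a TEST-NET-1 placeholder), the `MIN_YEAR` floor used to detect a clock that was never set, and the two restart commands, which use pfSense's `pfSsh.php playback svc` helper and must be adapted to the pfSense version in use. The checks come first and the restarts are ordered so that OpenVPN is only restarted once the clock is right, since certificate validation fails on a box that still believes it is 01/01/00.

```shell
#!/bin/sh
# Added example watchdog for a pfSense OpenVPN client whose uplink comes up
# late. Not the thread's own script; every value below is an assumption.
set -u

TUN_IF="${TUN_IF:-tun0}"                          # placeholder tunnel interface
REMOTE_LAN_HOST="${REMOTE_LAN_HOST:-192.0.2.1}"   # placeholder host behind the tunnel
MIN_YEAR=2005                                     # anything earlier: clock was never set
# Restart commands: assumed pfSense helper, adjust to your version/instance.
NTP_RESTART_CMD="${NTP_RESTART_CMD:-/usr/local/sbin/pfSsh.php playback svc restart ntpd}"
OVPN_RESTART_CMD="${OVPN_RESTART_CMD:-/usr/local/sbin/pfSsh.php playback svc restart openvpn client 1}"

# Return 0 if the year given as $1 looks like a real date. A WRAP that never
# reached an NTP server boots with its clock at 01/01/00.
clock_sane() {
    [ "$1" -ge "$MIN_YEAR" ]
}

# Read `ntpq -pn` output on stdin; return 0 only if some peer is marked '*',
# i.e. ntpd has selected a system peer and is actually synchronized.
ntp_synced() {
    grep -q '^\*'
}

# Read `ifconfig <if>` output on stdin; return 0 if the interface carries an
# IPv4 address. OpenVPN configures the tun address only while the tunnel is up.
has_inet_addr() {
    grep -q '^[[:space:]]*inet '
}

# Live checks wrap the parsers above with the real commands.
check_ntp() {
    clock_sane "$(date +%Y)" && ntpq -pn 2>/dev/null | ntp_synced
}
check_tunnel() {
    # FreeBSD ping: -t is the overall timeout in seconds (on Linux use -W).
    ifconfig "$TUN_IF" 2>/dev/null | has_inet_addr &&
        ping -c 1 -t 5 "$REMOTE_LAN_HOST" >/dev/null 2>&1
}

# One pass: restart only what is broken, clock first. Returns 0 when all is
# well, 1 when something was restarted. Run it from cron every few minutes.
watchdog_pass() {
    if ! check_ntp; then
        logger -t vpn-watchdog "ntpd not synchronized, restarting it"
        $NTP_RESTART_CMD
        return 1
    fi
    if ! check_tunnel; then
        logger -t vpn-watchdog "OpenVPN tunnel down, restarting client"
        $OVPN_RESTART_CMD
        return 1
    fi
    return 0
}

case "${1:-}" in
    run) watchdog_pass ;;
esac
```

Invoke it as `sh vpn-watchdog.sh run` from a cron entry. The parsers take their input on stdin so they can be exercised with captured `ntpq -pn` and `ifconfig` output without touching the live system.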
Cry Havok last edited by
A less technical solution, but you can buy power strips that will switch devices on in a chosen order with the delays you decide. It may be worth investing in one of those, to ensure that the ADSL router has the time to come up.
Alternatively, encourage them to not switch the ADSL router off every night ;)
Yep all you need is a time delay relay which you can set to turn the unit on xx minutes after power is applied. If you want to do this for cheap you can buy yourself a project box at RadioShack, hack a power cord in half, and wire in a relay such as the below. You leave the neutral and ground wires alone and just cut the hot, crimp on quick connect terminals, and push them onto the relay. This should cost you around $25 per unit complete.
I thank you very much for the hardware suggestions; for now I have a human relay, as stated in the first email (my users are a little accustomed to manually restarting the system when the Italian power provider (ENEL) decides that we should use candlelight….) ;)
What I mean is that NTP & OVPN must have a restart system. OVPN has a "ping restart" switch, which we tried without results, and which we put in the box for custom commands in OVPN. Perhaps not the right place?
The same for the NTP daemon: if the time reference is not available the first time, I don't think that a retry could harm (a retry every X minutes, for ex.)
When we tried, we believed that there was a retry system in the pfSense OVPN setup, but we were not able to get it working.
Someone with better experience could help?
Cry Havok last edited by
However, a clean (and common) solution is to simply arrange for the pfSense host to be powered up N minutes after the ADSL router/modem, which is what we're suggesting. Building a list of services that need restarting, while a fully-featured solution, isn't likely to be trivial (you need to build a full dependency list for a start) and I'd suspect that you'd need to raise a bounty for such work.
As for the OpenVPN config, if you SSH onto the pfSense host and look in /var/etc you'll find a file called something like openvpn_client0.conf. If the connect-retry option is set you'll find it there. If it isn't then you'll need to provide it in the "Custom options" field of the OpenVPN client config. Note that this only works for TCP clients (as detailed in the OpenVPN man page).
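To see which of the reconnect-related options are actually present in the generated config before typing anything into "Custom options", the following added script (not from the thread, not part of pfSense) reads a client config and lists the options it lacks, then prints suggested lines for the custom-options field. It assumes the `/var/etc/openvpn_client<N>.conf` layout mentioned above; the option names come from the OpenVPN manual, but the suggested values (10 s retry, 10 s ping, 60 s ping-restart) are example figures to tune, and the sample config embedded at the bottom is constructed for the demo. As the thread notes, `connect-retry` is the TCP-client knob; the `ping`/`ping-restart` pair is what tears down and redials a dead UDP tunnel, and `resolv-retry infinite` keeps the client retrying when DNS is not yet reachable at boot.

```shell
#!/bin/sh
# Added example: audit a generated OpenVPN client config for the options that
# let a client survive an uplink that is not ready at boot. Not pfSense code.

# Options checked (names from the OpenVPN manual):
#   resolv-retry   keep retrying DNS resolution of the server name
#   connect-retry  seconds between reconnect attempts (TCP clients)
#   ping / ping-restart  keepalive that tears down and redials a dead tunnel
#   persist-key / persist-tun  keep keys and the tun device across restarts
WANTED="resolv-retry connect-retry ping ping-restart persist-key persist-tun"

# Read a config on stdin; print the names of wanted options that are absent,
# one per line. Comment lines (';' or '#') are ignored. The option word is
# matched whole so that 'ping-restart 60' does not count as 'ping'.
missing_options() {
    cfg=$(sed -e 's/^[[:space:]]*//' -e '/^[;#]/d')
    for opt in $WANTED; do
        printf '%s\n' "$cfg" | grep -qE "^$opt"'([[:space:]]|$)' || printf '%s\n' "$opt"
    done
}

# Example values for a missing option (assumed figures; tune to the link).
suggested_value() {
    case "$1" in
        resolv-retry)  echo "resolv-retry infinite" ;;
        connect-retry) echo "connect-retry 10" ;;
        ping)          echo "ping 10" ;;
        ping-restart)  echo "ping-restart 60" ;;
        persist-key|persist-tun) echo "$1" ;;
    esac
}

# Read a config on stdin; print the lines to paste into "Custom options".
custom_lines() {
    missing_options | while read -r opt; do suggested_value "$opt"; done
}

# Same, for a config file given as $1 (e.g. /var/etc/openvpn_client0.conf).
custom_options_for() {
    custom_lines < "$1"
}

# Constructed sample of a generated client config, used by the demo only.
SAMPLE_CFG='dev tun
proto udp
client
remote vpn.example.net 1194
ping 10
ping-restart 60
persist-key
; persist-tun
ca /var/etc/openvpn_client0.ca'

case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_CFG" | custom_lines ;;
    audit) custom_options_for "$2" ;;
esac
```

`sh ovpn-audit.sh demo` runs it against the embedded sample, where `persist-tun` is commented out and so is reported as missing; `sh ovpn-audit.sh audit /var/etc/openvpn_client0.conf` runs it against a real file. An option that the pfSense GUI already writes into the file need not be repeated in "Custom options"; only the lines the script prints are missing.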