OpenVPN clients and resolv-retry



  • I posted this comment on RedMine https://redmine.pfsense.org/issues/3894

    I have systems where the internet somewhere goes away quite regularly. The actual pfSense WAN interface to the upstream device (ISP, whatever) is fine, so there is no link down/link up event for pfSense to see in that sense.
    OpenVPN site-to-clients time out after a bit, and then try to find their server end again. For this they try to resolve the FQDN of the server again. However the ISP issue lasts more than a few minutes, the DNS resolution fails, and with the now-default "resolv-retry 2", the OpenVPN client simply gives up and exits.
    Then there is nothing in the system to try and start it again, either when ISP internet is better, or every so often. The clients stay down.
    I have noticed this happen quite a few times recently and now realise the "resolv-retry 2" change is the reason for the new behavior. It seems odd to have a config that will simply exit in a reasonably-expected situation (DNS resolution has gone away for a few minutes) and that the client process just exits and is never restarted.
    I can select "Infinitely resolve server" and that will put things back the way they were. But it will be a hassle for lots of users to find this out after upgrading to 2.2
    But with Chris' comment above about the SIGKILL/SIGTERM stuff - if that really resolves the underlying issue, then would it be best to revert the commit of the "resolv-retry 2" stuff?

    My home system has been running 2.2-BETA with 2 site-to-site clients to 2 of our offices. While at work, my home disappears from view. I get home to find that both OpenVPN site-to-site clients have decided to give up. Seems a bit of an odd "feature" for a component like this to be able to "give up" and exit without any code that tries to bring it back to life again.

    Comments welcome.


Log in to reply