Issue with OpenVPN not starting properly on secondary router
I'm running a testlab to evaluate the use of two dedicated carp routers with OpenOSPFd, with an additional router used as an OpenVPN Client, also running OpenOSPFd. I have OSPF and everything working properly over the VPN link, but when testing failover regarding the OpenVPN connection, I'm running into an odd issue. The OpenVPN server starts just fine on the master, but after I fail over to the secondary router, the OpenVPN server fails to start. If I then restart the secondary router, the OpenVPN service starts properly and establishes a proper connection with the 3rd router (through the secondary router) and everything works. After reconnecting the master and then disconnecting it, the OpenVPN service won't start again on the secondary router. I'm at a loss for ideas, so I figured I'd ask here.
Here's the contents of the OpenVPN Log:
Aug 18 00:27:08 openvpn: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Aug 18 00:27:08 openvpn: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Aug 18 00:27:08 openvpn: TUN/TAP device ovpns1 exists previously, keep at program end
Aug 18 00:27:08 openvpn: TUN/TAP device /dev/tun1 opened
Aug 18 00:27:08 openvpn: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Aug 18 00:27:08 openvpn: /sbin/ifconfig ovpns1 192.168.252.1 192.168.252.2 mtu 1500 netmask 255.255.255.255 up
Aug 18 00:27:08 openvpn: FreeBSD ifconfig failed: external program exited with error status: 1
Aug 18 00:27:08 openvpn: Exiting due to fatal error
When executing "/sbin/ifconfig ovpns1 192.168.252.1 192.168.252.2 mtu 1500 netmask 255.255.255.255 up" on the secondary router over ssh I get:
ifconfig: ioctl (SIOCAIFADDR): Address already in use
ifconfig doesn't show any other interfaces configured with an address in the 192.168.252.* range, so I'm unsure why it thinks the address is in use, especially when everything works on a clean boot with this router running solo. Thanks for any help in advance!
As a side note, everything else from my testing has been working great! I know that building pfSense to support carp must not have been a minor undertaking, so I appreciate all the work that you guys have done.
Make sure to have OSPF reject and not send routes for the OpenVPN interface IP addresses on both sides. Looks like the OS routing table learned a route for the OpenVPN interface IP address and it's "stuck" there in the routing table.
If you disable acceptance and distribution of routes for those addresses that won't happen.
Doesn't seem to make a difference, unfortunately. I had thought the same thing as you, and that was the reason that I stopped the OSPF process as part of my troubleshooting. Apparently it takes a while for the ospf routes to disappear from the routing table after the process is stopped, but even after that I am unable to start the openvpn process. Looking into things further, the problem is a conflict with the route for the ip address 192.168.252.2. Here's the results from the diag->routes/netstat output
192.168.252.2 link#19 UH 0 1500 ovpns1
If I'm not mistaken, if that route were propagated through OSPF, it would have the number 1 as an additional flag, yes?
This route stays persistent even when the interface is down. The only way I was able to get the openvpn service to come back online is when I destroyed the openvpn instance, which destroyed the interface and the route, and then recreated it. It looks like I'm able to get the openvpn instance to restart properly right up until I initiate a carp failover, then the instance stops and is unable to restart. I'm not an expert at the backend of freebsd routing, but if I'm not mistaken, the command "route del 192.168.252.2" should remove that route from the routing table. When I try that, I get this error:
route: writing to routing socket: Address already in use
del host 192.168.252.2 fib 0: gateway uses the same route
Let me know if you have any other suggestions. As I mentioned earlier, this is a lab environment, so I'm free to try anything at any time, fortunately. Thanks!
Any suggestions here? At this point if I can't get this running I'm looking at having to run a 3rd router without redundancy to provide the vpn link, and I'd rather not have to do that.
EDIT: Looks like it fails at the exact moment of the failover to master. The OpenVPN server appears to continue running when it is in the backup state, but as soon as it changes to master it looks like the OpenVPN service restarts and is unable to bring up the interface properly.
Have you checked that the OpenVPN Interface is the VIP and not the physical Interface?