Adding OpenVPN client/interface takes over WAN interface (bug?)



  • Today I added a new (third) OpenVPN client. Then I proceeded to interfaces to assign this newly created interface (OPT6/ovpnc). Then opened this new interface to enable. Then went to routing (System - Routing) to see if new gateway was added.

    Then I saw no new gateway was added, but the WAN_DHCP (default) gateway was now automatically linked to new created OpenVPN interface (OPT6). Did not understand. Then looked again at Interfaces - assign and saw that the new created OpenVPN interface was now automatically mapped to my physical WAN network port (emc2) with no option to remove (as I suppose you need a WAN interface) and also that a new interface (previously WAN?) could be added. That also did not make sense to me.

    Changing the interface to the correct network port did not work well. pfSense still 'thought' that my new OpenVPN interface was a WAN interface as there was no cross to "delete interface". This cross however was available with my new WAN interface.

    To solve this had to delete new WAN interface, rename OpenVPN interface to WAN interface and assign to correct physical network port and adjust WAN interface to DHCP and then recreate new OpenVPN interface (to ovpnc).


    So, in short: there seems to be a bug when you add a new OpenVPN client/interface which automatically takes over the WAN interface, which breaks the internet connection.


    Troubleshooting this issue was also problematic for me as I also had to:

    • Disable all OpenVPN clients to eliminate OpenVPN issues
    • Adjust Outgoing Network Interfaces in Resolver to all (was only assigned to OpenVPN interfaces)
    • Adjust the gateway in the "allow all LAN" rule from OpenVPN client to WAN (as "Skip rules when gateway is down" was enabled)
    • Correct (new) WAN interface to DHCP (IPv4 Configuration Type)
    • Two reboots were needed to re-assign interfaces to correct physical network port and to receive a new IP from my ISP.
    • Then had to enable all OpenVPN clients and again adjust all settings in rules, resolver, etc.

    (Currently using pfSense 2.2.5 only a few days after upgrading from 2.1.5)


  • Rebel Alliance Developer Netgate

    I've assigned OpenVPN interfaces frequently and on many firewalls and I've not seen this. Have you been able to reproduce it again?

    The only way I can see that happening is if you actually had accidentally changed the WAN interface to be one of the OpenVPN interfaces.

    You can step back through your config history (if it goes back far enough) and check diffs to see what happened.



  • I also have added and removed multiple OpenVPN interfaces before and have not seen this before. Did hesitate to post this issue, because I did expect a question if I could reproduce. But currently do not want to try reproduce, because of the risk of internet connection going offline again. Maybe later, have to schedule.

    But I am also quite sure I did not accidentally change the WAN interface to OpenVPN interfaces. The moment (described as: "Then I saw no new gateway was added, but the WAN_DHCP (default) gateway was now automatically linked to new created OpenVPN interface") I clearly remember me thinking: how is this possible, that a way to change OpenVPN in upgrade from 2.1.5 to 2.2.5, why does anybody want this to be done like this, I do not understand the purpose.

    I can PM the config history of that day if you would like?
    (I did make a total diff dump from beginning to end. Maybe something missing from the start of the day, I am not sure. Maybe there is also an easy way to create a total dump for each individual change made during the day from begin to end?)


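Added example, not part of any post in this thread and not pfSense project code: one way to follow the advice to step back through the config history, by comparing the `<interfaces>` section of consecutive saved `config.xml` revisions and listing each assignment change per revision. The sample revisions, the port names `em2` and `ovpnc3`, and the `rev1`..`rev3` labels are constructed for illustration and are not the poster's configuration.

```python
import xml.etree.ElementTree as ET

FIELDS = ("if", "descr", "ipaddr")  # per-interface settings to track

def interface_map(config_xml):
    """Return {slot: {field: value}} for the <interfaces> section of a config.xml."""
    section = ET.fromstring(config_xml).find("interfaces")
    if section is None:
        return {}
    return {slot.tag: {f: (slot.findtext(f) or "").strip() for f in FIELDS}
            for slot in section}

def assignment_changes(snapshots):
    """snapshots: chronological [(label, xml_text)]; returns one tuple per change."""
    changes = []
    for (_, old_xml), (label, new_xml) in zip(snapshots, snapshots[1:]):
        old, new = interface_map(old_xml), interface_map(new_xml)
        for slot in sorted(old.keys() | new.keys()):
            if slot not in old:
                changes.append((label, slot, "added", "", new[slot]["if"]))
            elif slot not in new:
                changes.append((label, slot, "removed", old[slot]["if"], ""))
            else:
                changes += [(label, slot, f, old[slot][f], new[slot][f])
                            for f in FIELDS if old[slot][f] != new[slot][f]]
    return changes

def wan_port_changes(changes):
    """Only the revisions where the WAN slot was pointed at a different port."""
    return [c for c in changes if c[1] == "wan" and c[2] == "if"]

def sample_config(wan_if, opt6_if=None):
    """Constructed, minimal config.xml text (not taken from the thread)."""
    opt6 = f"<opt6><if>{opt6_if}</if><descr>VPN3</descr></opt6>" if opt6_if else ""
    return (f"<pfsense><interfaces><wan><if>{wan_if}</if><descr>WAN</descr>"
            f"<ipaddr>dhcp</ipaddr></wan>{opt6}</interfaces></pfsense>")

# Constructed history: rev2 assigns the new client, rev3 swaps it with WAN.
SNAPSHOTS = [("rev1", sample_config("em2")),
             ("rev2", sample_config("em2", "ovpnc3")),
             ("rev3", sample_config("ovpnc3", "em2"))]

if __name__ == "__main__":
    for label, slot, field, old, new in assignment_changes(SNAPSHOTS):
        print(f"{label}: {slot}.{field}: {old!r} -> {new!r}")
```

To run it on real data, build the snapshot list from the saved revisions in chronological order; where those files live (commonly `/cf/conf/backup/` on pfSense) is an assumption here.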