OPNsense Forum
Archive => 19.7 Legacy Series => Topic started by: netgeek on July 10, 2019, 05:18:46 am
-
After configuring an OpenVPN server, and adding the OpenVPN interface, default for IPv4 was changed to point through the OpenVPN interface, which killed everything:
root@aker:~ # netstat -rna4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 10.10.10.2 UGS ovpns1
10.0.0.0/24 10.10.10.2 UGS ovpns1
10.10.10.0/24 10.10.10.2 UGS ovpns1
10.10.10.1 link#11 UHS lo0
10.10.10.2 link#11 UH ovpns1
73.140.16.0/23 link#1 U em0
73.140.16.217 link#1 UHS lo0
127.0.0.1 link#7 UH lo0
192.168.42.0/24 link#2 U em1
192.168.42.1 link#2 UHS lo0
I disabled the OpenVPN server, and the default was pulled, but nothing replaced it:
root@aker:~ # netstat -rna4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
73.140.16.0/23 link#1 U em0
73.140.16.217 link#1 UHS lo0
127.0.0.1 link#7 UH lo0
192.168.42.0/24 link#2 U em1
192.168.42.1 link#2 UHS lo0
root@aker:~ # netstat -rna4
After a reboot, all is back to normal (OpenVPN is still turned off):
root@aker:~ # netstat -rna4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 73.140.16.1 UGS em0
73.140.16.0/23 link#1 U em0
73.140.16.217 link#1 UHS lo0
127.0.0.1 link#7 UH lo0
192.168.42.0/24 link#2 U em1
192.168.42.1 link#2 UHS lo0
This worked in 19.1.10. I upgraded that version to 19.7r1, but ran into this problem. I then reinstalled a fresh 19.7r1 and ran into the same problem. Why would the OpenVPN *server* install a default route?
-
As you can see, there is no mention of a default in my OpenVPN server config:
-
Typically OpenVPN servers are not candidates for interface assignments. Why was this done in particular?
Cheers,
Franco
-
It was assigned an interface because this box is intended to have multiple OpenVPN servers running on it and I need to be able to do firewall rules per VPN. However, right now only one VPN is configured, and there is an allow any firewall rule. The exact same config worked in 19.1.10.
-
> The exact same config worked in 19.1.10.
Sure. Things can change. That's why we do major releases. Let's keep this approachable from more than one angle please.
Do you have gateways under System: Gateways: Single? Do you have a default gateway assigned there?
Cheers,
Franco
-
I just have the DHCP gateway - nothing pointing to openvpn.
-
This only happens when I assign an interface to an openvpn tunnel.
-
Can you run this command when the OpenVPN server is assigned / default route clobbered and let us know the output?
# ls /tmp/*defaultgw*
Thanks,
Franco
-
Would you also post a screenshot of System: Gateways: Single?
-
Also, do you have System: Settings: General Option "Allow default gateway switching" enabled?
-
OK, to get this to happen I had to configure an OpenVPN server, assign an interface, and then disable/enable the server. (It doesn't happen right when the interface is assigned, but will happen on reboot or disable/enable.)
root@OPNsense:~ # ls /tmp/*defaultgw*
/tmp/em0_defaultgwv6 /tmp/ovpns1_defaultgw
-
Patch here: https://github.com/opnsense/core/commit/a9786a6be
But to be honest it looks like you didn't specify WAN_DHCP as the default gateway so what you're seeing is quite normal: a gateway will be picked by the system.
If it's not the one you want just specify it and the system will understand. ;)
Cheers,
Franco
-
I just had a similar problem after upgrading to 19.7, but with an OVPN client.
Had a few OVPN client connections set up before upgrade.
After the upgrade it picked the first active one (on port ovpnc2 - ovpnc1 is inactive) as the active gateway.
# ls /tmp/*defaultgw* showed only /tmp/ovpnc2_defaultgw
After reading this thread I checked the WAN gateway settings (under System: Gateways: Single) and its priority for GW-selection was 255, just like the OVPN gateway.
System: Settings: General Option "Allow default gateway switching" was and is disabled
When I select System: Settings: General: WAN Option "Upstream Gateway" and save&apply,
once I go back into System: Settings: General: WAN the option is deselected again.
I dropped the value for GW-selection priority for WAN to 254, and now it's the active one.
(actually I dropped it to value of 10, but after save&apply it jumped to 254 by itself)
(Just played with that, setting it to a value below 129 + save&apply - it will show 254 when going back into the GW settings -- setting 129 stays put)
Also, when in System: Gateways: Single overview, clicking on the green arrow/triangle of an enabled gateway has no effect. When hovering over it there is a text-'popup' saying 'Disable', but nothing happens when clicking.
Going into the settings for a gateway and selecting option 'Disabled' + save&apply then shows that gateway as 'Pending' in the 'Status' column of System: Gateways: Single - but the green arrow/triangle is now grey presumably indicating that it is disabled.
-
Had the exact same problem after upgrade. I use OpenVPN.
No outbound traffic after the update, and OVPN_GW was not in the System: Gateways: Single list.
Lowering the Gateway Priority of WAN_DHCP by 1 (254) solved it. Then I can turn on my OpenVPN server (VPN-OpenVPN-Servers) again and OVPN_GW appears again in the System: Gateways: Single list.
Edit: Just figured out that when I select WAN_DHCP as the default gateway (by checking Upstream Gateway), it also works. The check doesn't last however - it is gone when I check again (but everything still works)
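-
Added example, not written by any poster in this thread and not OPNsense code: a small shell check for the three routing states shown above (default route via an OpenVPN interface, no default route, default route via WAN), plus a listing of the IPv4 `*_defaultgw` files from the `ls /tmp/*defaultgw*` diagnostic. The function names are hypothetical, the `ovpns<N>`/`ovpnc<N>` pattern is taken from the interface names in the thread, and the sample routing tables are constructed from the posted output.

```shell
#!/bin/sh
# Added example, not OPNsense code: report where the IPv4 default route points.

# classify_default: read `netstat -rn4` text on stdin and print one verdict:
#   TUNNEL <if> <gw>  default route leaves via an OpenVPN interface
#   OK <if> <gw>      default route leaves via another interface
#   MISSING           no IPv4 default route present
classify_default() {
    awk '
        $1 == "default" && NF >= 4 {
            found = 1
            verdict = ($4 ~ /^ovpn[sc][0-9]+$/) ? "TUNNEL" : "OK"
            print verdict, $4, $2
        }
        END { if (!found) print "MISSING" }
    '
}

# marker_ifs DIR: print interfaces that have an IPv4 <if>_defaultgw file in
# DIR (the files listed by `ls /tmp/*defaultgw*`); v6 markers are skipped.
marker_ifs() {
    for f in "$1"/*_defaultgw; do
        [ -e "$f" ] || continue
        basename "$f" _defaultgw
    done
}

# Constructed samples: the three routing states posted in the thread.
CLOBBERED='default 10.10.10.2 UGS ovpns1
10.10.10.0/24 10.10.10.2 UGS ovpns1
73.140.16.0/23 link#1 U em0'
NO_DEFAULT='73.140.16.0/23 link#1 U em0
192.168.42.0/24 link#2 U em1'
HEALTHY='default 73.140.16.1 UGS em0
73.140.16.0/23 link#1 U em0'

for sample in "$CLOBBERED" "$NO_DEFAULT" "$HEALTHY"; do
    printf '%s\n' "$sample" | classify_default
done

# On the firewall itself (assumed usage): netstat -rn4 | classify_default
```

A `TUNNEL` or `MISSING` verdict after an OpenVPN restart or reboot corresponds to the two broken states in the first post; `marker_ifs /tmp` shows which interface currently has an IPv4 default-gateway file.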