Messages

1

Virtual private networks / Re: Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 03:06:00 pm »

I love the DCO feature, it gives our users close to wire speed performance. It's rather strange, we have weeks of stable operations with hundreds of simultaneous users. But we're on to something. I'll let you know as soon as we found a reliable way to reproduce the issue.

2

Virtual private networks / Re: Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 02:59:47 pm »

I think that we found a way to maybe reproduce it. But we're still investigating. Does it make sense to open a new issue on github and supply information? Or is there already an open issue that we should refer to?

3

Virtual private networks / Re: Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 02:33:31 pm »

Correct. The process dies and there's a message "DCO interface closing".

4

Virtual private networks / Re: Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 02:21:29 pm »

BTW: I think I found a message in the logs which occurs right before the OpenVPN process crashes:

Code: [Select]

Failed to set key: No such file or directory (errno=2)

5

Virtual private networks / Re: Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 10:52:28 am »

Yes, I'm using the new instances. I'll send feedback ASAP.

6

Virtual private networks / Re: Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 10:45:07 am »

I can't reproduce the failure of the OpenVPN process but if it happens again, I'll give it a try. Thanks for the hint. I'll give feedback as soon as it happened again.

Quick question regarding the ID for restarting the process: it's the one that looks like a long hex UUID, right?

7

Virtual private networks / Re: Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 10:22:56 am »

Hi Franco,

if

# /usr/local/sbin/pluginctl -s openvpn restart YOURIDHERE

is the same as restarting the OpenVPN service from the UI, it indeed doesn't work. The logs say that it can't be restarted because the device ovpns2 already exists. Thats the reason why we do an "ifconfig ovpns2 destroy" first. However, we're completely unsure what's actually going wrong. No logs indicate what the trouble is. The process basically dies without letting us know what's wrong.

8

Virtual private networks / Reliably restart OpenVPN service via CLI

« on: November 11, 2024, 07:03:14 am »

Dear all,

I have some inexplicable occasional crashes of the OpenVPN service. Unfortunately it can't simply be reloaded via the web UI because the tunnel device is already existing (ovpnsX). I'm checking the process via Monit which works fine. I want to use a small shell script to remove the interface and restart the service:

Code: [Select]

#!/bin/sh
/sbin/ifconfig ovpns2 destroy
/usr/local/sbin/pluginctl -s openvpn start 2
However, it looks to me like the last command doesn't do anything. My question is: what's the correct command to stop / start an OpenVPN process?

9

Virtual private networks / Re: Advanced configuration on new openVPN instances

« on: April 22, 2024, 06:53:01 am »

Yes: Do it differently. 

Joking aside, there're good reasons to not use "client-connect" scripts for OpenVPN. For one, OpenVPN is single-threaded and using a client-connect script will freeze traffic for all (!) connected clients until the script returns / terminates. The impact is low for up to 10 clients but for more clients the impact is 100% notable and gets really annoying for more than that, especially if the script runs for ~1s or more. Clients experience packet losses / interrupted streams etc..

A good approach that doesn't involve putting stuff on the OPNsense box itself is using the API: https://docs.opnsense.org/development/api/core/openvpn.html you can get all the information you need from the API and it's reasonably quick. I use the core/openvpn endpoint for a similar scenario and it works like a charme.

10

Virtual private networks / Re: OpenVPN: I can't connect to the Internet with active Connection on client

« on: February 12, 2024, 12:05:11 pm »

That's interesting. Is this a NAT issue by any chance so that a packet coming from a VPN client is not NAT'ed by the firewall (and in turn this would cause packets not being able to return to the client)?

EDIT: Can you post the firewall rules showing that all traffic going out to the internet is directed to the WANGWGROUP (or whatever name you gave it)? Maybe the VPN client network is missing?

11

Virtual private networks / Re: OpenVPN: I can't connect to the Internet with active Connection on client

« on: February 12, 2024, 10:36:08 am »

I'm not a multi-WAN expert but I think it's unlikely that this is the issue if the routing itself is working for your local network because redirecting the gateway should simply tell the clients to tunnel everything to the gateway and the routing table on the gateway itself decides what to do with the packets. Have you checked the box's firewall logs to find out whether VPN traffic to the outside world is discarded? If the gateways are properly redirected, the firewall may be the culprit.

12

Virtual private networks / Re: Questions to Migrate OpenVPN Servers legacy to Instances New

« on: February 08, 2024, 03:41:17 pm »

Yes, that seems to be the case. You can't select an interface but only add an IP. As a workaround you can leave this empty and have it bind to all interfaces and set up firewall rules that only allow access via WAN. I'm not sure what the design decision is behind not being able to select an interface but I suspect it has something to do with dynamic IPs on interfaces (e. g. if there's no fixed WAN IP).

13

Virtual private networks / Re: Advanced configuration on new openVPN instances

« on: February 08, 2024, 10:51:30 am »

There's no way to set this option in a server instance and I also wouldn't recommend it. Can you share what you're trying to do with the script? Maybe there's an easy workaround.

14

Virtual private networks / Re: istance openvpn question

« on: February 08, 2024, 09:35:50 am »

From what I can tell, you can't set this. That being said, you can retrieve all of the data contained in the logs via the OPNsense API: https://docs.opnsense.org/development/api/core/openvpn.html
The API is very easy to use and can be accessed securely with a user that only has privileges to read the openvpn API. Can you let us know what data you need to access?

15

Virtual private networks / Re: OpenVPN: I can't connect to the Internet with active Connection on client

« on: February 08, 2024, 09:24:08 am »

Have you selected "default" and/or "ipv6 (default)" under the Redirect Gateway option when configuring the server instance?