[Solved] vpn connection drops after update

Started by Joergen, February 04, 2019, 03:08:37 PM

I can trigger the connection drop by manually executing /usr/local/etc/rc.newwanip
APU1D4 (PC Engines) with OPNsense 19.1.2
Wingo FTTH 1 Gbit/s

In my case (confirmed by ISP that WAN IP Renewal Time = 30 seconds) I get 2 VPN drops per minute.

Also the NTP service is not running: it gets a SIGTERM 15 every 30 seconds because of the rc.newwanip script.

I can confirm that it has something to do with automatic renewal of WAN. Here on my box 19.1.1 it happens every 30 minutes (13:00, 13:30 etc.), and at the same time all VPN connections are lost.
That's why the VPN drops after 0 to 30 minutes - it depends on what time you connect.

It must be something new in 19.1.

Here is my log from the box:
_______
Feb 6 13:00:06   opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Feb 6 13:00:06   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
Feb 6 13:00:06   kernel: ovpns1: link state changed to UP
Feb 6 13:00:04   kernel: ovpns1: link state changed to DOWN
Feb 6 13:00:04   opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway X.XXX.XX.XXX'
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to X.XXX.XX.XXX
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv6 default gateway set, assuming wan
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv4 default gateway set, assuming wan
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: On (IP address: X.XXX.XX.XXX) (interface: WAN[wan]) (real interface: em1).
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'em1'
______

Any ideas for solutions?

Joergen
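
The correlation described in the post above (VPN link drops following each periodic WAN renewal) can be checked mechanically. This is an added example, not part of the original post or of OPNsense; the sample log is constructed in the same format, and the year (2019) and the 10-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the format of the log above (newest entry first).
SAMPLE_LOG = """\
Feb 6 13:30:04   kernel: ovpns1: link state changed to DOWN
Feb 6 13:30:02   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'em1'
Feb 6 13:00:06   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
Feb 6 13:00:04   kernel: ovpns1: link state changed to DOWN
Feb 6 13:00:02   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'em1'
Feb 6 12:41:17   kernel: ovpns1: link state changed to DOWN
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+?):\s+(.*)$")
RENEWAL = re.compile(r"rc\.newwanip: IP renewal is starting on '(\w+)'")
LINK_DOWN = re.compile(r"^(ovpn\w+): link state changed to DOWN")

def parse(log, year=2019):
    """Return (time, tag, message) tuples, oldest first. Syslog omits the year."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])

def wan_renewals(events):
    """Times rc.newwanip started a renewal on a non-OpenVPN interface."""
    hits = ((ts, RENEWAL.search(msg)) for ts, _, msg in events)
    return [ts for ts, m in hits if m and not m.group(1).startswith("ovpn")]

def correlate(log, window=timedelta(seconds=10)):
    """For each VPN link-down: (time, iface, preceding renewal time or None)."""
    events = parse(log)
    renewals = wan_renewals(events)
    rows = []
    for ts, tag, msg in events:
        m = LINK_DOWN.match(msg)
        if tag == "kernel" and m:
            cause = next((r for r in reversed(renewals)
                          if timedelta(0) <= ts - r <= window), None)
            rows.append((ts, m.group(1), cause))
    return rows

def renewal_intervals(log):
    """Gaps between consecutive WAN renewals; a constant gap points to a timer."""
    times = wan_renewals(parse(log))
    return [b - a for a, b in zip(times, times[1:])]
```

A link-down row whose third field is `None` had no WAN renewal shortly before it and needs a different explanation than rc.newwanip.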

Is there an easy and fast way to return to 18.7?

Joergen

I think you are onto something here.
Upon renewing the WAN IP, connections get dropped, and VPN as well as dpinger and sometimes NTP die :-/

Quote from: Mr.Goodcat on February 06, 2019, 01:43:17 PM
I think you are onto something here.
Upon renewing the WAN IP, connections get dropped, and VPN as well as dpinger and sometimes NTP die :-/
It's strange. For example, I have a static IP from my ISP, but it should be requested over DHCP, and it has worked fine over the year on the 18.* series.

I'll try to check the newwanip script this evening...

According to GitHub, the last changes were 5 months ago.
I think it has something to do with the switch to HardenedBSD, but I am absolutely not a Unix guy...

Quote from: Joergen on February 06, 2019, 04:51:23 AM
Hey Mark

If you take the time to read my first post you would see it has been working fine with OTP.
I made the setup in March 2017.
The only change since then is an update of the certificates in March 2018.
I use the VPN quite often and it has always been with OTP for the extra security.
In October 2018 I was away from my country and was working remotely via VPN. At that time I had sessions of up to 10 hours via VPN - there was no problem at all - it just worked perfectly.

Just to see if there was a problem with Viscosity, I tried to connect from my Android device via OpenVPN to Android.
It's the same problem: the connection drops after some time because of inactivity in the certificate. Same message as when connecting via Viscosity. You can see the log in my first post.

So there must clearly be a bug in OPNsense.

Joergen

Hi Joergen,

I know you were using OTP all that time, I was merely trying to find a cause/solution but I don't see drops in any way on my network.
I'm not able to track anything further besides what I tried already, hope you guys find a solution soon...

About it being a bug in OPNsense, could be, but I leave that for the devs to decide.  ;)

Have a nice day, mark

Hey Mark

Thanks for the help.

Hope somebody finds out. I am not a technician.

Best regards

Joergen

What is the easiest way to downgrade?

New install of 18.x and restore config Backup?

Quote from: subivoodoo on February 06, 2019, 04:06:29 PM
What is the easiest way to downgrade?

New install of 18.x and restore config Backup?

Hi subivoodoo,

There is 'opnsense-revert'; have a look at https://wiki.opnsense.org/manual/opnsense_tools.html

Greetings, mark

I was just going to reply the same as Mark.

https://wiki.opnsense.org/manual/opnsense_tools.html?highlight=reverse

The only thing is I don't know if it's possible to reverse from 19 to 18, or if it's only possible inside the same series?

Regards

Joergen

February 06, 2019, 04:39:43 PM #27 Last Edit: February 06, 2019, 04:45:58 PM by tbandixen
I opened an issue on GitHub:
https://github.com/opnsense/core/issues/3197

February 06, 2019, 05:00:43 PM #28 Last Edit: February 07, 2019, 09:36:51 PM by Mr.Goodcat
Quote from: Joergen on February 06, 2019, 04:34:57 PM
I was just going to reply the same as Mark

https://wiki.opnsense.org/manual/opnsense_tools.html?highlight=reverse

The only thing is I don't know if it's possible to reverse from 19 to 18, or if it's only possible inside the same series?

Regards

Joergen

On my box the downgrade fails, i.e. doesn't even start properly  :(

Running on Intel CPU and NIC btw.

Update:
So far the patch seems to have fixed the issue with dropping connections and dead VPN/Dpinger/NTP. Will update tomorrow to report if it was stable throughout the night.

Update II:
Still no issues. Great!  8)

Finally... Fresh 18.7.10 setup, restored configs from backup, and I have a working router...