Red Square in /ui/core/hasync_status on OpenVPN instances but sync seems fine

[Zugschlus]

Hi,
I have a cluster of two OPNsense machines running 25.1.10 (I know, later). I have two OpenVPN instances configured. The OpenVPN instances seem to sync fine, so do the associated certificates seem to sync just fine. But in /ui/core/hasync_status, the two OpenVPN instances show a red square where all other services have a green arrow:
You cannot view this attachment.
That doesn't look nice. What is going on here and how can I make those two pieces of red vanish?
Greetings
Marc Haber

[Patrick M. Hausen]

Did you explicitly specify the bind address for the instance as the CARP address on WAN? In that case the service cannot start on the standby until a failover happens. That's what the UI is telling you. Not "broken", just "stopped".

If you leave the bind address empty, everything should be green.

The HA implementation is pretty straightforward and does in general not mess with e.g. reconfiguring services on failover. The upside is it is really robust and easy to understand and debug.

Services should generally listen to INADDR_ANY (0.0.0.0) for robust binding to a socket and leave it to firewall rules to control accessability on various interfaces.

If that bothers you, I suggest binding OpenVPN to 127.0.0.1 and using NAT port forwarding from the WAN CARP address to that one.

[Zugschlus]

Did you explicitly specify the bind address for the instance as the CARP address on WAN?

I first though "of course, Idiot Me", but I didn't.

You cannot view this attachment.

Any other ideas?

By the way, your additional input that I didn't quote was wildly helpful for me to understand OPNsense's philosophy. Appreciated.

Greetings
Marc

[Patrick M. Hausen]

And if you click on the obvious "start" button, nothing changes?

Then it's time to check the logs on the standby, I guess, for why the services fail to start.