@jwsi jwsi/issue9595.patch
Last active Sep 1, 2019

Fix OpenVPN GW Groups - pfSense 2.4.3-RELEASE-p3
From c46d0b12d606b2249f4b5305994e8c3e750634eb Mon Sep 17 00:00:00 2001
From: James Webb <james@ultra-horizon.com>
Date: Wed, 19 Jun 2019 14:12:30 +0100
Subject: [PATCH 1/2] Update openvpn.inc to allow OpenVPN instances to resync
when running on a gateway group.
Implementation now checks if OpenVPN client/server running on gateway group should resync when IP changes occur or if cables are unplugged/replugged.
---
src/etc/inc/openvpn.inc | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index ade002152a..174f44063e 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1575,21 +1575,27 @@ function openvpn_resync_all($interface = "") {
log_error(gettext("Resyncing OpenVPN instances."));
}
+ // Check if OpenVPN clients and servers are running on the correct interfaces.
if (is_array($config['openvpn']['openvpn-server'])) {
foreach ($config['openvpn']['openvpn-server'] as & $settings) {
- if ($interface <> "" && $interface != $settings['interface']) {
- continue;
+ $mode_id = "server" . $settings['vpnid'];
+ $fpath = "{$g['varetc_path']}/openvpn/{$mode_id}.interface";
+ if (file_exists($fpath)) {
+ if (trim(file_get_contents($fpath), " \t\n") != get_failover_interface($settings['interface'])) {
+ openvpn_resync('server', $settings);
+ }
}
- openvpn_resync('server', $settings);
}
}
-
if (is_array($config['openvpn']['openvpn-client'])) {
foreach ($config['openvpn']['openvpn-client'] as & $settings) {
- if ($interface <> "" && $interface != $settings['interface']) {
- continue;
+ $mode_id = "client" . $settings['vpnid'];
+ $fpath = "{$g['varetc_path']}/openvpn/{$mode_id}.interface";
+ if (file_exists($fpath)) {
+ if (trim(file_get_contents($fpath), " \t\n") != get_failover_interface($settings['interface'])) {
+ openvpn_resync('client', $settings);
+ }
}
- openvpn_resync('client', $settings);
}
}
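Review bot: In both loops the `file_exists($fpath)` test has no else branch, so an instance whose `.interface` file is missing is never passed to `openvpn_resync()`, whereas the removed code resynced it; add an else that resyncs, or state why skipping is intended. The removed `$interface` filter was also the only place these loops consulted the function's `$interface` argument, so a call made for one interface now evaluates every server and client instance; if that is deliberate, say so in the comment above the loops.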
From 614ca41e090ae4ade5df5aaa341c01992bd18137 Mon Sep 17 00:00:00 2001
From: James Webb <james@ultra-horizon.com>
Date: Sun, 1 Sep 2019 00:39:24 +0100
Subject: [PATCH 2/2] Add else clause for cases when OpenVPN interface file
does not exist.
- Prevents potential race condition at startup resulting in failure to start OpenVPN instances.
- In cases where interface file is not present the openvpn_resync function handles a restart correctly.
---
src/etc/inc/openvpn.inc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 174f44063e..e37fc3763e 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1584,6 +1584,8 @@ function openvpn_resync_all($interface = "") {
if (trim(file_get_contents($fpath), " \t\n") != get_failover_interface($settings['interface'])) {
openvpn_resync('server', $settings);
}
+ } else {
+ openvpn_resync('server', $settings);
}
}
}
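Review bot: The new else in the server loop carries no comment, and the reason for it (the interface file may not exist yet at startup) is stated only in the commit message; put a one-line comment on the branch. Both branches end in the same `openvpn_resync('server', $settings)` call, so the test could also be one condition, `!file_exists($fpath) || trim(file_get_contents($fpath), " \t\n") != get_failover_interface($settings['interface'])`, which removes the nested if.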
@@ -1595,6 +1597,8 @@ function openvpn_resync_all($interface = "") {
if (trim(file_get_contents($fpath), " \t\n") != get_failover_interface($settings['interface'])) {
openvpn_resync('client', $settings);
}
+ } else {
+ openvpn_resync('client', $settings);
}
}
}
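Review bot: The client block is now a line-for-line copy of the server block apart from the 'client' string in the `openvpn_resync()` call, so a later fix to one can easily miss the other. Move the interface-file check into a small helper that takes the mode and `$settings`, and call it from both loops.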

pfSense OpenVPN Gateway Groups Fix

Description

In pfSense 2.4.3-RELEASE-p3 (and prior versions), OpenVPN instances will fail over to lower-priority interfaces in a gateway group, but will never resync to a higher-priority interface when a more preferable interface within the gateway group comes online.

Fix Instructions

  1. Install the "Patches" package from the pfSense package catalogue.
  2. Set the name of the patch to "Issue 9595".
  3. Copy and paste the issue9595.patch file into the "Patch Contents" field.
  4. Set "Path Strip Count" to 2.
  5. Set "Base Directory" to /.
  6. Check "Ignore Whitespace".
  7. Uncheck "Auto Apply".
  8. Save the patch.
  9. Fetch the patch.
  10. Test the patch.
  11. Apply the patch.