On 6/18/09 4:36 AM, Tom wrote:

>> # start openvpn
>> #
>> if [ -x /usr/local/sbin/openvpn ]; then
>>     /usr/local/sbin/openvpn --config /opt/openvpn-2.0/server.conf &&
>>         echo 'opening openvpn server...' &
>> else
>>     echo 'ERROR: cannot start openvpn; file /usr/local/sbin/openvpn is missing.'
>> fi
>
> Don't start openvpn there. Stick it in your /etc/hostname.tunX file like so:
>
> up
> !/usr/local/sbin/openvpn --daemon openvpn --config /opt/openvpn-2.0/server.conf
>
> The reason is that when OpenVPN starts, it destroys then recreates the tun interface, which makes pf throw a wobbler.
>
> I ran into this problem too. It also made other weird stuff happen, like pfctl -vsq showing an invalid file descriptor. Sticking it in the hostname.tun* file sorts that problem out.
Thanks much. This never worked from rc.local, even though the package install says to do it that way. I always had to start OpenVPN manually after bootup.

There is a race condition with the hostname.tun0 method when boxes also use carp and pfsync. After a reboot, a box initially comes up with carp interfaces in BACKUP state. The carp interfaces will quickly transition to MASTER state if they have the lowest advskew value, but before then hostname.tun0 has already tried and failed to get OpenVPN running. Here is the error log from OpenVPN:

Thu Jun 18 13:44:34 2009 OpenVPN 2.1_rc15 i386-unknown-openbsd4.5 [SSL] [LZO1] built on Mar 1 2009
openvpn: writing to routing socket: No such process
Thu Jun 18 13:44:34 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 18 13:44:34 2009 Diffie-Hellman initialized with 2048 bit key
Thu Jun 18 13:44:34 2009 TLS-Auth MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 18 13:44:34 2009 TCP/UDP: Socket bind failed on local address 10.0.0.1:53962: Can't assign requested address
Thu Jun 18 13:44:34 2009 Exiting

The (obfuscated) address of 10.0.0.1 is a problem -- that's a carp address, and at the time this is run the other carp/pfsync box owns it because it's in MASTER state. Not sure about the routing socket error on the second line.

If I manually run 'sh /etc/netstart tun0' after the carp interfaces come up as MASTER all is good, but that's no better than starting manually as before.

Thanks in advance for any clues on getting OpenVPN and carp/pfsync to play nice together.

> (I think this should be documented somewhere, maybe in the OpenBSD FAQ)

It certainly belongs in the package documentation, which currently suggests adding startup lines into rc.local. I can write this up once I get it working with carp/pfsync.

dn

> Tom
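One way to guard against the boot-time race described above (the OpenVPN listener binding a carp address while the interface is still BACKUP), as an added example that is not from this thread or from the OpenVPN package: parse the carp state out of ifconfig output and only start OpenVPN once the interface reports MASTER. The interface names, script path and 30-second timeout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): start OpenVPN only after the carp
# interface has become MASTER, so the listener is not bound to an address
# the other carp/pfsync box still owns. Interface names and timeout are assumed.

# Extract the carp state (MASTER, BACKUP, INIT) from ifconfig output read on
# stdin; prints NONE when the text carries no "carp:" line. Kept separate from
# the live ifconfig call so it can be exercised on captured output.
carp_state_from_ifconfig() {
    awk '/carp:/ { print $2; found = 1 } END { if (!found) print "NONE" }'
}

# State of a live carp interface, e.g. carp_state carp0
carp_state() {
    ifconfig "$1" 2>/dev/null | carp_state_from_ifconfig
}

# Poll until the carp interface reports MASTER or the timeout (seconds) expires.
# Returns 0 on MASTER, 1 on timeout.
wait_carp_master() {
    _if=$1
    _left=${2:-30}
    while [ "$_left" -gt 0 ]; do
        [ "$(carp_state "$_if")" = MASTER ] && return 0
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# Intended use from /etc/hostname.tun0, replacing the plain "!" line with a
# backgrounded call so netstart is not held up (hypothetical script path):
#   up
#   !/etc/openvpn-carp-start.sh carp0 &
# where that script calls start_openvpn_when_master "$1".
start_openvpn_when_master() {
    if wait_carp_master "$1" 30; then
        /usr/local/sbin/openvpn --daemon openvpn --config /opt/openvpn-2.0/server.conf
    else
        logger -t openvpn "carp interface $1 never reached MASTER; not starting"
        return 1
    fi
}
```

If the box stays BACKUP (the peer has the lower advskew), OpenVPN is simply not started there, which is the correct outcome while the carp address is not local.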