
Author Topic: OpenVPN GUI remote networks field is confusing with lots of remote networks  (Read 755 times)


robi (Hero Member, Posts: 1006, Karma: +77/-2)
It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

Why is that exactly?  Why would an alias that consisted of networks ever need to be resolved?  And why would the resolution of FQDNs in the aliases have anything to do with the VPN being up or down?  Not understanding what the two have to do with each other.

Yes, stuff in the alias table gets resolved every 5 minutes.  What would the resolution of aliases have to do with IPs and networks in an alias used for VPN remote networks?  I could see changing the alias, sure, since that would be the same as changing the remote networks currently.

If you edit the alias and save it, the VPN would have to be reset, which is counterintuitive if you don't remember that the alias is used on that VPN, for example.
Also you can use hostnames in network aliases they just get a /32 mask, so they would still have to be hooked into the same process.
And if a hostname resolved to a new address, that means the contents of the alias changed, which means that the VPN needs to be restarted to pick up the contents of the alias to use for routes.

It isn't like pf where the changes can be picked up automatically on-the-fly, since OpenVPN has to manage its own routes internally.

For such cases I would just simply put a small warning in the alias edit page: "Warning: this alias is being used in the 'name-of-the-OpenVPN-instance' OpenVPN configuration. After changing values here it is recommended to restart 'name-of-the-OpenVPN-instance'".

So I wouldn't restart any VPN automatically, just notify the user that the alias affects OpenVPN also - and let the user decide if he/she wants to restart it (to prevent interruptions for cases when pfSense itself is being managed via the OpenVPN connection).
The warning bar at the top could also be used for this after changing the alias, reminding the user that an OpenVPN restart is due, even if he/she moves away from the aliases config page.
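The mechanism the thread argues about can be made concrete in a few lines: an alias of networks and hostnames is expanded into a set of prefixes (hostnames become /32 or /128 host routes), that set is rendered as OpenVPN `route` directives which the daemon only reads at start-up, and a later re-resolution that changes the set is exactly the case where a restart, or at least the warning robi proposes, is due. The following is an added example written for this page, not pfSense code; the alias entries, the stub DNS table and the instance-to-alias mapping are constructed here for illustration, and the real pfSense alias format and resolver (filterdns) are not reproduced.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample alias: two literal entries plus one hostname. This follows
# the convention described in the thread, where a hostname inside a network
# alias is resolved and given a host mask.
SAMPLE_ALIAS = ["10.20.0.0/24", "192.0.2.8", "branch.example.net"]

# Constructed mapping of OpenVPN instance name -> aliases referenced in its
# "remote networks" field (hypothetical names, not a pfSense data structure).
OPENVPN_INSTANCES = {
    "ovpn-site-a": ["REMOTE_NETS", "OTHER_NETS"],
    "ovpn-site-b": ["OTHER_NETS"],
}


def make_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Stub resolver: a dict stands in for DNS so the example runs offline.

    In pfSense the periodic (default 5 minute) re-resolution is done by a
    separate process; here a second table simulates the result of one run.
    """
    def resolve(name: str) -> List[str]:
        return list(table.get(name, []))
    return resolve


def expand_alias(entries: List[str], resolve: Callable[[str], List[str]]) -> List[str]:
    """Expand alias entries into a sorted, de-duplicated list of CIDR strings.

    Literal addresses/networks are taken as-is; anything that does not parse
    is treated as a hostname, resolved, and each address becomes a host route
    (/32 for IPv4, /128 for IPv6).
    """
    nets = set()
    for entry in entries:
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass  # not a literal, fall through to DNS
        for addr in resolve(entry):
            nets.add(ipaddress.ip_network(addr))  # single address -> host prefix
    # Sort per address family so IPv4 and IPv6 networks are never compared directly.
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def openvpn_route_lines(networks: List[str]) -> List[str]:
    """Render the expanded alias as OpenVPN config directives.

    OpenVPN takes 'route <network> <netmask>' for IPv4 and 'route-ipv6 <prefix>'
    for IPv6. These lines are parsed when the daemon starts, which is why a
    changed alias cannot be picked up without a restart.
    """
    lines = []
    for cidr in networks:
        net = ipaddress.ip_network(cidr)
        if net.version == 4:
            lines.append(f"route {net.network_address} {net.netmask}")
        else:
            lines.append(f"route-ipv6 {net.with_prefixlen}")
    return lines


def restart_needed(previous: List[str], current: List[str]) -> bool:
    """True when the expanded set differs from what the running instance was started with."""
    return previous != current


def instances_using_alias(alias_name: str, instances: Dict[str, List[str]]) -> List[str]:
    """Which OpenVPN instances reference this alias (the basis for the proposed warning)."""
    return sorted(name for name, aliases in instances.items() if alias_name in aliases)


def alias_warning(alias_name: str, instances: Dict[str, List[str]]) -> str:
    """Build the edit-page warning text suggested in the thread, or '' if no instance uses the alias."""
    users = instances_using_alias(alias_name, instances)
    if not users:
        return ""
    names = ", ".join(f"'{u}'" for u in users)
    return (f"Warning: this alias is being used in the {names} OpenVPN configuration. "
            f"After changing values here it is recommended to restart {names}.")


if __name__ == "__main__":
    # First resolution, as used when the instance was started.
    before = expand_alias(SAMPLE_ALIAS, make_resolver({"branch.example.net": ["198.51.100.7"]}))
    print("\n".join(openvpn_route_lines(before)))
    # Five minutes later the hostname points somewhere else: same alias, new contents.
    after = expand_alias(SAMPLE_ALIAS, make_resolver({"branch.example.net": ["198.51.100.9"]}))
    print("restart needed:", restart_needed(before, after))
    print(alias_warning("REMOTE_NETS", OPENVPN_INSTANCES))
```

The contrast with pf is visible in where the data lands: a pf table alias can be refreshed in place with `pfctl -t <alias> -T replace ...` while rules keep running, whereas the `route` lines above are part of the OpenVPN process's own configuration and its internally managed routes, so a changed expansion only takes effect on the next start.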