Bug #7053

OpenVPN Client Specific Overrides - GUI Omissions and Errors

Added by Greg Siemon about 2 months ago. Updated 10 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 12/30/2016
Due date:
% Done: 100%
Affected version: 2.3.2
Affected Architecture:

Description

The OpenVPN Client Specific Overrides page under OpenVPN settings only has a single Tunnel Network field. In fact this field seems to be for an IPv4 address. There is currently no way to set up an IPv6 Tunnel Network without resorting to the advanced config fields. There should be separate IPv4 and IPv6 Tunnel Network fields as per the OpenVPN Server and Client setup pages.

Additionally, the descriptions on each of the fields under Tunnel Settings - Remote Networks could be clearer.

IPv4 Remote Networks
These are the IPv4 networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.
NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.
This should say "the server", not "this client", as the Remote Networks specified here are local to the client. The Local and Remote networks are from the Server's perspective, not the client's. Maybe a short note to explain this would help to understand what to do here.

Similarly for IPv6 Remote Networks. The description also incorrectly refers to IPv4 and should be changed to IPv6.

Associated revisions

Revision e10a9781
Added by Jim Pingle about 2 months ago

Fix IPv4/IPv6 copy paste error in OpenVPN client-specific overrides. Ticket #7053

Revision 6bb91e08
Added by Jim Pingle about 2 months ago

Fix IPv4/IPv6 copy paste error in OpenVPN client-specific overrides. Ticket #7053

Revision 55e0a1a0
Added by Jim Pingle about 2 months ago

Fix IPv4/IPv6 copy paste error in OpenVPN client-specific overrides. Ticket #7053

Revision b6dd335e
Added by Jim Pingle about 2 months ago

Fix up OpenVPN CSC page help text, add IPv6 tunnel network. Fixes #7053

History

#1 Updated by Jim Pingle about 2 months ago

The wording of IPv4 Remote Networks is correct. The box defines a client-side network ("routed to this client") for iroute so the server knows how to reach it. Changing that to "the server" would be incorrect as that does not control routing to server-side networks, it controls routing to client-side networks.

The copy/paste error in IPv6 Remote Networks does need to be fixed, and adding the IPv6 tunnel network should be fairly easy though.

#2 Updated by Jim Pingle about 2 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.4.0

OpenVPN 2.4 makes it more obvious that you can't mix static IPv4 in an override with dynamic IPv6, so there is a greater need for that box on pfSense 2.4 since we switched.

Dec 30 10:42:05     openvpn     11654     jimp/198.51.100.6:4919 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then.

#3 Updated by Greg Siemon about 2 months ago

Jim Pingle wrote:

The wording of IPv4 Remote Networks is correct. The box defines a client-side network ("routed to this client") for iroute so the server knows how to reach it. Changing that to "the server" would be incorrect as that does not control routing to server-side networks, it controls routing to client-side networks.

Apologies if I am misunderstanding, but I can only get the VPN to pass traffic if I specify the Remote Networks as the ones local to the Client (i.e. remote from the server's perspective). Similarly, the Local Networks box needs to have the networks that are local to the Server (i.e. remote from the client's perspective). Hence the description seems to not match the intended data.

#4 Updated by Jim Pingle about 2 months ago

All of the settings are from the perspective of the server, even the override. The descriptions reflect this; they do not imply the opposite. They are settings for the client, but in the context of the server side. "Local" is local to the server, "Remote" is remote to the server (as in on the client side).
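
An added example, not part of the ticket or of pfSense's code: a small Python lint that checks one client-specific override against the server configuration for the two conditions discussed in this thread, an iroute with no covering server-side route and a static ifconfig-push without ifconfig-ipv6-push on a server that assigns IPv6 from a pool. The function names are hypothetical, and the sample configs and documentation-range addresses are constructed.

```python
import ipaddress

def parse(text):
    """Return (directive, args) pairs from OpenVPN config text, skipping comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out

def networks(conf, v4_name, v6_name):
    """Collect networks from 'name net [mask]' (IPv4) and 'name net/bits' (IPv6)."""
    nets = []
    for name, args in conf:
        if name == v4_name and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{args[0]}/{mask}"))
        elif name == v6_name and args:
            nets.append(ipaddress.ip_network(args[0]))
    return nets

def lint_override(server_text, ccd_text):
    """Check one client-specific override against its server configuration."""
    server, ccd = parse(server_text), parse(ccd_text)
    findings = []
    # "Remote" is remote to the server: each iroute needs a server-side route.
    routes = networks(server, "route", "route-ipv6")
    for net in networks(ccd, "iroute", "iroute-ipv6"):
        if not any(net.version == r.version and net.subnet_of(r) for r in routes):
            findings.append(f"iroute {net} has no covering route on the server")
    names = {name for name, _ in ccd}
    pool = any(n in ("ifconfig-ipv6-pool", "server-ipv6") for n, _ in server)
    if pool and "ifconfig-push" in names and "ifconfig-ipv6-push" not in names:
        findings.append("ifconfig-push set without ifconfig-ipv6-push")
    return findings

# Constructed sample input (not taken from the ticket).
SERVER = """
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:8::/64
route 10.20.0.0 255.255.255.0      # client-side LAN, as seen from the server
"""
CCD = """
ifconfig-push 10.8.0.50 255.255.255.0
iroute 10.20.0.0 255.255.255.0
iroute-ipv6 2001:db8:20::/64
"""

if __name__ == "__main__":
    print("\n".join(lint_override(SERVER, CCD)))
```
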

#5 Updated by Greg Siemon about 2 months ago

I think I understand why the text under Remote networks is written the way it is now. Apologies for the misunderstanding.

#6 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#7 Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to Resolved

#8 Updated by Jim Pingle 10 days ago

  • Target version changed from 2.4.0 to 2.3.3
