Bug #12232
closed
OpenVPN status incorrect for TAP servers without a defined tunnel network
100%
Description
Creating an OpenVPN server TAP mode without specifying the IPv4 Tunnel Network will result in the Status>OpenVPN page not showing Client Connections. pfSense as a client on the other end of this tunnel will show that it is connected and traffic will pass successfully, but the server Status page doesn't see the connected client.
The settings I'm using to recreate it are:
UDP4 (1196)
Mode: Peer to Peer ( SSL/TLS )
Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
Digest: SHA256
D-H Params: 2048 bits
2.5.2-RELEASE (amd64)
built on Fri Jul 02 15:33:00 EDT 2021
FreeBSD 12.2-STABLE
Files
| openvpn-config-tap-server-test.xml (2.23 KB) openvpn-config-tap-server-test.xml | |||
| tap-server-status.png (16.8 KB) tap-server-status.png | |||
| tap-client-status.png (20.9 KB) tap-client-status.png |
Related issues
Updated by Kris Phillips over 3 years ago
I'm not able to reproduce this bug on 21.05.1. This may be a CE-only issue as I can see a status page in TAP mode on both the server and the client without an IPv4 tunnel network specified.
Updated by Jim Pingle over 3 years ago
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
- Target version set to 2.6.0
- Plus Target Version set to 21.09
I can reproduce it here using the settings from the XML file already attached on the issue.
Client shows connected, server shows 0 connections.
I'll check it out.
Updated by Jim Pingle over 3 years ago
When in tap mode with an empty tunnel network, OpenVPN puts the tunnel into "point-to-point" mode which behaves like a static key tunnel or one with a subnet mask like /31 or /30. Basically it only allows one client even though it's SSL/TLS, so it isn't actually in "server" mode since the "server" directive requires a subnet on the interfafce.
I made some adjustments to the code to detect this case and now the status is properly reflected.
Updated by Jim Pingle over 3 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 6c3bfb7322105ea0ab6f0fa30a8f63787afbb76e.
Updated by Max Leighton over 3 years ago
- Status changed from Feedback to Resolved
Tested on:
2.6.0-DEVELOPMENT (amd64)
built on Thu Aug 12 01:16:53 EDT 2021
FreeBSD 12.2-STABLE
Looks good. I see the client status on the server now. Marking the ticket resolved.
Updated by Jim Pingle about 3 years ago
- Subject changed from TAP server doesn't show client connection without tunnel IP configured to OpenVPN status incorrect for TAP servers without a defined tunnel network
Updating subject for release notes.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Viktor Gurov over 2 years ago
- Related to Regression #12884: OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases added