Bug #12232

closed

OpenVPN status incorrect for TAP servers without a defined tunnel network

Added by Max Leighton 3 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.09
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:

Description

Creating an OpenVPN server in TAP mode without specifying the IPv4 Tunnel Network will result in the Status > OpenVPN page not showing Client Connections. pfSense as a client on the other end of this tunnel will show that it is connected and traffic will pass successfully, but the server Status page doesn't see the connected client.

The settings I'm using to recreate it are:

UDP4 (1196)
Mode: Peer to Peer ( SSL/TLS )
Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
Digest: SHA256
D-H Params: 2048 bits

2.5.2-RELEASE (amd64)
built on Fri Jul 02 15:33:00 EDT 2021
FreeBSD 12.2-STABLE


Files

openvpn-config-tap-server-test.xml (2.23 KB) Max Leighton, 08/07/2021 02:28 PM
tap-server-status.png (16.8 KB) Max Leighton, 08/07/2021 02:28 PM
tap-client-status.png (20.9 KB) Max Leighton, 08/07/2021 02:28 PM
Actions #1

Updated by Kris Phillips 3 months ago

I'm not able to reproduce this bug on 21.05.1. This may be a CE-only issue as I can see a status page in TAP mode on both the server and the client without an IPv4 tunnel network specified.

Actions #2

Updated by Jim Pingle 3 months ago

  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09

I can reproduce it here using the settings from the XML file already attached on the issue.

Client shows connected, server shows 0 connections.

I'll check it out.

Actions #3

Updated by Jim Pingle 3 months ago

When in tap mode with an empty tunnel network, OpenVPN puts the tunnel into "point-to-point" mode which behaves like a static key tunnel or one with a subnet mask like /31 or /30. Basically it only allows one client even though it's SSL/TLS, so it isn't actually in "server" mode since the "server" directive requires a subnet on the interface.

I made some adjustments to the code to detect this case and now the status is properly reflected.
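The distinction described in the comment above, as an added example (not pfSense's code and not the fix applied for this ticket): it decides from a generated OpenVPN config whether the instance really runs in multi-client server mode, then parses the management `status` output in whichever of the two formats that mode produces. The function names and all sample configs and status text are constructed for illustration.

```python
import shlex

# Constructed sample inputs (not taken from the ticket's attached XML).
TAP_NO_TUNNEL = "dev-type tap\nproto udp4\nlport 1196\ntls-server\n# server 10.8.0.0 255.255.255.0\n"
TAP_WITH_TUNNEL = TAP_NO_TUNNEL + "server 10.8.0.0 255.255.255.0\n"
P2P_STATUS = ("OpenVPN STATISTICS\nUpdated,Thu Aug 12 10:00:00 2021\n"
              "TUN/TAP read bytes,1234\nTUN/TAP write bytes,5678\nEND\n")
SERVER_STATUS = ("OpenVPN CLIENT LIST\nUpdated,Thu Aug 12 10:00:00 2021\n"
                 "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\n"
                 "client1,203.0.113.5:1196,1234,5678,Thu Aug 12 09:00:00 2021\n"
                 "ROUTING TABLE\nVirtual Address,Common Name,Real Address,Last Ref\n"
                 "GLOBAL STATS\nMax bcast/mcast queue length,0\nEND\n")

SERVER_HELPERS = {"server", "server-bridge"}  # both imply "mode server"

def directives(config_text):
    """Yield (name, args) per directive, skipping blanks and #/; comments."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            yield parts[0], parts[1:]

def effective_mode(config_text):
    """'server' only when a directive enables multi-client mode, else 'p2p'."""
    for name, args in directives(config_text):
        if name in SERVER_HELPERS or (name == "mode" and args[:1] == ["server"]):
            return "server"
    return "p2p"  # OpenVPN's default when no server directive is present

def summarize_status(status_text):
    """Parse 'status' output: a client list (server) or traffic counters (p2p)."""
    lines = [l.strip() for l in status_text.splitlines() if l.strip()]
    if lines and lines[0] == "OpenVPN CLIENT LIST":
        start = next(i for i, l in enumerate(lines) if l.startswith("Common Name,")) + 1
        end = lines.index("ROUTING TABLE")
        return {"mode": "server", "clients": [l.split(",")[0] for l in lines[start:end]]}
    if lines and lines[0] == "OpenVPN STATISTICS":
        stats = dict(l.split(",", 1) for l in lines[2:] if "," in l)
        return {"mode": "p2p", "stats": {k: int(v) for k, v in stats.items()}}
    raise ValueError("unrecognized status output")

if __name__ == "__main__":
    for cfg, status in ((TAP_NO_TUNNEL, P2P_STATUS), (TAP_WITH_TUNNEL, SERVER_STATUS)):
        print(effective_mode(cfg), summarize_status(status))
```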

Actions #4

Updated by Jim Pingle 3 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Max Leighton 2 months ago

  • Status changed from Feedback to Resolved

Tested on:

2.6.0-DEVELOPMENT (amd64)
built on Thu Aug 12 01:16:53 EDT 2021
FreeBSD 12.2-STABLE

Looks good. I see the client status on the server now. Marking the ticket resolved.

Actions #6

Updated by Jim Pingle about 2 months ago

  • Subject changed from TAP server doesn't show client connection without tunnel IP configured to OpenVPN status incorrect for TAP servers without a defined tunnel network

Updating subject for release notes.
