Regression #12884
closed
OpenVPN status display for TAP mode services shows peer-to-peer instead of client list in certain cases
100%
Description
Problem: The webConfigurator OpenVPN status shows our TAP-mode "Remote Access (SSL/TLS + User Auth)" VPNs as peer-to-peer, when it should be displaying the list of connected clients. This affects both dashboard widget and Status|OpenVPN. Appears to have been introduced between pfSense Plus 21.05.2 and 22.01. Observed on Netgate 1541 hardware.
Expected behaviour (observed up to 21.05.2): As per attached screenshot from a pfSense Plus 21.02.2 device (different device but same VPN config approach), the TAP-mode service appears as a separate table, showing connected usernames and assigned IPs. We also see this behaviour on 21.05.2.
New behaviour (observed in 22.01): As per attached screenshot from a pfSense Plus 22.01 device, the section "Peer to Peer Server Instance Statistics" is present instead of the expected list of usernames/IPs.
Example sanitised config.xml extract attached as well. This was first observed when upgrading a device to 22.01 without changing the VPN config; I've just grabbed an extra screenshot from an older device to illustrate the previous behaviour.
Other observations:
Having looked at other bug reports etc., I think it's probably been introduced as part of this change:
https://redmine.pfsense.org/issues/12232
https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/6c3bfb7322105ea0ab6f0fa30a8f63787afbb76e/diff/src/etc/inc/openvpn.inc
The OpenVPN management socket still correctly reports connected users if queried directly through a shell connection (this using the logic from the openvpn_get_server_status function in that openvpn.inc file):
[22.01-RELEASE][admin@hostname]/root: nc -U /var/etc/openvpn/server4/sock >INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info status 2 TITLE,OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 13 2022 TIME,2022-02-26 15:28:10,1645849690 HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher CLIENT_LIST,username,192.0.2.103:44116,203.0.113.10,,6218,8916,2022-02-26 15:27:46,1645849666,username,2,0,AES-128-GCM HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t) ROUTING_TABLE,aa:bb:cc:dd:ee:ff@0,username,192.0.2.103:44116,2022-02-26 15:28:01,1645849681 GLOBAL_STATS,Max bcast/mcast queue length,1 END exit
Also just to explain the reasoning behind the configuration: We're using the TAP-mode service to bridge clients into a specific VLAN; the pfSense device has a physical connection but no assigned IP address. Clients get assigned an IP address by the OpenVPN service, but need to use a different device for the gateway after they're bridged into the VLAN. We need a custom server-bridge command to assign the custom gateway. We originally tried with an IP address assigned on the pfSense interface and using more of the built-in server bridge options, but that approach always assigned the pfSense interface IP as the gateway for clients.
Files
Related issues
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by 
