Bug #12925

closed

FQDN in network alias is omitted from OpenVPN networks list

Added by Adrien Carlyle over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version:
Affected Architecture: amd64

Description

I implemented this new feature (https://redmine.pfsense.org/issues/2668) on our OpenVPN server but have noticed some odd behavior.

On the configuration hint for IP Networks Aliases it says "Hostnames (FQDNs) may also be specified, using a /32 mask for IPv4 or /128 for IPv6".
If I add a hostname with a /32, I can see the relevant IP added to the alias if I look at Diagnostics -> Tables, but any entries using FQDN are excluded from the OS routing table updates when the client connects (Windows 11).

If I instead put in the IP address with a /32, I can no longer see the entry in the tables list, but OpenVPN updates the routing table as expected.


Related issues

Related to Regression #12984: OpenVPN causes Crash Reports in the GUI (Resolved, Viktor Gurov)

Actions #1

Updated by Viktor Gurov over 2 years ago

  • Assignee set to Viktor Gurov
Actions #2

Updated by Jim Pingle over 2 years ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from OpenVPN to OpenVPN
  • Status changed from New to Pull Request Review
  • Target version set to 2.7.0
  • Affected Plus Version deleted (22.01)
  • Plus Target Version set to 22.05
Actions #3

Updated by Adrien Carlyle over 2 years ago

Viktor Gurov wrote in #note-1:

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/667

That was fast!

Any chance this is something that I'm able to test on our production system?

Actions #4

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Viktor Gurov over 2 years ago

Adrien Carlyle wrote in #note-3:

Viktor Gurov wrote in #note-1:

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/667

That was fast!

Any chance this is something that I'm able to test on our production system?

You can install the System Patches package:
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

and apply patch id 60c0b333c7ee5b951ad659a42693a1070a762ec1 to test this fix.

Actions #6

Updated by Adrien Carlyle over 2 years ago

I applied the patch and rebooted the system. There is no change in behavior.

Is there anything I can run on the appliance and provide to you to assist in tracking this down?

Actions #7

Updated by Viktor Gurov over 2 years ago

Adrien Carlyle wrote in #note-6:

I applied the patch and rebooted the system. There is no change in behavior.

Is there anything I can run on the appliance and provide to you to assist in tracking this down?

It looks like it can't resolve FQDNs on boot.
Does it work as expected after clicking the "save" button on the OpenVPN server configuration page?

Actions #8

Updated by Adrien Carlyle over 2 years ago

I just noticed that this now shows in my OpenVPN client log when I try to connect while an FQDN entry is present in the alias.

2022-03-10 14:12:27 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]

Actions #9

Updated by Adrien Carlyle over 2 years ago

I tracked this down: the FQDN entry isn't being resolved and passed to OpenVPN with a /32 mask.

This is an FQDN/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 20.106.150.151 MASK 0.0.0.0 10.201.254.1
2022-03-10 14:30:01 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
2022-03-10 14:30:01 Route addition via service failed

This is an IP/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 52.179.208.82 MASK 255.255.255.255 10.201.254.1
2022-03-10 14:30:01 Route addition via service succeeded
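
The two log excerpts above differ only in the mask: the host address pushed with `MASK 0.0.0.0` is rejected, the one with `MASK 255.255.255.255` is installed. As an added example (not part of the original thread, and not pfSense or OpenVPN code), this Python sketch audits an OpenVPN Windows client log for pushed routes whose destination and mask are inconsistent. The function names are hypothetical; the first five sample lines are the ones quoted in the thread and the last one is constructed.

```python
import ipaddress
import re

# First five lines are quoted from the thread; the last line is constructed.
SAMPLE_LOG = r"""
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 20.106.150.151 MASK 0.0.0.0 10.201.254.1
2022-03-10 14:30:01 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
2022-03-10 14:30:01 Route addition via service failed
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 52.179.208.82 MASK 255.255.255.255 10.201.254.1
2022-03-10 14:30:01 Route addition via service succeeded
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 10.50.0.0 MASK 255.255.0.0 10.201.254.1
"""

ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)", re.IGNORECASE)
RESULT_RE = re.compile(r"Route addition via service (failed|succeeded)")


def check_route(dest, mask):
    """Return None if dest/mask form a valid IPv4 route, else a reason string."""
    try:
        d = int(ipaddress.IPv4Address(dest))
        m = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return "unparseable address or mask"
    host_bits = m ^ 0xFFFFFFFF            # bits NOT covered by the mask
    if host_bits & (host_bits + 1):       # host bits must look like 0..01..1
        return "non-contiguous mask"
    if d & host_bits:                     # e.g. a host address with MASK 0.0.0.0
        return "destination has bits set outside the mask"
    return None


def audit(log_text):
    """Pair every 'route.exe ADD' line with its validity and the client's result."""
    routes = []
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            dest, mask, gw = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "problem": check_route(dest, mask), "installed": None})
        elif routes and (r := RESULT_RE.search(line)):
            routes[-1]["installed"] = r.group(1) == "succeeded"
    return routes


if __name__ == "__main__":
    for route in audit(SAMPLE_LOG):
        print(route)
```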

Actions #10

Updated by Viktor Gurov over 2 years ago

  • Status changed from Feedback to New

Adrien Carlyle wrote in #note-9:

I tracked this down: the FQDN entry isn't being resolved and passed to OpenVPN with a /32 mask.

This is an FQDN/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 20.106.150.151 MASK 0.0.0.0 10.201.254.1
2022-03-10 14:30:01 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
2022-03-10 14:30:01 Route addition via service failed

This is an IP/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 52.179.208.82 MASK 255.255.255.255 10.201.254.1
2022-03-10 14:30:01 Route addition via service succeeded

Thanks for testing!

fix is ready:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/677

Actions #11

Updated by Adrien Carlyle over 2 years ago

Thanks for the quick fix. Let me know when the patch is updated and I'll re-apply and verify.

Actions #12

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review
Actions #13

Updated by Adrien Carlyle over 2 years ago

Does the original patch get updated or would I need to apply a second or different one to test for you all?

Actions #14

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback
Actions #15

Updated by Viktor Gurov over 2 years ago

Adrien Carlyle wrote in #note-13:

Does the original patch get updated or would I need to apply a second or different one to test for you all?

You need to apply patch id 065e050890508ff0c97455a6352cdb914d34ddbd after 60c0b333c7ee5b951ad659a42693a1070a762ec1.

Actions #16

Updated by Adrien Carlyle over 2 years ago

Thank you, I've just applied both and have confirmed that it is working as expected now.

Actions #17

Updated by Danilo Zrenjanin over 2 years ago

  • Status changed from Feedback to Resolved

Tested against:

2.7.0-DEVELOPMENT (amd64)
built on Thu Mar 24 06:14:56 UTC 2022
FreeBSD 12.3-STABLE

It works as expected. Marking this ticket resolved.

Actions #18

Updated by Viktor Gurov over 2 years ago

Actions #19

Updated by Jim Pingle over 2 years ago

  • Subject changed from FQDN in IP Network(s) Alias omitted from OpenVPN networks list to FQDN in network alias is omitted from OpenVPN networks list

Updating subject for release notes.
