Bug #12925
closed
FQDN in network alias is omitted from OpenVPN networks list
Added by Adrien Carlyle over 2 years ago.
Updated over 2 years ago.
Plus Target Version:
22.05
Affected Architecture:
amd64
Description
I implemented this new feature (https://redmine.pfsense.org/issues/2668) on our OpenVPN server but have noticed some odd behavior.
On the configuration hint for IP Networks Aliases it says "Hostnames (FQDNs) may also be specified, using a /32 mask for IPv4 or /128 for IPv6".
If I add a hostname with a /32, I can see the relevant IP added to the alias if I look at Diagnostics -> Tables, but any entries using FQDN are excluded from the OS routing table updates when the client connects (Windows 11).
If I instead put in the IP address with a /32, I can no longer see the entry in the tables list, but OpenVPN updates the routing table as expected.
- Assignee set to Viktor Gurov
- Project changed from pfSense Plus to pfSense
- Category changed from OpenVPN to OpenVPN
- Status changed from New to Pull Request Review
- Target version set to 2.7.0
- Affected Plus Version deleted (22.01)
- Plus Target Version set to 22.05
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
I applied the patch and rebooted the system. There is no change in behavior.
Is there anything I can run on the appliance and provide to you to assist in tracking this down?
Adrien Carlyle wrote in #note-6:
I applied the patch and rebooted the system. There is no change in behavior.
Is there anything I can run on the appliance and provide to you to assist in tracking this down?
It looks like it can't resolve FQDNs on boot.
Does it work as expected after clicking the "save" button on the OpenVPN server configuration page?
I just noticed that this now shows in my OpenVPN client log when I try to connect while an FQDN entry is present in the alias.
2022-03-10 14:12:27 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
I tracked this down: the FQDN entry isn't being resolved and passed to OpenVPN with a /32 mask.
This is an FQDN/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 20.106.150.151 MASK 0.0.0.0 10.201.254.1
2022-03-10 14:30:01 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
2022-03-10 14:30:01 Route addition via service failed
This is an IP/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 52.179.208.82 MASK 255.255.255.255 10.201.254.1
2022-03-10 14:30:01 Route addition via service succeeded
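A way to spot this failure in an OpenVPN client log, as an added example that is not part of the ticket or of pfSense/OpenVPN code: it pairs each route.exe ADD line with its result line and checks that the destination has no bits set outside the netmask, which generalizes beyond the single 0.0.0.0 case shown above. The function names are hypothetical, and the sample log is the set of lines quoted in the ticket.

```python
import ipaddress
import re

# Client log lines as quoted in the ticket (FQDN/32 entry, then IP/32 entry).
SAMPLE_LOG = r"""
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 20.106.150.151 MASK 0.0.0.0 10.201.254.1
2022-03-10 14:30:01 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
2022-03-10 14:30:01 Route addition via service failed
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 52.179.208.82 MASK 255.255.255.255 10.201.254.1
2022-03-10 14:30:01 Route addition via service succeeded
"""

ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)", re.I)
RESULT_RE = re.compile(r"Route addition via service (succeeded|failed)")

def mask_is_valid(dest, mask):
    """True if mask is contiguous and dest has no bits set outside it."""
    d = int(ipaddress.IPv4Address(dest))
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ 0xFFFFFFFF
    contiguous = (inv & (inv + 1)) == 0   # inverted mask must be 0..01..1
    return contiguous and (d & m) == d

def audit_routes(log_text):
    """Pair each pushed route with the result line that follows it."""
    routes, pending = [], None
    for line in log_text.splitlines():
        cmd = ROUTE_RE.search(line)
        if cmd:
            if pending:                    # previous route had no result line
                routes.append(pending)
            dest, mask, gw = cmd.groups()
            pending = {"dest": dest, "mask": mask, "gateway": gw,
                       "mask_valid": mask_is_valid(dest, mask), "result": None}
            continue
        res = RESULT_RE.search(line)
        if res and pending:
            pending["result"] = res.group(1)
            routes.append(pending)
            pending = None
    if pending:
        routes.append(pending)
    return routes

def missing_routes(log_text):
    """Routes that were malformed or not confirmed as installed."""
    return [f"{r['dest']} MASK {r['mask']}" for r in audit_routes(log_text)
            if not r["mask_valid"] or r["result"] != "succeeded"]

if __name__ == "__main__":
    for entry in missing_routes(SAMPLE_LOG):
        print("not installed:", entry)
```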
- Status changed from Feedback to New
Adrien Carlyle wrote in #note-9:
I tracked this down: the FQDN entry isn't being resolved and passed to OpenVPN with a /32 mask.
This is an FQDN/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 20.106.150.151 MASK 0.0.0.0 10.201.254.1
2022-03-10 14:30:01 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
2022-03-10 14:30:01 Route addition via service failed
This is an IP/32 entry:
2022-03-10 14:30:01 C:\WINDOWS\system32\route.exe ADD 52.179.208.82 MASK 255.255.255.255 10.201.254.1
2022-03-10 14:30:01 Route addition via service succeeded
Thanks for testing!
Fix is ready:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/677
Thanks for the quick fix. Let me know when the patch is updated and I'll re-apply and verify.
- Status changed from New to Pull Request Review
Does the original patch get updated or would I need to apply a second or different one to test for you all?
- Status changed from Pull Request Review to Feedback
Adrien Carlyle wrote in #note-13:
Does the original patch get updated or would I need to apply a second or different one to test for you all?
You need to apply patch id 065e050890508ff0c97455a6352cdb914d34ddbd after 60c0b333c7ee5b951ad659a42693a1070a762ec1.
Thank you, I've just applied both and have confirmed that it is working as expected now.
- Status changed from Feedback to Resolved
Tested against:
2.7.0-DEVELOPMENT (amd64)
built on Thu Mar 24 06:14:56 UTC 2022
FreeBSD 12.3-STABLE
It works as expected. Marking this ticket resolved.
- Subject changed from FQDN in IP Network(s) Alias omitted from OpenVPN networks list to FQDN in network alias is omitted from OpenVPN networks list
Updating subject for release notes.