pfSense writes erroneous tunnel network in OpenVPN client configuration despite being provided a valid tunnel network
Please see the following Reddit post: https://www.reddit.com/r/PFSENSE/comments/11tyu6k/openvpn_site_to_site_ssltls_issue/.
A user reported an issue with an OpenVPN Client connection in pfSense following their upgrade to 23.01.
After upgrading to pfSense Plus 23.01, I hit what looks to be the same OpenVPN issue and found that post while searching for answers.
There looks to be an issue with the mechanism responsible for writing the Tunnel Network field in the WebGUI to the OVPN configuration file.
Upon entering a valid subnet into the field, the resulting configuration contains an invalid ifconfig line.
When a tunnel network is set in the OpenVPN Client configuration, say 10.0.8.0/24, pfSense writes ifconfig 10.0.8.2 10.0.8.1 to the OpenVPN configuration rather than ifconfig 10.0.8.2 255.255.255.0. Note that OpenVPN's --ifconfig l rn option takes a netmask as the second argument only for topology subnet; for the net30/p2p topologies the second argument is the remote endpoint address, so which form is correct for a given client depends on the topology it is configured for.
Either way, the entry written by 23.01 results in OpenVPN failing to start. The log shows OpenVPN invoking /sbin/ifconfig for ovpnc1 with 10.0.21.2/-1, an invalid prefix length, which suggests the second ifconfig argument is being converted to a prefix length and yielding -1. (The log below was captured with a different tunnel network from the 10.0.8.0/24 example above, hence the 10.0.21.x address.)
Mar 17 22:40:56 openvpn 35224 TUN/TAP device ovpnc1 exists previously, keep at program end
Mar 17 22:40:56 openvpn 35224 TUN/TAP device /dev/tun1 opened
Mar 17 22:40:56 openvpn 35224 /sbin/ifconfig ovpnc1 10.0.21.2/-1 mtu 1500 up
Mar 17 22:40:56 openvpn 35224 FreeBSD ifconfig failed: external program exited with error status: 1
Mar 17 22:40:56 openvpn 35224 Exiting due to fatal error
Omitting the tunnel network, by contrast, allows the connection to succeed.
The issue is trivial to reproduce: set up a remote access OpenVPN Server, then set up a remote access OpenVPN Client connection with the tunnel network defined in the WebGUI configuration. The connection fails on the client side and logs an error similar to the one shown above. Removing the tunnel network resolves the issue and the connection works as expected.
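As an added example, not part of this report and not pfSense's or OpenVPN's own code: a small Python check that pulls the ifconfig line out of a generated client config, reports whether its second argument is a valid netmask, and shows the prefix length a netmask-to-prefix conversion would produce for it. Treating a host address such as 10.0.21.1 as a netmask yields -1, which is exactly the 10.0.21.2/-1 in the log above. It also builds the client ifconfig line for a tunnel network in both the topology subnet and the net30 form, so the two lines discussed in the report can be compared side by side. The sample config text, the address assignment (server takes the first host of the tunnel network, client the second) and the netmask_to_netbits model are the editor's assumptions, not values taken from pfSense.

```python
import ipaddress
import itertools

# Constructed sample (not a real pfSense-generated file): the client config
# fragment described in the report for a tunnel network of 10.0.8.0/24.
SAMPLE_CLIENT_CONFIG = """\
dev ovpnc1
dev-type tun
client
remote vpn.example.org 1194 udp4
ifconfig 10.0.8.2 10.0.8.1
"""


def netmask_to_netbits(mask: str) -> int:
    """Prefix length of a contiguous IPv4 netmask, or -1 if the string is
    not a netmask (for example a host address such as 10.0.21.1).
    This is the editor's model of a netmask-to-prefix conversion, written to
    reproduce the '/-1' seen in the report; it is not OpenVPN's own code."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    # a valid mask is a run of ones followed only by zeros
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    return ones if bits == contiguous else -1


def ifconfig_as_cidr(local: str, rn: str) -> str:
    """The 'addr/prefix' string obtained when the second ifconfig argument
    is interpreted as a netmask; a host address there gives 'addr/-1'."""
    return f"{local}/{netmask_to_netbits(rn)}"


def tunnel_to_ifconfig(tunnel_network: str, topology: str) -> str:
    """Client-side ifconfig line for a tunnel network, following OpenVPN's
    documented '--ifconfig l rn' semantics: rn is the netmask for topology
    subnet and the remote (server) endpoint for net30/p2p. The assignment
    server = first host, client = second host is an assumption."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    server, client = itertools.islice(net.hosts(), 2)
    if topology == "subnet":
        return f"ifconfig {client} {net.netmask}"
    if topology in ("net30", "p2p"):
        return f"ifconfig {client} {server}"
    raise ValueError(f"unknown topology: {topology}")


def check_client_config(config: str) -> dict:
    """Find the ifconfig line in a client config and report how its second
    argument parses. second_arg_is_netmask False means the line is in the
    net30/p2p form; prefix_if_netmask is what a netmask interpretation of
    that argument yields (-1 for a host address, as in the failing log)."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ifconfig":
            local, rn = parts[1], parts[2]
            prefix = netmask_to_netbits(rn)
            return {
                "line": line.strip(),
                "second_arg_is_netmask": prefix >= 0,
                "prefix_if_netmask": prefix,
                "as_cidr": ifconfig_as_cidr(local, rn),
            }
    return {"line": None, "second_arg_is_netmask": None,
            "prefix_if_netmask": None, "as_cidr": None}


if __name__ == "__main__":
    print(check_client_config(SAMPLE_CLIENT_CONFIG))
    print(tunnel_to_ifconfig("10.0.8.0/24", "subnet"))
    print(tunnel_to_ifconfig("10.0.8.0/24", "net30"))
```

Point the script at the client config pfSense generated (the path under /var/etc/openvpn/ varies by version, so check it on the box) and compare the reported form against the topology the server is actually using; a net30-form line on a client that OpenVPN treats as topology subnet is the combination that produces the /-1 failure.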