Bug #15676
OpenVPN not rendering aliases in "IPv4 Local network" setting.
Description
When using network aliases in the "IPV4 Local network" OpenVPN setting, they are not rendered and they are sent to clients as plain text. This happens at every reboot of pfSense. If, after the boot, you go to the OpenVPN settings page and just save it, not changing anything, it successfully starts sending the right alias values to clients.
Example:
After a pfSense reboot OpenVPN clients show this error:
Options error: route parameter network/IP 'LOCAL_NETWORKS' must be a valid address
Options error: route parameter network/IP 'OTHER_NETWORKS' must be a valid address
After saving the OpenVPN config page again, this issue does not happen and the correct routes are pushed to clients.
This issue happens also using a single alias in IPV4 Local network.
I saw that this issue happened to another user (see comment https://redmine.pfsense.org/issues/13624#note-12) but I didn't find a ticket referring to this specific issue, hence I'm opening this one.
Updated by Matteo Capuano 5 months ago
Here are the relevant (and wrong) lines from config.ovpn after reboot:
push "route LOCAL_NETWORKS 0.0.0.0"
push "route OTHER_NETWORKS 0.0.0.0"
Updated by Matteo Capuano 4 months ago
Thanks for your answer Marcos. Just a couple of questions:
- is there an ETA for this fix to be released on CE?
- may I have access to 24.08-dev?
Updated by dylan mendez 4 months ago
I'm unable to reproduce this issue on pfSense CE 2.7.2.
Updated by Matteo Capuano 4 months ago
We are able to reproduce the issue on different installations, but I forgot to mention that we are working with pfSense in HA. One of the two aliases is a nested alias but the other is directly defined.
I copy/paste here the relevant parts of the pfSense config file:
<pfsense>
<version>23.3</version>
<lastchange></lastchange>
[...]
<aliases>
<alias>
<name>VRF_MAIN</name>
<type>network</type>
<address>100.64.0.0/10</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:12:28 +0000]]></detail>
</alias>
<alias>
<name>VRF_PROD</name>
<type>network</type>
<address>10.249.20.0/24</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:12:55 +0000]]></detail>
</alias>
<alias>
<name>VRF_RAN</name>
<type>network</type>
<address>172.24.254.0/23</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:13:24 +0000]]></detail>
</alias>
<alias>
<name>LOCAL_NETWORKS</name>
<type>network</type>
<address>VRF_MAIN VRF_RAN VRF_PROD OTHER_LOCALS</address>
<descr><![CDATA[Sum of all local vrf networks]]></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:14:52 +0000||Entry added Tue, 06 Aug 2024 13:14:52 +0000||Entry added Tue, 06 Aug 2024 13:14:52 +0000||Entry added Thu, 08 Aug 2024 14:03:32 +0000]]></detail>
</alias>
<alias>
<name>OTHER_LOCALS</name>
<type>network</type>
<address>10.249.99.0/24 192.88.99.0/24</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:15:53 +0000||Entry added Thu, 08 Aug 2024 14:04:26 +0000]]></detail>
</alias>
<alias>
<name>OTHER_NETWORKS</name>
<type>network</type>
<address>10.249.0.0/16</address>
<descr><![CDATA[VPN_MORE_SPECIFIC]]></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:24:24 +0000]]></detail>
</alias>
</aliases>
[...]
<openvpn>
<openvpn-server>
<vpnid>1</vpnid>
<mode>server_tls</mode>
<protocol>UDP4</protocol>
<dev_mode>tun</dev_mode>
<interface>_vip66b1e9f3b4989</interface>
<ipaddr>172.24.144.25</ipaddr>
<local_port>1194</local_port>
<description><![CDATA[stage_ovpn]]></description>
<custom_options>mssfix 1300;</custom_options>
<tls>++OMITTED++</tls>
<tls_type>auth</tls_type>
<tlsauth_keydir>default</tlsauth_keydir>
<caref>++OMITTED++</caref>
<crlref></crlref>
<ocspurl></ocspurl>
<certref>++OMITTED++</certref>
<dh_length>2048</dh_length>
<ecdh_curve>none</ecdh_curve>
<cert_depth>1</cert_depth>
<remote_cert_tls></remote_cert_tls>
<data_ciphers_fallback>AES-256-CBC</data_ciphers_fallback>
<digest>SHA256</digest>
<engine>none</engine>
<tunnel_network>10.249.99.0/24</tunnel_network>
<tunnel_networkv6></tunnel_networkv6>
<remote_network></remote_network>
<remote_networkv6></remote_networkv6>
<gwredir></gwredir>
<gwredir6></gwredir6>
<local_network>LOCAL_NETWORKS,OTHER_NETWORKS</local_network>
<local_networkv6></local_networkv6>
<maxclients>64</maxclients>
<connlimit>64</connlimit>
<allow_compression>no</allow_compression>
<compression></compression>
<compression_push></compression_push>
<passtos></passtos>
<client2client></client2client>
<dynamic_ip></dynamic_ip>
<topology>subnet</topology>
<serverbridge_dhcp></serverbridge_dhcp>
<serverbridge_interface>none</serverbridge_interface>
<serverbridge_routegateway></serverbridge_routegateway>
<serverbridge_dhcp_start></serverbridge_dhcp_start>
<serverbridge_dhcp_end></serverbridge_dhcp_end>
<dns_domain>soleng.lab</dns_domain>
<dns_server1>172.24.200.200</dns_server1>
<dns_server2></dns_server2>
<dns_server3></dns_server3>
<dns_server4></dns_server4>
<username_as_common_name><![CDATA[disabled]]></username_as_common_name>
<exit_notify>none</exit_notify>
<sndrcvbuf></sndrcvbuf>
<push_register_dns>yes</push_register_dns>
<netbios_enable></netbios_enable>
<netbios_ntype>0</netbios_ntype>
<netbios_scope></netbios_scope>
<create_gw>both</create_gw>
<verbosity_level>1</verbosity_level>
<duplicate_cn></duplicate_cn>
<data_ciphers>AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305</data_ciphers>
<ping_method>keepalive</ping_method>
<keepalive_interval>10</keepalive_interval>
<keepalive_timeout>60</keepalive_timeout>
<ping_seconds>10</ping_seconds>
<ping_push></ping_push>
<ping_action>ping_restart</ping_action>
<ping_action_seconds>60</ping_action_seconds>
<ping_action_push></ping_action_push>
<inactive_seconds>300</inactive_seconds>
</openvpn-server>
</openvpn>
[...]
<hasync>
<pfsyncenabled>on</pfsyncenabled>
<synchronizeusers>on</synchronizeusers>
<synchronizecerts>on</synchronizecerts>
<synchronizerules>on</synchronizerules>
<synchronizeschedules>on</synchronizeschedules>
<synchronizealiases>on</synchronizealiases>
<synchronizenat>on</synchronizenat>
<synchronizeopenvpn>on</synchronizeopenvpn>
<synchronizedhcpd>on</synchronizedhcpd>
<synchronizedhcrelay>on</synchronizedhcrelay>
<synchronizedhcrelay6>on</synchronizedhcrelay6>
<synchronizestaticroutes>on</synchronizestaticroutes>
<synchronizevirtualip>on</synchronizevirtualip>
<synchronizetrafficshaper>on</synchronizetrafficshaper>
<synchronizetrafficshaperlimiter>on</synchronizetrafficshaperlimiter>
<pfhostid>1</pfhostid>
<pfsyncpeerip>10.249.2.2</pfsyncpeerip>
<pfsyncinterface>opt1</pfsyncinterface>
<synchronizetoip>10.249.2.2</synchronizetoip>
<username>++OMITTED++</username>
<password>++OMITTED++</password>
<adminsync>on</adminsync>
</hasync>
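An added example (not pfSense code, and not part of this ticket) showing what the alias expansion described in the report should produce from the posted configuration, and a check that flags the broken `push "route NAME 0.0.0.0"` lines from the earlier comment so a config.ovpn generated at boot can be validated before clients hit the "must be a valid address" error. It assumes only what the ticket shows: network aliases may nest other alias names, the "IPv4 Local network" field is a comma-separated list of aliases or CIDRs, and pfSense renders each entry as `push "route <network> <netmask>"`. The XML below is a trimmed copy of the posted config with the secrets and unrelated keys removed; the push lines fed to the checker are the ones quoted in the ticket.

```python
"""Expand pfSense network aliases into OpenVPN push routes and detect unexpanded alias names."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the alias and OpenVPN sections from the ticket, trimmed.
CONFIG_XML = """<pfsense>
<aliases>
<alias><name>VRF_MAIN</name><type>network</type><address>100.64.0.0/10</address></alias>
<alias><name>VRF_PROD</name><type>network</type><address>10.249.20.0/24</address></alias>
<alias><name>VRF_RAN</name><type>network</type><address>172.24.254.0/23</address></alias>
<alias><name>LOCAL_NETWORKS</name><type>network</type><address>VRF_MAIN VRF_RAN VRF_PROD OTHER_LOCALS</address></alias>
<alias><name>OTHER_LOCALS</name><type>network</type><address>10.249.99.0/24 192.88.99.0/24</address></alias>
<alias><name>OTHER_NETWORKS</name><type>network</type><address>10.249.0.0/16</address></alias>
</aliases>
<openvpn><openvpn-server>
<local_network>LOCAL_NETWORKS,OTHER_NETWORKS</local_network>
</openvpn-server></openvpn>
</pfsense>"""

# The broken lines quoted in the ticket, plus one correct line for contrast (constructed).
BOOT_OVPN_LINES = [
    'push "route LOCAL_NETWORKS 0.0.0.0"',
    'push "route OTHER_NETWORKS 0.0.0.0"',
    'push "route 10.249.0.0 255.255.0.0"',
]


def load_aliases(xml_text):
    """Map every <alias> of type 'network' to its whitespace-separated <address> entries."""
    root = ET.fromstring(xml_text)
    aliases = {}
    for alias in root.iter("alias"):
        if alias.findtext("type") != "network":
            continue
        aliases[alias.findtext("name")] = alias.findtext("address", "").split()
    return aliases


def server_local_network(xml_text):
    """Return the raw 'IPv4 Local network' field of the first OpenVPN server."""
    return ET.fromstring(xml_text).findtext("openvpn/openvpn-server/local_network", "")


def resolve(token, aliases, path=()):
    """Recursively expand an alias name (or CIDR literal) into IPv4 networks.

    `path` carries the chain of aliases being expanded so a self-referencing
    alias is reported instead of recursing forever; a diamond (two branches
    reaching the same alias) is allowed.
    """
    if token not in aliases:
        # Not an alias: must be a literal network, otherwise it is an unexpanded name.
        return [ipaddress.ip_network(token, strict=True)]
    if token in path:
        raise ValueError("alias loop: " + " -> ".join(path + (token,)))
    nets = []
    for entry in aliases[token]:
        nets.extend(resolve(entry, aliases, path + (token,)))
    return nets


def push_routes(local_network, aliases):
    """Render the push lines the comma-separated local_network field should produce."""
    lines = []
    for token in local_network.split(","):
        for net in resolve(token.strip(), aliases):
            lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


ROUTE_RE = re.compile(r'^push "route (\S+) (\S+)"$')


def unresolved_routes(ovpn_lines):
    """Return push route lines whose network or netmask is not a dotted-quad address.

    An alias that was not expanded shows up as the alias name in the network
    position (the ticket's 'LOCAL_NETWORKS 0.0.0.0'), which is what OpenVPN
    rejects on the client with 'must be a valid address'.
    """
    bad = []
    for line in ovpn_lines:
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        try:
            ipaddress.IPv4Address(m.group(1))
            ipaddress.IPv4Address(m.group(2))
        except ValueError:
            bad.append(line)
    return bad


if __name__ == "__main__":
    aliases = load_aliases(CONFIG_XML)
    for line in push_routes(server_local_network(CONFIG_XML), aliases):
        print(line)
    print("unresolved:", unresolved_routes(BOOT_OVPN_LINES))
```

Running `unresolved_routes` over the real `/var/etc/openvpn/server1/config.ovpn` after a reboot, before any client connects, is a quick way to confirm the failure mode in the ticket without waiting for client-side errors; calling `push_routes` with an empty alias table raises the same kind of error, which is the situation the report describes (the OpenVPN config being generated before the aliases are available).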
Updated by Matteo Capuano 3 months ago
Hi, were you able to reproduce this issue?
Updated by Matteo Capuano 3 months ago
I don't have any space in local networks or inside any alias definition. You can see that in the config file in my previous message. When I manually fix this issue, I just save the OpenVPN config without touching anything. Could it be something else?