Bug #15676
open
OpenVPN not rendering aliases in "IPv4 Local network" setting.
Added by Matteo Capuano 5 months ago.
Updated 3 months ago.
Affected Architecture:
amd64
Description
When using network aliases in the "IPv4 Local network" OpenVPN setting, they are not rendered and are sent to clients as plain text. This happens at every reboot of pfSense. If, after the boot, you go to the OpenVPN settings page and just save it, without changing anything, it successfully starts sending the right alias values to clients.
Example:
After a pfSense reboot OpenVPN clients show this error:
Options error: route parameter network/IP 'LOCAL_NETWORKS' must be a valid address
Options error: route parameter network/IP 'OTHER_NETWORKS' must be a valid address
After saving the OpenVPN config page again, this issue does not happen and the correct routes are pushed to clients.
This issue also happens when using a single alias in IPv4 Local network.
I saw that this issue happened to another user (see comment https://redmine.pfsense.org/issues/13624#note-12) but I didn't find a ticket referring to this specific issue, hence I'm opening this one.
Here are the relevant (and wrong) lines from config.ovpn after reboot:
push "route LOCAL_NETWORKS 0.0.0.0"
push "route OTHER_NETWORKS 0.0.0.0"
- Status changed from New to Feedback
It seems like this has already been fixed - it's not reproducible in 24.08-dev.
Thanks for your answer Marcos. Just a couple of questions:
- is there an ETA for this fix to be released on CE?
- may I have access to 24.08-dev?
I'm unable to reproduce this issue on pfSense CE 2.7.2.
We are able to reproduce the issue on different installations, but I forgot to mention that we are working with pfSense in HA. One of the two aliases is a nested alias but the other is directly defined.
I copy/paste here the relevant parts of the pfSense config file:
<pfsense>
<version>23.3</version>
<lastchange></lastchange>
[...]
<aliases>
<alias>
<name>VRF_MAIN</name>
<type>network</type>
<address>100.64.0.0/10</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:12:28 +0000]]></detail>
</alias>
<alias>
<name>VRF_PROD</name>
<type>network</type>
<address>10.249.20.0/24</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:12:55 +0000]]></detail>
</alias>
<alias>
<name>VRF_RAN</name>
<type>network</type>
<address>172.24.254.0/23</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:13:24 +0000]]></detail>
</alias>
<alias>
<name>LOCAL_NETWORKS</name>
<type>network</type>
<address>VRF_MAIN VRF_RAN VRF_PROD OTHER_LOCALS</address>
<descr><![CDATA[Sum of all local vrf networks]]></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:14:52 +0000||Entry added Tue, 06 Aug 2024 13:14:52 +0000||Entry added Tue, 06 Aug 2024 13:14:52 +0000||Entry added Thu, 08 Aug 2024 14:03:32 +0000]]></detail>
</alias>
<alias>
<name>OTHER_LOCALS</name>
<type>network</type>
<address>10.249.99.0/24 192.88.99.0/24</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:15:53 +0000||Entry added Thu, 08 Aug 2024 14:04:26 +0000]]></detail>
</alias>
<alias>
<name>OTHER_NETWORKS</name>
<type>network</type>
<address>10.249.0.0/16</address>
<descr><![CDATA[VPN_MORE_SPECIFIC]]></descr>
<detail><![CDATA[Entry added Tue, 06 Aug 2024 13:24:24 +0000]]></detail>
</alias>
</aliases>
[...]
<openvpn>
<openvpn-server>
<vpnid>1</vpnid>
<mode>server_tls</mode>
<protocol>UDP4</protocol>
<dev_mode>tun</dev_mode>
<interface>_vip66b1e9f3b4989</interface>
<ipaddr>172.24.144.25</ipaddr>
<local_port>1194</local_port>
<description><![CDATA[stage_ovpn]]></description>
<custom_options>mssfix 1300;</custom_options>
<tls>++OMITTED++</tls>
<tls_type>auth</tls_type>
<tlsauth_keydir>default</tlsauth_keydir>
<caref>++OMITTED++</caref>
<crlref></crlref>
<ocspurl></ocspurl>
<certref>++OMITTED++</certref>
<dh_length>2048</dh_length>
<ecdh_curve>none</ecdh_curve>
<cert_depth>1</cert_depth>
<remote_cert_tls></remote_cert_tls>
<data_ciphers_fallback>AES-256-CBC</data_ciphers_fallback>
<digest>SHA256</digest>
<engine>none</engine>
<tunnel_network>10.249.99.0/24</tunnel_network>
<tunnel_networkv6></tunnel_networkv6>
<remote_network></remote_network>
<remote_networkv6></remote_networkv6>
<gwredir></gwredir>
<gwredir6></gwredir6>
<local_network>LOCAL_NETWORKS,OTHER_NETWORKS</local_network>
<local_networkv6></local_networkv6>
<maxclients>64</maxclients>
<connlimit>64</connlimit>
<allow_compression>no</allow_compression>
<compression></compression>
<compression_push></compression_push>
<passtos></passtos>
<client2client></client2client>
<dynamic_ip></dynamic_ip>
<topology>subnet</topology>
<serverbridge_dhcp></serverbridge_dhcp>
<serverbridge_interface>none</serverbridge_interface>
<serverbridge_routegateway></serverbridge_routegateway>
<serverbridge_dhcp_start></serverbridge_dhcp_start>
<serverbridge_dhcp_end></serverbridge_dhcp_end>
<dns_domain>soleng.lab</dns_domain>
<dns_server1>172.24.200.200</dns_server1>
<dns_server2></dns_server2>
<dns_server3></dns_server3>
<dns_server4></dns_server4>
<username_as_common_name><![CDATA[disabled]]></username_as_common_name>
<exit_notify>none</exit_notify>
<sndrcvbuf></sndrcvbuf>
<push_register_dns>yes</push_register_dns>
<netbios_enable></netbios_enable>
<netbios_ntype>0</netbios_ntype>
<netbios_scope></netbios_scope>
<create_gw>both</create_gw>
<verbosity_level>1</verbosity_level>
<duplicate_cn></duplicate_cn>
<data_ciphers>AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305</data_ciphers>
<ping_method>keepalive</ping_method>
<keepalive_interval>10</keepalive_interval>
<keepalive_timeout>60</keepalive_timeout>
<ping_seconds>10</ping_seconds>
<ping_push></ping_push>
<ping_action>ping_restart</ping_action>
<ping_action_seconds>60</ping_action_seconds>
<ping_action_push></ping_action_push>
<inactive_seconds>300</inactive_seconds>
</openvpn-server>
</openvpn>
[...]
<hasync>
<pfsyncenabled>on</pfsyncenabled>
<synchronizeusers>on</synchronizeusers>
<synchronizecerts>on</synchronizecerts>
<synchronizerules>on</synchronizerules>
<synchronizeschedules>on</synchronizeschedules>
<synchronizealiases>on</synchronizealiases>
<synchronizenat>on</synchronizenat>
<synchronizeopenvpn>on</synchronizeopenvpn>
<synchronizedhcpd>on</synchronizedhcpd>
<synchronizedhcrelay>on</synchronizedhcrelay>
<synchronizedhcrelay6>on</synchronizedhcrelay6>
<synchronizestaticroutes>on</synchronizestaticroutes>
<synchronizevirtualip>on</synchronizevirtualip>
<synchronizetrafficshaper>on</synchronizetrafficshaper>
<synchronizetrafficshaperlimiter>on</synchronizetrafficshaperlimiter>
<pfhostid>1</pfhostid>
<pfsyncpeerip>10.249.2.2</pfsyncpeerip>
<pfsyncinterface>opt1</pfsyncinterface>
<synchronizetoip>10.249.2.2</synchronizetoip>
<username>++OMITTED++</username>
<password>++OMITTED++</password>
<adminsync>on</adminsync>
</hasync>
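The two bad lines in the description are what a post-boot check should catch: a push "route" whose network field is an alias name instead of an address means clients get no route to the local networks until the server config is regenerated. The script below is an added example for this ticket, not pfSense code: it expands the <aliases> section of a config.xml into the push "route" lines that <local_network> should produce (following nested aliases such as LOCAL_NETWORKS -> OTHER_LOCALS and refusing cycles), and it scans a generated server config for push-route lines that do not carry a numeric IPv4 network/netmask. The XML and config.ovpn snippets inside it are constructed from the excerpts posted above, with certificates and unrelated settings left out.

```python
"""Check pfSense-generated OpenVPN push routes against config.xml aliases.

Added example, not pfSense's own code. Two pieces:
  expected_push_routes(xml)  - what the server config should push for
                               <local_network>, with nested aliases expanded
  unresolved_push_routes(ovpn) - push "route" lines whose network field is not
                               an IPv4 address (the symptom in this ticket)
pfSense only ever emits numeric networks here, so a non-numeric field is an
unresolved alias; no DNS lookup is attempted.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed from the config excerpt in this ticket (certs and unrelated
# settings omitted). Note LOCAL_NETWORKS nests OTHER_LOCALS.
CONFIG_XML = """<pfsense>
<aliases>
 <alias><name>VRF_MAIN</name><type>network</type><address>100.64.0.0/10</address></alias>
 <alias><name>VRF_PROD</name><type>network</type><address>10.249.20.0/24</address></alias>
 <alias><name>VRF_RAN</name><type>network</type><address>172.24.254.0/23</address></alias>
 <alias><name>LOCAL_NETWORKS</name><type>network</type>
  <address>VRF_MAIN VRF_RAN VRF_PROD OTHER_LOCALS</address></alias>
 <alias><name>OTHER_LOCALS</name><type>network</type>
  <address>10.249.99.0/24 192.88.99.0/24</address></alias>
 <alias><name>OTHER_NETWORKS</name><type>network</type><address>10.249.0.0/16</address></alias>
</aliases>
<openvpn><openvpn-server>
 <vpnid>1</vpnid>
 <local_network>LOCAL_NETWORKS,OTHER_NETWORKS</local_network>
</openvpn-server></openvpn>
</pfsense>"""

# The broken config.ovpn lines the reporter saw after a reboot.
BROKEN_OVPN = 'push "route LOCAL_NETWORKS 0.0.0.0"\npush "route OTHER_NETWORKS 0.0.0.0"\n'

PUSH_ROUTE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')


def load_aliases(root):
    """Map alias name -> list of raw tokens (CIDRs or other alias names)."""
    return {a.findtext("name"): (a.findtext("address") or "").split()
            for a in root.iter("alias")}


def expand_alias(name, aliases, _seen=frozenset()):
    """Recursively expand an alias into IPv4 networks.

    Raises ValueError on an unknown token (not an alias, not a CIDR) or on an
    alias cycle, so a dangling reference can never be rendered as a bare name.
    """
    if name in _seen:
        raise ValueError(f"alias cycle through {name}")
    nets = []
    for tok in aliases[name]:
        if tok in aliases:
            nets.extend(expand_alias(tok, aliases, _seen | {name}))
        else:
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def expected_push_routes(xml_text):
    """Render the push "route <net> <mask>" lines <local_network> should yield."""
    root = ET.fromstring(xml_text)
    aliases = load_aliases(root)
    lines = []
    for srv in root.iter("openvpn-server"):
        for tok in (srv.findtext("local_network") or "").split(","):
            tok = tok.strip()          # tolerate "A, B" as well as "A,B"
            if not tok:
                continue
            nets = (expand_alias(tok, aliases) if tok in aliases
                    else [ipaddress.ip_network(tok, strict=False)])
            lines.extend(f'push "route {n.network_address} {n.netmask}"' for n in nets)
    return lines


def unresolved_push_routes(ovpn_text):
    """Return push-route lines whose network or mask is not an IPv4 address."""
    bad = []
    for line in ovpn_text.splitlines():
        m = PUSH_ROUTE.match(line.strip())
        if not m:
            continue
        try:
            ipaddress.IPv4Address(m.group(1))
            ipaddress.IPv4Address(m.group(2))
        except ValueError:
            bad.append(line.strip())
    return bad


if __name__ == "__main__":
    print("\n".join(expected_push_routes(CONFIG_XML)))
    for line in unresolved_push_routes(BROKEN_OVPN):
        print("UNRESOLVED:", line)
```

To use it on a real box, feed unresolved_push_routes() the generated server config (pfSense writes it under /var/etc/openvpn/, e.g. server1/config.ovpn for vpnid 1) and compare its push-route lines with expected_push_routes() over /conf/config.xml; a non-empty unresolved list after a reboot reproduces exactly the condition reported here.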
Hi, were you able to reproduce this issue?
I'm seeing this on 24.03, only the config doesn't populate the alias when a space precedes the entry used in local networks. Remove the space, save, and then the correct subnet/netmask are populated in the server config.
I don't have any space in local networks or inside any alias definition. You can see that in the config file in my previous message. When I manually fix this issue, I just save the OpenVPN config without touching anything. Could it be something else?