Bug #16073 (open)

Nested aliases used with OpenVPN do not always load routes

Added by Chris W 2 months ago. Updated 6 days ago.

Status: New
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: -
Due date: -
% Done: 0%
Estimated time: -
Plus Target Version: 24.11
Release Notes: Default
Affected Version: -
Affected Architecture: -

Description

Given:
- Alias AliasParent contains various other aliases AliasChild1, AliasChild2, etc.; however, all children are either an IP address or a subnet (in other words, none of the children contain further aliases).
- AliasParent is used in the OpenVPN server's IPv4 Local network(s) field.

The routes can unpredictably disappear from the server configuration, so they are not pushed to clients. When this happens, only the name of AliasParent appears. Example:

push "route 10.2.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.255.0"
...

becomes this in the VPN server configuration file:

push "route AliasParent 0.0.0.0"

The client sees:

Feb 28 17:09:34 90saioid nm-openvpn[365694]: [...] Peer Connection Initiated with [AF_INET] ...:1194
Feb 28 17:09:36 90saioid nm-openvpn[365694]: Options error: route parameter network/IP 'AliasParent' must be a valid address

This is temporarily fixed by editing AliasParent and re-saving it without making any changes.

Possibly related: https://redmine.pfsense.org/issues/13624


#2 Updated by Chris W 2 months ago

  • Description updated (diff)
#3 Updated by Chris W 2 months ago

  • Description updated (diff)
#4 Updated by aleksei prokofiev 2 months ago

Tested on 24.11, I can confirm this.

#5 Updated by Gerard Alcorlo about 1 month ago

This fix would be very useful for simplifying remote VPN management. If it were working as expected, the same alias could be used both for the firewall rules allowing the traffic and for the route injection with OpenVPN to configure the routes to the client connected to the VPN. This way, adding or removing an IP range from the VPN would only require modifying the alias.

#7 Updated by Gerard Alcorlo about 1 month ago

I've verified that every time I reboot the firewall, the OpenVPN configuration contains the alias instead of the alias values.

I've been checking the source code and I think it could be a problem related to the boot order.
https://github.com/pfsense/pfsense/blob/3b681a5bd7b5788ef8593a28a7431b4d6a0921cf/src/etc/inc/util.inc#L3512

If OpenVPN service starts before aliases have been loaded into the variable $aliastable, the function alias_to_subnets_recursive will return an empty array and the function openvpn_gen_route_ipv4 will write a config line with the alias as-is without replacing it. And this is exactly the reported bug on this ticket.
I've seen that the boot service order is managed by /etc/rc.bootup, and it seems OpenVPN starts before the aliases have been loaded... Not sure which is the cleanest way to fix this.
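As an added illustration of the mechanism described in this comment (this is not pfSense code; the alias table, the function names and the config check are constructed to mirror the report), the following expands a nested alias the way the comment describes, refuses to emit a route line when the alias resolves to nothing, and scans an existing server config for the malformed push route line that the client rejects:

```python
import ipaddress

# Constructed alias table modelled on the report: AliasParent nests two
# child aliases that hold only addresses/subnets (no deeper nesting).
ALIASTABLE = {
    "AliasParent": "AliasChild1 AliasChild2",
    "AliasChild1": "10.2.0.0/16",
    "AliasChild2": "10.10.0.0/24 192.168.50.7",
}

def alias_to_subnets(name, table, seen=frozenset()):
    """Recursively expand an alias into IPv4 networks. An alias missing from
    the table (e.g. the table not yet loaded at boot) expands to []."""
    if name in seen:  # guard against an alias that refers back to itself
        return []
    nets = []
    for token in table.get(name, "").split():
        if token in table:
            nets.extend(alias_to_subnets(token, table, seen | {name}))
        else:
            nets.append(ipaddress.IPv4Network(token, strict=False))
    return nets

def gen_route_ipv4(value, table):
    """Render push "route" lines for a literal subnet or an alias name.
    Returns (lines, error). An alias that resolves to nothing is reported
    instead of being written into the config as a bogus address."""
    if value[0].isdigit():  # a literal network such as 10.2.0.0/16
        nets = [ipaddress.IPv4Network(value, strict=False)]
    else:
        nets = alias_to_subnets(value, table)
        if not nets:
            return [], f"alias {value!r} resolved to no subnets (alias table not loaded?)"
    return [f'push "route {n.network_address} {n.netmask}"' for n in nets], None

def invalid_push_routes(config_text):
    """Return push "route" lines whose network field is not an IPv4 address,
    the state a client rejects with 'must be a valid address'."""
    bad = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith('push "route '):
            continue
        fields = line.split('"')[1].split()  # ['route', network, netmask]
        try:
            ipaddress.IPv4Address(fields[1])
        except (IndexError, ValueError):
            bad.append(line)
    return bad
```

Running gen_route_ipv4("AliasParent", {}) models the boot-time case with an empty table and returns an error instead of a route line, while invalid_push_routes() over a generated server config flags the push "route AliasParent 0.0.0.0" symptom from the report.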

#8 Updated by Chris W 6 days ago

  • Description updated (diff)
#9 Updated by Chris W 6 days ago

The next time you see this happen, please run these from the php shell in the console menu (option 12) and let us know whether the routes are then restored to the server config file or if it still shows only the alias.

require_once("/etc/inc/openvpn.inc");

openvpn_resync_all();

#10 Updated by Steve Wheeler 6 days ago

Or from the webgui Diag > Command Prompt page like:

That will reload all OpenVPN instances, so be aware.
