Bug #16073
open
Nested aliases used with OpenVPN do not always load routes
0%
Description
Given:
- Alias AliasParent contains various other aliases AliasChild1, AliasChild2, etc., however all children are either an IP address or subnet (iow, none of the children contain further aliases).
- AliasParent is used in OpenVPN server's IPv4 Local network(s) field.
The routes can unpredictably disappear from the server configuration so are not pushed to clients. When this happens, only the name of AliasParent appears. Example:
push "route 10.2.0.0 255.255.0.0" push "route 10.10.0.0 255.255.255.0" ...
becomes this in the VPN server configuration file:
push "route AliasParent 0.0.0.0"
The client sees:
Feb 28 17:09:34 lpf59mbj6 nm-openvpn[365694]: [...] Peer Connection Initiated with [AF_INET] ...:1194 Feb 28 17:09:36 lpf59mbj6 nm-openvpn[365694]: Options error: route parameter network/IP 'AliasParent' must be a valid address
This is temporarily fixed by editing AliasParent and re-saving it without making any changes.
Possibly related: https://redmine.pfsense.org/issues/13624
Updated by
Updated by aleksei prokofiev about 2 months ago
Tested on 24.11, I can confirm this.
Updated by Gerard Alcorlo 25 days ago
This fix would be very useful for simplifying remote VPN management. If it were working as expected, the same alias could be used both for the firewall rules allowing the traffic and for the route injection with OpenVPN to configure the routes to the client connected to the VPN. This way, adding or removing an IP range from the VPN would only require modifying the alias.
Updated by Gerard Alcorlo 25 days ago
Relates to: https://redmine.pfsense.org/issues/2668
Updated by Gerard Alcorlo 17 days ago
I've verified every time I reboot the firewall, OpenVPN configuration contains the alias instead of the alias values.
I've been checking the source code and I think it could be a problem related to the boot order.
https://github.com/pfsense/pfsense/blob/3b681a5bd7b5788ef8593a28a7431b4d6a0921cf/src/etc/inc/util.inc#L3512
If OpenVPN service starts before aliases have been loaded into the variable $aliastable, the function alias_to_subnets_recursive will return an empty array and the function openvpn_gen_route_ipv4 will write a config line with the alias as-is without replacing it. And this is exactly the reported bug on this ticket.
I've seen the boot service order is managed by /etc/rc.bootup and it seems OpenVPN starts before having aliases loaded... Not sure which is the cleanest way to fix this.