Bug #16428

closed

OpenVPN does not add "Inter-client communication" to configuration for Peer-to-Peer SSL/TLS servers

Added by Afonso Turcato 18 days ago. Updated 13 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 25.11
Release Notes: Default
Affected Version: 2.8.x
Affected Architecture:

Description

The Inter-client communication option in the OpenVPN server configuration does not function properly.
The XML file shows yes if it's checked, but does not add the line client-to-client to the server config file at /var/etc/openvpn/server1.conf.

But, if I add "client-to-client" in the Advanced Configuration/Custom Options, the communication between clients works fine!

OS.: A similar bug had been reported at https://redmine.pfsense.org/issues/572


Files

clipboard-202509160959-gxqex.png (6.45 KB), aleksei prokofiev, 09/16/2025 07:00 AM
clipboard-202509160810-0jgmk.png (8.53 KB), Afonso Turcato, 09/16/2025 11:10 AM
clipboard-202509160810-jfvgi.png (73 KB), Afonso Turcato, 09/16/2025 11:10 AM
clipboard-202509160811-ztiuj.png (22.5 KB), Afonso Turcato, 09/16/2025 11:11 AM
clipboard-202509160814-6jm8k.png (8.35 KB), Afonso Turcato, 09/16/2025 11:14 AM
clipboard-202509160815-c9iiw.png (20.9 KB), Afonso Turcato, 09/16/2025 11:15 AM
clipboard-202509160816-g7cfh.png (72.3 KB), Afonso Turcato, 09/16/2025 11:16 AM
clipboard-202509160818-bijwm.png (8.14 KB), Afonso Turcato, 09/16/2025 11:18 AM
clipboard-202509160819-zven3.png (24.1 KB), Afonso Turcato, 09/16/2025 11:19 AM
clipboard-202509160821-cwtnk.png (74 KB), Afonso Turcato, 09/16/2025 11:21 AM
OpenVPN_Server.xml (2.39 KB), Afonso Turcato, 09/17/2025 12:10 AM

Actions #1

Updated by aleksei prokofiev 16 days ago

Tested on
2.8.0-RELEASE (amd64)
built on Thu May 22 3:12:00 +04 2025
FreeBSD 15.0-CURRENT

25.07.1-RELEASE (amd64)
built on Wed Aug 20 16:17:00 +04 2025
FreeBSD 15.0-CURRENT

I can't reproduce the issue, as soon as I enable the "Inter-client communication" option it appears in the configuration.

Actions #2

Updated by Afonso Turcato 16 days ago

aleksei prokofiev wrote in #note-1:

Tested on
2.8.0-RELEASE (amd64)
built on Thu May 22 3:12:00 +04 2025
FreeBSD 15.0-CURRENT

25.07.1-RELEASE (amd64)
built on Wed Aug 20 16:17:00 +04 2025
FreeBSD 15.0-CURRENT

I can't reproduce the issue, as soon as I enable the "Inter-client communication" option it appears in the configuration.

Tested ON
2.7.2 RELEASE (amd64)

I CAN reproduce the issue.
See the SCENARIOS below.

---------------------------------------------------------------------------------------------
SCENARIO 1 - communication between clients DOES NOT WORK

---------------------------------------------------------------------------------------------
SCENARIO 2 - communication between clients DOES NOT WORK

---------------------------------------------------------------------------------------------
SCENARIO 3 - communication between clients WORKS

---------------------------------------------------------------------------------------------
P.S: The same occurs with 2.8.0 version!

Actions #3

Updated by Jim Pingle 16 days ago

What mode is the server set to use?

Can you share the contents of the server instance configuration in XML (you can redact/hide private info, but don't remove any tags completely)?

Looking at the code, it appears that the GUI offers that option when the mode is set to "Peer to Peer (SSL/TLS)" but the backend code doesn't add it when the server mode is set to that value.

If that is the case, this change should correct the behavior.

diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index f4f1be71bb..7b5c9c3329 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1146,6 +1146,7 @@ function openvpn_reconfigure($mode, $settings) {
                }

                switch ($settings['mode']) {
+                       case 'p2p_tls':
                        case 'server_tls':
                        case 'server_user':
                        case 'server_tls_user':
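
Review bot: The new case 'p2p_tls': label at the top of this case group falls through into the same body as server_tls, server_user and server_tls_user, and that body is not visible in the hunk, so everything it emits will now be written for Peer to Peer (SSL/TLS) servers, not only client-to-client. It would be worth confirming that each directive in that shared body is valid for p2p_tls, or placing only the inter-client handling under the new label. A short comment beside the label noting that the GUI exposes the option in this mode would keep the frontend and backend from drifting apart again.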

Actions #4

Updated by Afonso Turcato 16 days ago

Jim Pingle wrote in #note-3:

What mode is the server set to use?

Can you share the contents of the server instance configuration in XML (you can redact/hide private info, but don't remove any tags completely)?

Looking at the code, it appears that the GUI offers that option when the mode is set to "Peer to Peer (SSL/TLS)" but the backend code doesn't add it when the server mode is set to that value.

If that is the case, this change should correct the behavior.

[...]

See the attached file OpenVPN_Server.xml

Actions #5

Updated by Jim Pingle 15 days ago

  • Subject changed from OpenVPN Inter-client communication option doesn't work to OpenVPN does not add "Inter-client communication" to configuration for Peer-to-Peer SSL/TLS servers
  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.9.0
  • Plus Target Version set to 25.11
  • Affected Version changed from 2.8.0 to 2.8.x

Looks like that matches my suspicion, it isn't added to the configuration for Peer-to-Peer SSL/TLS servers. I was able to reproduce it here using that mode, and also confirmed that the patch I posted fixes it. I'll commit that momentarily.

Actions #6

Updated by Jim Pingle 15 days ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Actions #7

Updated by Jim Pingle 15 days ago

Now that the fix has been committed, you can install the System Patches package and then create an entry for f234af29d5105f4e034c6250772c8c2099fb2884 to apply the fix.
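
A way to check, before and after applying the fix, whether each server's "Inter-client communication" setting actually reached its generated configuration. This is an added example, not part of the thread or of pfSense's code; the tag names vpnid, mode and client2client and all sample data are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export (not the attached OpenVPN_Server.xml).
# Assumption: servers are <openvpn-server> elements with vpnid, mode, client2client.
SAMPLE_XML = """<openvpn>
  <openvpn-server><vpnid>1</vpnid><mode>p2p_tls</mode><client2client>yes</client2client></openvpn-server>
  <openvpn-server><vpnid>2</vpnid><mode>server_tls</mode><client2client>yes</client2client></openvpn-server>
  <openvpn-server><vpnid>3</vpnid><mode>server_tls</mode><client2client></client2client></openvpn-server>
</openvpn>"""

# Constructed generated configs keyed by vpnid; on the firewall these would be
# read from files such as /var/etc/openvpn/server1.conf (path from the report).
SAMPLE_CONFS = {
    "1": "dev ovpns1\ntls-server\n# client-to-client\n",  # directive absent: the bug
    "2": "dev ovpns2\ntls-server\nclient-to-client\n",    # GUI setting honoured
    "3": "dev ovpns3\ntls-server\nclient-to-client\n",    # added via Custom Options
}

def has_directive(conf_text, name):
    """True if an uncommented line consists of the directive (trailing comment allowed)."""
    pattern = r"^[ \t]*" + re.escape(name) + r"[ \t]*(?:[#;].*)?$"
    return re.search(pattern, conf_text, re.MULTILINE) is not None

def audit(xml_text, confs):
    """Return (vpnid, mode, problem) for servers whose XML and config disagree."""
    findings = []
    for srv in ET.fromstring(xml_text).iter("openvpn-server"):
        vpnid = (srv.findtext("vpnid") or "").strip()
        mode = (srv.findtext("mode") or "").strip()
        wanted = (srv.findtext("client2client") or "").strip() != ""
        conf = confs.get(vpnid)
        if conf is None:
            findings.append((vpnid, mode, "no generated config found"))
            continue
        present = has_directive(conf, "client-to-client")
        if wanted and not present:
            findings.append((vpnid, mode, "enabled in XML, missing from config"))
        elif present and not wanted:
            findings.append((vpnid, mode, "in config but not enabled in XML"))
    return findings

if __name__ == "__main__":
    for vpnid, mode, problem in audit(SAMPLE_XML, SAMPLE_CONFS):
        print(f"server{vpnid} ({mode}): {problem}")
```

The second kind of finding also surfaces servers where client-to-client was added through Custom Options as a workaround, so it can be moved back to the GUI checkbox once the fix is applied.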

Actions #8

Updated by Georgiy Tyutyunnik 13 days ago

  • Status changed from Feedback to Resolved

changeset fixes the issue
tested on:
25.11-DEVELOPMENT (amd64)
built on Thu Sep 18 18:57:00 UTC 2025
FreeBSD 15.0-PRERELEASE
