Bug #16705
closed
Automatic gateways for OpenVPN peer-to-peer servers with a ``/30`` tunnel network do not use the peer address
100%
Description
re-created from https://redmine.netgate.com/issues/22042
OpenVPN SSL/TLS Site-2-Site scenario with /30 subnet and only one client behaves differently in 25.11.1 in comparison to 24.11
Previously you didn't need to manually create gateways and cso to communicate with 1 peer using the server with /30 subnet.
OpenVPN config and resulting interfaces and gateways from 24.11 and 25.11 attached
This behavior is consistently reproducible.
Environment:
- OpenVPN site-to-site configuration
- Two peers only
- Tunnel network defined as: 192.168.72.0/30
- Interface type: assigned OpenVPN (ovpns) interface
Behavior in 24.11-RELEASE Expected / Working
The assigned OpenVPN (ovpns) interface received:
- Interface IP: 192.168.72.1
- Gateway: 192.168.72.2 (remote peer tunnel IP)
- Static routes that used the OpenVPN gateway worked correctly.
- Connectivity to the remote peer’s local subnet was fully functional (ping and routing OK).
Interfaces, gateways, openvpn configs and screenshots are attached
Updated by Jim Pingle 2 days ago
Could be related to the recent changes in OpenVPN gateways in #16351
Updated by Danilo Zrenjanin 1 day ago
I replicated this behaviour.
Environment
- OpenVPN site-to-site configuration
- Two peers only
- Tunnel network defined as: 192.168.72.0/30
- Interface type: assigned OpenVPN (ovpns) interface
Behavior in 24.11-RELEASE Expected / Working
The assigned OpenVPN (ovpns) interface received:
- Interface IP: 192.168.72.1
- Gateway: 192.168.72.2 (remote peer tunnel IP)
- Static routes that used the OpenVPN gateway worked correctly.
- Connectivity to the remote peer’s local subnet using static routes was fully functional (ping and routing OK).
Behavior After Upgrade to 25.11.1-RELEASE (Incorrect)
- The OpenVPN gateway is now automatically set to: 192.168.72.1 (the local ovpns interface address)
- Previously, it was correctly set to 192.168.72.2 (the remote peer tunnel address)
Because of this change:
- Static routes point to the wrong gateway.
- Traffic to the remote peer’s local subnet fails.
- Ping and routing over the site-to-site tunnel no longer work.
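The gateway condition described in this comment, as an added example that is not part of the ticket or pfSense's own code: it derives the peer address of a /30 tunnel network and flags an automatic gateway that points at the local interface address. The function names and the `ovpns1`/`ovpns2` rows are constructed for illustration; the addresses are the ones from this report.

```python
import ipaddress


def peer_address(tunnel_network, interface_ip):
    """Return the remote tunnel address for an IPv4 /30 peer-to-peer network."""
    net = ipaddress.ip_network(tunnel_network)
    local = ipaddress.ip_address(interface_ip)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{net} is not an IPv4 /30 tunnel network")
    # A /30 has exactly two usable hosts: network+1 and network+2.
    usable = [net.network_address + 1, net.network_address + 2]
    if local not in usable:
        raise ValueError(f"{local} is not a usable host address in {net}")
    return usable[1] if local == usable[0] else usable[0]


def check_gateway(tunnel_network, interface_ip, gateway):
    """Classify a gateway entry against the expected peer address."""
    peer = peer_address(tunnel_network, interface_ip)
    gw = ipaddress.ip_address(gateway)
    if gw == peer:
        return "ok"
    if gw == ipaddress.ip_address(interface_ip):
        # The state reported after the upgrade: gateway equals the local address.
        return "gateway-is-local-address"
    return "gateway-not-peer"


def audit(rows):
    """Return {interface name: status} for every row that is not 'ok'."""
    findings = {}
    for name, network, iface_ip, gateway in rows:
        status = check_gateway(network, iface_ip, gateway)
        if status != "ok":
            findings[name] = status
    return findings


# Constructed sample rows: (interface, tunnel network, interface IP, gateway).
SAMPLE = [
    ("ovpns1", "192.168.72.0/30", "192.168.72.1", "192.168.72.2"),  # 24.11 state
    ("ovpns2", "192.168.72.0/30", "192.168.72.1", "192.168.72.1"),  # 25.11.1 state
]

if __name__ == "__main__":
    for iface, status in audit(SAMPLE).items():
        print(f"{iface}: {status}")
```
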
Updated by Marcos M 1 day ago
- Subject changed from OpenVPN s2s interface and gateway assignment to Gateways for OpenVPN S2S Servers are not created with the peer address
- Status changed from Confirmed to Feedback
- Assignee set to Marcos M
- Target version set to 2.9.0
- % Done changed from 0 to 100
- Plus Target Version set to 26.03
- Affected Version set to 2.9.0
Fixed with a1314269b3a21bd28ae5f1bc6f2a58308f366f92.
Updated by Danilo Zrenjanin about 10 hours ago
- Status changed from Feedback to Resolved
The patch fixes it.
Thanks!
I am closing this case as resolved.
Updated by Jim Pingle about 7 hours ago
- Subject changed from Gateways for OpenVPN S2S Servers are not created with the peer address to Automatic gateways for OpenVPN peer-to-peer servers with a ``/30`` tunnel network do not use the peer address