Bug #16705
closed
Automatic gateways for OpenVPN peer-to-peer servers with a ``/30`` tunnel network do not use the peer address
Added by Georgiy Tyutyunnik 2 days ago.
Updated about 9 hours ago.
Plus Target Version:
26.03
Description
Re-created from https://redmine.netgate.com/issues/22042
The OpenVPN SSL/TLS site-to-site scenario with a /30 subnet and only one client behaves differently in 25.11.1 compared to 24.11.
Previously you didn't need to manually create gateways and CSO to communicate with 1 peer using the server with a /30 subnet.
OpenVPN config and resulting interfaces and gateways from 24.11 and 25.11 are attached.
This behavior is consistently reproducible.
Environment:
- OpenVPN site-to-site configuration
- Two peers only
- Tunnel network defined as: 192.168.72.0/30
- Interface type: assigned OpenVPN (ovpns) interface
Behavior in 24.11-RELEASE Expected / Working
The assigned OpenVPN (ovpns) interface received:
- Interface IP: 192.168.72.1
- Gateway: 192.168.72.2 (remote peer tunnel IP)
- Static routes that used the OpenVPN gateway worked correctly.
- Connectivity to the remote peer’s local subnet was fully functional (ping and routing OK).
Interfaces, gateways, openvpn configs and screenshots are attached
Could be related to the recent changes in OpenVPN gateways in #16351
I replicated this behaviour.
Environment
- OpenVPN site-to-site configuration
- Two peers only
- Tunnel network defined as: 192.168.72.0/30
- Interface type: assigned OpenVPN (ovpns) interface
Behavior in 24.11-RELEASE Expected / Working
The assigned OpenVPN (ovpns) interface received:
- Interface IP: 192.168.72.1
- Gateway: 192.168.72.2 (remote peer tunnel IP)
- Static routes that used the OpenVPN gateway worked correctly.
- Connectivity to the remote peer’s local subnet using static routes was fully functional (ping and routing OK).
Behavior After Upgrade to 25.11.1-RELEASE (Incorrect)
- The OpenVPN gateway is now automatically set to: 192.168.72.1 (the local ovpns interface address)
- Previously, it was correctly set to 192.168.72.2 (the remote peer tunnel address)
Because of this change:
- Static routes point to the wrong gateway.
- Traffic to the remote peer’s local subnet fails.
- Ping and routing over the site-to-site tunnel no longer work.
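The two behaviors reported above, as an added check that is not part of the original report or of pfSense's code: it derives the peer address of a /30 tunnel network and classifies an automatic gateway as correct or as pointing at the local interface address. The function names and the sample records are assumptions constructed from the addresses in this report.

```python
import ipaddress


def peer_address(tunnel_network, local_addr):
    """Return the remote peer's tunnel address for an IPv4 /30, else None."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    local = ipaddress.ip_address(local_addr)
    # Only a /30 has exactly two usable hosts, so only then is the peer implied.
    if net.version != 4 or net.prefixlen != 30:
        return None
    hosts = list(net.hosts())
    if local not in hosts:
        return None
    return next(h for h in hosts if h != local)


def audit_gateway(tunnel_network, local_addr, gateway):
    """Classify the gateway assigned to an OpenVPN peer-to-peer interface."""
    peer = peer_address(tunnel_network, local_addr)
    if peer is None:
        return "not-applicable"
    gw = ipaddress.ip_address(gateway)
    if gw == peer:
        return "ok"
    if gw == ipaddress.ip_address(local_addr):
        # The 25.11.1 symptom: static routes resolve to the firewall itself.
        return "gateway-is-local-address"
    return "unexpected-gateway"


# Constructed records: (release, tunnel network, interface IP, gateway).
SAMPLES = [
    ("24.11", "192.168.72.0/30", "192.168.72.1", "192.168.72.2"),
    ("25.11.1", "192.168.72.0/30", "192.168.72.1", "192.168.72.1"),
]


def audit_samples():
    """Return {release: verdict} for the constructed records."""
    return {rel: audit_gateway(net, ip, gw) for rel, net, ip, gw in SAMPLES}


if __name__ == "__main__":
    for release, verdict in audit_samples().items():
        print(release, verdict)
```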
- Subject changed from OpenVPN s2s interface and gateway assignment to Gateways for OpenVPN S2S Servers are not created with the peer address
- Status changed from Confirmed to Feedback
- Assignee set to Marcos M
- Target version set to 2.9.0
- % Done changed from 0 to 100
- Plus Target Version set to 26.03
- Affected Version set to 2.9.0
- Status changed from Feedback to Resolved
The patch fixes it.
Thanks!
I am closing this case as resolved.
- Subject changed from Gateways for OpenVPN S2S Servers are not created with the peer address to Automatic gateways for OpenVPN peer-to-peer servers with a ``/30`` tunnel network do not use the peer address