Bug #1806

closed

OpenVPN Tunnel Network label configuration creates a wrong configuration file when using TAP device mode

Added by Rino Santilli over 13 years ago. Updated over 12 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: 08/19/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

When creating a layer 2 tunnel using TAP devices in peer-to-peer shared key mode you get a warning in the OpenVPN logs because of the incorrect use of the ifconfig statement.
In fact, while with TUN devices the ifconfig statement uses the l and rn arguments as the local (server) IP and the remote (client) IP, with TAP devices it expects a subnet mask as the second argument.

From the openvpn man page: "--ifconfig l rn : TUN: configure device to use IP address l as a local endpoint and rn as a remote endpoint. l & rn should be swapped on the other peer. l & rn must be private addresses outside of the subnets used by either peer. TAP: configure device to use IP address l as a local endpoint and rn as a subnet mask."

Regards
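A check for the mismatch described in this report, as an added example that is not part of the original issue or of pfSense's code: it reads an OpenVPN configuration, determines the device type, and flags a TAP ifconfig line whose second argument is not a subnet mask. The sample configurations are constructed (addresses as reported in this issue; the 255.255.255.252 mask is an assumption).

```python
import ipaddress

def is_netmask(value):
    """True if value is a contiguous IPv4 subnet mask, e.g. 255.255.255.252."""
    try:
        n = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    inv = n ^ 0xFFFFFFFF              # host bits; must look like 0...01...1
    return n != 0 and (inv & (inv + 1)) == 0

def directives(config):
    """Yield (line number, words) for each non-comment, non-empty line."""
    for lineno, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if line and line[0] not in "#;":
            yield lineno, line.split()

def device_type(config):
    """'tap' or 'tun': dev-type wins, otherwise the prefix of the dev name."""
    dev = ""
    for _, words in directives(config):
        if len(words) >= 2 and words[0] == "dev-type":
            return words[1]
        if len(words) >= 2 and words[0] == "dev":
            dev = words[1]
    return dev[:3] if dev[:3] in ("tap", "tun") else None

def check_ifconfig(config):
    """Return [(line number, bad second argument)] for TAP ifconfig lines."""
    if device_type(config) != "tap":
        return []                     # TUN: second argument is the remote endpoint
    return [(lineno, words[2])
            for lineno, words in directives(config)
            if len(words) >= 3 and words[0] == "ifconfig"
            and not is_netmask(words[2])]

# Constructed sample configurations (not taken from a real system).
TAP_BAD = "dev ovpns2\ndev-type tap\nifconfig 3.3.3.5 3.3.3.6\n"
TAP_GOOD = "dev ovpns2\ndev-type tap\nifconfig 3.3.3.5 255.255.255.252\n"
TUN_P2P = "dev ovpns2\ndev-type tun\nifconfig 3.3.3.5 3.3.3.6\n"

if __name__ == "__main__":
    for name, cfg in (("TAP_BAD", TAP_BAD), ("TAP_GOOD", TAP_GOOD), ("TUN_P2P", TUN_P2P)):
        print(name, check_ifconfig(cfg))
```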

Actions #1

Updated by Rino Santilli over 13 years ago

These lines are from the OpenVPN log:

/sbin/ifconfig ovpns2 3.3.3.5 netmask 3.3.3.6 mtu 1500 up
/usr/local/sbin/ovpn-linkup ovpns2 1500 1592 3.3.3.5 3.3.3.6 init
WARNING: 'ifconfig' is used inconsistently, local='ifconfig 3.3.3.4 3.3.3.6', remote='ifconfig 3.3.3.4 3.3.3.5'

This is the pfSense version:

2.0-RC3 (i386)
built on Thu Aug 18 00:28:50 EDT 2011

Regards

Actions #2

Updated by Ermal Luçi about 13 years ago

  • Priority changed from High to Normal

Can you try this?

diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 285a65f..1cd25fc 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -394,7 +394,10 @@ function openvpn_reconfigure($mode, $settings) {
                                $baselong = ip2long32($ip) & ip2long($mask);
                                $ip1 = long2ip32($baselong + 1);
                                $ip2 = long2ip32($baselong + 2);
-                               $conf .= "ifconfig $ip1 $ip2\n";
+                               if ($dev_mode == "tap")
+                                       $conf .= "ifconfig $ip1 netmask $ip2\n";
+                               else
+                                       $conf .= "ifconfig $ip1 $ip2\n";
                                break;
                        case 'server_tls':
                        case 'server_user':
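
Review bot: in the added tap branch, "ifconfig $ip1 netmask $ip2" still passes $ip2 (the second host address, $baselong + 2) and inserts the word "netmask", whereas the man page text quoted in this issue says that for TAP the second argument of ifconfig is the subnet mask itself. $mask is already in scope on the first context line of this hunk, so the tap line should probably read "ifconfig $ip1 $mask\n". Braces around the two-branch if/else would also make later edits to this case less error-prone.
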
Actions #3

Updated by Ermal Luçi about 13 years ago

  • Status changed from New to Feedback
Actions #4

Updated by Rino Santilli about 13 years ago

Did it with success, but with a little modification to the netmask. In fact, to make it work I had to use the $mask variable and not the netmask string you told me to use.
Now OpenVPN doesn't complain about anything in the logs, but I think that the $ip2 variable, before the else statement, is useless (tested with success too).

Maybe something has to be modified in the client mode too, or maybe, the tunnel network being a non-mandatory field in the client configuration, it's enough, because it will try the autoconfiguration of the interface network address and netmask after the connection.

Unfortunately while testing I found another small bug. It's about openvpn too.
If you create an openvpn server as p2p_shared, delete it and then recreate it, the ifconfig fails because it doesn't get the right interface and the service wouldn't start.

Regards
Rino Santilli

Actions #5

Updated by Chris Buechler about 13 years ago

  • Target version changed from 2.0 to 2.0.1
Actions #6

Updated by Chris Buechler about 13 years ago

  • Target version deleted (2.0.1)
Actions #7

Updated by Jim Pingle over 12 years ago

  • Status changed from Feedback to Resolved

Tap support was cleaned up in 2.1; this is all working there.
