Bug #1806
closed
OpenVPN Tunnel Network label configuration creates a wrong configuration file when using TAP device mode
Added by Rino Santilli over 13 years ago.
Updated over 12 years ago.
Description
When creating a layer 2 tunnel using TAP devices in peer-to-peer shared key mode you get a warning in the OpenVPN logs because of the incorrect use of the ifconfig statement.
In fact, while with TUN devices the ifconfig statement uses the l and rn arguments as the local (server) IP and remote (client's) IP, with TAP devices it expects a subnet mask as the second argument.
From the openvpn man page: "--ifconfig l rn : TUN: configure device to use IP address l as a local endpoint and rn as a remote endpoint. l & rn should be swapped on the other peer. l & rn must be private addresses outside of the subnets used by either peer. TAP: configure device to use IP address l as a local endpoint and rn as a subnet mask."
Regards
Those lines are from the OpenVPN log
/sbin/ifconfig ovpns2 3.3.3.5 netmask 3.3.3.6 mtu 1500 up
/usr/local/sbin/ovpn-linkup ovpns2 1500 1592 3.3.3.5 3.3.3.6 init
WARNING: 'ifconfig' is used inconsistently, local='ifconfig 3.3.3.4 3.3.3.6', remote='ifconfig 3.3.3.4 3.3.3.5'
This is the pfSense version:
2.0-RC3 (i386)
built on Thu Aug 18 00:28:50 EDT 2011
Regards
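A check for the mismatch described above, as an added example (not code from pfSense or from this ticket): it reads a generated OpenVPN configuration and flags an `ifconfig` line whose second argument does not fit the device type. The sample configurations are constructed from the addresses in the log, the 255.255.255.252 mask is an assumed value, and the tun rule assumes a point-to-point setup without `topology subnet`.

```python
import ipaddress

def is_address(value):
    """True if value parses as a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def is_netmask(value):
    """True for a contiguous, non-zero IPv4 mask such as 255.255.255.252."""
    if not is_address(value):
        return False
    inv = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    # A contiguous mask inverts to 2**k - 1, so inv and inv + 1 share no bits.
    return inv != 0xFFFFFFFF and (inv & (inv + 1)) == 0

def check_ifconfig(conf_text):
    """Return findings for ifconfig lines that do not fit the device type."""
    dev_type, findings = None, []
    lines = [ln.split("#", 1)[0].split() for ln in conf_text.splitlines()]
    for words in lines:  # first pass: dev-type wins over a tun*/tap* dev name
        if len(words) >= 2 and words[0] == "dev-type":
            dev_type = words[1]
        elif len(words) >= 2 and words[0] == "dev" and dev_type is None:
            dev_type = words[1][:3] if words[1][:3] in ("tun", "tap") else None
    for words in lines:  # second pass: validate each ifconfig line
        if not words or words[0] != "ifconfig":
            continue
        second = words[2] if len(words) > 2 else ""
        if dev_type == "tap" and not is_netmask(second):
            findings.append(f"tap: {second!r} is not a subnet mask")
        elif dev_type == "tun" and (is_netmask(second) or not is_address(second)):
            findings.append(f"tun: {second!r} is not a peer address")
    return findings

# Constructed samples; addresses come from the log above, the mask is assumed.
TAP_AS_GENERATED = "dev ovpns2\ndev-type tap\nifconfig 3.3.3.5 3.3.3.6\n"
TAP_WITH_MASK = "dev ovpns2\ndev-type tap\nifconfig 3.3.3.5 255.255.255.252\n"
TUN_P2P = "dev tun0\nifconfig 3.3.3.5 3.3.3.6\n"

if __name__ == "__main__":
    for name in ("TAP_AS_GENERATED", "TAP_WITH_MASK", "TUN_P2P"):
        print(name, check_ifconfig(globals()[name]))
```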
- Priority changed from High to Normal
Can you try this?
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 285a65f..1cd25fc 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -394,7 +394,10 @@ function openvpn_reconfigure($mode, $settings) {
$baselong = ip2long32($ip) & ip2long($mask);
$ip1 = long2ip32($baselong + 1);
$ip2 = long2ip32($baselong + 2);
- $conf .= "ifconfig $ip1 $ip2\n";
+ if ($dev_mode == "tap")
+ $conf .= "ifconfig $ip1 netmask $ip2\n";
+ else
+ $conf .= "ifconfig $ip1 $ip2\n";
break;
case 'server_tls':
case 'server_user':
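Review bot: In the tap branch, `$conf .= "ifconfig $ip1 netmask $ip2\n";` writes the literal word netmask followed by $ip2, which is a host address (`$baselong + 2`) rather than a mask, so the second ifconfig argument is still not the subnet mask that TAP mode expects. Emit `"ifconfig $ip1 $mask\n"` instead, using the `$mask` already in scope in the first context line of this hunk, and put braces around both branches of the if/else. $dev_mode is not assigned anywhere in the visible lines, so confirm it is set before this case is reached.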
- Status changed from New to Feedback
Did it with success, but with a little modification about the netmask. In fact to make it work I had to use the $mask variable and not the netmask string you told me to use.
Now OpenVPN doesn't complain about anything in the logs, but I think that the $ip2 variable, before the else statement, is useless (tested with success too).
Maybe something has to be modified in client mode too, or maybe, since the tunnel network is a non-mandatory field in the client configuration, it's enough, because it will try the autoconfiguration of the interface network address and netmask after the connection.
Unfortunately while testing I found another small bug. It's about openvpn too.
If you create an openvpn server as p2p_shared, delete it and then recreate it, the ifconfig fails because it doesn't get the right interface and the service wouldn't start.
Regards
Rino Santilli
- Target version changed from 2.0 to 2.0.1
- Target version deleted (2.0.1)
- Status changed from Feedback to Resolved
Tap support was cleaned up in 2.1, this is all working there.