Bug #2432
closed
OpenVPN Client Specific Override ifconfig-push
Description
Hello,
I'm using a snapshot of pfSense 2.1 (20120419-1059). My pfSense installation holds two distinct VPN servers (both configured in tun mode).
When using the Client Specific Override tab in OpenVPN configuration, the Tunnel Network setting is not correctly handled. In the openvpn.inc file, inside the openvpn_resync_csc function, there is a test against $settings['dev_mode'] to see if the ifconfig-push setting should be written using the netmask (tap mode) or using the 2 tunnel addresses (tun mode).
The problem is that $settings['dev_mode'] is empty. The 'dev_mode' setting is a server setting, located inside each server configuration ($config['openvpn']['openvpn-server'][N]['dev_mode']). Disabling the test works for me since I don't use a server in tap mode, but this is not a long-term solution.
When searching how to solve this bug, I have also noticed that the directory holding client specific overrides is the same for all the VPN servers configured (/var/etc/openvpn-csc). Not really a problem, but that could lead to weird things if one uses a specific client config with the wrong server (assuming at least 2 servers running).
To solve this issue, maybe the Client Specific Override should be server dependent? At least in the GUI, in order to use the correct dev_mode setting?
Regards.
Updated by Jim Pingle almost 13 years ago
- Target version deleted (2.1)
Not sure that making them server-specific will be feasible. At the very least, that will cause problems for upgrade users.
Perhaps a drop-down that lets them apply to "all" or a specific server could work around that though, but that would require a bit of work in the backend to make sure that they all go to separate CSC directories and such.
It would be easier to put a drop-down on there to choose tun/tap there also, but I'm not sure that's the best way either.
For the short term I switched the test so it assumes tun instead of tap.
It can be worked around for someone who wants tap to manually put in the ifconfig push statement in the advanced options.
Updated by Davy Gigan almost 13 years ago
I understand your concern about upgrade users since I appreciate when an upgrade runs smoothly.
I've looked at the diff. You've changed 3 things:
- change test == to !=
- change value tun to tap
- swapping ifconfig-push config lines
Maybe I'm wrong but I'm not sure that's what you intended to do.
The openvpn tun mode client config uses the ifconfig-push {$clientip} {$serverip} config line, tap mode uses netmask. The current code will do the opposite.
Updated by Jim Pingle almost 13 years ago
Yeah, you're right. I started to fix it one way then changed my mind halfway, but didn't back out the original change. Fixed it in e052047
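
The behaviour discussed in this ticket, as an added example (not pfSense's openvpn.inc code): the ifconfig-push line is built from a dev_mode read from the server entry, since the override itself carries none, and an empty value falls back to tun. The function name csc_ifconfig_push, the sample arrays, and the choice of the first two host addresses of the tunnel network as server and client are assumptions.

```php
<?php
// Added example: hypothetical helper, not code from pfSense.

/**
 * Build the ifconfig-push line for one client specific override.
 * $devMode must come from the server entry; the override has no 'dev_mode'.
 */
function csc_ifconfig_push(string $tunnelNetwork, ?string $devMode): string
{
    if (!preg_match('#^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$#', $tunnelNetwork, $m)) {
        throw new InvalidArgumentException("bad tunnel network: {$tunnelNetwork}");
    }
    $ip   = ip2long($m[1]);
    $bits = (int)$m[2];
    if ($ip === false || $bits > 30) {
        // Two usable addresses are needed, so /31 and /32 are rejected.
        throw new InvalidArgumentException("unusable tunnel network: {$tunnelNetwork}");
    }
    $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    $base = $ip & $mask;

    // Assumption: server takes the first host address, client the second.
    $serverip = long2ip($base + 1);
    $clientip = long2ip($base + 2);

    if ($devMode === 'tap') {
        // tap mode: client address followed by the dotted netmask.
        return "ifconfig-push {$clientip} " . long2ip($mask);
    }
    // tun mode, and the fallback when dev_mode is empty: the two tunnel addresses.
    return "ifconfig-push {$clientip} {$serverip}";
}

// Constructed sample shaped like $config['openvpn']['openvpn-server'][N]['dev_mode'].
$config = ['openvpn' => ['openvpn-server' => [
    ['vpnid' => 1, 'dev_mode' => 'tun'],
    ['vpnid' => 2, 'dev_mode' => 'tap'],
    ['vpnid' => 3],                       // dev_mode missing: treated as tun
]]];
// Constructed override: note that it has no 'dev_mode' key of its own.
$csc = ['common_name' => 'client1', 'tunnel_network' => '10.8.0.4/30'];

foreach ($config['openvpn']['openvpn-server'] as $server) {
    $line = csc_ifconfig_push($csc['tunnel_network'], $server['dev_mode'] ?? null);
    echo "server {$server['vpnid']}: {$line}\n";
}
```

The same override yields a different directive for the tap server than for the tun servers, which is why a single shared /var/etc/openvpn-csc directory cannot hold a file that is correct for both.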