Bug #3713
closed
Gateways missing for OpenVPN server (shared key or /30s)
100%
Updated by Renato Botelho over 10 years ago
- Target version changed from 2.2 to Future
Can you please add more information about what issue you are trying to get fixed here?
Updated by Renato Botelho over 10 years ago
Maybe you were seeing issues like #3475?
Updated by Chris Buechler over 10 years ago
- Target version changed from Future to 2.2
This should be an easy fix. Where you have a tap OpenVPN server configured, a dynamic gateway is added that has no IP assigned for the gateway in rules.debug. It should just skip adding dynamic gateways for all OpenVPN servers; right now it only skips that for those with tun interfaces. For instance, this (after filling in a shared key) will show the issue:
<openvpn-server>
    <vpnid>3</vpnid>
    <mode>p2p_shared_key</mode>
    <protocol>UDP</protocol>
    <dev_mode>tap</dev_mode>
    <ipaddr/>
    <interface>wan</interface>
    <local_port>1201</local_port>
    <description><![CDATA[UDP shared key tap test]]></description>
    <custom_options/>
    <shared_key></shared_key>
    <crypto>AES-256-CBC</crypto>
    <digest>SHA1</digest>
    <engine>none</engine>
    <tunnel_network/>
    <tunnel_networkv6/>
    <remote_network/>
    <remote_networkv6/>
    <gwredir/>
    <local_network/>
    <local_networkv6/>
    <maxclients/>
    <compression/>
    <passtos/>
    <client2client/>
    <dynamic_ip/>
    <pool_enable>yes</pool_enable>
    <topology_subnet/>
    <serverbridge_dhcp/>
    <serverbridge_interface/>
    <serverbridge_dhcp_start/>
    <serverbridge_dhcp_end/>
    <netbios_enable/>
    <netbios_ntype>0</netbios_ntype>
    <netbios_scope/>
</openvpn-server>
Updated by Renato Botelho over 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Pull request has been merged
Updated by Anonymous over 10 years ago
Applied in changeset 8ff231b430864a08040c22518fde9bdfff54be0a.
Updated by Chris Buechler about 10 years ago
- Status changed from Feedback to Resolved
Updated by Jim Pingle almost 10 years ago
- Status changed from Resolved to Confirmed
- % Done changed from 100 to 0
The fix for this is incorrect. It also excludes tun servers, not only tap servers as the ticket title stated was a problem.
Gateways are valid and required for tun-based OpenVPN servers. At least for those using Shared Key, or SSL/TLS with a /30 tunnel network.
Updated by Chris Buechler almost 10 years ago
- Subject changed from Do not generate gateways for OpenVPN server TAP endpoints to Gateways missing for OpenVPN server (shared key or /30s)
- Affected Version changed from All to 2.2
Updated by Chris Buechler almost 10 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 687ff78c96938e1bc6175b293e83079abdb704a4.
Updated by Chris Buechler almost 10 years ago
Pretty sure this should be fine now. Leaving for sanity check from JimP.
Updated by Jim Pingle almost 10 years ago
I created and assigned a tun and a tap static key and the tun received a gateway; the tap did not.
There are cases where tap might use a gateway but the old behavior wouldn't have worked properly for that anyhow as far as I can see, since it was putting in a bogus/incorrect auto entry. Looks good for now, can probably close it out.
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Resolved
Yeah, the tap scenario before would result in an invalid ruleset previously. This brings back the same behavior as prior releases in every circumstance I can think of.
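Added example, not part of the ticket and not the code from either changeset: a Python sketch that reads `<openvpn-server>` entries and reports which ones should get a dynamic gateway under the rule the thread settles on (tap: none; tun with shared key or a /30 tunnel network: gateway). The sample entries, the `p2p_tls` mode value in them, the function names, the default of `tun` when `<dev_mode>` is absent, and treating every case the thread does not name as "no gateway" are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample entries; element names follow the entry quoted in the ticket.
SAMPLE = """<openvpn>
  <openvpn-server><vpnid>1</vpnid><mode>p2p_shared_key</mode>
    <dev_mode>tun</dev_mode><tunnel_network>10.0.8.0/30</tunnel_network></openvpn-server>
  <openvpn-server><vpnid>3</vpnid><mode>p2p_shared_key</mode>
    <dev_mode>tap</dev_mode><tunnel_network/></openvpn-server>
  <openvpn-server><vpnid>4</vpnid><mode>p2p_tls</mode>
    <dev_mode>tun</dev_mode><tunnel_network>10.0.9.0/30</tunnel_network></openvpn-server>
  <openvpn-server><vpnid>5</vpnid><mode>p2p_tls</mode>
    <dev_mode>tun</dev_mode><tunnel_network>10.0.10.0/24</tunnel_network></openvpn-server>
  <openvpn-server><vpnid>6</vpnid><mode>p2p_tls</mode>
    <dev_mode>tap</dev_mode><tunnel_network>10.0.11.0/30</tunnel_network></openvpn-server>
</openvpn>"""


def expects_gateway(server):
    """Return True if this <openvpn-server> element should get a dynamic gateway."""
    # Assumption: a missing <dev_mode> is treated as tun.
    dev_mode = (server.findtext("dev_mode") or "tun").strip()
    if dev_mode == "tap":
        # A tap server's auto gateway has no IP and breaks the ruleset.
        return False
    if (server.findtext("mode") or "").strip() == "p2p_shared_key":
        return True
    # Any other mode qualifies only with a /30 IPv4 tunnel network.
    tunnel = (server.findtext("tunnel_network") or "").strip()
    try:
        net = ipaddress.ip_network(tunnel, strict=False)
    except ValueError:
        return False  # empty or malformed tunnel network
    return net.version == 4 and net.prefixlen == 30


def gateway_report(xml_text):
    """Map each server's vpnid to whether a dynamic gateway is expected."""
    root = ET.fromstring(xml_text)
    return {s.findtext("vpnid"): expects_gateway(s)
            for s in root.iter("openvpn-server")}


if __name__ == "__main__":
    for vpnid, wanted in gateway_report(SAMPLE).items():
        print(f"ovpns{vpnid}: gateway {'expected' if wanted else 'skipped'}")
```

Comparing this report with the gateways the firewall actually lists shows both failure modes from the ticket: a tap server that received a gateway, or a tun shared-key server that lost one.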