Bug #6883

OpenVPN puts subnet on lo0 on FreeBSD 11, breaks in certain cases

Added by Dmitry Ivanov 12 months ago. Updated 11 months ago.

Target version:
Start date:
Due date:
% Done:


Affected version:
Affected Architecture:


openvpn - UDP/TUN (TAP works)
Clients connect to the server; in the logs everything is fine, but there is no access anywhere.
Without "ifconfig-push" it works.

From the server log when a client connects:
MULTI_sva: pool returned IPv4=
as it should be without "ifconfig-push".

But I push and the client gets


#1 Updated by Jim Pingle 12 months ago

  • Category set to OpenVPN
  • Status changed from New to Feedback
  • Priority changed from High to Normal

Unless this was a working configuration on a previous version, it's more likely to be a configuration error. There is not nearly enough detail here about the specifics of the setup or how to duplicate the problem.

#2 Updated by Dmitry Ivanov 12 months ago

It works on 2.3.*.
I installed 2.4 and restored the config from 2.3.3.

openvpn server UDP/TUN
Server mode - Remote Access (User Auth)
tunnel network -

In "client specific overrides" I added only "ifconfig-push;" for a single user. This user (Windows client or Android... does not matter) connects and gets this IP, but has no access.
Other users without "ifconfig-push" are working fine.

#3 Updated by Jim Pingle 12 months ago

Still not enough info. Need to know all settings all the way down the page, especially the topology type. Would also help to see the generated server config from /var/etc/openvpn/

#4 Updated by Dmitry Ivanov 12 months ago

dev ovpns7
verb 1
dev-type tun
dev-node /dev/tun7
writepid /var/run/
#user nobody
#group nobody
script-security 3
keepalive 10 60
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/
client-disconnect /usr/local/sbin/
local IP
engine cryptodev
client-config-dir /var/etc/openvpn-csc/server7
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server7 1200" via-env
lport 1200
management /var/etc/openvpn/server7.sock unix
push "route"
push "dhcp-option DOMAIN gormost.lan"
push "dhcp-option DNS"
push "register-dns"
push "dhcp-option WINS"
ca /var/etc/openvpn/
cert /var/etc/openvpn/server7.cert
key /var/etc/openvpn/server7.key
dh /etc/dh-parameters.1024
comp-lzo yes
topology subnet

#5 Updated by Dmitry Ivanov 12 months ago

When I try to connect to the pfSense web interface, there is a block entry in the firewall log:
lo0 (pfsense web interface)

In 2.3.3 there are no such entries.

#6 Updated by Jim Pingle 12 months ago

  • Subject changed from OpenVPN "ifconfig-push" drop all traffic on client to OpenVPN puts subnet on lo0 on FreeBSD 11, breaks in certain cases
  • Target version set to 2.4.0

I ran some tests and can confirm the issue on 2.4 only.

2.3.3 and 2.4 run the same version of OpenVPN and have identical options for compiling the port, but behave differently at runtime.

The generated configurations we make are identical, but the only difference I see is in the routing table.

2.3.3 (working):
    UGS      ovpns1
    link#8   UHS      lo0
    link#8   UH       ovpns1

2.4 (broken):
    UGS      lo0
    link#11  UHS      lo0
    link#11  UH       ovpns1

Given the other routing changes, I wonder if this might be related to #6828 in some way.
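As an added example (not code from the bug report or from the pfSense project), here is a small POSIX sh check for the broken state described in the routing tables above: a tunnel subnet route whose Netif is lo0 instead of the ovpns interface. The netstat -rn samples embedded in it are constructed; the addresses (10.0.8.0/24, 192.0.2.1) and interface names (ovpns1, em0) are assumptions for the demo. On a live FreeBSD/pfSense box, pipe `netstat -rn -f inet` into the function instead.

```sh
#!/bin/sh
# Added example: detect OpenVPN "topology subnet" routes that FreeBSD 11 has
# attached to lo0 instead of the tun interface (the broken 2.4 layout above).
# Input is FreeBSD `netstat -rn` text on stdin.
# Columns used: $1 Destination, $2 Gateway, $3 Flags, $4 Netif.

# Print every IPv4 network route (destination carries a prefix length) that has
# the gateway flag (G) set but is bound to lo0. 127.0.0.0/8 lives on lo0 by
# design and is skipped.
lo0_subnet_routes() {
    awk 'index($1, "/") > 0 && $1 !~ /^127\./ && index($3, "G") > 0 && $4 == "lo0" { print $1 }'
}

# Exit status 0 when the table looks like the working 2.3.3 layout, 1 otherwise.
check_routes() {
    bad=$(lo0_subnet_routes)
    if [ -n "$bad" ]; then
        printf 'tunnel subnet route(s) parked on lo0: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the broken 2.4 layout (subnet route UGS via lo0).
sample_broken() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.0.8.0/24        10.0.8.1           UGS         lo0
10.0.8.1           link#11            UHS         lo0
10.0.8.2           link#11            UH       ovpns1
127.0.0.1          link#2             UH          lo0
EOF
}

# Constructed sample: the working 2.3.3 layout (subnet route UGS via ovpns1).
sample_working() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.0.8.0/24        10.0.8.1           UGS      ovpns1
10.0.8.1           link#8             UHS         lo0
10.0.8.2           link#8             UH       ovpns1
127.0.0.1          link#2             UH          lo0
EOF
}

# Stand-alone demo; on a real box use:  netstat -rn -f inet | check_routes
sample_working | check_routes && echo "working sample: ok"
sample_broken  | check_routes || echo "broken sample: flagged (as expected)"
```

The check only reports; it deliberately does not touch the routing table, since the comments above note that the delete-and-re-add workaround is not the intended fix. A non-zero exit from `check_routes` after an OpenVPN restart, combined with block entries on lo0 in the firewall log like those in comment #5, is a quick way to tell whether a given build still shows the problem.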

#7 Updated by Jim Pingle 12 months ago

  • Status changed from Feedback to Confirmed

#8 Updated by Jim Pingle 12 months ago

This appears to be a general problem with OpenVPN on FreeBSD 11:

There is a workaround mentioned among the problem reports of removing the route and manually re-adding it, but it's not ideal. It needs a proper fix either in OpenVPN or FreeBSD. It looks as though it's getting some recent attention from both camps, hopefully that results in a solution we can use soon.

#9 Updated by Jim Thompson 12 months ago

  • Assignee set to Renato Botelho

#10 Updated by Renato Botelho 11 months ago

  • Status changed from Confirmed to Feedback

I've imported a patch from OpenVPN development list:

The next round of snapshots, with OpenVPN 2.3.12_2, will have it.

#11 Updated by Dmitry Ivanov 11 months ago

thank you very much!)

#12 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved

The route now appears on the OpenVPN interface as expected, and clients can connect/pass traffic with static addresses. Looks good.
