Project

General

Profile

Actions

Bug #6883

closed

OpenVPN puts subnet on lo0 on FreeBSD 11, breaks in certain cases

Added by Dmitry Ivanov over 7 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Category:
OpenVPN
Target version:
Start date:
11/01/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4
Affected Architecture:

Description

openvpn - UDP/TUN (TAP works)
clients connect to server, in the logs everything is fine, but no access anywhere.
without "ifconfig-push" it works

from server log when a client connects:
MULTI_sva: pool returned IPv4=10.0.7.2
as it should be without "ifconfig-push"

but i push 10.0.7.100 and client gets 10.0.7.100

Actions #1

Updated by Jim Pingle over 7 years ago

  • Category set to OpenVPN
  • Status changed from New to Feedback
  • Priority changed from High to Normal

Unless this was a working configuration on a previous version, it's more likely to be a configuration error. There is not nearly enough detail here about the specifics of the setup or how to duplicate the problem.

Actions #2

Updated by Dmitry Ivanov over 7 years ago

it works on 2.3.*
i installed 2.4, and restored config from 2.3.3

openvpn server UDP/TUN
Server mode - Remote Access (User Auth)
tunnel network - 10.0.7.0/24

in "client specific overrides" i added only "ifconfig-push 10.0.7.100 255.255.255.0;" for a single user. this user (windows client or android... does not matter) connects and gets this ip. but have no access.
other users without "ifconfig-push" are working fine.

Actions #3

Updated by Jim Pingle over 7 years ago

Still not enough info. Need to know all settings all the way down the page, especially the topology type. Would also help to see the generated server config from /var/etc/openvpn/

Actions #4

Updated by Dmitry Ivanov over 7 years ago

dev ovpns7
verb 1
dev-type tun
dev-node /dev/tun7
writepid /var/run/openvpn_server7.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local IP
engine cryptodev
tls-server
server 10.0.7.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server7
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server7 1200" via-env
lport 1200
management /var/etc/openvpn/server7.sock unix
push "route 10.10.96.0 255.255.240.0"
push "dhcp-option DOMAIN gormost.lan"
push "dhcp-option DNS 10.10.111.1"
push "register-dns"
push "dhcp-option WINS 10.10.111.1"
client-to-client
ca /var/etc/openvpn/server7.ca
cert /var/etc/openvpn/server7.cert
key /var/etc/openvpn/server7.key
dh /etc/dh-parameters.1024
comp-lzo yes
topology subnet

Actions #5

Updated by Dmitry Ivanov over 7 years ago

when i try to connect to pfsense web interface, there is block entry in firewall log:
lo0 10.10.111.231:81 (pfsense web interface) 10.0.7.100:52069

in 2.3.3 there is no such entries

Actions #6

Updated by Jim Pingle over 7 years ago

  • Subject changed from OpenVPN "ifconfig-push" drop all traffic on client to OpenVPN puts subnet on lo0 on FreeBSD 11, breaks in certain cases
  • Target version set to 2.4.0

I ran some tests and can confirm the issue on 2.4 only.

2.3.3 and 2.4 run the same version of OpenVPN and have identical options for compiling the port, but behave differently at runtime.

The generated configurations we make are identical, but the only difference I see is in the routing table.

2.3.3 (working):

10.5.201.0/24      10.5.201.1         UGS      ovpns1
10.5.201.1         link#8             UHS         lo0
10.5.201.2         link#8             UH       ovpns1

2.4 (broken):

10.7.100.0/24      10.7.100.1         UGS         lo0
10.7.100.1         link#11            UHS         lo0
10.7.100.2         link#11            UH       ovpns1

Given the other routing changes, I wonder if this might be related to #6828 in some way.

Actions #7

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Confirmed
Actions #8

Updated by Jim Pingle over 7 years ago

This appears to be a general problem with OpenVPN on FreeBSD 11:

https://forums.freebsd.org/threads/58019/
https://community.openvpn.net/openvpn/ticket/425#comment:14
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207831

There is a workaround mentioned among the problem reports of removing the route and manually re-adding it, but it's not ideal. It needs a proper fix either in OpenVPN or FreeBSD. It looks as though it's getting some recent attention from both camps, hopefully that results in a solution we can use soon.

Actions #9

Updated by Jim Thompson over 7 years ago

  • Assignee set to Renato Botelho
Actions #10

Updated by Renato Botelho over 7 years ago

  • Status changed from Confirmed to Feedback

I've imported a patch from OpenVPN development list:

https://github.com/pfsense/FreeBSD-ports/commit/153999c431c59ac95d71f3214a48d9032a566c58

Next round of snapshots, with OpenVPN 2.3.12_2 will have it

Actions #11

Updated by Dmitry Ivanov over 7 years ago

thank you very much!)

Actions #12

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved

The route now appears on the OpenVPN interface as expected, and clients can connect/pass traffic with static addresses. Looks good.

Actions

Also available in: Atom PDF