Bug #6883
closed
OpenVPN puts subnet on lo0 on FreeBSD 11, breaks in certain cases
0%
Description
openvpn - UDP/TUN (TAP works)
clients connect to server, in the logs everything is fine, but no access anywhere.
without "ifconfig-push" it works
from server log when a client connects:
MULTI_sva: pool returned IPv4=10.0.7.2
as it should be without "ifconfig-push"
but i push 10.0.7.100 and client gets 10.0.7.100
Updated by Jim Pingle about 8 years ago
- Category set to OpenVPN
- Status changed from New to Feedback
- Priority changed from High to Normal
Unless this was a working configuration on a previous version, it's more likely to be a configuration error. There is not nearly enough detail here about the specifics of the setup or how to duplicate the problem.
Updated by Dmitry Ivanov about 8 years ago
it works on 2.3.*
i installed 2.4, and restored config from 2.3.3
openvpn server UDP/TUN
Server mode - Remote Access (User Auth)
tunnel network - 10.0.7.0/24
in "client specific overrides" i added only "ifconfig-push 10.0.7.100 255.255.255.0;" for a single user. this user (windows client or android... does not matter) connects and gets this ip. but have no access.
other users without "ifconfig-push" are working fine.
Updated by Jim Pingle about 8 years ago
Still not enough info. Need to know all settings all the way down the page, especially the topology type. Would also help to see the generated server config from /var/etc/openvpn/
Updated by Dmitry Ivanov about 8 years ago
dev ovpns7
verb 1
dev-type tun
dev-node /dev/tun7
writepid /var/run/openvpn_server7.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local IP
engine cryptodev
tls-server
server 10.0.7.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server7
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server7 1200" via-env
lport 1200
management /var/etc/openvpn/server7.sock unix
push "route 10.10.96.0 255.255.240.0"
push "dhcp-option DOMAIN gormost.lan"
push "dhcp-option DNS 10.10.111.1"
push "register-dns"
push "dhcp-option WINS 10.10.111.1"
client-to-client
ca /var/etc/openvpn/server7.ca
cert /var/etc/openvpn/server7.cert
key /var/etc/openvpn/server7.key
dh /etc/dh-parameters.1024
comp-lzo yes
topology subnet
Updated by Dmitry Ivanov about 8 years ago
when i try to connect to pfsense web interface, there is block entry in firewall log:
lo0 10.10.111.231:81 (pfsense web interface) 10.0.7.100:52069
in 2.3.3 there is no such entries
Updated by Jim Pingle about 8 years ago
- Subject changed from OpenVPN "ifconfig-push" drop all traffic on client to OpenVPN puts subnet on lo0 on FreeBSD 11, breaks in certain cases
- Target version set to 2.4.0
I ran some tests and can confirm the issue on 2.4 only.
2.3.3 and 2.4 run the same version of OpenVPN and have identical options for compiling the port, but behave differently at runtime.
The generated configurations we make are identical, but the only difference I see is in the routing table.
2.3.3 (working):
10.5.201.0/24 10.5.201.1 UGS ovpns1 10.5.201.1 link#8 UHS lo0 10.5.201.2 link#8 UH ovpns1
2.4 (broken):
10.7.100.0/24 10.7.100.1 UGS lo0 10.7.100.1 link#11 UHS lo0 10.7.100.2 link#11 UH ovpns1
Given the other routing changes, I wonder if this might be related to #6828 in some way.
Updated by Jim Pingle about 8 years ago
- Status changed from Feedback to Confirmed
Updated by Jim Pingle about 8 years ago
This appears to be a general problem with OpenVPN on FreeBSD 11:
https://forums.freebsd.org/threads/58019/
https://community.openvpn.net/openvpn/ticket/425#comment:14
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207831
There is a workaround mentioned among the problem reports of removing the route and manually re-adding it, but it's not ideal. It needs a proper fix either in OpenVPN or FreeBSD. It looks as though it's getting some recent attention from both camps, hopefully that results in a solution we can use soon.
Updated by
Updated by Renato Botelho about 8 years ago
- Status changed from Confirmed to Feedback
I've imported a patch from OpenVPN development list:
https://github.com/pfsense/FreeBSD-ports/commit/153999c431c59ac95d71f3214a48d9032a566c58
Next round of snapshots, with OpenVPN 2.3.12_2 will have it
Updated by Jim Pingle about 8 years ago
- Status changed from Feedback to Resolved
The route now appears on the OpenVPN interface as expected, and clients can connect/pass traffic with static addresses. Looks good.