Bug #7053
closed
OpenVPN Client Specific Overrides - GUI Omissions and Errors
Added by Greg Siemon almost 8 years ago.
Updated almost 8 years ago.
Description
The OpenVPN Client Specific Overrides page under OpenVPN settings only has a single Tunnel Network field. In fact this field seems to be for an IPv4 address. There is currently no way to set up an IPv6 Tunnel Network without resorting to the advanced config fields. There should be separate IPv4 and IPv6 Tunnel Network fields as per the OpenVPN Server and Client setup pages.
Additionally, the descriptions on each of the fields under Tunnel Settings - Remote Networks could be clearer.
IPv4 Remote Networks
These are the IPv4 networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.
NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.
This should say "the server" not "this client" as the Remote Networks specified here are local to the client. The Local and Remote networks are from the Server's perspective not the client. Maybe a short note to explain this would help to understand what to do here.
Similarly for IPv6 Remote Networks. The description also incorrectly refers to IPv4 and should be changed to IPv6.
The wording of IPv4 Remote Networks is correct. The box defines a client-side network ("routed to this client") for iroute so the server knows how to reach it. Changing that to "the server" would be incorrect as that does not control routing to server-side networks, it controls routing to client-side networks.
The copy/paste error in IPv6 Remote Networks does need to be fixed, and adding the IPv6 tunnel network should be fairly easy though.
- Assignee set to Jim Pingle
- Target version set to 2.4.0
OpenVPN 2.4 makes it more obvious that you can't mix static IPv4 in an override with dynamic IPv6, so there is a greater need for that box on pfSense 2.4 since we switched.
Dec 30 10:42:05 openvpn 11654 jimp/198.51.100.6:4919 MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then.
Jim Pingle wrote:
The wording of IPv4 Remote Networks is correct. The box defines a client-side network ("routed to this client") for iroute so the server knows how to reach it. Changing that to "the server" would be incorrect as that does not control routing to server-side networks, it controls routing to client-side networks.
Apologies if I am misunderstanding, but I can only get the VPN to pass traffic if I specify the Remote Networks as the ones local to the Client (i.e. remote from the server's perspective). Similarly, the Local Networks box needs to have the networks that are local to the Server (i.e. remote from the client's perspective). Hence the description seems to not match the intended data.
All of the settings are from the perspective of the server, even the override. The descriptions reflect this; they do not imply the opposite. They are settings for the client, but in the context of the server side. "Local" is local to the server, "Remote" is remote to the server (as in on the client side).
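The two points made above (the 2.4 warning that a static IPv4 --ifconfig-push disables pool assignment from --ifconfig-ipv6-pool, and that "Local" and "Remote" networks are named from the server's perspective) can be seen directly in what an override turns into on disk. The following is an added example, not pfSense code: it builds the per-client client-config-dir (CCD) file from an override the way the GUI fields map onto OpenVPN directives. The dictionary keys (ipv4_tunnel, ipv6_tunnel, ipv4_local, ipv6_local, ipv4_remote, ipv6_remote), the sample addresses and the assumption that the tunnel uses "topology subnet" (so ifconfig-push takes the client address plus the tunnel netmask) are all assumptions of this example; the directives it emits (ifconfig-push, ifconfig-ipv6-push, push "route ...", push "route-ipv6 ...", iroute, iroute-ipv6) are standard OpenVPN syntax.

```python
"""Build an OpenVPN client-config-dir (CCD) file from a client-specific override.

Illustrative example, not pfSense code. Field names, sample addresses and the
"topology subnet" assumption for ifconfig-push are assumptions of this example.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _split_cidrs(field: str, version: int) -> List[Network]:
    """Parse a comma-separated list of CIDR ranges (host bits are masked off).
    Raises ValueError on bad syntax or an entry of the wrong IP version."""
    nets: List[Network] = []
    for raw in (s.strip() for s in field.split(",") if s.strip()):
        net = ipaddress.ip_network(raw, strict=False)
        if net.version != version:
            raise ValueError(f"{raw!r} is not an IPv{version} network")
        nets.append(net)
    return nets


def build_ccd(override: Dict[str, str],
              server_has_ipv6_pool: bool = False) -> Tuple[List[str], List[str]]:
    """Return (ccd_lines, warnings) for one client's override.

    All keys are optional. Tunnel values are the client's own tunnel address
    with the tunnel prefix length (e.g. "10.8.0.6/24"); network lists are
    comma-separated CIDRs. Everything is from the SERVER's point of view:
    "local" = server-side networks, "remote" = networks behind this client.
    """
    lines: List[str] = []
    warnings: List[str] = []

    v4_tun = override.get("ipv4_tunnel", "").strip()
    v6_tun = override.get("ipv6_tunnel", "").strip()

    if v4_tun:
        iface4 = ipaddress.ip_interface(v4_tun)
        if iface4.version != 4:
            raise ValueError(f"{v4_tun!r} is not an IPv4 tunnel address")
        # topology subnet form (assumption): client address + tunnel netmask
        lines.append(f"ifconfig-push {iface4.ip} {iface4.network.netmask}")
    if v6_tun:
        iface6 = ipaddress.ip_interface(v6_tun)
        if iface6.version != 6:
            raise ValueError(f"{v6_tun!r} is not an IPv6 tunnel address")
        lines.append(f"ifconfig-ipv6-push {iface6.with_prefixlen}")

    # The failure mode from the OpenVPN 2.4 MULTI_sva warning: a static IPv4
    # address alone stops automatic IPv6 assignment from --ifconfig-ipv6-pool.
    if v4_tun and not v6_tun and server_has_ipv6_pool:
        warnings.append(
            "static IPv4 tunnel address set without an IPv6 one: OpenVPN will not "
            "assign an address from --ifconfig-ipv6-pool; set the IPv6 tunnel too")

    # Local networks live on the SERVER side, so they are pushed to the client as routes.
    for net in _split_cidrs(override.get("ipv4_local", ""), 4):
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    for net in _split_cidrs(override.get("ipv6_local", ""), 6):
        lines.append(f'push "route-ipv6 {net.with_prefixlen}"')

    # Remote networks live behind THIS CLIENT; iroute tells the server's internal
    # routing table that traffic for them belongs to this client instance.
    for net in _split_cidrs(override.get("ipv4_remote", ""), 4):
        lines.append(f"iroute {net.network_address} {net.netmask}")
    for net in _split_cidrs(override.get("ipv6_remote", ""), 6):
        lines.append(f"iroute-ipv6 {net.with_prefixlen}")

    return lines, warnings


if __name__ == "__main__":
    # Constructed sample override for a site-to-site client named "branch1".
    sample = {
        "ipv4_tunnel": "10.8.0.6/24",
        "ipv6_tunnel": "fd00:8::6/64",
        "ipv4_local": "192.168.1.0/24",
        "ipv4_remote": "192.168.10.7/24",   # host bits are masked off below
        "ipv6_remote": "fd00:10::/64",
    }
    ccd, warns = build_ccd(sample, server_has_ipv6_pool=True)
    print("# ccd/branch1")
    print("\n".join(ccd))
    for w in warns:
        print("WARNING:", w)
```

Note that the server's own "IPv4/IPv6 Remote Networks" list still has to carry the same subnets (as the GUI note says): the iroute here only tells the OpenVPN process which client owns them, while the server-level entries produce the kernel routes into the tunnel interface.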
I think I understand why the text under Remote networks is written the way it is now. Apologies for the misunderstanding.
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
- Target version changed from 2.4.0 to 2.3.3