After I upgraded my OPNsense to 21.1.8_1, my OpenVPN server can't start anymore. When I revert to my last snapshot it works fine.
I updated again and the issue came back.
I will attach the logs from when I tried to run the server manually.
Screenshots of your server config, please.
https://forum.opnsense.org/index.php?topic=23855.0
same issue?
Sounds like .. yes
it looks like the pool size check appeared in 2.5
https://github.com/OpenVPN/openvpn/blob/release/2.4/src/openvpn/pool.c
https://github.com/OpenVPN/openvpn/blob/release/2.5/src/openvpn/pool.c
so /29 tunnel with net30 is the problem now
I don't know if it's worth adding such a validation in vpn_openvpn_server.php
and it seems to me that it's time to remove the unused pool_enable parameter from vpn_openvpn_server.php
I think Ad would be more than happy to review a PR :)
@mimugmail, hi)
PR to get rid of an "Address Pool" option is not a problem.
but I'm really not sure about the network check:
- I can't understand why the OpenVPN guys decided to require at least 2 free client addresses
(moreover, this part of the code appeared from the ipv6 thread)
https://github.com/OpenVPN/openvpn/commit/1379e5271d0057fcaed82d6985e614ca2ed8c265#diff-c352dbfea84a922bc7cc7d59c2bdab978a438266607404943bd6451d99de4e06
- I do not fully understand their calculations of the pool size and results yet
No idea, I always use topology cause I want to filter by IP via CSC :)
Quote from: Fright on July 16, 2021, 09:03:07 AM
it looks like the pool size check appeared in 2.5
https://github.com/OpenVPN/openvpn/blob/release/2.4/src/openvpn/pool.c
https://github.com/OpenVPN/openvpn/blob/release/2.5/src/openvpn/pool.c
so /29 tunnel with net30 is the problem now
I don't know if it's worth adding such a validation in vpn_openvpn_server.php
and it seems to me that it's time to remove the unused pool_enable parameter from vpn_openvpn_server.php
Yes, you are correct, the problem was with /29, because when I changed it to less than 29 it works fine, for example /24 or /28.
Also I don't know why, when we use /30, the remote host can't get an IP address.
@mimugmail
Same here.
Just wondered why something that worked stopped working.
Since I got this answer
https://github.com/OpenVPN/openvpn/pull/153
I can try to make a PR for an IPv4 tunnel check: allow only <29 prefix for net30 and <30 prefix for topology subnet
@hamadabsi
The OpenVPN guys decided that a 1-client pool size is not useful..
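To make the /29-with-net30 failure and the proposed prefix rule concrete, here is an added example (not code from the thread, OPNsense or OpenVPN) that counts the client address slots a tunnel network yields under each topology and applies the rule from the thread (net30: prefix shorter than /29, subnet: shorter than /30). The per-topology arithmetic is an assumption used for illustration, not a copy of OpenVPN's pool.c.

```python
import ipaddress
from typing import Optional

# Assumed minimum, matching the thread: the 2.5 pool check rejects a single-client pool.
MIN_CLIENT_SLOTS = 2


def client_slots(tunnel_network: str, topology: str) -> int:
    """Return how many client address slots the tunnel network offers.

    Assumed model (illustrative, not OpenVPN's own calculation):
      net30  - every client consumes a /30 and the server takes the first /30,
               so slots = (addresses / 4) - 1.
      subnet - network and broadcast are unusable and the server takes the
               first host, so slots = addresses - 3.
    """
    net = ipaddress.IPv4Network(tunnel_network, strict=True)
    if topology == "net30":
        return max(net.num_addresses // 4 - 1, 0)
    if topology == "subnet":
        return max(net.num_addresses - 3, 0)
    raise ValueError(f"unknown topology: {topology}")


def validate_tunnel_network(tunnel_network: str, topology: str) -> Optional[str]:
    """Return an error message in the spirit of the proposed GUI check, or None.

    Prefix limits follow the thread: net30 needs a prefix shorter than /29,
    topology subnet needs a prefix shorter than /30.
    """
    net = ipaddress.IPv4Network(tunnel_network, strict=True)
    limit = 29 if topology == "net30" else 30
    if net.prefixlen >= limit:
        slots = client_slots(tunnel_network, topology)
        return (f"Tunnel network {net} is too small for topology '{topology}': "
                f"prefix must be shorter than /{limit} "
                f"({slots} client address(es) available, OpenVPN 2.5 needs "
                f"at least {MIN_CLIENT_SLOTS})")
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the cases discussed in the thread.
    for network, topo in [("10.8.0.0/29", "net30"), ("10.8.0.0/30", "net30"),
                          ("10.8.0.0/28", "net30"), ("10.8.0.0/30", "subnet"),
                          ("10.8.0.0/29", "subnet"), ("10.8.0.0/24", "net30")]:
        print(network, topo, client_slots(network, topo),
              validate_tunnel_network(network, topo) or "OK")
```

Under this model /29 with net30 leaves exactly one client slot and /30 with net30 leaves none, which matches the two failures reported earlier in the thread.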
I also don't find it useful, just use /24 and client isolation, saves addresses
Quote from: Fright on July 17, 2021, 10:07:30 AM
I can try to make a PR for an IPv4 tunnel check: allow only <29 prefix for net30 and <30 prefix for topology subnet
Yes please. <3
Cheers,
Franco
In the process ;). Will also add this check to the wizard.
https://github.com/opnsense/core/pull/5112
https://github.com/opnsense/core/pull/5114
Now there is a question about the unused "Address Pool" option in the server config GUI )
Is it better to get rid of it, or try to use it for the nopool flag in the server options and add the ability to add a pool for the ifconfig-pool command?
Or is it better to create a ticket?