Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
OpenVPN startup incompatible with WireGuard already running multiple tunnels
« previous
next »
Print
Pages: [
1
]
Author
Topic: OpenVPN startup incompatible with WireGuard already running multiple tunnels (Read 3182 times)
whit
Newbie
Posts: 35
Karma: 1
OpenVPN startup incompatible with WireGuard already running multiple tunnels
«
on:
September 23, 2019, 09:35:55 pm »
This is a new thread based on "OpenVPN from Linux client -- also server fails to start with tun1 error".
In summary, WireGuard starts tunnels using tun devices, renaming them to wg0, wg1 ... wgN. OpenVPN also uses tun devices. In a system with existing wg0, wg1 and wg2 devices, the OpenVPN server startup currently tries to use tun1, which is not available, as already in use as wg1. So OpenVPN simply fails.
Presumably this would not result if only a single wgN device were running based on a renamed tun0, and it's doable in WireGuard to have multiple tunnels based on a single wgN device. But the current OPNsense setup requires each remote endpoint have its own tunN (wgN) device on OPNsense, so that's not a viable workaround when multiple WireGuard tunnels are required.
It's possible that starting OpenVPN before WireGuard would avoid this. Haven't tested that. The system where this has become evident is in production, and the WireGuard tunnels are of higher value to us than OpenVPN access. In any case, the current setup is clearly a bug in the OpenVPN startup, which should be smart enough, on failing to use tun1, to increment N until tunN is found available to it.
«
Last Edit: September 23, 2019, 10:44:01 pm by whit
»
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: OpenVPN startup incompatible with WireGuard already running multiple tunnels
«
Reply #1 on:
September 23, 2019, 10:33:09 pm »
Can you post a link to the other thread?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
whit
Newbie
Posts: 35
Karma: 1
Re: OpenVPN startup incompatible with WireGuard already running multiple tunnels
«
Reply #2 on:
September 23, 2019, 10:36:04 pm »
The problem comes in at line 546 in openvpn.inc:
if (!does_interface_exist($devname)) {
if (!file_exists("/dev/{$devnode}")) {
mwexecf('/sbin/ifconfig %s create', array($devnode));
}
The problem is that does_interface_exist looks specifically for tun devices named ovpnsN and ovpncN, so entirely misses that tunN is in use when it's been renamed wgN instead of ovpnsN or ovpncN for server or client. What's needed is a test for the interface's current use that works no matter what the device may have been renamed to after creation. When tun1 has been renamed wg1, as in my case, this code misses it as it assumes that the only consumer of tunN interfaces is OpenVPN.
Logged
whit
Newbie
Posts: 35
Karma: 1
Re: OpenVPN startup incompatible with WireGuard already running multiple tunnels
«
Reply #3 on:
September 23, 2019, 10:38:04 pm »
Quote from: mimugmail on September 23, 2019, 10:33:09 pm
Can you post a link to the other thread?
https://forum.opnsense.org/index.php?topic=14282.0
Logged
whit
Newbie
Posts: 35
Karma: 1
Re: OpenVPN startup incompatible with WireGuard already running multiple tunnels
«
Reply #4 on:
September 23, 2019, 11:05:04 pm »
ifconfig -g tun
will list all devices in the "tun" group, which looks sufficient. So the code could call that, then take the numbers from those, and go +1 from the highest number returned for the next tunN to use from OpenVPN. Or perhaps it should start with the highest returned, try that, and go up +1 only if that turns out to be already in use.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: OpenVPN startup incompatible with WireGuard already running multiple tunnels
«
Reply #5 on:
September 24, 2019, 05:33:35 am »
Maybe it's worth open a feature request in GitHub core for OpenVPN.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: OpenVPN startup incompatible with WireGuard already running multiple tunnels
«
Reply #6 on:
September 24, 2019, 07:41:56 am »
OpenVPN code has always been a little dirty in his regard not playing nice with other tun/tap consumers. GitHub issue appreciated.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
OpenVPN startup incompatible with WireGuard already running multiple tunnels