OpenVPN can't start again

Started by hamadabsi, July 15, 2021, 09:37:59 AM

After I upgraded my OPNsense to 21.1.8_1 my OpenVPN server can't start anymore. When I revert to my last snapshot it works fine.
I updated again and the issue came back.
I will attach the logs from when I tried to run the server manually.

It looks like the pool size check appeared in 2.5:
https://github.com/OpenVPN/openvpn/blob/release/2.4/src/openvpn/pool.c
https://github.com/OpenVPN/openvpn/blob/release/2.5/src/openvpn/pool.c

So a /29 tunnel with net30 is the problem now.

I don't know if it's worth adding such a validation in vpn_openvpn_server.php,
and it seems to me that it's time to remove the unused pool_enable parameter from vpn_openvpn_server.php.

I think Ad would be more than happy to review a PR :)

@mimugmail, hi)
A PR to get rid of the "Address Pool" option is not a problem,
but I'm really not sure about the network check:

- I can't understand why the OpenVPN guys decided to require at least 2 free client addresses
(moreover, this part of the code came from the IPv6 thread):
https://github.com/OpenVPN/openvpn/commit/1379e5271d0057fcaed82d6985e614ca2ed8c265#diff-c352dbfea84a922bc7cc7d59c2bdab978a438266607404943bd6451d99de4e06

- I do not fully understand their calculation of the pool size and its results yet.

No idea, I always use topology because I want to filter by IP via CSC :)

Quote from: Fright on July 16, 2021, 09:03:07 AM
It looks like the pool size check appeared in 2.5:
https://github.com/OpenVPN/openvpn/blob/release/2.4/src/openvpn/pool.c
https://github.com/OpenVPN/openvpn/blob/release/2.5/src/openvpn/pool.c

So a /29 tunnel with net30 is the problem now.

I don't know if it's worth adding such a validation in vpn_openvpn_server.php,
and it seems to me that it's time to remove the unused pool_enable parameter from vpn_openvpn_server.php.

Yes, you are correct, the problem was with /29: when I changed it to less than /29 it works fine, for example /24 or /28.
Also, I don't know why, when we use /30, the remote host can't get an IP address.

@mimugmail
Same here,
I just wondered why something that worked stopped working.
Since I got this answer
https://github.com/OpenVPN/openvpn/pull/153
I can try to make a PR for an IPv4 tunnel check: allow only a <29 prefix for 30net and a <30 prefix for topology.

@hamadabsi
The OpenVPN guys decided that a 1-client pool size is not useful..
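To make the arithmetic behind this thread concrete, here is an added Python sketch (not OPNsense or OpenVPN code) that derives the IPv4 ifconfig-pool the way the `server <net> <mask>` directive expands it (as I read OpenVPN's helper.c: net30 clients start at .4 with the last 4 addresses reserved except on a /29; subnet topology uses .2 up to broadcast-2), counts pool entries with the formulas from the linked 2.5 pool.c, and compares the result with the GUI check proposed above. The 2.5 minimum of 2 entries and the assumption that the OPNsense config ends up as a plain `server` line are taken from the thread and the linked sources, not verified here.

```python
import ipaddress

MIN_POOL_SIZE = 2  # minimum enforced by the pool size check that appeared in OpenVPN 2.5 pool.c


def pool_range(network: str, topology: str) -> tuple[int, int]:
    """Return (pool_start, pool_end) as integers for `server <net> <mask>` on a tun device."""
    net = ipaddress.IPv4Network(network, strict=True)
    base, bcast, bits = int(net.network_address), int(net.broadcast_address), net.prefixlen
    if bits > 29:
        # helper.c refuses anything smaller than a /29 for --dev tun
        raise ValueError("server subnet must be /29 or larger")
    if topology == "subnet":
        # server takes .1, clients get .2 .. broadcast-2
        return base + 2, bcast - 2
    # net30: server endpoint pair is .1/.2, client /30 quads start at .4;
    # the last 4 addresses are reserved, except on a /29 where there is no room
    reserve = 0 if bits == 29 else 4
    return base + 4, bcast - reserve


def pool_size(start: int, end: int, topology: str) -> int:
    """Count pool entries the way pool.c does (IFCONFIG_POOL_INDIV vs IFCONFIG_POOL_30NET)."""
    if topology == "subnet":
        return end - start + 1
    base = start & ~3
    return (((end | 3) + 1) - base) >> 2


def openvpn25_accepts(network: str, topology: str) -> bool:
    """Would OpenVPN 2.5 start with this tunnel network and topology?"""
    try:
        start, end = pool_range(network, topology)
    except ValueError:
        return False
    return pool_size(start, end, topology) >= MIN_POOL_SIZE


def opnsense_check(network: str, topology: str) -> bool:
    """Proposed GUI validation: prefix < 29 for net30, prefix < 30 for topology subnet."""
    bits = ipaddress.IPv4Network(network, strict=True).prefixlen
    return bits < 29 if topology == "net30" else bits < 30


if __name__ == "__main__":
    # constructed sample: the cases discussed in this thread
    for cidr, topo in [("10.0.8.0/29", "net30"), ("10.0.8.0/28", "net30"),
                       ("10.0.8.0/29", "subnet"), ("10.0.8.0/30", "subnet")]:
        print(cidr, topo, "starts:", openvpn25_accepts(cidr, topo),
              "gui check:", opnsense_check(cidr, topo))
```

A /29 with net30 yields exactly one client /30 (pool size 1), which is why it worked on 2.4 but is rejected by 2.5, while the same /29 with topology subnet still gives 4 client addresses.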

I also don't find it useful, just use /24 and client isolation, it saves addresses.

Quote from: Fright on July 17, 2021, 10:07:30 AM
I can try to make a PR for an IPv4 tunnel check: allow only a <29 prefix for 30net and a <30 prefix for topology.

Yes please. <3

Cheers,
Franco

In the process ;). I will also add this check to the wizard:

https://github.com/opnsense/core/pull/5112
https://github.com/opnsense/core/pull/5114

Now there is a question about the unused "Address Pool" option in the server config GUI )
Is it better to get rid of it, or to try to use it for the nopool flag in the server option and add the ability to add a pool for the ifconfig-pool command?
Or is it better to create a ticket?