Summary: | security/openvpn: incorrect self route when using subnet topology | ||
---|---|---|---|
Product: | Ports & Packages | Reporter: | Anton Saietskii <vsasjason> |
Component: | Individual Port(s) | Assignee: | Matthias Andree <mandree> |
Status: | Closed FIXED | ||
Severity: | Affects Some People | CC: | gert |
Priority: | --- | Flags: | vsasjason:
maintainer-feedback?
(mandree) |
Version: | Latest | ||
Hardware: | Any | ||
OS: | Any |
Description
Anton Saietskii
2014-11-01 19:35:09 UTC
Auto-assigned to maintainer mandree@FreeBSD.org forwarded upstream as <https://community.openvpn.net/openvpn/ticket/481#ticket> https://community.openvpn.net/openvpn/ticket/55 might be related. upstream added 2.3.7 as milestone to fix this. some discussion/progress in https://community.openvpn.net/openvpn/ticket/481 A commit references this bug: Author: mandree Date: Fri May 22 21:39:39 UTC 2015 New revision: 387083 URL: https://svnweb.freebsd.org/changeset/ports/387083 Log: Add experimental patch by Gert D?ring to fix PR #194745. Must be enabled through the options framework ("make config"). PR: 194745 Changes: head/security/openvpn/Makefile head/security/openvpn/files/EF-subnet.patch Anton, please: 1. upgrade your ports tree such that you get openvpn 2.3.6_5 2. run "make config" and enable the SUBNETFIX option 3. recompile, reinstall, and see if that fixes the bug for you, 4. report back. Thank you. Upstream release 2.3.7 is imminent - it would be nice to hear back whether the fix works for you... I've tested proposed patch, and now host can ping/etc himself. I also have some thoughts: 1. Can exist another way without halving effective address space? 2. Will OpenVPN server know about 2 used addresses by client, eg server=192.168.0.1(+192.168.0.2). First client connects and pulls 192.168.0.3 addr. The second client will get 192.168.0.4 or 192.168.0.5? Unfortunately, I cannot test this right now. (In reply to Anton Sayetsky from comment #8) Good to hear that it's working for you. As far as the "halving effective address space" - it isn't. This is *subnet* mode, so the whole subnet is always on the tun interface (like, a /24 or /27) - and the "second address" is not used by the client, it's just there to fulfill the requirement "a peer to peer address must be specified that is on the other side of the tun". As in subnet mode, *all* addresses out of the subnet except the one assigned to the host itself are "on the other side of the tun", this is not actually changing anything - it is just making FreeBSD understand which address is "mine" and which is "someone elses". As there is no layer 2 resolving (ARP) on a tun interface, all that matters in the end is "which routes are pointing to tun<x>" - and that the other end knows which addresses are "its", and which addresses are "mine". Yes, it's a hack, but keep that in mind: as long as the client's address is understood to be "local", and all the rest of the subnet is routed into the tun (as single host routes or subnet route), things will do what is needed in subnet mode. The older --topology net30 mode actually needed a /30 for each client (so you automatically had "local" and "remote" addresses available) - but that still confused people as the "remote" address never pings in point-to-multipoint mode... Port upgraded to 2.3.7 release. A commit references this bug: Author: mandree Date: Wed Jun 10 19:18:57 UTC 2015 New revision: 389128 URL: https://svnweb.freebsd.org/changeset/ports/389128 Log: Update to new upstream release 2.3.7. Fixes PR: 194745 Changes: head/security/openvpn/Makefile head/security/openvpn/distinfo head/security/openvpn/files/EF-subnet.patch head/security/openvpn/files/EF1.patch head/security/openvpn/files/EF2.patch head/security/openvpn/files/EF3.patch |