Dear Jim and other OpenVPN hackers,

there is an OpenVPN regression, apparently affecting 2.1 on FreeBSD-8, and  
caused by OpenVPN configuring the local address on a P2P interface for the  
local AND ALSO the remote address.

and followups for details.

On 30.07.2009, 08:40, Stefan Bethke <stb at> wrote:

> I'm not sure if that is a more general problem with OpenVPN (at least in  
> --topology subnet mode), or a specific problem in the FreeBSD-specific  
> code.  I just looked at a Linux box connected to the same OpenVPN  
> server, and their ifconfig invocation looks different from ours, so the  
> FreeBSD-specific code at least plays some role.
> I'd still like to know whether the change to the routing code is  
> intentional or a regression.


Which version of OpenVPN are you using?

It might seem that this is a FreeBSD regression, as OpenVPN assumes this  
about --topology subnet, so that the use of the local address as remote  
is intentional.

(This is from the current OpenVPN 2.1-RC manpage):

               subnet  -- Use a subnet rather than a point-to-point topology by
               configuring the tun interface with a local IP address and  
               mask,  similar  to  the  topology used in --dev tap and  
               bridging mode.  This mode allocates a single IP address per  
               necting  client  and  works  on Windows as well.  Only  
               when server and clients are OpenVPN 2.1 or  higher,  or   
               2.0.x which has been manually patched with the --topology  
               tive code.  When used on Windows, requires version 8.2 or  
               of  the  TAP-Win32 driver.  When used on *nix, requires that  
               tun driver supports an ifconfig(8) command which sets  a   
               instead of a remote endpoint IP address.

I see this in the ChangeLog:

2006.04.05 -- Version 2.1-beta12
* "topology subnet" fix for FreeBSD (Benoit Bourdin).

And it appears that exactly this patch may be the culprit. This is from  
the OpenVPN 2.1 source repository:

r986 | james | 2006-04-05 08:28:19 +0200 (Wed, 05 Apr 2006) | 2 lines
Changed paths:
    M /branches/BETA21/openvpn/tun.c

"topology subnet" fix for FreeBSD (Benoit Bourdin).


Index: tun.c
--- tun.c	(Revision 985)
+++ tun.c	(Revision 986)
@@ -795,19 +795,42 @@
-      else
-	openvpn_snprintf (command_line, sizeof (command_line),
+      else {
+	if (tt->topology == TOP_SUBNET)
+            openvpn_snprintf (command_line, sizeof (command_line),
+                              IFCONFIG_PATH " %s %s %s netmask %s mtu %d  
+                              actual,
+                              ifconfig_local,
+                              ifconfig_local,
+                              ifconfig_remote_netmask,
+                              tun_mtu
+                              );
+	else
+  	    openvpn_snprintf (command_line, sizeof (command_line),
  			  IFCONFIG_PATH " %s %s netmask %s mtu %d up",
+      }
        msg (M_INFO, "%s", command_line);
        system_check (command_line, es, S_FATAL, "FreeBSD ifconfig failed");
        tt->did_ifconfig = true;

+	/* Add a network route for the local tun interface */
+      if (!tun && tt->topology == TOP_SUBNET)
+        {
+          struct route r;
+          CLEAR (r);
+          r.defined = true;
+ = tt->local & tt->remote_netmask;
+          r.netmask = tt->remote_netmask;
+          r.gateway = tt->local;
+          add_route (&r, tt, 0, es);
+        }
  #elif defined (WIN32)
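
Review bot: In the TOP_SUBNET branch, ifconfig_local is passed for both address arguments of the ifconfig command, so the interface's destination address is set to the host's own local address, and the route added further down uses tt->local as its gateway as well. Nothing in the code says this duplication is deliberate; it needs at least a comment stating the intent and which FreeBSD tun behaviour it relies on, or the destination should be a distinct address inside the subnet derived from tt->local and tt->remote_netmask. The route block also tests `!tun` with no comment on what that flag means at this point, and the new `else {` block mixes tabs and spaces and uses a brace placement that differs from the `{` on its own line in the route block.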

Matthias Andree

