recent change to ifconfig breaks OpenVPN?
Stefan Bethke
stb at lassitu.de
Wed Jul 29 18:30:08 UTC 2009
On 29.07.2009 at 20:12, Julian Elischer wrote:
> Stefan Bethke wrote:
>> I just updated this afternoon (r195941), and after rebooting,
>> OpenVPN has problems ifconfig'ing a tun interface.
>> With sources from about one week ago, this is working:
>> Jul 29 03:07:15 diesel openvpn_zs64[14785]: /sbin/ifconfig tun1
>> 44.128.127.2 44.128.127.2 netmask 255.255.255.0 mtu 1500 up
>> Jul 29 03:07:15 diesel openvpn_zs64[14785]: /sbin/route add -net
>> 44.128.127.0 44.128.127.2 255.255.255.0
>> Jul 29 03:07:15 diesel openvpn_zs64[14785]: /sbin/route add -net
>> 44.128.64.0 44.128.127.1 255.255.192.0
>> Now, the same sequence fails:
>> Jul 29 17:31:41 diesel openvpn_zs64[1855]: /sbin/ifconfig tun1
>> 44.128.127.2 44.128.127.2 netmask 255.255.255.0 mtu 1500 up
>> Jul 29 17:31:41 diesel openvpn_zs64[1855]: FreeBSD ifconfig failed:
>> external program exited with error status: 1
>> Trying the same command manually gets me:
>> /sbin/ifconfig tun1 44.128.127.2 44.128.127.2 netmask 255.255.255.0
>> mtu
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^
>
> have you tried it without using the same address on both ends?

Sure, I changed to a custom up script that configures a different
address for the other end. The question is: is this an intended
change, and does OpenVPN need to be changed?

Note that the addresses OpenVPN passed to ifconfig are determined
automatically based on various config parameters (both on the client
and on the server), so it's not a simple configuration change.

It used to be that ifconfig would assign the local address to the p2p
interface, and would add a route to the VPN block via that one
address. This is from a 7-stable machine connected to the same server:

$ ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 44.128.127.14 --> 44.128.127.14 netmask 0xffffff00
        Opened by PID 760
$ netstat -rnfinet
...
44.128.127.0/24    44.128.127.14      UGS         2      499   tun0
44.128.127.14      44.128.127.14      UH          1        0   tun0
...

I'm guessing that adding that host route is not working anymore, and
that's why ifconfig is failing.

The end result necessary for an OpenVPN setup like mine ("topology
subnet") is a tun interface with the local address assigned by the
server configuration, and a route to the server-configured subnet
going out via the tun interface. The remote address on the tun
interface does not actually matter, and no host route is necessary.

I have a feeling OpenVPN needs to be changed wrt computing the proper
ifconfig parameters.

Stefan
--
Stefan Bethke <stb at lassitu.de> Fon +49 151 14070811
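
Added example, not part of the original message and not OpenVPN's or FreeBSD's own code: a dry run of the kind of custom up script mentioned above, which picks a peer address inside the subnet that differs from the local address and prints the ifconfig and route commands in the form seen in the log. The function names, the choice of the first free host address as peer, and routing the subnet via that peer are assumptions.

```shell
#!/bin/sh
# Added example: compute tun settings for a "topology subnet" client
# so that local and peer addresses differ. Prints commands, runs nothing.
# All function names are hypothetical; the sample values are from the thread.

# Dotted quad -> 32-bit integer (octets without leading zeros).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# pick_peer LOCAL NETMASK: first host address in the subnet that is
# not LOCAL. Fails when the subnet has no second host (/31, /32).
pick_peer() {
    local_i=$(ip_to_int "$1")
    mask_i=$(ip_to_int "$2")
    net_i=$(( local_i & mask_i ))
    bcast_i=$(( net_i + 4294967295 - mask_i ))
    peer_i=$(( net_i + 1 ))
    if [ "$peer_i" -eq "$local_i" ]; then peer_i=$(( net_i + 2 )); fi
    if [ "$peer_i" -ge "$bcast_i" ]; then return 1; fi
    int_to_ip "$peer_i"
}

# tun_plan IFACE LOCAL NETMASK MTU: print the two commands.
tun_plan() {
    peer=$(pick_peer "$2" "$3") || return 1
    net=$(int_to_ip $(( $(ip_to_int "$2") & $(ip_to_int "$3") )))
    echo "/sbin/ifconfig $1 $2 $peer netmask $3 mtu $4 up"
    # Assumption: the subnet route points at the peer, so it leaves via the tun.
    echo "/sbin/route add -net $net $peer $3"
}

# Values taken from the failing log line in the quoted message.
tun_plan tun1 44.128.127.2 255.255.255.0 1500
```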