openVPN client/server bridge : need to specify server subnet.
Closed, ResolvedPublic

Description

When configuring an openvpn server bridge instance, the GUI rejects the commit if 'server subnet' is not set.
I have to configure it with dummy values ('192.168.1.10/24').
This parameter should be required only for non-bridge openvpn servers.

set interfaces openvpn vtun11 bridge-group bridge 'br11'
set interfaces openvpn vtun11 local-port '2003'
set interfaces openvpn vtun11 mode 'server'
set interfaces openvpn vtun11 server subnet '192.168.1.10/24'
set interfaces openvpn vtun11 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun11 tls cert-file '/config/auth/server.crt'
set interfaces openvpn vtun11 tls dh-file '/config/auth/dh1024.pem'
set interfaces openvpn vtun11 tls key-file '/config/auth/server.key'

When looking at the related openvpn command, this parameter is not present:

$ ps -eaf | grep vtun11
root 4722 1 0 11:14 ? 00:00:22 /usr/sbin/openvpn --daemon openvpn-vtun11 --verb 3 --writepid /var/run/openvpn-vtun11.pid --status /opt/vyatta/etc/openvpn/status/vtun11.status 30 --dev-type tap --dev vtun11 --mode server --tls-server --topology subnet --keepalive 10 60 --lport 2003 --ca /config/auth/opl-rmm-ovpn/ca.crt --cert /config/auth/server.crt --key /config/auth//server.key --dh /config/auth/dh1024.pem --management /tmp/openvpn-mgmt-intf unix --server-bridge nogw --client-config-dir /opt/vyatta/etc/openvpn/ccd/vtun11

Details

Difficulty level
Normal (likely a few hours)
Version
1.1.5

I don't have a platform to test right now but I think the issue is in

https://github.com/vyos/vyatta-openvpn/blob/current/lib/Vyatta/OpenVPN/Config.pm

Lines 867 to 879: the tests for subnet values should be inside the test for bridge mode, not before it.

I.e. something like:

if ($self->{_bridge}) {
    # bridge mode: addressing comes from the bridge, no subnet needed
    $cmd .= " --server-bridge nogw";
} else {
    # routed mode: a server subnet is mandatory
    return (undef, 'Must specify "server subnet" option in server mode')
        if (!defined($self->{_server_def}));
    my $s = new NetAddr::IP "$self->{_server_subnet}";
    my $n = $s->addr();
    my $m = $s->mask();
    my $l = $s->masklen();
    return (undef, 'Must define "server subnet mask" 255.255.255.248 (/29) or lower')
        if ($l gt "29" && !defined($self->{_bridge}) && !defined($self->{_device_type}));
    $cmd .= " --server $n $m";
}

instead of:

return (undef, 'Must specify "server subnet" option in server mode')
    if (!defined($self->{_server_def}));
my $s = new NetAddr::IP "$self->{_server_subnet}";
my $n = $s->addr();
my $m = $s->mask();
my $l = $s->masklen();
return (undef, 'Must define "server subnet mask" 255.255.255.248 (/29) or lower')
    if ($l gt "29" && !defined($self->{_bridge}) && !defined($self->{_device_type}));
if ($self->{_bridge}) {
    $cmd .= " --server-bridge nogw";
} else {
    $cmd .= " --server $n $m";
}
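The proposed reordering, as a stand-alone added example (not code from vyatta-openvpn or from any participant in this task). It mirrors the field names used in the quoted Config.pm excerpt (_bridge, _server_def, _server_subnet, _device_type) but parses the CIDR in plain Perl instead of NetAddr::IP so it runs without CPAN modules, clears the host bits to pass a network address to --server, and compares the prefix length numerically: the quoted code uses the string operator "gt", under which "8" gt "29" is true, so a /8 subnet would be rejected by the /29-or-lower check. Those three deviations are this example's own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse "a.b.c.d/len" and return (network, netmask, prefix length),
# or an empty list when the value is missing or malformed.
sub parse_cidr {
    my ($cidr) = @_;
    return unless defined $cidr
        && $cidr =~ m{^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$};
    my @octets = ($1, $2, $3, $4);
    my $len = $5;
    return if grep { $_ > 255 } @octets;
    return if $len > 32;
    my $addr     = unpack('N', pack('C4', @octets));
    my $maskbits = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    my $network  = join '.', unpack('C4', pack('N', $addr & $maskbits));
    my $mask     = join '.', unpack('C4', pack('N', $maskbits));
    return ($network, $mask, $len);
}

# Build the server-mode part of the openvpn command line from a config hashref
# whose keys follow the Config.pm excerpt above (hypothetical, assumed shape).
# Returns ($args, undef) on success or (undef, $error) on a validation failure.
sub server_args {
    my ($cfg) = @_;
    my $cmd = '';

    if ($cfg->{_bridge}) {
        # Bridge mode: the bridge supplies addressing, so no subnet is required
        # and none of the subnet checks below run.
        $cmd .= ' --server-bridge nogw';
        return ($cmd, undef);
    }

    # Routed mode: the server subnet is mandatory.
    return (undef, 'Must specify "server subnet" option in server mode')
        if !defined $cfg->{_server_def};

    my ($n, $m, $l) = parse_cidr($cfg->{_server_subnet});
    my $raw = defined $cfg->{_server_subnet} ? $cfg->{_server_subnet} : '(unset)';
    return (undef, "Invalid \"server subnet\" value '$raw'")
        if !defined $n;

    # Numeric comparison (the excerpt's string "gt" would reject "/8").
    return (undef, 'Must define "server subnet mask" 255.255.255.248 (/29) or lower')
        if $l > 29 && !defined $cfg->{_device_type};

    $cmd .= " --server $n $m";
    return ($cmd, undef);
}

# Constructed inputs: the bridge setup from this task (no subnet at all),
# a routed /24, a routed /8 that the string compare would have rejected,
# and a /30 that must still be refused.
my @cases = (
    { _bridge => 'br11' },
    { _server_def => 1, _server_subnet => '10.8.0.0/24' },
    { _server_def => 1, _server_subnet => '10.0.0.0/8' },
    { _server_def => 1, _server_subnet => '10.8.0.0/30' },
    { _server_def => 1 },
);

for my $c (@cases) {
    my ($args, $err) = server_args($c);
    print defined $args ? "ok:$args\n" : "error: $err\n";
}
# Expected: the bridge case yields " --server-bridge nogw" with no subnet,
# the /24 and /8 cases yield " --server <network> <mask>", and the /30 and
# missing-subnet cases return the corresponding error strings.
```

With the bridge branch tested first, the "server subnet" requirement is only enforced in routed mode, which is exactly what the task asks for; the `!defined($self->{_bridge})` term in the excerpt's /29 check becomes redundant once the check lives inside the else branch.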

hey @thomas.courbon, thanks for sharing this,
just wondering if you have any interest in joining development,
I guess we can set up test and build environments for you with @dmbaturin
Thanks!

Hi @syncer. I'll say... Why not :-)
Is there a way you could contact me directly?

syncer assigned this task to UnicronNL.
syncer edited subscribers, added: Maintainers; removed: dmbaturin, syncer, VyOS 1.1.x.
syncer added subscribers: UnicronNL, dmbaturin.

Another good candidate for 1.1.8.
@UnicronNL @dmbaturin, can you confirm and move it to the backlog?

@thomas.courbon I missed your reply somehow; if you are still interested in joining, drop me an email at yuriy@vyos.io

dmbaturin closed this task as Resolved. Oct 12 2017, 6:17 AM

Fixed in both 1.1.8 and current.

syncer added a project: VyOS 1.2.x.
syncer moved this task from Need Triage to Finished on the VyOS 1.2.x board.