Typo in openvpn server client config for IPv6 iroute
Closed, Resolved (Public)

Description

In the server client config which is generated from 'server client <client> subnet <ipv6addr/prefix>', the resultant line is 'iroute ipv6addr/prefix', which is obviously wrong; it should be 'iroute-ipv6'.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

jjakob changed the task status from Open to In progress. (Jan 14 2021, 8:46 PM)
jjakob triaged this task as Normal priority.
jjakob created this task.
jjakob created this object in space S1 VyOS Public.

Backported to equuleus branch

c-po changed the task status from In progress to Needs testing. (Jan 15 2021, 4:12 PM)

Do I need to test the image before closing the task? I'm on an older image version and I manually applied the patch, which works. Otherwise I'd need to upgrade the image, which I won't have time for in the near future.

If you could extend the smoketest, that would be even better; a local test is okay, too.

Server:

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '10.2.0.15'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '2001:470:1f14:af1::2'
set interfaces openvpn vtun10 server client client1 subnet '2001:470:1f14:af1::/64'
set interfaces openvpn vtun10 server push-route '2001:db8:0:abc::/64'
set interfaces openvpn vtun10 server subnet '10.140.0.0/20'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ea1/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/ea1/central.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/ea1/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/ea1/central.key'

The ccd file configuration shows only iroute, not iroute-ipv6:

vyos@vyos6# less /run/openvpn/ccd/vtun10/client1
### Autogenerated by interfaces-openvpn.py ###

ifconfig-push 2001:470:1f14:af1::2 255.255.240.0
iroute 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::

Version:

vyos@vyos6# run sh ver

Version:          VyOS 1.3.0-rc5
Release Train:    equuleus

@SrividyaA does this configuration work or not?

As I understand there are 2 bugs:

  1. It expected --iroute-ipv6, i.e.
     iroute-ipv6 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::
  2. Something wrong with such format (IPv6 address / IPv4 mask):
     ifconfig-push 2001:470:1f14:af1::2 255.255.240.0

Also, maybe it needs to use --ifconfig-ipv6-push

I don't think the configuration is working; the interface is down. It is not assigning the IPv6 addresses to the tunnel interfaces.

Also it shows incorrect config in the file as mentioned by @Viacheslav in his post.
Initially, the task was opened stating that 'iroute ipv6addr/prefix' should be replaced with 'iroute-ipv6'. Still showing as iroute.

I also cannot configure just the IPv6 subnet; it needs an IPv4 subnet as well.
As a result, it is pointing to the IPv4 subnet in the ifconfig-push setting.

Server side:

vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.255.214/24                u/u
eth1             10.2.0.15/24                      u/u
                 2001:db8::1/64
eth2             172.16.0.1/24                     u/u
eth3             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vtun10           -                                 u/D

No output in OpenVPN server status:

vyos@vyos# run sh openvpn server

[edit]
vyos@vyos#
vyos@vyos# del interfaces openvpn vtun10 server subnet '10.140.0.0/24'
[edit]
vyos@vyos# commit

IPv6 server requires an IPv4 server subnet

Why is it mandatory to have the IPv4 subnet as well?

I see these errors in the OpenVPN log:

Aug  7 14:21:31 vyos openvpn-vtun10[22029]: Options error: --server-ipv6 is incompatible with 'nopool' option
Aug  7 14:21:31 vyos openvpn-vtun10[22029]: Use --help for more information.
Aug  7 14:21:31 vyos systemd[1]: openvpn@vtun10.service: Main process exited, code=exited, status=1/FAILURE
Aug  7 14:21:31 vyos systemd[1]: openvpn@vtun10.service: Failed with result 'exit-code'.

So I configured the following option, but it still does not help:

set interfaces openvpn vtun10 server client-ipv6-pool base '2001:470:1f14:af1::/64'

Existing server configuration:

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '2001:db8::1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '2001:470:1f14:af1::2'
set interfaces openvpn vtun10 server client client1 subnet '2001:470:1f14:af1::/64'
set interfaces openvpn vtun10 server client-ipv6-pool base '2001:470:1f14:af1::/64'
set interfaces openvpn vtun10 server push-route '2001:db8:0:abc::/64'
set interfaces openvpn vtun10 server subnet '2001:470:1f14:af1::/64'
set interfaces openvpn vtun10 server subnet '10.140.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/ovpn/openvpn_server.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/ovpn/dh2048.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/ovpn/openvpn_server.key'
set interfaces openvpn vtun10 use-lzo-compression

Am I missing any part of the configuration? I would be grateful for any advice.

dmbaturin set Issue type to Unspecified (please specify).
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
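
A check for the two ccd defects reported in this thread (an IPv6 network under iroute, and an IPv6 address with an IPv4 netmask under ifconfig-push), added here as an example and not taken from interfaces-openvpn.py or the VyOS fix. The function names are hypothetical; SAMPLE reproduces the ccd output quoted above.

```python
import ipaddress

# IP version each ccd directive is expected to carry.
FAMILY = {"iroute": 4, "ifconfig-push": 4,
          "iroute-ipv6": 6, "ifconfig-ipv6-push": 6}
# IPv6 counterparts named in the thread.
V6_NAME = {"iroute": "iroute-ipv6", "ifconfig-push": "ifconfig-ipv6-push"}

# ccd file content as quoted in the thread (/run/openvpn/ccd/vtun10/client1).
SAMPLE = """### Autogenerated by interfaces-openvpn.py ###

ifconfig-push 2001:470:1f14:af1::2 255.255.240.0
iroute 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::
"""


def arg_version(token):
    """Return 4 or 6 if token parses as an address or prefix, else None."""
    try:
        return ipaddress.ip_interface(token).version
    except ValueError:
        return None


def lint_ccd(text):
    """Return (line_no, message) for each address-family problem found."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        directive, *args = line.split()
        want = FAMILY.get(directive)
        versions = [v for v in map(arg_version, args) if v is not None]
        if want is None or not versions:
            continue
        if versions[0] != want:                  # wrong directive for family
            msg = f"{directive} given an IPv{versions[0]} argument"
            if directive in V6_NAME:
                msg += f"; expected {V6_NAME[directive]}"
            findings.append((no, msg))
        if len(set(versions)) > 1:               # e.g. IPv6 address + IPv4 mask
            findings.append((no, f"{directive} mixes IPv4 and IPv6 arguments"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_ccd(SAMPLE):
        print(f"line {no}: {msg}")
```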