
Bridging OpenVPN tap with no local-address breaks
Open · Requires assessment · Public · BUG

Description

If you create an OpenVPN interface with no local-address set, you usually get the following:

Must specify "local-address" or add interface to bridge

However, if you add it to a bridge and do not set local-address as well, then the following commit failure occurs:

VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest stable version of VyOS
  the code is available at https://downloads.vyos.io/?dir=release/current
- Contact us using the online help desk
  https://support.vyos.io/
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2021-07-15 22:59:21
Image Version:    VyOS 1.3-beta-202107121144
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Tue 13 Jul 2021 03:42 UTC
Build UUID:       1acfd1ce-c432-4fbf-9e9e-2933807e5e5f
Build Commit ID:  2ba1cbb93659bc

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    Unknown

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/interfaces-openvpn.py", line 511, in <module>
    verify(c)
  File "/usr/libexec/vyos/conf_mode/interfaces-openvpn.py", line 121, in verify
    if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1:
KeyError: 'local_address'

[[interfaces openvpn vtun0]] failed
Commit failed
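The traceback above shows `verify()` indexing `openvpn['local_address']` after the "local-address or bridge" check has already accepted a bridged interface. The following is an added example, not VyOS's own `interfaces-openvpn.py`: a minimal Python model of that check order, with the unguarded lookup from the traceback beside a guarded version that reads the optional key with `.get()`. The `is_bridge_member` flag, the `is_ipv4` helper and the second error message are assumptions for the illustration.

```python
import ipaddress

class ConfigError(Exception):
    """Raised when a candidate configuration fails verification."""

def is_ipv4(addr: str) -> bool:
    """Stand-in for the script's is_ipv4 helper (assumed behaviour)."""
    try:
        return ipaddress.ip_address(addr).version == 4
    except ValueError:
        return False

def verify_unguarded(openvpn: dict) -> None:
    """Check order implied by the traceback: the 'local-address or bridge' check
    passes for a bridged interface, then the IPv4-count check indexes a missing key."""
    if 'local_address' not in openvpn and not openvpn.get('is_bridge_member'):
        raise ConfigError('Must specify "local-address" or add interface to bridge')
    # KeyError here for a bridged interface with no local-address (the reported failure)
    if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1:
        raise ConfigError('Only one IPv4 local-address may be configured')  # assumed message

def verify_guarded(openvpn: dict) -> None:
    """Same checks; the optional key is read with .get() so a bridged tap
    interface without local-address verifies cleanly."""
    local = openvpn.get('local_address', [])
    if not local and not openvpn.get('is_bridge_member'):
        raise ConfigError('Must specify "local-address" or add interface to bridge')
    if len([addr for addr in local if is_ipv4(addr)]) > 1:
        raise ConfigError('Only one IPv4 local-address may be configured')  # assumed message

# Constructed configs modelled on the report: bridged tap with no local-address,
# the reporter's fe80::1 workaround, and an unbridged interface with no address.
BRIDGED_NO_ADDR = {'device_type': 'tap', 'mode': 'site-to-site', 'is_bridge_member': True}
WORKAROUND = {**BRIDGED_NO_ADDR, 'local_address': ['fe80::1']}
UNBRIDGED_NO_ADDR = {'device_type': 'tap', 'mode': 'site-to-site'}

def outcome(verify, cfg: dict) -> str:
    """Run one verifier and report 'ok', 'ConfigError' or 'KeyError'."""
    try:
        verify(cfg)
        return 'ok'
    except ConfigError:
        return 'ConfigError'
    except KeyError:
        return 'KeyError'

if __name__ == '__main__':
    for name, cfg in [('bridged', BRIDGED_NO_ADDR), ('workaround', WORKAROUND), ('unbridged', UNBRIDGED_NO_ADDR)]:
        print(f'{name:11} unguarded={outcome(verify_unguarded, cfg):12} guarded={outcome(verify_guarded, cfg)}')
```

Running it shows the bridged, address-less interface produce a KeyError from the unguarded verifier and verify cleanly with the guarded one, while the reporter's fe80::1 workaround passes both.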

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.3-beta-202107121144
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)

Event Timeline

@Scoopta Can you share commands on how to reproduce it?
It will be easier for developers to reproduce this bug.

In my test configuration all works fine.

set interfaces bridge br0 address '10.0.0.1/30'
set interfaces bridge br0 member interface vtun0
set interfaces openvpn vtun0 device-type 'tap'
set interfaces openvpn vtun0 encryption cipher 'aes128'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '192.168.1.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/openvpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/openvpn/central.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/openvpn/dh.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/openvpn/central.key'

Bridge

vyos@r4-1.3:~$ sudo brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.923f3607f0dc	no		vtun0

My config which breaks

set interfaces openvpn vtun2 device-type tap
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 persistent-tunnel
set interfaces openvpn vtun2 shared-secret-key-file /config/auth/ovpn.key
set interfaces bridge br3 member interface vtun2

My config which breaks

set interfaces openvpn vtun2 device-type tap
set interfaces openvpn vtun2 mode site-to-site

Did this work in 1.2 or any other version?

I'm not sure, I haven't tried it. Thing is, if I add

set interfaces openvpn vtun2 local-address fe80::1

it no longer breaks. For now I'm setting local-address and then adding it to a bridge, which, while pointless, works as a workaround. If it is an issue with site-to-site, it specifically has to do with not having local-address set while attempting to bridge. The reason I want to use site-to-site is so I can use static keys, as I only have 2 hosts on the tunnel anyway. If needed I can test on v1.2 or v1.4. v1.3 is my first VyOS deployment, but I'm in an IPv6-only environment running IS-IS across VPN tunnels and VXLANs, which is a rather unconventional configuration, so I've broken VyOS quite a lot with this setup.