Hi All
I believe I've found another issue with VyOS 1.4-rc1; this time with OpenVPN.
Firstly, because I've been using lots of different rolling versions (both 1.4 and 1.5) my config turned fairly messy and so I essentially started all over again. This was certainly required when I moved to 1.5-rolling as there were many changes such as with firewalls and QoS.
...so I've worked a little bit backwards from 1.5 with the following OpenVPN config in 1.4-rc1:
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 openvpn-option '--data-ciphers aes-256-cbc'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server domain-name 'monck.com.au'
set interfaces openvpn vtun10 server name-server '192.168.0.5'
set interfaces openvpn vtun10 server name-server '192.168.10.247'
set interfaces openvpn vtun10 server push-route 0.0.0.0/0
set interfaces openvpn vtun10 server push-route ::/0
set interfaces openvpn vtun10 server subnet '192.168.7.0/24'
set interfaces openvpn vtun10 server subnet '2403:5815:6df3:7::/64'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls auth-key 'openvpn_auth_key'
set interfaces openvpn vtun10 tls ca-certificate 'ca'
set interfaces openvpn vtun10 tls certificate 'central'
set interfaces openvpn vtun10 tls dh-params 'dh'
However, with this config OpenVPN won't start, with the following error:
Options error: --server-ipv6 is incompatible with 'nopool' option
This is the config produced in vtun10.conf:
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
#
#
verb 3
dev-type tun
dev vtun10
persist-key
proto udp
multihome
lport 1194
persist-tun
disable-dco
#
# OpenVPN Server mode
#
mode server
tls-server
topology subnet
server 192.168.7.0 255.255.255.0 nopool
push "route 0.0.0.0 0.0.0.0 vpn_gateway 0"
push "route-ipv6 ::/0"
ifconfig-pool 192.168.7.2 192.168.7.253 255.255.255.0
server-ipv6 2403:5815:6df3:7::/64
keepalive 10 600
management /run/openvpn/openvpn-mgmt-intf unix
push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DNS 192.168.10.247"
push "dhcp-option DOMAIN monck.com.au"

# TLS options
ca /run/openvpn/vtun10_ca.pem
cert /run/openvpn/vtun10_cert.pem
key /run/openvpn/vtun10_cert.key
dh /run/openvpn/vtun10_dh.pem
tls-auth /run/openvpn/vtun10_auth.key 0

# Encryption options
cipher AES-256-CBC
data-ciphers AES-256-CBC
# https://vyos.dev/T5027
# Required to support BF-CBC (default ciphername when none given)
providers legacy default
It seems this issue was already fixed in 1.5, as the changes I can see are the removal of the 'nopool' option and the removal of the ifconfig-pool line:
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
#
#
verb 3
dev-type tun
dev vtun10
persist-key
proto udp
multihome
lport 1194
persist-tun
disable-dco
#
# OpenVPN Server mode
#
mode server
tls-server
topology subnet
server 192.168.7.0 255.255.255.0
push "route 0.0.0.0 0.0.0.0 vpn_gateway 0"
push "route-ipv6 ::/0"
server-ipv6 2403:5815:6df3:7::/64
keepalive 10 600
management /run/openvpn/openvpn-mgmt-intf unix
push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DNS 192.168.10.247"
push "dhcp-option DOMAIN monck.com.au"

# TLS options
ca /run/openvpn/vtun10_ca.pem
cert /run/openvpn/vtun10_cert.pem
key /run/openvpn/vtun10_cert.key
dh /run/openvpn/vtun10_dh.pem
tls-auth /run/openvpn/vtun10_auth.key 0

# Encryption options
cipher AES-256-CBC
data-ciphers AES-256-CBC
providers default
If I make those changes in the 1.4-rc1 config then all works again, so it seems a bug has made its way back into 1.4-rc1 (or I guess it was never fixed in 1.4).
Thanks
Chris..
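As an added illustration (not code from the post or from VyOS), the following Python script parses the generated OpenVPN server config, flags the `server ... nopool` plus `server-ipv6` combination that OpenVPN rejects, and produces the same correction the post describes for 1.5 (drop `nopool` and the explicit `ifconfig-pool` line). The sample config is a constructed excerpt of the 1.4-rc1 vtun10.conf quoted above.

```python
import shlex

# Constructed excerpt of the 1.4-rc1 vtun10.conf from the post above.
RC1_CONF = """\
mode server
tls-server
topology subnet
server 192.168.7.0 255.255.255.0 nopool
push "route 0.0.0.0 0.0.0.0 vpn_gateway 0"
ifconfig-pool 192.168.7.2 192.168.7.253 255.255.255.0
server-ipv6 2403:5815:6df3:7::/64
"""

def parse(conf):
    """Return a list of (directive, args) tuples; blanks and comments skipped."""
    entries = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours OpenVPN's quoted arguments
        entries.append((tokens[0], tokens[1:]))
    return entries

def find_nopool_conflict(conf):
    """Return the error OpenVPN reports for this combination, or None."""
    entries = parse(conf)
    nopool = any(d == "server" and "nopool" in a for d, a in entries)
    has_v6 = any(d == "server-ipv6" for d, a in entries)
    if nopool and has_v6:
        return "--server-ipv6 is incompatible with 'nopool' option"
    return None

def apply_15_fix(conf):
    """Mirror the 1.5 output: strip 'nopool' from 'server' and drop ifconfig-pool.

    With 'server' present OpenVPN derives the pool itself, so the explicit
    'ifconfig-pool' line is redundant once 'nopool' is gone.
    """
    fixed = []
    for d, a in parse(conf):
        if d == "server":
            a = [x for x in a if x != "nopool"]
        elif d == "ifconfig-pool":
            continue
        args = ['"%s"' % x if " " in x else x for x in a]  # re-quote push args
        fixed.append(" ".join([d] + args))
    return "\n".join(fixed) + "\n"
```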