After upgrade to 2.3 Client Specific Overrides won't work
-
Hi,
After the 2.3 upgrade my Client Specific Overrides won't work anymore, before the upgrade everything worked great :(
I get this error: Warning: route gateway is not reachable on any active network adapters:
And the client gets the wrong IP address: 192.168.202.0 :(
If I disable Client Specific Overrides it works fine.
Anyone know what's wrong?
Thanks
-
Futureman, I ran into the same issue too. I get "FreeBSD route add command failed: external program exited with error status: 1" when it tries to point to the GW that doesn't exist and had to manually point it to the right OVPN GW.
-
Check your main OpenVPN server settings. We saw one case where it did not properly carry over the user's Topology setting. If you did not have "Topology Subnet" checked on 2.2.x, it should be showing "net30". If it does not, save the setting and then try to connect again.
If that is the case, please do a config diff (Diag > Backup/Restore, Config History tab) to show what that config change did.
-
Add another one to that list…
Topology was also lost here after upgrade.
Was using /30 before and it changed to Single IP after upgrade.
Changed it back to /30 and everything was working again. -
jimp, in my case it did all that and even cleared out the VPN tunnel on the remote side. Also made sure it's net30.
Mine showed that it was pointing to the GW of 10.9.9.1 when it should be pointing to 10.9.9.9. I had to manually point it to 10.9.9.9.
/sbin/ifconfig ovpnc1 10.9.9.8 10.9.9.9 mtu 1500 netmask 255.255.255.252 up
/sbin/route add -net 10.9.9.8 10.9.9.8 255.255.255.252
/usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.9.9.8 255.255.255.252 init
/sbin/route add -net 192.168.1.0 10.9.9.1 255.255.255.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1
/sbin/route add -net 10.5.0.0 10.9.9.1 255.255.248.0
ERROR: FreeBSD route add command failed: external program exited with error status: 1 -
So I switched the topology from Subnet to net30 and it works.
But Subnet doesn't work. -
Are your client specific overrides using "tunnel network" to define the client addresses, or manually entered ifconfig commands in the advanced options?
If using 'tunnel network', the firewall will calculate the subnet mask and/or gateway based on the settings of the server now, which it didn't always do properly on 2.2.x. If you have it entered manually in the advanced options, it will always break on one or the other, the firewall won't touch your advanced options and the syntax is only valid on one type or the other.
For those that got it working by changing your topology, please do the config diff steps I asked above so we can see what changed in the config to fix the upgrade code.
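As an added example (not pfSense's code, and not from anyone in this thread): the two ifconfig-push forms the reply above contrasts, a check for a manually entered line that is valid only on the other topology, and the client-side test behind the "route gateway is not reachable" warning. The address convention (first usable address of the override's /30 is the server-side peer, the second is the client) is taken from the 10.246.195.12/30 override posted in this thread and is an assumption about how the firewall calculates it.

```python
import ipaddress
import re

# Added example, not pfSense's own code. Assumed address convention, taken from the
# working /30 override in this thread (10.246.195.12/30 -> push 10.246.195.14 10.246.195.13):
# first usable address of the override's tunnel network is the server-side peer,
# second usable address is the client.

def csc_ifconfig_push(csc_tunnel_network, topology, server_tunnel_network):
    """Return the ifconfig-push line one client-specific override needs for `topology`."""
    base = int(ipaddress.ip_network(csc_tunnel_network, strict=False).network_address)
    peer = ipaddress.ip_address(base + 1)    # server-side endpoint of the client's /30
    client = ipaddress.ip_address(base + 2)  # address handed to the client
    if topology == "net30":
        # net30: the second argument is the remote peer of the point-to-point link
        return f"ifconfig-push {client} {peer}"
    if topology == "subnet":
        # subnet: the second argument is the netmask of the whole server tunnel network
        mask = ipaddress.ip_network(server_tunnel_network, strict=False).netmask
        return f"ifconfig-push {client} {mask}"
    raise ValueError(f"unknown topology {topology!r}")

def is_netmask(addr):
    """True for a contiguous IPv4 netmask such as 255.255.255.252 (not for 0.0.0.0)."""
    bits = int(ipaddress.IPv4Address(addr))
    inverted = ~bits & 0xFFFFFFFF              # a mask inverts to 0...01...1
    return bits != 0 and inverted & (inverted + 1) == 0

_PUSH = re.compile(r"^\s*ifconfig[-_ ]push\s+([0-9.]+)\s+([0-9.]+)\s*;?\s*$")

def check_ifconfig_push(line, topology):
    """Audit a manually entered ifconfig push (CSC advanced options) against `topology`.
    Returns 'ok' or a short reason why the line breaks on this topology."""
    m = _PUSH.match(line)
    if not m:
        return "not an ifconfig-push line"
    second_is_mask = is_netmask(m.group(2))
    if topology == "subnet" and not second_is_mask:
        return "subnet topology expects a netmask, got a peer address"
    if topology == "net30" and second_is_mask:
        return "net30 topology expects a peer address, got a netmask"
    return "ok"

def gateway_reachable(client_ip, netmask, gateway):
    """The client-side check behind 'route gateway is not reachable': the pushed
    route gateway must lie inside the tunnel interface's own network."""
    iface = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(gateway) in iface
```

Run `check_ifconfig_push` over each file under /var/openvpn-csc/ with the server's current topology to find overrides that were written for the other one.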
-
I didn't use the Advanced settings at all.
I just used the normal "Tunnel Settings > Tunnel Network" and added the IP/mask there. I'll make the config diff later, now I'm going home :)
edit: well, sorry, I made so many changes in OpenVPN (to test etc.) and now I don't have the 2.2 settings anymore. :(
-
Interesting. When I was on 2.2.x it worked flawlessly… I had the below settings:
Server side (hub),
Main tunnel network: 10.9.9.0/24
client A (spoke) override, tunnel network broken down to /30: 10.9.9.0/30
client B (spoke) override, tunnel network broken down to /30: 10.9.9.4/30
client C (spoke) override, tunnel network broken down to /30: 10.9.9.8/30
Since I specifically broke it down to /30 on the client override tunnel network, I wonder if I should set topology to subnet instead of net30.
-
If you are using net30 then each client gets a /30 and that's how it should work with overrides that have a tunnel network set to use /30 there (but the main server would still show something like a /24 for example).
If the server is set to /30 the override should be using the correct syntax. Did you edit/save the override after fixing the server setting?
-
Config diff with the relevant section as requested:
2.2 Config is gone too.@@ -3666,25 +3666,25 @@ <tunnel_networkv6><remote_network><remote_networkv6>- <gwredir>+ <local_network>192.168.130.0/24</local_network> <local_networkv6><maxclients><compression>adaptive</compression> - <passtos>+ <passtos></passtos> <client2client>yes</client2client> <dynamic_ip>yes</dynamic_ip> <pool_enable>yes</pool_enable> - <serverbridge_dhcp>+ <topology>net30</topology> + <serverbridge_interface>none</serverbridge_interface> <serverbridge_dhcp_start><serverbridge_dhcp_end>- <netbios_enable>+ <netbios_enable></netbios_enable> <netbios_ntype>0</netbios_ntype> <netbios_scope>- <no_tun_ipv6>+ <verbosity_level>1</verbosity_level> - <topology>subnet</topology></no_tun_ipv6></netbios_scope></netbios_enable></serverbridge_dhcp_end></serverbridge_dhcp_start></serverbridge_dhcp></passtos></maxclients></local_networkv6></gwredir></remote_networkv6></remote_network></tunnel_networkv6>
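Review bot: the only behavioural change in this hunk is the topology value, `- <topology>subnet</topology>` going out and `+ <topology>net30</topology>` coming in; several of the other `-`/`+` pairs, such as `<passtos>` and `<netbios_enable>`, only rewrite an empty element as `<tag></tag>`. Because this diff was taken after the manual repair, it records the fix rather than what the upgrade did; the revision pair that would show the regression is the last 2.2.x config against the first one written by the upgrade, which the poster says is no longer available.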
Although I am absolutely sure that it was set to /30 before the upgrade, it seems that the topology was switched to subnet somehow.
Even every override was set to a specific /30 inside the /24 OpenVPN network, and each host has a specific gateway and host IP assigned. Example:
Network: 10.246.195.12/30
Advanced: ifconfig push 10.246.195.14 10.246.195.13; -
Hmm, do you happen to have a copy of the config in the history from before the 2.3 upgrade to check a diff of that section? For example, select the older config and then one just after the upgrade, see what value was there on 2.2.x.
Also if you had to switch the topology, the CSC files probably all need resynced, so a reboot would do that, or Diag > Command, PHP exec:
require_once("openvpn.inc"); openvpn_resync_all();
I'm looking at a better automated fix for that for 2.3.1, but I'd like to get this issue nailed down first.
-
Nope sorry… no old config available.
But I do have the old installation media for 2.2.6 and I'm setting up a little VM environment atm to check if I can reproduce that error.
Update: OK, VM is off limits atm...
Does the 2.3 update affect both NanoBSD slices at once? If not I can switch to the other slice and look into the old config.
PS: SSH login is broken too... PuTTY error: expected key exchange group packet from server
-
The config is in /conf/, not one of the OS slices, and some older revisions are in /conf/backup/, but only 5 since NanoBSD does not keep more. So if you didn't keep a config backup, it may be lost. I was just hoping to see what your config was to start with for OpenVPN so I could see how it ended up switching unexpectedly.
SSH isn't broken, but you might have to update your PuTTY config to accept a stronger cipher or key exchange (e.g. DH 14). Default PuTTY should work though, unless maybe it was a very old config that started it. Check under the session settings, connection, SSH, and then under Kex beneath that. Make sure it's set to SSH2. On my PuTTY config that works, Encryption cipher selection is set to "AES (SSH-2 only), Blowfish, 3DES", Kex is set to DH Group exchange, DH group 14, DH group 1, then RSA.
-
What I do have is a config (don't yell at me… it worked fine all the time so I had no need to make a config backup) from June 2014...
Now comes the strange thing.
The OpenVPN server behaved as if it was set to /30 mode.
BUT the topology_subnet tag is set to empty... don't know what it meant back then... but I think it was just a checkbox for whether it should use the whole subnet or not:
<openvpn>
  <openvpn-server>
    <vpnid>1</vpnid>
    <mode>server_tls</mode>
    <protocol>UDP</protocol>
    <dev_mode>tun</dev_mode>
    <ipaddr></ipaddr>
    <interface>wan</interface>
    <local_port>1194</local_port>
    <description></description>
    <custom_options></custom_options>
    <caref>5303e959aac29</caref>
    <crlref>5303e9a03ad5c</crlref>
    <certref>5303e97c2736c</certref>
    <dh_length>1024</dh_length>
    <cert_depth>1</cert_depth>
    <crypto>AES-128-CBC</crypto>
    <engine>none</engine>
    <tunnel_network>10.246.195.0/24</tunnel_network>
    <tunnel_networkv6></tunnel_networkv6>
    <remote_network></remote_network>
    <remote_networkv6></remote_networkv6>
    <gwredir></gwredir>
    <local_network>192.168.130.0/24</local_network>
    <local_networkv6></local_networkv6>
    <maxclients></maxclients>
    <compression>yes</compression>
    <passtos></passtos>
    <client2client>yes</client2client>
    <dynamic_ip>yes</dynamic_ip>
    <pool_enable>yes</pool_enable>
    <topology_subnet></topology_subnet>
    <serverbridge_dhcp></serverbridge_dhcp>
    <serverbridge_interface>none</serverbridge_interface>
    <serverbridge_dhcp_start></serverbridge_dhcp_start>
    <serverbridge_dhcp_end></serverbridge_dhcp_end>
    <netbios_enable></netbios_enable>
    <netbios_ntype>0</netbios_ntype>
  </openvpn-server>
</openvpn>
---- Update
OK, managed to get my fingers on a recent config diff with version change from 12 to 15.
First Version: 4/11/16 08:13:52 12.0 407 KiB admin@192.168.131.2: Creating restore point before package installation.
Second Version: 4/13/16 12:38:28 15.0 403 KiB (system): Upgraded config version level from 12.0 to 15.0
Although the OpenVPN server is only partially configured...
<openvpn><openvpn-server>@@ -1726,7 +1732,6 @@ <client2client><dynamic_ip>yes</dynamic_ip> <pool_enable>yes</pool_enable> - <topology_subnet><serverbridge_dhcp><serverbridge_interface>none</serverbridge_interface> <serverbridge_dhcp_start>@@ -1736,6 +1741,7 @@ <netbios_scope><no_tun_ipv6><verbosity_level>1</verbosity_level> + <topology>subnet</topology></no_tun_ipv6></netbios_scope></serverbridge_dhcp_start></serverbridge_dhcp></topology_subnet></client2client></openvpn-server> <openvpn-csc><custom_options>ifconfig push 192.168.254.246 192.168.254.245;</custom_options> @@ -1754,9 +1760,6 @@</openvpn-csc></openvpn>
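Review bot: the migration in these hunks turns an empty `- <topology_subnet>` into `+ <topology>subnet</topology>`, which means the upgrade code is testing that the element exists rather than what it contains. By the semantics described in this thread (an empty element meant one /30 per client, "yes" meant a single IP from the whole subnet), an empty element should become `<topology>net30</topology>`, so the check needs to compare the old value against "yes" instead of testing for the element's presence. The trailing hunk header `@@ -1754,9 +1760,6 @@` has no body here, so whatever was removed from the `<openvpn-csc>` section cannot be reviewed from this paste.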
-
I managed to get a config from another source and found the problem with the upgrade code. It was testing that value incorrectly.
Once you fix the value on the server and re-save the CSCs (or use that code I posted earlier, or reboot), everything should be OK.
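Added example, not pfSense's upgrade code: a hypothetical presence-test versus value-test over the old <topology_subnet> flag, the kind of mistake that turns an unset flag into <topology>subnet</topology>. The sample configs are constructed, cut down from the ones posted in this thread, and the semantics (empty = net30, "yes" = subnet) are as reported here.

```python
import xml.etree.ElementTree as ET

# Added example, not pfSense's upgrade code. Two hypothetical ways of migrating the
# pre-2.3 <topology_subnet> flag into the 2.3 <topology> element; the semantics are
# the ones reported in this thread (empty element = net30, "yes" = subnet).

# Constructed, cut down from the June 2014 config posted in this thread.
OLD_CONFIG_NET30 = """<openvpn><openvpn-server><vpnid>1</vpnid>
<topology_subnet></topology_subnet></openvpn-server></openvpn>"""
# Constructed: same server with the "Topology Subnet" box ticked.
OLD_CONFIG_SUBNET = """<openvpn><openvpn-server><vpnid>1</vpnid>
<topology_subnet>yes</topology_subnet></openvpn-server></openvpn>"""

def topology_buggy(old_xml):
    """Presence test: any <topology_subnet> element, even an empty one, becomes 'subnet'."""
    server = ET.fromstring(old_xml).find("openvpn-server")
    return "subnet" if server.find("topology_subnet") is not None else "net30"

def topology_fixed(old_xml):
    """Value test: only a <topology_subnet> that actually carries 'yes' becomes 'subnet'."""
    server = ET.fromstring(old_xml).find("openvpn-server")
    value = (server.findtext("topology_subnet") or "").strip().lower()
    return "subnet" if value == "yes" else "net30"

def migrate(old_xml, check=topology_fixed):
    """Replace the old flag with a 2.3-style <topology> element and return the new XML."""
    root = ET.fromstring(old_xml)
    server = root.find("openvpn-server")
    old = server.find("topology_subnet")
    if old is not None:
        server.remove(old)
    ET.SubElement(server, "topology").text = check(old_xml)
    return ET.tostring(root, encoding="unicode")
```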
-
I also found my old config:
<openvpn>
  <openvpn-server>
    <vpnid>1</vpnid>
    <mode>server_tls_user</mode>
    <authmode>Local Database</authmode>
    <protocol>UDP</protocol>
    <dev_mode>tun</dev_mode>
    <ipaddr></ipaddr>
    <interface>any</interface>
    <local_port>33119</local_port>
    <custom_options>route 192.168.201.0 255.255.255.0;route 192.168.202.0 255.255.255.0;</custom_options>
    <caref>561365821e077</caref>
    <crlref></crlref>
    <certref>561367656e6cf</certref>
    <dh_length>4096</dh_length>
    <cert_depth>2</cert_depth>
    <strictusercn></strictusercn>
    <crypto>AES-256-CBC</crypto>
    <digest>SHA512</digest>
    <engine>none</engine>
    <tunnel_network>192.168.200.0/24</tunnel_network>
    <tunnel_networkv6></tunnel_networkv6>
    <remote_network></remote_network>
    <remote_networkv6></remote_networkv6>
    <gwredir></gwredir>
    <local_network></local_network>
    <local_networkv6></local_networkv6>
    <maxclients>15</maxclients>
    <compression>adaptive</compression>
    <passtos></passtos>
    <client2client>yes</client2client>
    <dynamic_ip></dynamic_ip>
    <pool_enable>yes</pool_enable>
    <topology_subnet></topology_subnet>
    <serverbridge_dhcp></serverbridge_dhcp>
    <serverbridge_interface>none</serverbridge_interface>
    <serverbridge_dhcp_start></serverbridge_dhcp_start>
    <serverbridge_dhcp_end></serverbridge_dhcp_end>
    <netbios_enable></netbios_enable>
    <netbios_ntype>0</netbios_ntype>
    <netbios_scope></netbios_scope>
    <no_tun_ipv6></no_tun_ipv6>
    <verbosity_level>1</verbosity_level>
    <duplicate_cn></duplicate_cn>
  </openvpn-server>
  <openvpn-csc>
    <custom_options>iroute 192.168.201.0 255.255.255.0</custom_options>
    <common_name>handyvpn</common_name>
    <block></block>
    <tunnel_network>192.168.201.0/24</tunnel_network>
    <local_network>192.168.131.0/24,192.168.133.0/24,192.168.130.0/24</local_network>
    <local_networkv6></local_networkv6>
    <remote_network></remote_network>
    <remote_networkv6></remote_networkv6>
    <gwredir></gwredir>
    <push_reset></push_reset>
    <netbios_enable></netbios_enable>
    <netbios_ntype>0</netbios_ntype>
  </openvpn-csc>
  <openvpn-csc>
    <custom_options>iroute 192.168.202.0 255.255.255.0</custom_options>
    <common_name>workvpn</common_name>
    <block></block>
    <tunnel_network>192.168.202.0/24</tunnel_network>
    <local_network>192.168.131.0/24,192.168.133.0/24,192.168.130.0/24,192.168.134.0/24</local_network>
    <local_networkv6></local_networkv6>
    <remote_network></remote_network>
    <remote_networkv6></remote_networkv6>
    <gwredir></gwredir>
    <push_reset></push_reset>
    <netbios_enable></netbios_enable>
    <netbios_ntype>0</netbios_ntype>
  </openvpn-csc>
</openvpn>
Maybe it helps…
But anyway, thanks for your work. -
Yep, got the error too…
Default was to provide a /30 subnet to every client, which corresponds to <topology_subnet></topology_subnet> in the config.
If you set it to only provide one single IP to a client it switches to <topology_subnet>yes</topology_subnet>.
Reboot was not necessary... just had to switch the OpenVPN config back to net30 and restart the OpenVPN server. Everything worked from then on.
-
jimp, I tried the command below from both the server side and the client side and I am still experiencing the same issue. I still end up putting the route command on the client side to the correct /30 GW IP.
require_once("openvpn.inc");
openvpn_resync_all(); -
Sorry if I'm repeating, thread is long and I've been answering dozens of them today.
Check the server, make sure it's on net30, check the client, make sure it's on net30 (if it's on 2.3, if it's on 2.2 there was no client option for that).
Check a CSO/CSC, make sure it's only got a value in the tunnel network, not ifconfig in the advanced options. Save on there to be certain it's fresh.
Check /var/openvpn-csc/server<id>/<name> and make sure the ifconfig looks OK there.
Edit and save the client to ensure its interface is rebuilt, maybe even try rebooting the client.