Upgrade to 2.3 and /30 topology
-
Hi there,
I'm using pfsense (2.2.6) as openvpn server, and my topology is /30.
I saw that in 2.3 there is a "Changed the default behavior of the OpenVPN server to use topology subnet, not net30", but I hoped that this is just a "default"; when I upgraded pfSense, I saw that the topology was changed for me. With this configuration the clients cannot reach the servers located behind the OpenVPN.
I tried to change the topology to /30, but the clients still complained with "no service". I checked the firewall, NAT, routing … everything was OK (the rules are per subnet /20, there are no /32 rules), and I decided to roll back to 2.2.6 because the service is critical.
For each client I'm using the "Client Specific Override" option, and the address in the CSC is /30. I believe this was the problem, but I'm not sure, because I didn't have enough time to investigate.
The question is: is there a howto procedure to upgrade pfSense to 2.3 if OpenVPN is used? I tried to find one, but nothing interesting.
-
https://forum.pfsense.org/index.php?topic=110242.msg613866#msg613866
On each override, make sure that the OpenVPN server is selected. That's it.
It seems that when no servers are selected (so the overrides apply to all of them), the subnet topology is assumed.
-
Thanks, georgeman
I selected the server, but the problem was not solved. A reboot of the entire server, and then everything was OK. I changed the topology to 1 IP and then to net30, and everything was OK (I'm still using the net30 topology).
One more question. I want to change the topology to one IP per client. In this case what subnet must be used for each client?
My current config is (net30):
Server IPv4 Tunnel Network : 10.17.16.0/20
Client Specific Override for one client - Tunnel Network - 10.17.31.208/30 (for example)
When I change the topology to "one IP per client", I believe the server Tunnel Network will be the same, but what exactly must I use in the Client Specific Override?
For this client, what network should I put if I want this client to use the same IP address (10.17.31.210)? 10.17.31.210/20 or what?
I tried to put only 10.17.31.210 for a test, but pfSense returned an error: "The field 'Tunnel network' must contain only valid ipv4 CIDR range(s) separated by commas." Thanks again :)
-
I haven't tested it, but I guess you should use a /32 mask to indicate a single address
-
I tried now with /32, but it is not working. With /20 it is OK, but for now I will stay on the net30 topology, because I don't like the idea of changing every Client Specific Override if I decide to change the subnet range.
I believe there are a lot of issues with this new topology (it's not so new, but was not recommended if I remember correctly), like lack of documentation, the issue with "no selected server" and maybe more hidden bugs.
Thanks again.
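As an added illustration (not from the thread or from pfSense's own code) of the two override styles discussed above, the following Python maps a Client Specific Override to the OpenVPN ifconfig-push line it stands for. It assumes the net30 convention that base+1 of a /30 block is the server endpoint and base+2 the client, which matches the addresses quoted in this thread, and treats a /32 override under topology subnet as invalid, as reported above.

```python
import ipaddress

# Added worked example, not pfSense code. Assumption: a /30 override under
# net30 becomes "ifconfig-push <base+2> <base+1>", matching the thread
# (10.17.31.208/30 -> .210, 10.14.7.12/30 -> .14 with gateway .13).

def net30_endpoints(tunnel_net, csc_net):
    """net30: each client owns a /30 block; base+1 is the server-side
    endpoint and base+2 is the client address. Returns (client, endpoint)."""
    tunnel = ipaddress.ip_network(tunnel_net, strict=True)
    block = ipaddress.ip_network(csc_net, strict=True)  # rejects host bits set
    if block.prefixlen != 30:
        raise ValueError(f"net30 override must be a /30 block, got {block}")
    if not block.subnet_of(tunnel):
        raise ValueError(f"{block} is outside the tunnel network {tunnel}")
    base = int(block.network_address)
    return str(ipaddress.ip_address(base + 2)), str(ipaddress.ip_address(base + 1))

def subnet_override(tunnel_net, client_ip):
    """topology subnet: the client keeps a single address and the override
    carries the tunnel network's own mask (the /20 that worked in the thread)."""
    tunnel = ipaddress.ip_network(tunnel_net, strict=True)
    ip = ipaddress.ip_address(client_ip)
    if ip not in tunnel:
        raise ValueError(f"{ip} is outside the tunnel network {tunnel}")
    if ip in (tunnel.network_address, tunnel.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address")
    return f"{ip}/{tunnel.prefixlen}"

def ifconfig_push(topology, tunnel_net, csc_net):
    """The client-config-dir line an override corresponds to in each topology."""
    if topology == "net30":
        client, endpoint = net30_endpoints(tunnel_net, csc_net)
        return f"ifconfig-push {client} {endpoint}"
    if topology == "subnet":
        iface = ipaddress.ip_interface(csc_net)
        tunnel = ipaddress.ip_network(tunnel_net, strict=True)
        if iface.network != tunnel:  # e.g. a /32 override: wrong mask for subnet mode
            raise ValueError(f"{csc_net} does not carry the tunnel mask /{tunnel.prefixlen}")
        return f"ifconfig-push {iface.ip} {tunnel.netmask}"
    raise ValueError(f"unknown topology {topology!r}")

if __name__ == "__main__":
    print(ifconfig_push("net30", "10.17.16.0/20", "10.17.31.208/30"))
    print(ifconfig_push("subnet", "10.17.16.0/20", "10.17.31.210/20"))
```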
-
We intended to config upgrade existing systems to retain net30, but a bug in that config upgrade code prevented it from doing so. Those who upgrade to 2.3.1 and newer from 2.2.x will have that changed to retain the former behavior.
There isn't anything inherently wrong with using net30, if you're fine with it, use it.
-
We are having a similar issue.
We are using net30 and are unable to access any internal resources.
Pfsense version: 2.3
tunnel network: 10.14.0.0/21
CSO: 10.14.7.12/30 with the correct OpenVPN server selected.
When we connect to the VPN we get the correct IP address for the machine, ex: 10.14.7.14,
with the gateway pointing to 10.14.7.13. But we cannot reach any internal resources. We can reach Google fine. We even made a firewall rule to allow traffic from that subnet. But nothing seems to work. There are not any denies in the firewall logs or anything else that we can see. Our LAN IP address is: 192.168.32.2/24
We are currently setting routes through the advanced configuration in the OpenVPN server with this code:
push "route 192.168.0.0 255.255.255.0";
We are trying to access servers on the 192.168.0.0 subnet.
Where should we start?
Thanks
-
Hello,
Just wanted to let know we're encountering the same issues with the /30 settings.
However, some client VPNs (with SSL/TLS) are still working, while peer-to-peer VPNs with a static key are 'broke'. Still investigating… Yesterday I re-loaded the V2.2.6 config into an already V2.3.1-updated machine and one of the two p2p-static VPNs was working again.
After a few hours: no traffic. Any suggestions on this?
-
Hi!
I have a client on 2.3.1 (was doing fine for at least a week on 2.3), but after updating the openVPN server yesterday to 2.3.1 (from 2.2.6, full x64, serial kernel) the traffic via the tunnel stopped last night. Nothing in the logs, nowhere…
A reboot of the server resolved the problem for now. Will see how it works on the long run.
OpenVPN tunnels have been rock solid now for months. First problem with the upgrade from 2.2.6 to 2.3.1 on the server side...
-
The original issue here is fixed in 2.3.1, the config upgrade will now appropriately set your topology to stay the same as it was previously. 2.3.1 also has the latest OpenVPN 2.3.11, though I don't see anything between 2.3.10 and 2.3.11 that'd be relevant.
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23