SOMETHING IS BROKEN AFTER 2.3.3-RELEASE-p1 UPGRADE



  • Hello, I'm using a site-to-site (remote server) configuration in the following way:

    On IPv4 Remote network(s) I'm putting the public IP address of the server, so I can bypass firewall rules and encrypt all the communication between the site (LAN) and the site (remote server). It was working without any issues until I updated to 2.3.3-RELEASE-p1 last time. If I check routes and configurations between different firewall releases I see them matching, but with the latest release this scenario isn't working.

    I have the following diagnosis:

    Pinging from the server to the site LAN is working, but pinging from the LAN to the server isn't.

    Traceroute from the server to the LAN works well: one leg of the VPN to the other leg and then the IP on the LAN. Tracing from the LAN to the server, or even from the firewall to the server, doesn't give any result.

    Trying to add an interface associated with the VPN tunnel, and manually adding the route on Routing, doesn't help either
    (with all the needed firewall rules also).

    The server is running openvpn-2.3.14.

    Any clue on this? Any way to do a small rollback without reinstalling?

    Regards, Jose



  • VERSION WORKING: 2.2.5-RELEASE
    VERSION NOT WORKING: 2.3.3-RELEASE


  • Rebel Alliance Developer Netgate

    Put this into the advanced options on the client:

    allow-recursive-routing;
    

    OpenVPN changed their code to stop allowing the use of the VPN endpoint address inside the VPN, since in most cases it is not a valid configuration and can lead to a loop.

    --allow-recursive-routing
        When this option is set, OpenVPN will not drop incoming tun
        packets with same destination as host.
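    An added check, not from this thread or from pfSense, for spotting the configuration jimp describes before an upgrade bites: it reads an OpenVPN client config (assumed to use plain `remote` and `route` lines, as the pfSense-generated configs do, with the addresses below constructed as documentation values) and reports whether the `remote` endpoint falls inside a routed network without `allow-recursive-routing` being set.

    ```python
    import ipaddress
    import shlex

    # Constructed sample client config: the server's public address is both the
    # "remote" endpoint and the whole "IPv4 Remote network", as in the thread.
    SAMPLE_CONFIG = """\
    dev tun
    remote 203.0.113.10 1194 udp
    route 203.0.113.10 255.255.255.255
    route 10.20.0.0 255.255.255.0
    """

    def parse_directives(text):
        """Return (name, args) tuples for each non-comment config line."""
        out = []
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith(('#', ';')):
                continue
            parts = shlex.split(line)
            out.append((parts[0].lstrip('-'), parts[1:]))
        return out

    def recursive_routes(text):
        """Return (remote_ip, route_network) pairs where a route covers the
        remote endpoint; newer OpenVPN drops tun packets to that address unless
        allow-recursive-routing is set. Hostname remotes are skipped."""
        directives = parse_directives(text)
        remotes = []
        for name, args in directives:
            if name == 'remote' and args:
                try:
                    remotes.append(ipaddress.ip_address(args[0]))
                except ValueError:
                    continue  # hostname, cannot be checked statically
        hits = []
        for name, args in directives:
            if name == 'route' and args:
                netmask = args[1] if len(args) > 1 else '255.255.255.255'
                try:
                    net = ipaddress.ip_network(f'{args[0]}/{netmask}', strict=False)
                except ValueError:
                    continue  # keywords such as vpn_gateway/default are skipped
                hits.extend((str(r), str(net)) for r in remotes if r in net)
        return hits

    def check(text):
        """'ok', 'recursive-allowed' or 'recursive-dropped'."""
        if not recursive_routes(text):
            return 'ok'
        allowed = any(n == 'allow-recursive-routing' for n, _ in parse_directives(text))
        return 'recursive-allowed' if allowed else 'recursive-dropped'
    ```

    A 'recursive-dropped' result is exactly the silent breakage described above: traffic toward the endpoint enters the tunnel and is discarded by the client.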



  • That completely solved the problem. I hope the OpenVPN configuration can have a checkbox to enable this option in the future, and I hope the information in this topic can help anyone else in the same situation after the upgrade.

    Thanks Jimp!

