Netgate Discussion Forum

OpenVPN GUI remote networks field is confusing with lots of remote networks

2.4 Development Snapshots
16 Posts 6 Posters 2.1k Views
  • L
    luckman212 LAYER 8
    last edited by Oct 12, 2017, 4:37 AM

    or… use some command-line tools

    printf "192.168.4.0/24,10.10.10.0/22,192.168.161.224/29,10.0.10.32/27" | tr ',' '\n' >networks.txt
    

    make your edits in your comfortable text editor of choice, then

    # join the lines back into one comma-separated value; sed drops the
    # trailing comma that the file's final newline would otherwise leave behind
    tr '\n' ',' <networks.txt | sed 's/,$//'
    
    • P
      pete35
      last edited by Oct 12, 2017, 10:00 AM

      I removed some of the remote networks by aggregating, thanks to johnpoz, but this field is much too small for reliable work.
      Editing it outside the gui is really better, but my intention was to improve the gui at this field.
      Should be easy to do, as lots of good lists are available within pfsense.

      Thanks!
      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Oct 12, 2017, 10:07 AM

        Nothing wrong with ability to use alias there… That would make editing easier sure.

        Put in feature request on https://redmine.pfsense.org/

        Posting a bounty is also another option.. Or you could even write the code yourself and submit it.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Oct 12, 2017, 1:06 PM

          You could also put the routes in the advanced box manually if you prefer

          route x.x.x.0 255.255.255.0;
          route x.x.y.0 255.255.255.0;
          route x.x.z.0 255.255.255.0;
          [...]
          

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • R
            robi
            last edited by Oct 14, 2017, 8:49 PM

            @johnpoz:

            Nothing wrong with ability to use alias there… That would make editing easier sure.

            Put in feature request on https://redmine.pfsense.org/

            Already there, since 5 years originally by Phil Davis, added again by me about 1 year ago:
            https://redmine.pfsense.org/issues/2668
            https://redmine.pfsense.org/issues/6754

            With the real power of aliases being nested, it would be awesome…

            • D
              Derelict LAYER 8 Netgate
              last edited by Oct 14, 2017, 9:06 PM

              It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • R
                robi
                last edited by Oct 15, 2017, 7:10 AM

                @Derelict:

                It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                Including a function to check if the alias being changed is present in any OpenVPN configuration, bounce only VPNs affected by that certain alias.  8)

                • D
                  Derelict LAYER 8 Netgate
                  last edited by Oct 15, 2017, 7:55 AM

                  And so on and so on.

                  The real answer is a solid design and supernetting into OpenVPN with CSOs.

                  I would rather see something like some smarts to change from the text field to a textarea if there are more than x commas than a bunch of alias hackery.

                  But that's just my opinion.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Oct 15, 2017, 9:35 AM

                    @Derelict:

                    It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                    Why is that exactly?  Why would an alias that consisted of networks ever need to be resolved?  And why would the resolution of fqdn in the aliases have anything to do with the vpn being up or down?  Not understanding what the 2 have to do with each other..

                    Yes stuff in alias table gets resolved every 5 minutes.  What would the resolution of aliases have to do with IPs and networks in alias used for vpn remote networks?  I could see changing the alias sure.. Since that would be the same as changing the remote networks currently.
                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Oct 15, 2017, 1:14 PM

                      @johnpoz:

                      @Derelict:

                      It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                      Why is that exactly?  Why would an alias that consisted of networks ever need to be resolved?  And why would the resolution of fqdn in the aliases have anything to do with the vpn being up or down?  Not understanding what the 2 have to do with each other..

                      Yes stuff in alias table gets resolved every 5 minutes.  What would the resolution of aliases have to do with IPs and networks in alias used for vpn remote networks?  I could see changing the alias sure.. Since that would be the same as changing the remote networks currently.

                      If you edit the alias and save it, the VPN would have to be reset, which is counterintuitive if you don't remember that the alias is used on that VPN, for example.
                      Also you can use hostnames in network aliases they just get a /32 mask, so they would still have to be hooked into the same process.
                      And if a hostname resolved to a new address, that means the contents of the alias changed, which means that the VPN needs to be restarted to pick up the contents of the alias to use for routes.

                      It isn't like pf where the changes can be picked up automatically on-the-fly, since OpenVPN has to manage its own routes internally.

                      • P
                        pete35
                        last edited by Oct 15, 2017, 4:12 PM

                        My main point is that the field is too small for lots of networks,
                        as that comma-separated field is a constant reason for false entries.

                        A large field list, as it exists for the alias function, will make it better. I understand that an alias
                        will make more waves to the whole system, but this is not needed to reduce the errors.

                        Jimp gives a good solution, thanks for that,  just enter the routes into the advanced box.

                        Thanks!
                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Oct 15, 2017, 8:31 PM

                          Thanks jimp.. But I was more just thinking of it as a openvpn section under the alias section for remote networks.  Where you would put networks.. You sure wouldn't put in a fqdn for a remote network even it could resolve to a /32.. To me that is not a remote network.

                          But I guess you could put in a host route to /32 - so guess valid point there.

                          Thanks for the detailed info as always - to shoo away the cobwebs of my brain not thinking that early in the morning ;)

                          • J
                            jimp Rebel Alliance Developer Netgate
                            last edited by Oct 16, 2017, 1:00 PM

                            I'd be in favor of making those network boxes larger in some way. At least longer. The problem with making it a textarea is that people will, inevitably, think that putting entries on new lines instead of using commas is the way it works.

                            It would be great if we could have multiple rowhelper style controls on a page but currently only one is possible.

                            • R
                              robi
                              last edited by Oct 24, 2017, 9:33 AM

                              @jimp:

                              @johnpoz:

                              @Derelict:

                              It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                              Why is that exactly?  Why would an alias that consisted of networks ever need to be resolved?  And why would the resolution of fqdn in the aliases have anything to do with the vpn being up or down?  Not understanding what the 2 have to do with each other..

                              Yes stuff in alias table gets resolved every 5 minutes.  What would the resolution of aliases have to do with IPs and networks in alias used for vpn remote networks?  I could see changing the alias sure.. Since that would be the same as changing the remote networks currently.

                              If you edit the alias and save it, the VPN would have to be reset, which is counterintuitive if you don't remember that the alias is used on that VPN, for example.
                              Also you can use hostnames in network aliases they just get a /32 mask, so they would still have to be hooked into the same process.
                              And if a hostname resolved to a new address, that means the contents of the alias changed, which means that the VPN needs to be restarted to pick up the contents of the alias to use for routes.

                              It isn't like pf where the changes can be picked up automatically on-the-fly, since OpenVPN has to manage its own routes internally.

                              For such cases I would just simply put a small warning in the alias edit page: "Warning: this alias is being used in the 'name-of-the-OpenVPN-instance' OpenVPN configuration. After changing values here it is recommended to restart 'name-of-the-OpenVPN-instance'".

                              So I wouldn't restart any VPN automatically, just notify the user that the alias affects OpenVPN also - and let the user decide if he/she wants to restart it (to prevent interruptions for cases when pfSense itself is being managed via the OpenVPN connection).
                              The warning bar at the top could also be used for this after changing the alias, reminding the user that OpenVPNs restarting is due, even if he/she moves away from the aliases config page.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.