OpenVPN Peer to Peer issues with pfSense 2.7.0
-
I've noticed issues with our OpenVPN Peer to Peer client configurations with the pfSense 2.7.0 update. Previously we set the tunnel network in the client configuration and this seemed to work fine.
OpenVPN 2.5.4 amd64-portbld-freebsd1 2.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
openvpn[3465]: /sbin/ifconfig ovpnc5 10.8.4.2 10.8.4.1 mtu 1500 netmask 255.255.255.255 up
But with the latest update I see:
openvpn[5814]: OpenVPN 2.6.4 amd64-portbld-freebsd1 4.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
openvpn[6542]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
openvpn[6542]: /sbin/ifconfig ovpnc2 10.8.4.2 255.255.255.0 mtu 1500 netmask 255.255.255.255 up
The second IP address argument to ifconfig becomes 255.255.255.0 instead of 10.8.4.1.
We've had to remove the tunnel address from the client config and manually add
ifconfig 10.8.4.2 10.8.4.1
to the client openvpn config options.
If I simply remove the tunnel option from the client I get:
openvpn[21632]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Should I file a bug or ?
-
It's almost certainly a problem with your configuration. Check one of the other many threads in this category where people also claimed to have issues; they have all turned out to be broken configurations that worked in the past by sheer luck/coincidence.
As OpenVPN matures they deprecate certain behaviors or make things more strict which can be confusing at times. There are also sometimes changes in the base OS that come into play. But in each case so far it's been something wrong in the configuration.
The other threads are full of suggestions of things to look for and adjust.
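
A small pre-upgrade check for the two log messages quoted in this thread, as an added example (not from either poster, pfSense or OpenVPN): it reads the text of a generated client config and flags an ifconfig whose second argument looks like a netmask on a point-to-point tun device, and a route with no gateway when neither ifconfig nor route-gateway is set. Assumptions: only statically configured options are checked (nothing pushed by the server), any topology other than "subnet" is treated as point-to-point, the netmask test is this example's own heuristic, and the sample configs and the 192.168.10.0 network are constructed.

```python
import ipaddress

def parse_directives(text):
    """Return {directive: [argument lists]} from OpenVPN config text."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        name, *args = line.split()
        found.setdefault(name.lstrip("-"), []).append(args)
    return found

def first_arg(cfg, name):
    args = cfg.get(name, [[]])[-1]               # last occurrence wins here
    return args[0] if args else ""

def looks_like_netmask(value):
    """Example heuristic: 1-bits followed only by 0-bits (e.g. 255.255.255.0)."""
    try:
        bits = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    inverted = bits ^ 0xFFFFFFFF
    return bits != 0 and (inverted & (inverted + 1)) == 0

def lint(text):
    cfg = parse_directives(text)
    findings = []
    is_tun = first_arg(cfg, "dev-type") == "tun" or first_arg(cfg, "dev").startswith("tun")
    p2p = first_arg(cfg, "topology") != "subnet"  # assumption, see lead-in
    ifc = cfg.get("ifconfig", [[]])[-1]
    if is_tun and p2p and len(ifc) >= 2 and looks_like_netmask(ifc[1]):
        findings.append("ifconfig-netmask")       # the WARNING in the first post
    route_without_gw = any(len(r) < 3 for r in cfg.get("route", []))
    if route_without_gw and not ifc and "route-gateway" not in cfg:
        findings.append("route-no-gateway")       # the OpenVPN ROUTE error
    return findings

# Constructed sample configs modelled on the values quoted in the thread.
BROKEN = "dev ovpnc2\ndev-type tun\nifconfig 10.8.4.2 255.255.255.0\nroute 192.168.10.0 255.255.255.0\n"
FIXED = "dev ovpnc2\ndev-type tun\nifconfig 10.8.4.2 10.8.4.1\nroute 192.168.10.0 255.255.255.0\n"
NO_TUNNEL = "dev ovpnc2\ndev-type tun\nroute 192.168.10.0 255.255.255.0\n"

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED), ("no tunnel", NO_TUNNEL)):
        print(label, lint(conf))
```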