OpenVPN ifconfig warning



  • I'm running 2.0-RC1 (i386) built on Thu Mar 17 08:29:17 EDT 2011.

    No biggie. Just curious about this one…

    I've been running OpenVPN in site-to-site mode for quite a while now. There is one warning message that I've seen in the OpenVPN logs that I've chosen to ignore for a while because I've had no problems with my tunnels. Nevertheless, I'm curious about it. Here's the warning message:

    WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.9.5.1 10.9.5.2'
    

    I've looked at both the local and remote config files generated by the pfSense GUI by browsing to them with Diagnostics | Edit File. Here's the ifconfig line in the local one:

    ifconfig 10.9.5.1 10.9.5.2

    And here's the ifconfig line in the remote one:

    ifconfig 10.9.5.2 10.9.5.1

    I realize that the two addresses are reversed between the two lines but: 1) This line is auto-generated by the GUI and 2) the OpenVPN man page says this about the ifconfig setting "The IP addresses may be consecutive and should have their order reversed on the remote peer."

    So I don't think anything is wrong. Why the warning? And would there be any downside to putting "ifconfig-nowarn" in the Advanced Configuration box to suppress the warning?


  • Rebel Alliance Developer Netgate

    Are you using shared key or PKI for your site-to-site setup?



  • @jimp:

    Are you using shared key or PKI for your site-to-site setup?

    For this one we are using PKI. But I think I have seen this behavior with shared key too.


  • Rebel Alliance Developer Netgate

    With PKI you usually don't have an ifconfig line on the client, it's supplied automatically by the server, and if you want a static IP for a PKI client you set that up as a CSC/CSO tab entry for the common name of the client.



  • @jimp:

    With PKI you usually don't have an ifconfig line on the client

    I guess that's my point. I did not put an ifconfig line in the Advanced Configuration settings. The GUI seems to be putting it in automatically when it generates the config file. However, it doesn't seem to do any harm other than the warning.


  • Rebel Alliance Developer Netgate

    Are you specifying an address pool/tunnel subnet on both sides? That's where the ifconfig line is made from.



  • @jimp:

    Are you specifying an address pool/tunnel subnet on both sides? That's where the ifconfig line is made from.

    Both sides, I think. Can't check right now because the client side's router is in a box on some FedEx truck right now. LOL!

    I just noticed that the Tunnel Network setting is only boldface on the server side so that would indicate it's only required on the server side, as you suggested. I will try removing that setting on the client side when the router arrives to see if it gets rid of the warning.

    Thanks Jimp!



  • @cyboc:

    @jimp:

    Are you specifying an address pool/tunnel subnet on both sides? That's where the ifconfig line is made from.

    Both sides, I think. Can't check right now because the client side's router is in a box on some FedEx truck right now. LOL!

    I just noticed that the Tunnel Network setting is only boldface on the server side so that would indicate it's only required on the server side, as you suggested. I will try removing that setting on the client side when the router arrives to see if it gets rid of the warning.

    Thanks Jimp!

    The client side's router arrived yesterday and we hooked it up right away. The Tunnel Network setting was indeed configured on both sides. So, I tried removing it from the client side and I restarted the tunnel. The good news is that this got rid of the ifconfig line in the client side's GUI-generated OpenVPN config file. The bad news is: 1) I still continued to see the ifconfig warning and 2) I could not ping across the tunnel any more.

    So, for now, I'll put the Tunnel Network setting back on the client side. I guess I can live with the warning message as long as the tunnel works. No biggie.

