OpenVPN and 1.0-BETA1
-
Well, to keep my sanity, for now I think I'll go ahead and mount the hard drive in the system with the old configs and re-establish the openvpn using those configs, and see if I can't set up rules to allow traffic to and from the interface that isn't listed for the moment. Keeps me from hosing config.xml any further until you give me a more implicit way to screw up config.xml. ;)
-
Well, progress, and none.
I copied my configs from the hard drive to the floppy, and ran my typical openvpn --config, and then the tunnel came up in a hurry. Of course, I can't send any traffic across the tunnel because there's no rule for it. I ssh into the firewall (I'm still 3 hours away from it), and run assign interfaces. It says tun0 is an invalid interface, despite being able to ifconfig tun0 just fine. hmmm????
I could manually hack in a pair of <opt2> tags and set it to tun0, but I'm quaking in my boots to do that remotely only to find that it doesn't like the interface and the firewall doesn't come the rest of the way back up. Eep!
So...thoughts? What makes the firewall consider an interface to be "valid"?
-
Okay, I just gave myself a terrible crash course in m0n0wall-ese.
There are a bunch of *.inc php files in /etc/inc. Amongst these is util.inc. That file has a function that makes itself available (when included, either directly or indirectly) get_interface_list.
As shown in the file:
/*
 * get_interface_list() - Return a list of all physical interfaces
 * along with MAC and status.
 *
 * $mode = "active" - use ifconfig -lu
 *         "media"  - use ifconfig to check physical connection
 *                    status (much slower)
 */
function get_interface_list($mode = "active", $keyby = "physical", $vfaces = "")

So by default, the system just uses the output of ifconfig -lu. If I run that on the box (where tun0 is active), I get this output:
xl0 xl1 sis0 ng1
In plain English, WAN, LAN, OPT1, and my current PPTP session. tun0 is nowhere to be found.
The other option uses ifconfig -l and some filtering. ifconfig -l gives me a huge list, including every interface, virtual or not, up or down. Later in this same function we have:
if(!$vfaces) {
    $vfaces = array(
        'ppp',
        'sl',
        'gif',
        'faith',
        'lo',
        'ng',
        'vlan',
        'tun',
        'pflog',
        'pfsync',
        'carp'
    );
}

Now, I'm a perl coder here, so let me see if I'm reading this right - if $vfaces is not defined (not populated?), then store this list of strings (interface/driver names) as an array in $vfaces.
I didn't really get much farther than this. I did two really dirty hacks to test my theory on this. I commented out 'tun' from the array, and changed the $mode to media, saved the file in /conf, and did an ln -fs /conf/util.inc /etc/inc/util.inc.
That worked, tun0 now appears. I tried to create rules as usual, however whatever I name the interface, OPT2, MyHome, or whatever, I get a macro error stating that the macros (whatever name I gave it) does not exist.
I think that's enough hacking for one night. I'm a network engineer, not a php coder. :) The other guy working on this probably got much farther than myself. I haven't even gotten to the point where I'd understand how openvpn settings in config.xml could be read at boot time and multiple tun interfaces brought up prior to the firewall rules getting applied. :)
-
Finally!
Here's the long-expected patch, I hope it will work out!
Sorry for the delay!
regards,
Marc
-
Applied cleanly to RELENG_1 and has been committed.
However, only 10% applied on -HEAD. I'll work on it.
-
That worked, tun0 now appears. I tried to create rules as usual, however whatever I name the interface, OPT2, MyHome, or whatever, I get a macro error stating that the macros (whatever name I gave it) does not exist.
I think the problem with this error was, that pf seems to be expecting interface names in uppercase. Otherwise you'll get the macro errors - it just wants to state that it can't dereference the interface name.
That's what my config.xml section looks like, after successful OpenVPN configuration:
<opt2>
  <descr>TUN0</descr>
  <if>tun0</if>
  <ipaddr>172.19.100.1</ipaddr>
  <bridge>
    <subnet>24</subnet>
    <enable><ovpn>server_tun0</ovpn></enable>
  </bridge>
</opt2>

regards,
Marc
-
Actually, it had nothing to do with that.
I just had the chance to take a look at how pfctl takes things in, and I was looking at rules.debug.
What happened is really quite simple. When you create an opt interface, an alias is created: $WhateverNameYouGaveTheInterface. :)
In this case $OPT2, then $MyHome.
I had these already:
System Aliases
lan = "{ xl1 }"
wan = "{ xl0 }"
pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
pppoe = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
OPT1 = "{ sis0 }"

It was complaining that there was no alias for OPT2, and that was because, well, there was no alias created for OPT2 in the ruleset! I have no idea why this is, all I did was allow get_interface_list() to see tun0, everything else should have gone by the book. I added this line:
OPT2 = "{ tun0 }"
to the file and ran pfctl -f rules.debug
Lo and behold, the tunnel now works!
So did I find a bug in my hack, or a hack in my bug? ;D
-
In /etc/inc/filter.inc there is a routine that creates the aliases. Simply modify that to detect openvpn and create the alias.
BTW: I got your work committed to HEAD finally as well.
-
Well no wonder! :o
foreach ($ifdescrs as $ifdescr => $ifname) {
    /* do not process tun interfaces */
    if(stristr(filter_opt_interface_to_real($ifname), "tun") == true) continue;

LOL, we're intentionally NOT writing tun aliases? :D
Was this due to problems with openvpn, thus a safety valve to keep people from using them, or is there some other reason we're doing this?
That's in filter.inc, btw.
Also, could someone tell me if I'm wasting time or if what I'm doing is at all pertinent? I can stop anytime….I do notice that any time I reload the firewall rules, tun0 goes down, and I have to HUP the openvpn process.
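The two filters this thread has been digging through, as an added example in PHP that is not m0n0wall/pfSense code: it applies the util.inc $vfaces prefix filter to a constructed ifconfig -l sample (with and without 'tun' in the list), then generates the per-OPT pf alias lines with and without the filter.inc tun skip, showing why OPT2 = "{ tun0 }" was missing from rules.debug. The function names, the sample interface list and the OPT mapping are assumptions.

```php
<?php
// Added example, not m0n0wall/pfSense code. Models the two places the thread
// found tun interfaces being dropped: get_interface_list() hides every name
// whose driver prefix is in $vfaces, and filter.inc skips "tun" when writing
// the pf aliases, so pf never sees an $OPT2 macro.

// Constructed sample of what "ifconfig -l" prints while tun0 is up.
const SAMPLE_IFCONFIG_L = "xl0 xl1 sis0 lo0 pflog0 ng1 tun0";

// Same default list as util.inc; remove 'tun' from it to stop hiding tun0.
function default_vfaces() {
    return array('ppp', 'sl', 'gif', 'faith', 'lo', 'ng',
                 'vlan', 'tun', 'pflog', 'pfsync', 'carp');
}

// Keep only names that do not start with a virtual-driver prefix.
function physical_interfaces($ifconfig_l, $vfaces) {
    $out = array();
    foreach (preg_split('/\s+/', trim($ifconfig_l)) as $if) {
        $keep = true;
        foreach ($vfaces as $v) {
            // a driver name is followed by a unit number: "tun" matches tun0
            if (preg_match('/^' . preg_quote($v, '/') . '\d+$/', $if)) {
                $keep = false;
                break;
            }
        }
        if ($keep) $out[] = $if;
    }
    return $out;
}

// Emit one pf alias line per OPT interface. $skip_tun reproduces the
// filter.inc behaviour that left OPT2 = "{ tun0 }" out of rules.debug.
function opt_alias_lines($optifs, $skip_tun) {
    $lines = array();
    foreach ($optifs as $descr => $realif) {
        if ($skip_tun && stristr($realif, 'tun') !== false) continue;
        $lines[] = sprintf('%s = "{ %s }"', $descr, $realif);
    }
    return $lines;
}

print implode(' ', physical_interfaces(SAMPLE_IFCONFIG_L, default_vfaces())) . "\n";
$vfaces = array_diff(default_vfaces(), array('tun'));   // un-hide tun
print implode(' ', physical_interfaces(SAMPLE_IFCONFIG_L, $vfaces)) . "\n";
$opt = array('OPT1' => 'sis0', 'OPT2' => 'tun0');       // constructed mapping
print implode("\n", opt_alias_lines($opt, true)) . "\n";  // OPT2 missing
print implode("\n", opt_alias_lines($opt, false)) . "\n"; // OPT2 present
```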
-
Woops, I'll get that removed. I honestly cannot remember why we did this other than hiding the interfaces that the user doesn't use to K.I.S.S.
-
K. For grins I went ahead and copied filter.inc to /conf, modified it and did an ln -fs. Nothing died. I haven't attempted a rules change yet, will here in a few moments, see if the rules apply successfully now. I would think they would. I'm doing a hard drive install on the box here in about an hour or so, so we'll see how stable this is. I just really wish I knew why openvpn has to keep being -HUP'ed every time I make a rules change. :\
-
Hupping it every time you make a change does sound rather strange to me.
Perhaps you could detect that openvpn is running in filter_configure_sync() and HUP it at the end of the routine before it returns.
-
Huh?
I thought I have already addressed these problems!
- processing of tun interfaces in filter.inc
- reloading openvpn every time pf reloads in rc.reload_interfaces
Or - am I missing the point here? ???
Marc
-
Huh?
I thought I have already addressed these problems!
- processing of tun interfaces in filter.inc
- reloading openvpn every time pf reloads in rc.reload_interfaces
Or - am I missing the point here? ???
Marc
Yep, I looked at the code after replying and you indeed have taken care of this.
-
Applied cleanly to RELENG_1 and has been committed.
RELENG_1 = Beta 1/Release 1?
Is there still enough time to do some further modifications to get the client part running? (my enthusiasm has grown again) :)
Will the modifications I've made and openvpn be kept for 1.0?
I've read in some other thread that you were planning to remove openvpn completely for 1.0, so I hope to have been able to avoid this! ;)
BTW: I got your work committed to HEAD finally as well.
Fine! As far as you can see - are there any problems to be expected?
I mean - there seems to have been some reason to exclude tun interfaces from creation in util.inc.
I've been thinking of other VPN types like IPSEC, PPTP etc which might be also using tun interfaces…
-
I mean - there seems to have been some reason to exclude tun interfaces from creation in util.inc.
I've been thinking of other VPN types like IPSEC, PPTP etc which might be also using tun interfaces…
…and in filter.inc ...
-
It's already in RELENG_1 which is beta 1 / release branch. There are no plans on "removing" it, just removing the menu item that points to it which has already been done.
However, if you can get this thing working solid enough then we will definitely revisit including it. However we'll need to backport the interface renumber code from HEAD which fixes the problem when you remove an interface.
-
Okay, I need to clarify a few things, as I've seriously muddied the waters here. My config is as follows:
Stock 1.0-BETA1, now installed to hard disk.
Modified util.inc to allow tun interfaces to be detected.
Modified filter.inc, again, to allow tun interfaces not to be filtered from aliases generation.
Created /usr/local/etc/rc.d/openvpn.sh, then when run from rc with "start" appended (as with normal freebsd rc.d stuff) starts all of my tunnels (all one of them at this point).
Everything seems to be humming along fine. I haven't attempted to apply the patches that were posted to this thread yet. I was just doing an independent dig-through of what was required to get openvpn to run from the console, hoping that my conclusions would help.
(After going back and reading the recent posting barrage….)
Do I need to make an additional modification to prevent the tunnel from going down upon a reload? It seems you adjusted an rc script to do this....
It appears we all more or less wound up in the same place, albeit that he's starting openvpn the "right" way, and I'm not. ;)
So the next step is for me to use his patch and set it up the right way. Won't happen today, perhaps later this week though?
-
I'm debating as to whether I have time to mess with this tonight or not. I have an extra net4501 laying here that's taunting me.
What issues are left after all of the patches are applied in this thread? Is it stable enough to make 1.0 final (without the developer tag)?
-
Do I need to make an additional modification to prevent the tunnel from going down upon a reload? It seems you adjusted an rc script to do this….
Hi,
I had to modify the rc.reload_interfaces.inc script to restart openvpn:
In certain cases (I don't remember now), when pf needs to restart (and reload all interfaces) the openvpn and the tun0 interface would still be running, but no connections are being accepted any more. The system log also doesn't reveal any openvpn activity at this point.
It seems reasonable to reload the tun interface (thus restart openvpn) when pfsense needs to reload all other interfaces, so I would have come to this point either way. ;)
You said, that openvpn would also reload on changing of firewall rules on the tun0 interface.
I'll check this the next few days and keep you informed!
Marc