Netgate Discussion Forum

    Ovpns -> OPT interface netmask error

    2.1 Snapshot Feedback and Problems - RETIRED
    • M
      m.algoe

      When assigning ovpns port to OPT interface, even though the tunnel network is configured as /30 the OPT interface gets a /32.

      The tunnel works fine (passes traffic as expected) but I cannot assign a gateway on the remote site since the remote tunnel IP is not in the OPT interface network. "The gateway address 192.168.17.2 does not lie within the chosen interface's subnet '192.168.xx.1/32'."
      If I go to Status -> Interfaces the OPT interface is listed with netmask 255.255.255.255.
      In VPN -> OpenVPN -> Edit server the IPv4 tunnel network has a /30 mask.

      I'm running the latest version:
      2.1-DEVELOPMENT (amd64)
      built on Thu May 10 13:27:30 EDT 2012
      FreeBSD 8.3-RELEASE-p1

      The remote site is running 2.0.1 and seems to have the same netmask listed (255.255.255.255) but it automatically added a gateway on the local site when assigned an OPT interface.

      • jimpJ
        jimp Rebel Alliance Developer Netgate

        If you assign an OpenVPN interface, never give it an IP. Set it to an IP type of "none".

        You can't add a gateway for policy routing to an OpenVPN server that way. A client gets an automatic gateway, not sure why we don't do the same for a server if it's shared key or a /30 though.

        If you need to route via OpenVPN, add a route statement into OpenVPN's config, don't rely on system gateways.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • M
          m.algoe

          I set it to none, but in the listing it gets assigned the openvpn automatically.

          The reason for wanting to add a gateway on the server towards the client is that it is a site-to-site tunnel with multiple networks on both sides and I thought it'd be easier to add routes under System -> Routing.

          What I'd really like is to use some routing protocol but I'm having some trouble getting any of them to work. Not sure if it's 2.1 or me ;D

          • jimpJ
            jimp Rebel Alliance Developer Netgate

            Never, ever add routes for OpenVPN to system > routing – always do those with route statements in OpenVPN's config.

            Quagga-OSPF works fine on 2.1, though you may have to manually "pkg_add -r quagga" from the shell if it doesn't actually install the binaries properly.

            • M
              m.algoe

              OK, I'll give Quagga a try.

              What is the reason for never, ever adding OpenVPN routes in system -> routing? The only reason I can think of is dead routes if the tunnel goes down, but isn't that handled by gateway up/down detection?

              Edit: thanks for the add_pkg -r tip, that worked wonders!
              Now I've got some OSPF problems, but I'll keep them in the packages-forum (http://forum.pfsense.org/index.php/topic,49648.0.html) :)

              • jimpJ
                jimp Rebel Alliance Developer Netgate

                The tun interfaces handled by OpenVPN are special. They don't do link detection like normal interfaces do. The gateway detection might get certain things right, but there are situations you could fall into where the routes may not properly be reapplied if the service was started and stopped. Plus, it's a lot more overhead to add those to the GUI than just simply add a route statement to OpenVPN.

                • M
                  m.algoe

                  Thanks for the info :)

                  A problem I seem to get a lot with 2.1 is that every change, for example now adding route statements to the openvpn config, requires a restart to work properly. The tunnel got disconnected/reconnected when I changed the config, but then only the last route statement was applied and all others ignored. Reboot fixed it.
                  I had some problems getting ospf working, but after a couple of reboots it worked fine. (that and the pkg_add -r stuff, thanks again :) )

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate

                    Hmm, when you edit/save OpenVPN it should restart that instance. Even if that doesn't, you can use Status > Services to stop and restart the VPN instance.

                    If you had any static routes or gateways defined that should really be in the VPN config you will want to remove those, as that's probably the source of the issue with needing to reboot to fix the routing table.

                    (side note: quagga should be better now)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.