Ovpns -> OPT interface netmask error
-
When assigning ovpns port to OPT interface, even though the tunnel network is configured as /30 the OPT interface gets a /32.
The tunnel works fine (passes traffic as expected) but I cannot assign a gateway on the remote site since the remote tunnel IP is not in the OPT interface network. "The gateway address 192.168.17.2 does not lie within the chosen interface's subnet '192.168.xx.1/32'."
If i go to Status -> Interfaces the OPT interface is listed with netmask 255.255.255.255.
In VPN -> OpenVPN -> Edit server the IPv4 tunnel network has a /30 mask.I'm running the latest version:
2.1-DEVELOPMENT (amd64)
built on Thu May 10 13:27:30 EDT 2012
FreeBSD 8.3-RELEASE-p1The remote site is running 2.0.1 and seems to have the same netmask listed (255.255.255.255) but it automatically added a gateway on the local site when assigned an OPT interface.
-
If you assign an OpenVPN interface, never give it an IP. Set it to an IP type of "none".
You can't add a gateway for policy routing to an OpenVPN server that way. A client gets an automatic gateway, not sure we we don't do the same for a server if it's shared key or a /30 though.
If you need to route via OpenVPN, add a route statement into OpenVPN's config, don't rely on system gateways.
-
I set it to none, but in the listing it gets assigned the openvpn automatically.
The reason for wanting to add a gateway on the server towards the client is that it is a site-to-site tunnel with multiple networks on both sides and i thought it'd be easier to add routes under System -> Routing.
What I'd really like is to use some routing protocol but I'm having some trouble getting any of them to work. Not sure if it's 2.1 or meย ;D
-
Never, ever add routes for OpenVPN to system > routing โ always do those with route statements in OpenVPN's config.
Quagga-OSPF works fine on 2.1, though you may have to manually "pkg_add -r quagga" from the shell if it doesn't actually install the binaries properly.
-
OK, I'll give Quagga a try.
What is the reason for never, ever adding OpenVPN routes in system -> routing? The only reason i can think of is dead routes if the tunnel goes down, but isn't that handled by gateway up/down detection?
Edit: thanks for the add_pkg -r tip, that worked wonders!
Now I've got some OSPF problems, but I'll keep them in the packages-forum (http://forum.pfsense.org/index.php/topic,49648.0.html) :) -
The tun interfaces handled by OpenVPN are special. They don't do link detection like normal interfaces do. The gateway detection might get certain things right, but there are situations you could fall into where the routes may not properly be reapplied if the service was started and stopped. Plus, it's a lot more overhead to add those to the GUI than just simply add a route statement to OpenVPN.
-
Thanks for the info :)
A problem i seem to get a lot with 2.1 is that every change, for example now adding route statements to the openvpn config, requires a restart to work properly. The tunnel got disconnected/reconnected when i changed the config, but then only the last route statement was applied and all others ignored. Reboot fixed it.
I had some problems getting ospf working, but after a couple of reboots it worked fine. (that and the pkg_add -r stuff, thanks again :) ) -
Hmm, when you edit/save OpenVPN it should restart that instance. Even if that doesn't, you can use Status > Services to stop and restart the VPN instance.
If you had any static routes or gateways defined that should really be in the VPN config you will want to remove those, as that's probably the source of the issue with needing to reboot to fix the routing table.
(side note: quagga should be better now)
