OpenVPN route problem

I have installed ns7b2 as my gw at home/lab: 1 red, 1 green, 1 green (with some other subnet).
No problem with the same config on ns6.8.

Problem 1 (maybe a bug):
Error while connecting with OpenVPN (client is a Fedora 24):

Wed Sep 28 15:53:57 2016 Options error: route parameter network/IP '192.168.101.0/24' must be a valid address

Changed /etc/openvpn/host-to-net.conf

from:
push "route 192.168.101.0/24"
to:
push "route 192.168.101.0 255.255.255.0"
and restarting openvpn@host-to-net.service seems to solve the error…

Problem 2: on ns6.8 I must create a firewall rule like this to reach the subnet behind the 2nd green eth,
but when I try to create it:

while in /etc/shorewall/rules:

#
# 60rules
#
?COMMENT RULE#8.
{source:ivpn,lvpn, dest:znonn, time:-, action:ACCEPT:info}

Any idea? (Yes, I know I should rethink my home network :slight_smile: )

1 Like

I can’t reproduce the problem. I tried both from command line and using Network Manager on a Fedora 24:

  • openvpn-2.3.12-1.fc24.x86_64
  • NetworkManager-1.2.4-2.fc24.x86_64

This is a bug, check out the fix:

I’m really really proud of all great bug hunters we have in this community! :wink:

1 Like

Me too!

1 Like

Starting from problem 2: the good
See GitHub, tnx! Bug fixed, but some doubts:
While retrying the new packages I've noted that Role VPN didn't exist if I install only OpenVPN… is that the normal behavior?
To replicate…
installed OpenVPN
configured and enabled 1 user (VPN only) + OpenVPN roadwarrior
created a zone ztest 192.168.101.0/24
tried to create a new rule in Firewall rules with source Role VPN, but no Role VPN zone exists
reboot
checked existence of Role VPN in Firewall rules: NO
installed IPsec VPN
now I have Role VPN
created a new rule in Firewall rules with source Role VPN, destination zone ztest: as expected, BUG replicated
deleted the rule
installed the new packages
created a new rule in Firewall rules with source Role VPN, destination zone ztest: new rule created correctly

Problem 1: the bad
If you have done the steps of problem 2,
in /etc/openvpn/host-to-net.conf
after the cert you will see something like:

push "dhcp-option NBT 2"
push "route 192.168.200.0 255.255.255.0"

Now add a static route,
recheck /etc/openvpn/host-to-net.conf, and now you also have the push of the static route:

push "dhcp-option NBT 2"
push "route 192.168.40.0/24 "
push "route 192.168.100.0 255.255.255.0"

That's ok, only that the OpenVPN client didn't like the CIDR notation.
I suppose the problem is around here: https://github.com/NethServer/nethserver-openvpn/blob/master/root/etc/e-smith/templates/etc/openvpn/host-to-net.conf/40route#L42-L52

Problem 3: the ugly
In two of my tests I've updated a VM and an HP N36L installed with the first nDPI packages (and kernel 4.4.19).
The update was ok (also the new kernel 4.4.22-1.el7.elrepo.x86_64), but at boot it always starts 4.4.19…
So I changed the grub default to start with 4.4.2
on the VM all ok
on the HP it crashes at boot

I'll do some other tests on the HP… while listening to The Ecstasy of Gold :grin:

tnx

1 Like
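As an added example (not code from the thread or from the NethServer templates), the helper below rewrites the CIDR route pushes that the 40route template generated into the network/netmask form the Fedora 24 OpenVPN client accepts, and flags a pushed route whose prefix has host bits set. The sample config lines are the ones quoted in the post above; the function names are my own.

```python
import ipaddress
import re

# Matches an OpenVPN directive of the form: push "route <dest> [<netmask>]"
# Group 1 keeps the leading 'push ' (with its whitespace) so it is re-emitted as-is.
_PUSH_ROUTE = re.compile(r'^(\s*push\s+)"route\s+(\S+)(?:\s+(\S+))?\s*"\s*$')


def normalize_route_push(line: str) -> str:
    """Rewrite a route push as 'route <network> <netmask>'; other lines pass through.

    The CIDR form 'route 192.168.40.0/24' is rejected by the openvpn 2.3 client
    in the thread, while the dotted-netmask form is accepted everywhere.
    Raises ValueError for anything that is not a clean IPv4 network
    (host bits set, malformed octet, IPv6).
    """
    m = _PUSH_ROUTE.match(line)
    if not m:
        return line
    prefix, dest, mask = m.groups()
    if mask is None and "/" not in dest:
        mask = "255.255.255.255"  # bare address: OpenVPN treats it as a host route
    spec = dest if mask is None else f"{dest}/{mask}"
    # strict=True rejects e.g. 192.168.101.9/24, where host bits leak into a
    # network route; that is almost always a typo in a pushed route.
    net = ipaddress.ip_network(spec, strict=True)
    if net.version != 4:
        raise ValueError(f"only IPv4 routes are handled: {line!r}")
    return f'{prefix}"route {net.network_address} {net.netmask}"'


def is_valid_route_push(line: str) -> bool:
    """True when the line is not a route push, or is a well-formed one."""
    try:
        normalize_route_push(line)
        return True
    except ValueError:
        return False


def normalize_config(text: str) -> str:
    """Apply normalize_route_push to every line of a host-to-net.conf fragment."""
    return "\n".join(normalize_route_push(l) for l in text.splitlines())


# Constructed sample: the fragment quoted in the post above, including the
# CIDR push (with its trailing space) that the client complained about.
SAMPLE_CONF = '''push "dhcp-option NBT 2"
push "route 192.168.40.0/24 "
push "route 192.168.100.0 255.255.255.0"'''

if __name__ == "__main__":
    print(normalize_config(SAMPLE_CONF))
```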

Update:
Following on the "problem 2" test…
Yes, the rule is created, but it seems to me that Role VPN creates a rule only for IPsec, so in /etc/shorewall/rules I have

?COMMENT RULE#11
{source:ivpn, dest:znonn, time:-, action:ACCEPT:none}

while my traffic from OpenVPN is still blocked:

Oct 3 08:29:55 colombo3 kernel: Shorewall:ovpn2znonn:REJECT:IN=tun0 OUT=enp2s0f0 MAC= SRC=10.3.100.6 DST=192.168.101.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=51112 DF PROTO=ICMP TYPE=8 CODE=0 ID=5334 SEQ=22

Am I doing something wrong? I'm sure it worked on 6.8, but I don't have a ns6.8 with this config anymore… if needed I can set up a new one…

1 Like

You’re right, another fix was missing.
Check latest packages from testing:

  • nethserver-firewall-base-3.1.0-1.4.gbd9f255.ns7.noarch.rpm
  • nethserver-firewall-base-ui-3.1.0-1.4.gbd9f255.ns7.noarch.rpm

You nailed it! I was missing the “create static route” step.
Here’s the fix:

This behavior is present only on testing environment :wink:

2 Likes

Great! Test in progress… :slight_smile:
Done… see GitHub and tnx!
Now OpenVPN is up and working as in my old config on 6.8, and IPsec is also working with pfSense on the other side…
Just one last doubt :blush: I didn't notice it before as it's not really a problem for me, but creating a rule from "Role VPN" will accept (or deny/etc) traffic from both IPsec and OpenVPN… wouldn't it be better to split them?

1 Like