In the server client config which is generated from 'server client <client> subnet <ipv6addr/prefix>' the resultant line is 'iroute ipv6addr/prefix', which is obviously wrong; it should be 'iroute-ipv6'.
Details
- Version: -
- Is it a breaking change? Perfectly compatible
- Issue type: Bug (incorrect behavior)
Event Timeline
Do I need to test the image before closing the task? I'm on an older image version and I manually applied the patch, which works. Otherwise I'd need to upgrade the image, which I won't have time for in the near future.
Server:
    set interfaces openvpn vtun10 encryption cipher 'aes256'
    set interfaces openvpn vtun10 hash 'sha512'
    set interfaces openvpn vtun10 local-host '10.2.0.15'
    set interfaces openvpn vtun10 local-port '1194'
    set interfaces openvpn vtun10 mode 'server'
    set interfaces openvpn vtun10 persistent-tunnel
    set interfaces openvpn vtun10 protocol 'udp'
    set interfaces openvpn vtun10 server client client1 ip '2001:470:1f14:af1::2'
    set interfaces openvpn vtun10 server client client1 subnet '2001:470:1f14:af1::/64'
    set interfaces openvpn vtun10 server push-route '2001:db8:0:abc::/64'
    set interfaces openvpn vtun10 server subnet '10.140.0.0/20'
    set interfaces openvpn vtun10 server topology 'subnet'
    set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ea1/ca.crt'
    set interfaces openvpn vtun10 tls cert-file '/config/auth/ea1/central.crt'
    set interfaces openvpn vtun10 tls dh-file '/config/auth/ea1/dh.pem'
    set interfaces openvpn vtun10 tls key-file '/config/auth/ea1/central.key'

The ccd file configuration shows only iroute, not iroute-ipv6:

    vyos@vyos6# less /run/openvpn/ccd/vtun10/client1
    ### Autogenerated by interfaces-openvpn.py ###
    ifconfig-push 2001:470:1f14:af1::2 255.255.240.0
    iroute 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::
Version:
    vyos@vyos6# run sh ver
    Version:          VyOS 1.3.0-rc5
    Release Train:    equuleus
As I understand, there are 2 bugs:
- It expected --iroute-ipv6, i.e.
    iroute-ipv6 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::
- Something wrong with such format (ipv6 address/ ipv4 mask)
    ifconfig-push 2001:470:1f14:af1::2 255.255.240.0
Also, maybe it needs to use --ifconfig-ipv6-push
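A family-aware rendering of the route line, plus a lint pass over the generated ccd file quoted above, as an added example (not VyOS code and not part of any participant's post). The names render_iroute, lint_ccd and DIRECTIVES are hypothetical; the code assumes OpenVPN's `iroute network netmask` and `iroute-ipv6 ipv6addr/bits` syntax.

```python
import ipaddress

# Sample input: the generated ccd file content quoted in the thread.
SAMPLE_CCD = """\
### Autogenerated by interfaces-openvpn.py ###
ifconfig-push 2001:470:1f14:af1::2 255.255.240.0
iroute 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::
"""

# OpenVPN ccd directive -> (IP version it accepts, sibling for the other family)
DIRECTIVES = {
    "iroute": (4, "iroute-ipv6"),
    "iroute-ipv6": (6, "iroute"),
    "ifconfig-push": (4, "ifconfig-ipv6-push"),
    "ifconfig-ipv6-push": (6, "ifconfig-push"),
}


def render_iroute(subnet):
    """Render the ccd route line for a 'server client <name> subnet' value."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version == 6:
        return f"iroute-ipv6 {net.network_address}/{net.prefixlen}"
    return f"iroute {net.network_address} {net.netmask}"


def lint_ccd(text):
    """Return (line_no, directive, suggested_directive, bad_args) per mismatch."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        # Skip blanks, comment lines and directives this check does not cover.
        if not parts or parts[0][0] in "#;" or parts[0] not in DIRECTIVES:
            continue
        want, sibling = DIRECTIVES[parts[0]]
        bad = []
        for arg in parts[1:]:
            try:
                if ipaddress.ip_interface(arg).version != want:
                    bad.append(arg)
            except ValueError:
                pass  # hostnames or aliases carry no address family to check
        if bad:
            findings.append((no, parts[0], sibling, bad))
    return findings


if __name__ == "__main__":
    for finding in lint_ccd(SAMPLE_CCD):
        print(finding)
    print(render_iroute("2001:470:1f14:af1::/64"))
```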
I don't think the configuration is working; the interface is down. It is not assigning the ipv6 addresses to the tunnel interfaces.
Also, it shows an incorrect config in the file, as mentioned by @Viacheslav in his post.
Initially, the task was opened stating that 'iroute ipv6addr/prefix' should be replaced with 'iroute-ipv6'. Still showing as iroute.
I also cannot configure just the ipv6 subnet; it needs an ipv4 subnet as well.
As a result it is pointing the ipv4 subnet in the ifconfig-push setting.
Server side:
    vyos@vyos# run sh int
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface        IP Address                        S/L  Description
    ---------        ----------                        ---  -----------
    eth0             192.168.255.214/24                u/u
    eth1             10.2.0.15/24                      u/u
                     2001:db8::1/64
    eth2             172.16.0.1/24                     u/u
    eth3             -                                 u/u
    lo               127.0.0.1/8                       u/u
                     ::1/128
    vtun10           -                                 u/D

No output in openvpn server status:

    vyos@vyos# run sh openvpn server
    [edit]
    vyos@vyos#

    vyos@vyos# del interfaces openvpn vtun10 server subnet '10.140.0.0/24'
    [edit]
    vyos@vyos# commit
    IPv6 server requires an IPv4 server subnet

Why is it mandatory to have the ipv4 subnet as well?
I see these errors in the openvpn log:

    Aug 7 14:21:31 vyos openvpn-vtun10[22029]: Options error: --server-ipv6 is incompatible with 'nopool' option
    Aug 7 14:21:31 vyos openvpn-vtun10[22029]: Use --help for more information.
    Aug 7 14:21:31 vyos systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
    Aug 7 14:21:31 vyos systemd[1]: [email protected]: Failed with result 'exit-code'.
So I configured the following option but still it does not help:

    set interfaces openvpn vtun10 server client-ipv6-pool base '2001:470:1f14:af1::/64'
Existing server configuration:
    set interfaces openvpn vtun10 encryption cipher 'aes256'
    set interfaces openvpn vtun10 hash 'sha512'
    set interfaces openvpn vtun10 local-host '2001:db8::1'
    set interfaces openvpn vtun10 local-port '1194'
    set interfaces openvpn vtun10 mode 'server'
    set interfaces openvpn vtun10 persistent-tunnel
    set interfaces openvpn vtun10 protocol 'udp'
    set interfaces openvpn vtun10 server client client1 ip '2001:470:1f14:af1::2'
    set interfaces openvpn vtun10 server client client1 subnet '2001:470:1f14:af1::/64'
    set interfaces openvpn vtun10 server client-ipv6-pool base '2001:470:1f14:af1::/64'
    set interfaces openvpn vtun10 server push-route '2001:db8:0:abc::/64'
    set interfaces openvpn vtun10 server subnet '2001:470:1f14:af1::/64'
    set interfaces openvpn vtun10 server subnet '10.140.0.0/24'
    set interfaces openvpn vtun10 server topology 'subnet'
    set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ovpn/ca.crt'
    set interfaces openvpn vtun10 tls cert-file '/config/auth/ovpn/openvpn_server.crt'
    set interfaces openvpn vtun10 tls dh-file '/config/auth/ovpn/dh2048.pem'
    set interfaces openvpn vtun10 tls key-file '/config/auth/ovpn/openvpn_server.key'
    set interfaces openvpn vtun10 use-lzo-compression

Am I missing any part of the configuration? I would be grateful for any advice.