
[BUG] Install script hangs generating subnet when physical interface range is 10.0.0.0/8

Open orazioedoardo opened this issue 3 years ago • 12 comments

Discussed in https://github.com/pivpn/pivpn/discussions/1516

Originally posted by TimeForANinja May 3, 2022

In raising this issue, I confirm the following:

  • [x] I have read the documentation
  • [ ] Is it a feature request? Please consider opening a [Discussion](https://github.com/pivpn/pivpn/discussions/new)
  • [x] I have read and understood the contributors guide.
  • [x] The issue I am reporting can be replicated.
  • [x] The issue I am reporting is directly related to the pivpn installer script.
  • [ ] The issue I am reporting isn't a duplicate (see FAQs, closed issues, and open issues).

Has your install failed?

yes

Describe the issue

Issue

During installation on my VM the script got stuck after choosing the VPN type. CPU usage was at around 100% for ~10 minutes before I stopped the script. Retrying didn't fix it.

Investigation

After doing some debugging it looks like the script got stuck inside the generateRandomSubnet function. I'm not good with bash scripting, but from what I do understand about it, it looks like it gets stuck in the `while true;` loop, since the subnet of my VM, 10.0.0.0/8, will result in all generated pivpnNET 10.XXX.XXX.0 being invalid...

Workaround

I went ahead and edited the script, replacing the generateRandomSubnet function with something like `echo "10.0.0.1"`. After the installation I edited /etc/wireguard/wg0.conf, /etc/pivpn/wireguard/setupVars.conf and /etc/iptables/rules.v4 to my liking. From what I read, the unattended mode can also bypass the function.

Possible Fixes

Since changing the subnet of your host is not always easily possible, I see three options:

  1. consider other private IP ranges in the function
  2. manually filter out this edge case
  3. let the script error out after a few thousand iterations of the while loop

Can you replicate the issue? Describe the steps below

  1. Create a new Debian-11 based Container in proxmox
  2. open console
  3. start running the script
  4. press enter to choose the default option in all prompts until it gets stuck

orazioedoardo, May 04 '22 08:05

> it looks like it gets stuck in the `while true;` loop, since the subnet of my VM, 10.0.0.0/8, will result in all generated pivpnNET 10.XXX.XXX.0 being invalid...

Would it not make more sense to change your local subnet ?

Nobody requires 10/8 as a local subnet.

The script could detect this subnet and then explain why it is incompatible with pivpn.

TinCanTech, Nov 06 '22 17:11

Or, PiVPN could allow the use of a non-10.x.x.x-based system? Such as using 192.168 instead? I have a large homelab setup with VMs and CTs within ProxMox boxes, as well as a large number of DHCP clients and site-to-site VPNs such that while a 10/8 subnet is not required, reconfiguring my entire network would be an extremely annoying thing to do.

davwheat, Nov 19 '22 01:11

There is no valid use case for 10/8 as a local subnet.

TinCanTech, Nov 19 '22 01:11

Just because there aren't reasonable use cases, doesn't mean that these networks do not exist, and a single piece of software should not dictate what a valid network setup is or isn't.

People can have their own opinions on what a networking setup should be like -- and yours is painfully obvious -- but this is still just your opinion.

davwheat, Nov 19 '22 01:11

@davwheat If you have a physical local network with 16.77 million connected hosts then you do not require pivpn to configure your VPN.

That is, unless you can demonstrate a valid use case with a local subnet of 10/8.

Let us calculate the required resources:

  • Average rack switch: 64 ~ 2048 ports.
  • Number of switches required for a 10/8 subnet: 16.77 million divided by (64 ~ 2048) = 8192+++ Electricity bill is too excessive.

And this is only IPv4, what thumb-duckery can we expect with IPv6 ?

> People can have their own opinions on what a networking setup should be like

Yeah .. people can have opinions, like which way to slice an onion.

On the other hand, pivpn is doing a good job, for free. (i.e. not nonsense.)

TinCanTech, Nov 19 '22 01:11

> There is no valid use case for 10/8 as a local subnet.

Your Pi would fry, under such pressure.

TinCanTech, Nov 19 '22 06:11

I was able to install by making changes to this part of pivpn/auto_install/install.sh.

To install using 192.168.xxx.xxx instead of 10.xxx.xxx.xxx:

```bash
generateRandomSubnet() {
  local MATCHES
  # Source: https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts
  declare -a SUBNET_EXCLUDE_LIST

  SUBNET_EXCLUDE_LIST=(10.0.0.0/24)
  SUBNET_EXCLUDE_LIST+=(10.0.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.1.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.1.10.0/24)
  SUBNET_EXCLUDE_LIST+=(10.2.0.0/24)
  SUBNET_EXCLUDE_LIST+=(10.8.0.0/24)
  SUBNET_EXCLUDE_LIST+=(10.10.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.90.90.0/24)
  SUBNET_EXCLUDE_LIST+=(10.100.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.255.255.0/24)

  # Every subnet the host already routes is excluded as well
  readarray -t CURRENTLY_USED_SUBNETS <<< "$(ip route show \
    | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}')"
  SUBNET_EXCLUDE_LIST=("${SUBNET_EXCLUDE_LIST[@]}" "${CURRENTLY_USED_SUBNETS[@]}")

  # Draw from 192.168.0.0/16 instead of 10.0.0.0/8
  while true; do
    MATCHES=0
    pivpnNET="192.168.$((RANDOM % 256)).0"

    for SUB in "${SUBNET_EXCLUDE_LIST[@]}"; do
      if grepcidr "${SUB}" <<< "${pivpnNET}/24" 2>&1 >/dev/null; then
        ((MATCHES++))
      fi
    done

    if [[ "${MATCHES}" -eq 0 ]]; then
      break
    fi
  done

  echo "${pivpnNET}"
}
```

bradm10000, May 19 '23 01:05

Hi, I had the same issue with a 10.X.X.X/24 network; after changing the following line, it all worked nicely:

`pivpnNET="10.$((RANDOM % 256)).$((RANDOM % 256)).0"` => `pivpnNET="20.$((RANDOM % 256)).$((RANDOM % 256)).0"`

and to better format what @bradm10000 wrote:

```bash
generateRandomSubnet() {
  local MATCHES
  # Source: https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts
  declare -a SUBNET_EXCLUDE_LIST

  SUBNET_EXCLUDE_LIST=(10.0.0.0/24)
  SUBNET_EXCLUDE_LIST+=(10.0.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.1.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.1.10.0/24)
  SUBNET_EXCLUDE_LIST+=(10.2.0.0/24)
  SUBNET_EXCLUDE_LIST+=(10.8.0.0/24)
  SUBNET_EXCLUDE_LIST+=(10.10.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.90.90.0/24)
  SUBNET_EXCLUDE_LIST+=(10.100.1.0/24)
  SUBNET_EXCLUDE_LIST+=(10.255.255.0/24)

  readarray -t CURRENTLY_USED_SUBNETS <<< "$(ip route show \
    | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/[0-9]{1,2}')"
  SUBNET_EXCLUDE_LIST=("${SUBNET_EXCLUDE_LIST[@]}"
    "${CURRENTLY_USED_SUBNETS[@]}")

  while true; do
    MATCHES=0
    pivpnNET="192.168.$((RANDOM % 256)).0"

    for SUB in "${SUBNET_EXCLUDE_LIST[@]}"; do
      if grepcidr "${SUB}" <<< "${pivpnNET}/24" \
        2>&1 > /dev/null; then
        ((MATCHES++))
      fi
    done

    if [[ "${MATCHES}" -eq 0 ]]; then
      break
    fi
  done

  echo "${pivpnNET}"
}
```

MaxiStarling56, Jun 19 '23 12:06
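Added example, not pivpn's installer code and not the workaround code posted by anyone in this thread: one way to implement all three fixes proposed in the issue body at once. It draws candidate /24s from all three RFC 1918 blocks rather than only 10/8, tests them against the host's routes with a pure-bash prefix comparison instead of grepcidr, and gives up with a non-zero exit after a bounded number of tries instead of spinning at 100% CPU. The function names (`generate_subnet`, `cidr_overlap`, `routed_subnets`, ...), the try limit and the `ip route show` sample are this example's own assumptions. One caveat on the 20.x.x.x edit above: 20.0.0.0/8 is not RFC 1918 private space, so a VPN placed there shadows real Internet addresses for connected clients; the example keeps to private ranges.

```bash
#!/usr/bin/env bash
# Added example, not pivpn's install.sh: a bounded replacement for
# generateRandomSubnet that tries every RFC 1918 block and fails cleanly.
# All identifiers below are this example's own, not names from the installer.

# ip_to_int A.B.C.D -> 32-bit integer; 10# forces decimal so "010" is not octal.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))
}

# prefix_len 10.0.0.0/8 -> 8; a bare address counts as a /32.
prefix_len() {
  if [[ $1 == */* ]]; then echo "${1#*/}"; else echo 32; fi
}

# cidr_overlap A/n B/m -> status 0 if the two prefixes share any address.
# Two prefixes overlap exactly when they agree on the shorter of the two
# prefix lengths, which is the check the installer delegated to grepcidr.
cidr_overlap() {
  local a_int b_int alen blen plen mask
  a_int=$(ip_to_int "${1%/*}")
  b_int=$(ip_to_int "${2%/*}")
  alen=$(prefix_len "$1")
  blen=$(prefix_len "$2")
  plen=$(( alen < blen ? alen : blen ))
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  (( (a_int & mask) == (b_int & mask) ))
}

# random_candidate -> a random /24 network address from 10/8, 172.16/12 or
# 192.168/16. The installer only drew from 10/8, so a 10/8 host never finished.
random_candidate() {
  case $(( RANDOM % 3 )) in
    0) echo "10.$(( RANDOM % 256 )).$(( RANDOM % 256 )).0" ;;
    1) echo "172.$(( 16 + RANDOM % 16 )).$(( RANDOM % 256 )).0" ;;
    *) echo "192.168.$(( RANDOM % 256 )).0" ;;
  esac
}

# generate_subnet MAX_TRIES EXCLUDE_CIDR... -> prints a free /24 network
# address, or prints a diagnostic on stderr and returns 1 once MAX_TRIES
# candidates have all collided (the original `while true` had no exit path).
generate_subnet() {
  local max_tries=$1; shift
  local -a exclude=("$@")
  local try candidate sub clash
  for (( try = 0; try < max_tries; try++ )); do
    candidate=$(random_candidate)
    clash=0
    for sub in "${exclude[@]}"; do
      if cidr_overlap "${candidate}/24" "$sub"; then
        clash=1
        break
      fi
    done
    if (( clash == 0 )); then
      echo "$candidate"
      return 0
    fi
  done
  echo "generate_subnet: no free RFC 1918 /24 after ${max_tries} tries; excluded: ${exclude[*]}" >&2
  return 1
}

# Constructed sample of `ip route show` on a host whose LAN is all of 10/8,
# so the example runs offline; on a real box use "$(ip route show)" instead.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/8 dev eth0 proto kernel scope link src 10.5.1.20
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1'

# routed_subnets ROUTE_TEXT -> one CIDR per line, same regex the installer uses.
routed_subnets() {
  grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}' <<< "$1"
}

main() {
  local -a used=()
  local line net
  while IFS= read -r line; do
    [[ -n $line ]] && used+=("$line")
  done <<< "$(routed_subnets "$SAMPLE_ROUTES")"
  if net=$(generate_subnet 1000 "${used[@]}"); then
    echo "pivpnNET=${net}"
  else
    echo "Cannot pick a VPN subnet automatically; set pivpnNET yourself." >&2
    return 1
  fi
}

main
```

With the sample routes the picker lands in 172.16/12 or 192.168/16 after a handful of draws; if every private block is routed it exits non-zero with the list of conflicting routes, which the installer could turn into a prompt for an explicit subnet. Checking `cidr_overlap`'s exit status directly also sidesteps the `2>&1 >/dev/null` ordering in the posted workaround, which sends grepcidr's stderr to the terminal rather than to /dev/null.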

I'm having this same exact problem, I cannot fathom why you guys can't just accept that people do actually use these networks, and you SHOULD adapt to it...

Auxtal, Sep 29 '23 04:09

> I'm having this same exact problem, I cannot fathom why you guys can't just accept that people do actually use these networks, and you SHOULD adapt to it...

@Auxtal can you remind me please, who are you exactly?

anyway ... I have the test branch ready for your Pull request

coolapso, Sep 29 '23 07:09

Running into this issue here as well, looking forward to a resolution on this bug!

volk12, Nov 08 '23 01:11

Should be fixed in the pull request mentioned above, you can try with `curl -L https://test.pivpn.io | TESTING= bash`

orazioedoardo, Nov 23 '23 10:11

Pre-archive closing, more information here

coolapso, Apr 06 '24 09:04