
`VPN: OpenVPN: Client Specific Overrides` "Tunnel Network" description only describes old Topology behavior

Open marner2 opened this issue 3 years ago • 2 comments

Important notices

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

The full help text for "Tunnel Network" under "Client Specific Overrides" seems to very specifically refer to the behavior for the older net30 topology, with zero mention on how the behavior will change if you are using subnet topology (which is the newer recommended setting).

https://github.com/opnsense/core/blob/1d769e6e6cec6594ca0409c2b8b2d7539b90c558/src/www/vpn_openvpn_csc.php#L466-L472

To Reproduce

Steps to reproduce the behavior:

  1. Go to /vpn_openvpn_csc.php
  2. Create a new client specific override
  3. Click on the IPv4 Tunnel Network full help
  4. See description

Expected behavior

I expect the help to accurately describe the current underlying behavior for OpenVPN settings, which is that the "Tunnel Network" settings for Client Specific Overrides mention that they will set ifconfig-push <client ip> <subnet mask> which only sets the client ip address.

The updated description should make at least some mention about the behavior of the tunnel network settings when you are using a subnet topology. Ideally, that gets emphasized and there is a clear indication of the two different behaviors present (as defined by the code from the plugins directory below). e.g.:

If Subnet Topology is set on the corresponding server, this will be the ip address given to the client virtual interface. It must be within the subnet of the Tunnel Network set on the server, expressed in CIDR (eg. 10.0.8.3/24). If Subnet Topology is not set on the corresponding server, this is the IPv4 virtual network used for private communications between this client and the server expressed using CIDR (eg. 10.0.8.0/24). The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface.

Describe alternatives you considered

I only knew about this bug because I spent multiple hours researching the topic and digging through the codebase. It would be nice for future users to not have to do this with helpful messages.

Screenshots

Relevant log files

Additional context

According to the Topology section of OpenVPN, the current recommended topology for OpenVPN is subnet. In OPNsense configuration, this corresponds to checking the "Topology" checkbox under the "Client Settings" section on the VPN: OpenVPN: Servers page for the given server.

According to the aforementioned document from OpenVPN, Client Specific Overrides for the "subnet topology" take the form ifconfig-push <client ip> <subnet mask>. However, for the older net30 topology, they take the form ifconfig-push <client ip> <server ip>. You can see this accurately reflected in the backend here:

https://github.com/opnsense/core/blob/1d769e6e6cec6594ca0409c2b8b2d7539b90c558/src/etc/inc/plugins.inc.d/openvpn.inc#L992-L1002

Original issue: #5851

Environment

OPNsense 22.1.8_1 (amd64, OpenSSL) a8aabc538

marner2 commented Jul 04 '22 21:07
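The two behaviours the report describes (net30: first host of the override network is the server end, second host is the client end; subnet topology: the override is the client's own address plus netmask, and must fall inside the server's tunnel network) can be made concrete with a small helper. This is an added example, not OPNsense code: `csc_ifconfig_push` and its parameters are hypothetical, and it assumes that "first network address" in the net30 case means the first host after the network address (network + 1), which matches the 10.0.8.1 / 10.0.8.2 values quoted later in the thread.

```python
import ipaddress


def csc_ifconfig_push(csc_tunnel: str, server_tunnel: str, subnet_topology: bool) -> str:
    """Return the ifconfig-push line a client override would produce.

    csc_tunnel      - the "Tunnel Network" entered in the override, in CIDR form
    server_tunnel   - the tunnel network configured on the OpenVPN server
    subnet_topology - True when the server's "Topology" (subnet) checkbox is set

    Hypothetical helper written for illustration; it mirrors the two cases the
    issue describes, not the actual openvpn.inc implementation.
    """
    server_net = ipaddress.ip_network(server_tunnel, strict=False)

    if subnet_topology:
        # Subnet topology: the override holds the client's own address, e.g.
        # 10.0.8.3/24, and OpenVPN pushes "<client ip> <netmask>".
        iface = ipaddress.ip_interface(csc_tunnel)
        if iface.ip not in server_net:
            # The proposed help text says the address must lie within the
            # server's tunnel network; reject anything that does not.
            raise ValueError(
                f"{iface.ip} is not inside the server tunnel network {server_net}"
            )
        return f"ifconfig-push {iface.ip} {iface.netmask}"

    # net30 topology: the override is a private network shared by this client
    # and the server, e.g. 10.0.8.0/24. First host is the server end, second
    # host is the client end (assumption: "first address" = network + 1), and
    # OpenVPN pushes "<client ip> <server ip>".
    net = ipaddress.ip_network(csc_tunnel, strict=False)
    if net.num_addresses < 4:
        raise ValueError(f"{net} is too small to hold a server and a client address")
    server_ip = net.network_address + 1
    client_ip = net.network_address + 2
    return f"ifconfig-push {client_ip} {server_ip}"


def render_both(csc_tunnel_subnet: str, csc_tunnel_net30: str, server_tunnel: str) -> dict:
    """Show the same kind of user input yielding two different pushed lines."""
    return {
        "subnet": csc_ifconfig_push(csc_tunnel_subnet, server_tunnel, True),
        "net30": csc_ifconfig_push(csc_tunnel_net30, server_tunnel, False),
    }


if __name__ == "__main__":
    # Constructed sample values, taken from the examples in the report.
    for topology, line in render_both("10.0.8.3/24", "10.0.8.0/24", "10.0.8.0/24").items():
        print(f"{topology:>6}: {line}")
```

Running it side by side is the point of the report: the same "Tunnel Network" field produces `ifconfig-push 10.0.8.3 255.255.255.0` under subnet topology but `ifconfig-push 10.0.8.2 10.0.8.1` under net30, which is the distinction the help text currently leaves out.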

Over the years we cleaned up quite some code in this area, but unfortunately there is some inherited magic that is hard to phase out. The logic around addressing between the server and its overrides isn't very consistent at least.

For the overrides my suggestion would be to at least align it to reality using https://github.com/opnsense/core/commit/b651b05e49eb0217d300145e6d8859f705dc6f1d.

The server likely needs modifications too as this states the same:

https://github.com/opnsense/core/blob/7eadf5f44753c4a641775ea66f43ca6ef6b12b12/src/www/vpn_openvpn_server.php#L1102-L1123

In which case the network calculation doesn't have any relation with the topology setting.

https://github.com/opnsense/core/blob/7eadf5f44753c4a641775ea66f43ca6ef6b12b12/src/etc/inc/plugins.inc.d/openvpn.inc#L595-L612

As it only enables the topology setting using:

https://github.com/opnsense/core/blob/7eadf5f44753c4a641775ea66f43ca6ef6b12b12/src/etc/inc/plugins.inc.d/openvpn.inc

For backwards compatibility reasons these settings are difficult to change, but it is very confusing that the same type of user input results in different types of technical configuration, in my humble opinion.

AdSchellevis commented Jul 05 '22 07:07

b651b05 looks good to me.

I haven't researched the server settings very much, except to note that when I add these different remote networks to different clients, they all seem to use the second ip address as their gateway in the system routing table (eg, 10.0.8.2). I would expect it to use the first (eg, 10.0.8.1) since that is the "server address." Or to use the target address of the client that has that particular subnet.

The routing seems to work fine at least for one client, but I'm not sure if it works while I have a different client with that IP address. I need to do further testing.

marner2 commented Jul 05 '22 16:07