
T3214: Fixed ovpn config incompatibilities for IPv4+IPv6 and IPv6-onl…

Open leonkramer opened this issue 3 years ago • 1 comments

Change Summary

T3214: Fixed ovpn config incompatibilities for IPv4+IPv6 and IPv6-only use. "nopool" option not necessary. net30 "ifconfig-pool" statement handled by OpenVPN if "nopool" is omitted. IPv6 route push was nested inside IPv4 if block, now in IPv6 block. Removed mandatory IPv4 subnet for IPv6-only use.

Types of changes

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Code style update (formatting, renaming)
  • [ ] Refactoring (no functional changes)
  • [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • [ ] Other (please describe):

Related Task(s)

  • https://phabricator.vyos.net/T3214

Component(s) name

openvpn

Proposed changes

  1. Fixed OpenVPN config incompatibilities for IPv4+IPv6 and IPv6-only use. "nopool" option not necessary in generated OpenVPN configs because net30 "ifconfig-pool" statements are handled by OpenVPN if "nopool" is omitted.
  2. The generated config would allow an IPv6-only usage of OpenVPN, but a commit error appears which prevents that, saying that an IPv4 subnet is required. I have removed that check.
  3. Another incompatibility after change of 2) is that if only IPv6 "push-route" statement is defined, the IPv6 route is not being pushed because it is nested inside an IPv4 if block. I have moved the code into the IPv6 block.

How to test

  • Configure OpenVPN interface with mode=server.
  • Configure IPv4-only Subnet @ [interfaces openvpn vtunN server] = PrePatch: OK - PostPatch: OK
  • Configure IPv6-only Subnet @ [interfaces openvpn vtunN server] = PrePatch: FAIL - PostPatch: OK
    • Commit Error: IPv6 server requires an IPv4 server subnet
  • Configure IPv6+IPv4 Subnet @ [interfaces openvpn vtunN server] = PrePatch: FAIL - PostPatch: OK
    • OpenVPN Startup Error1: Options error: --server-ipv6 is incompatible with 'nopool' option
    • OpenVPN Startup Error2: Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly

Checklist:

  • [x] I have read the CONTRIBUTING document
  • [x] I have linked this PR to one or more Phabricator Task(s)
  • [ ] I have run the components SMOKETESTS if applicable
  • [x] My commit headlines contain a valid Task id
  • [ ] My change requires a change to the documentation
  • [ ] I have updated the documentation accordingly

leonkramer avatar May 29 '22 14:05 leonkramer
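The option handling described in the pull request above, as an added Python example that is not code from vyos-1x or from this PR: `render_server` emits each address family's directives in its own branch, and `lint` flags the two option combinations behind the startup errors quoted under "How to test". The function names and all addresses are constructed for illustration.

```python
import ipaddress

def render_server(subnets, push_routes):
    """Render OpenVPN server-mode lines; IPv4 and IPv6 are handled independently."""
    lines = []
    for net in map(ipaddress.ip_network, subnets):
        if net.version == 4:
            # No 'nopool' and no explicit ifconfig-pool: OpenVPN derives the pool itself.
            lines.append(f"server {net.network_address} {net.netmask}")
        else:
            lines.append(f"server-ipv6 {net}")
    for route in map(ipaddress.ip_network, push_routes):
        if route.version == 4:
            lines.append(f'push "route {route.network_address} {route.netmask}"')
        else:
            # Emitted even when no IPv4 subnet or IPv4 route exists.
            lines.append(f'push "route-ipv6 {route}"')
    return lines

def lint(lines):
    """Return the incompatible option combinations found in a generated config."""
    opts = [l.split() for l in lines if l.strip() and not l.lstrip().startswith(("#", ";"))]
    server = next((o for o in opts if o[0] == "server"), None)
    has_v6 = any(o[0] == "server-ipv6" for o in opts)
    has_pool = any(o[0] == "ifconfig-pool" for o in opts)
    problems = []
    if server and "nopool" in server[3:] and has_v6:
        problems.append("server-ipv6 combined with 'nopool'")
    if server and "nopool" not in server[3:] and has_pool:
        problems.append("explicit ifconfig-pool although server already defines one")
    return problems

# Constructed configs that trigger each of the two startup errors.
BAD_NOPOOL = ["server 10.8.0.0 255.255.255.0 nopool", "server-ipv6 fd00:8::/64"]
BAD_POOL = ["server 10.8.0.0 255.255.255.0", "ifconfig-pool 10.8.0.2 10.8.0.254"]

if __name__ == "__main__":
    for name, cfg in [("nopool + v6", BAD_NOPOOL), ("double pool", BAD_POOL),
                      ("dual stack", render_server(["10.8.0.0/24", "fd00:8::/64"],
                                                   ["2001:db8:1::/48"]))]:
        print(name, "->", lint(cfg) or "ok")
```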

Hi @leonkramer,

Sorry for the late reply, can you share a VyOS configuration that you used to get it up and running? I am curious in also adding it to our documentation.

c-po avatar Aug 05 '22 05:08 c-po

We'll merge it once 1.4/sagitta is branched off.

dmbaturin avatar Aug 31 '23 14:08 dmbaturin

It seems to be the same functionality as in https://github.com/vyos/vyos-1x/pull/1637 which is merged now.

dmbaturin avatar Sep 14 '23 14:09 dmbaturin