From owner-freebsd-current@FreeBSD.ORG Wed Jul 29 18:30:08 2009
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5A7701065673
	for ; Wed, 29 Jul 2009 18:30:08 +0000 (UTC)
	(envelope-from stb@lassitu.de)
Received: from koef.zs64.net (koef.zs64.net [212.12.50.230])
	by mx1.freebsd.org (Postfix) with ESMTP id D1B728FC0C
	for ; Wed, 29 Jul 2009 18:30:07 +0000 (UTC)
	(envelope-from stb@lassitu.de)
Received: from localhost
	by koef.zs64.net (8.14.3/8.14.3) with ESMTP id n6TIU35q005619
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO);
	Wed, 29 Jul 2009 20:30:04 +0200 (CEST)
	(envelope-from stb@lassitu.de)
	(authenticated as stb)
Message-Id: <3A1518B9-2C8C-4F05-9195-82C6017E4902@lassitu.de>
From: Stefan Bethke
To: Matthias Andree
In-Reply-To: <4A709126.5050102@elischer.org>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Wed, 29 Jul 2009 20:30:03 +0200
References: <4A709126.5050102@elischer.org>
X-Mailer: Apple Mail (2.935.3)
Cc: FreeBSD Current , Julian Elischer
Subject: Re: recent change to ifconfig breaks OpenVPN?
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 29 Jul 2009 18:30:08 -0000

On 29.07.2009 at 20:12, Julian Elischer wrote:

> Stefan Bethke wrote:
>> I just updated this afternoon (r195941), and after rebooting,
>> OpenVPN has problems ifconfig'ing a tun interface.
>> With sources from about one week ago, this is working:
>> Jul 29 03:07:15 diesel openvpn_zs64[14785]: /sbin/ifconfig tun1
>> 44.128.127.2 44.128.127.2 netmask 255.255.255.0 mtu 1500 up
>> Jul 29 03:07:15 diesel openvpn_zs64[14785]: /sbin/route add -net
>> 44.128.127.0 44.128.127.2 255.255.255.0
>> Jul 29 03:07:15 diesel openvpn_zs64[14785]: /sbin/route add -net
>> 44.128.64.0 44.128.127.1 255.255.192.0
>> Now, the same sequence fails:
>> Jul 29 17:31:41 diesel openvpn_zs64[1855]: /sbin/ifconfig tun1
>> 44.128.127.2 44.128.127.2 netmask 255.255.255.0 mtu 1500 up
>> Jul 29 17:31:41 diesel openvpn_zs64[1855]: FreeBSD ifconfig failed:
>> external program exited with error status: 1
>> Trying the same command manually gets me:
>> /sbin/ifconfig tun1 44.128.127.2 44.128.127.2 netmask 255.255.255.0
>> mtu
>
>                      ^^^^^^^^^^^^^^^^^^^^^^^^^
>
> have you tried it without using the same address on both ends?

Sure, I changed to a custom up script that configures a different
address for the other end.

The question is: is this an intended change, and does OpenVPN need to
be changed? Note that the addresses OpenVPN passed to ifconfig are
determined automatically based on various config parameters (both on
the client and on the server), so it's not a simple configuration
change.

It used to be that ifconfig would assign the local address to the p2p
interface, and would add a route to the VPN block via that one
address. This is from a 7-stable machine connected to the same server:

$ ifconfig tun0
tun0: flags=8051 metric 0 mtu 1500
	inet 44.128.127.14 --> 44.128.127.14 netmask 0xffffff00
	Opened by PID 760
$ netstat -rnfinet
...
44.128.127.0/24    44.128.127.14      UGS         2      499   tun0
44.128.127.14      44.128.127.14      UH          1        0   tun0
...

I'm guessing that adding that host route is not working anymore, and
that's why ifconfig is failing.

The end result necessary for an OpenVPN setup like mine ("topology
subnet") is a tun interface with the local address assigned by the
server configuration, and a route to the server-configured subnet
going out via the tun interface. The remote address on the tun
interface does not actually matter, and no host route is necessary.

I have a feeling OpenVPN needs to be changed wrt computing the proper
ifconfig parameters.


Stefan

-- 
Stefan Bethke   Fon +49 151 14070811
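
The kind of up script the message describes, as an added example that is not part of the original message and is not OpenVPN's code: it derives a point-to-point peer address different from the local one and prints the ifconfig and route commands in the form of the logged ones. The function names and the network+1 / network+2 peer choice are assumptions; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the original message, not OpenVPN code).
# Derives tun arguments for a "topology subnet" setup without reusing
# the local address as the point-to-point peer. Prints commands only.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of LOCAL NETMASK -> network address of the VPN subnet
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# pick_peer LOCAL NETMASK -> placeholder peer address inside the subnet.
# Assumption: use network+1, or network+2 when network+1 is the local
# address, so the two ends of the interface never carry the same address.
pick_peer() {
    l=$(ip_to_int "$1"); m=$(ip_to_int "$2")
    p=$(( (l & m) + 1 ))
    if [ "$p" -eq "$l" ]; then p=$(( p + 1 )); fi
    int_to_ip "$p"
}

# tun_subnet_cmds DEV LOCAL NETMASK -> the two commands, one per line.
# The subnet route uses the peer as gateway (assumption), so no host
# route to the local address is involved.
tun_subnet_cmds() {
    peer=$(pick_peer "$2" "$3")
    net=$(network_of "$2" "$3")
    echo "/sbin/ifconfig $1 $2 $peer netmask $3 mtu 1500 up"
    echo "/sbin/route add -net $net $peer $3"
}

# Sample input: device, address and netmask from the log lines above.
tun_subnet_cmds tun1 44.128.127.2 255.255.255.0
```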