Date: Mon, 30 Jun 2025 06:02:01 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 287653] if_ovpn can't be pre-configured with ifconfig; can't be assigned to fib
Message-ID: <bug-287653-7501-nJynl3VvQx@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-287653-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-287653-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287653

--- Comment #2 from Paige Thompson <paige@paige.bio> ---
(In reply to Marek Zarychta from comment #1)

Hey-- I actually moved on from this and settled on wireguard for now, but for what this is worth I actually was hoping to get dco working between FreeBSD machines, but I couldn't figure out how to get it to work even with both machines being FreeBSD. disable-dco would be fine, but there's seldom ever a case where I want to settle for less when in theory I could have better. Honestly I wanted to use IPSEC with racoon, but the problem I seemed to be having with that was NAT and using NAT-T the correct way (or there's something else wrong). There are issues with that depending on whether you use transport or tunnel, and depending on fragmentation settings.

I'll probably revisit this at some point, but I just used wireguard. It works even though I don't really care for it that much--it works, though part of the configuration I'm doing with rc.local:

rc.conf takes care of standing up the interface and configuring it:

wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
	options=80000<LINKSTATE>
	inet 192.0.2.1 netmask 0xfffffffe
	inet6 fcff:56::192:0:2:1 prefixlen 64
	groups: wg
	fib: 56 tunnelfib: 255
	nd6 options=101<PERFORMNUD,NO_DAD>

rc.local associates the keys and remotes with the interface:

wg setconf wg0 /usr/local/etc/wireguard/wg0.conf

You can close this if you want, but in more than a decade of using OpenVPN I've never felt so defeated as I have by ovpn(4). Moreover, I don't think it's capable in its current state of functioning in the way I need it to (where it is assigned to fib 56 and uses FIB 255 for the tunnel)--wireguard just *barely* is, and not only that, but the best I could come up with was to add the last command for its setup to rc.local.

I looked around for quite a while and I've found some evidence of people who have used it at different points in time, and I also don't think that it's always functioned the same way, because some of the examples that I was able to piece together didn't work at all.

I don't really like using wireguard, but I'm not really keen on OpenVPN to be honest, and I feel like even ovpn at some point was a shortcut to get away from having to deal with security associations, fragmentation with AH/ESP, NAT-T, etc. IPSEC hasn't always been the most reliable thing from one client to the next, so there was also that, but it's hard to imagine how that could be anymore, so in theory the only obstacle is figuring out how to set it up in every case.

You can close this if you want. Personally, and I know my opinions are unpopular, but I think for something that is in tree it should probably have a little more documentation in the man page.

-- 
You are receiving this mail because:
You are the assignee for the bug.
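An added check, not code from the bug report or from FreeBSD: a small sh script that parses the "fib: N tunnelfib: M" line ifconfig(8) prints and confirms that a tunnel interface actually landed in the intended interface FIB and tunnel FIB, which is the property the comment above wants (interface in fib 56, tunnel packets via fib 255). The function names parse_fibs and check_fibs are this example's own, and the sample input is the wg0 listing from the comment embedded as constructed data.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeBSD.
# Parses the "fib: N tunnelfib: M" line that ifconfig(8) prints on
# FreeBSD and checks that an interface ended up in the intended
# interface FIB and tunnel FIB.

# parse_fibs: read ifconfig output on stdin, print "<fib> <tunnelfib>",
# with "?" for a value that does not appear in the output.
parse_fibs() {
    awk '
        /^[[:space:]]*fib:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "fib:")       fib = $(i + 1)
                if ($i == "tunnelfib:") tfib = $(i + 1)
            }
        }
        END {
            printf "%s %s\n", (fib == "" ? "?" : fib), (tfib == "" ? "?" : tfib)
        }
    '
}

# check_fibs WANT_FIB WANT_TUNNELFIB: exit 0 only when the ifconfig output
# on stdin shows both values.  Live use on the box after boot:
#     ifconfig wg0 | check_fibs 56 255
check_fibs() {
    want_fib=$1
    want_tfib=$2
    set -- $(parse_fibs)
    [ "$1" = "$want_fib" ] && [ "$2" = "$want_tfib" ]
}

# Constructed sample: the wg0 listing quoted in the comment above.
SAMPLE='wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
	options=80000<LINKSTATE>
	inet 192.0.2.1 netmask 0xfffffffe
	inet6 fcff:56::192:0:2:1 prefixlen 64
	groups: wg
	fib: 56 tunnelfib: 255
	nd6 options=101<PERFORMNUD,NO_DAD>'

if printf '%s\n' "$SAMPLE" | check_fibs 56 255; then
    echo "wg0: fib/tunnelfib as intended"
else
    echo "wg0: fib/tunnelfib NOT as intended: $(printf '%s\n' "$SAMPLE" | parse_fibs)"
fi
```

Run it from rc.local after the wg setconf step, or from a cron job, to catch an interface that silently came up in the default FIB.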