Misconfigured OpenVPN breaks routing #201

Closed
kgleason opened this issue May 31, 2015 · 8 comments
@kgleason

I recently installed OPNsense, and I was working on creating an OpenVPN. I misconfigured the tunnel settings by using 192.168.100.1/24 for my tunnel network, and 10.0.0.1/24 for my Local Network. These are obviously invalid network definitions, but I didn't catch it up front.

Every time I attempted to start the OpenVPN server, all routing from within my network would stop. I tested multiple times by rebooting OPNsense, opening a ping (8.8.8.8), and then attempting to start the OpenVPN server. As soon as I tried to start the OpenVPN server, my ping would die.

I was always able to ping from the OPNsense box itself, but nothing from within my network.

My network setup is dead simple: Cable Modem -> OPNsense -> Switched Network, no VLANs.

The OpenVPN logs led me to my error. Once I fixed it, then everything proceeded to work as normal.

I am running OPNsense 15.1.11.1-amd64.

Please let me know if you need any additional information.

@kgleason
Author

kgleason commented Jun 3, 2015

It looks like this might be related to this:

http://lists.freebsd.org/pipermail/freebsd-net/2015-January/040798.html

I'm making an assumption that adding a new VPN creates a new interface.

If so, then please feel free to close this issue as it is an upstream bug.

@fichtner fichtner added the bug Production bug label Jun 3, 2015
@fichtner fichtner added this to the 15.7 milestone Jun 3, 2015
@fichtner fichtner self-assigned this Jun 3, 2015
@fichtner
Member

fichtner commented Jun 3, 2015

So /etc/rc.d/routing fiddles with the forwarding sysctls. Confirmed, but not sure what to do just yet. The suggested workaround in the thread is not suitable for OPNsense, because we handle the sysctls ourselves, meaning we'll have to prevent routing from kicking in. Thanks so far!

@fichtner
Member

fichtner commented Jun 3, 2015

This probably causes the chain reaction... Can override via own devd rules :) https://github.com/opnsense/src/blob/master/etc/devd.conf#L64-71

@fichtner
Member

fichtner commented Jun 3, 2015

The fix won't make it into 15.1.11.2 today, but is worth a 15.1.11.3 tomorrow or the day after. Needs some more testing, but looks promising.

lattera added a commit to HardenedBSD/opnsense-core that referenced this issue Jun 7, 2015
@fichtner
Member

fichtner commented Jun 8, 2015

@kgleason did this help at all? :)

lattera added a commit to HardenedBSD/opnsense-core that referenced this issue Jun 10, 2015
@fichtner
Member

@lattera @kgleason close this maybe?

@lattera
Contributor

lattera commented Jun 11, 2015

On my end, this can be closed.

@fichtner
Member

Closing this: no more feedback (which is mostly good).
