openvpn: CSO support for previously used freeform custom settings #6703

Closed
2 tasks done
fichtner opened this issue Aug 3, 2023 · 12 comments

@fichtner
Member

fichtner commented Aug 3, 2023

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

Custom options are no longer available which requires us to add new fields which can be validated properly.

Describe the solution you like

Add requested fields:

  • sndbuf 524288 (increase system values if this is required, documentation isn't very enthusiastic about this)
  • rcvbuf 524288 (increase system values if this is required, documentation isn't very enthusiastic about this)
  • push "sndbuf 524288"
  • push "rcvbuf 524288"

Fields done:

  • route-gateway

Describe alternatives you considered

File based overrides for CSOs are not very elegant and a nightmare to handle for the user.

Additional context

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/
https://forum.opnsense.org/index.php?topic=35149.0

@fichtner fichtner added the cleanup Low impact changes label Aug 3, 2023
@fichtner fichtner added this to the 24.1 milestone Aug 3, 2023
@fichtner fichtner self-assigned this Aug 3, 2023
@fichtner fichtner changed the title openvpn: CSO support for 'fragment 1250', 'mssfix 1250' and 'tun-mtu 1500' openvpn: CSO support for previously used freeform custom settings Aug 9, 2023
fichtner added a commit that referenced this issue Aug 17, 2023
fichtner added a commit that referenced this issue Aug 22, 2023
@smeretech

smeretech commented Aug 30, 2023

As referred to #6801, necessity to push route-gateway 'gateway IP'.

@smeretech

Hello
Sorry, I just wanted to know if it will be considered to be able to put the route-gateway option back in again. Unfortunately, I cannot upgrade from 23.1 to 23.7 as the CSO is also modified for those using the legacy part of OpenVPN.

@AdSchellevis
Member

@smeretech by default --route-gateway is set with the --server keyword (see https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/), if for specific cases this doesn't work, it might be good to offer some context on when this is. I don't have a strong feeling about leaving it out or adding it, but am interested to know the context before adding new options.

@smeretech

smeretech commented Sep 4, 2023

Thanks for your reply.
The context in which I use it is to deliver a single OpenVPN instance/server for multiple projects that need to be separated.
In my specific case, the server adopts a /16 internal network.
Through CSOs, I would assign different sub-networks of this /16 to each workgroup of users but the only way to set a gateway to clients that falls within this sub-network was to use route-gateway.
Otherwise, OpenVPN assigns the first IP of the /16 as the gateway for a client session resulting in the error of not being able to reach it.

example:
Tunnel network: 10.50.0.0/16

Group1 (CSO) IPv4 Tunnel Network: 10.50.0.0/28 (gateway 10.50.0.14)
Group2 (CSO) IPv4 Tunnel Network: 10.50.0.16/28 (gateway 10.50.0.30)
Group3 (CSO) IPv4 Tunnel Network: 10.50.0.32/27 (gateway 10.50.0.62)
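
The addressing plan from the comment above, checked in code. This is an added example, not part of the thread or of OPNsense: the function names are hypothetical, and the emitted directive is the plain OpenVPN `push "route-gateway <ip>"` form mentioned earlier in the thread, not OPNsense's generated output.

```python
import ipaddress

# Values copied from the example in the comment above.
TUNNEL_NETWORK = "10.50.0.0/16"
GROUPS = {
    "Group1": ("10.50.0.0/28", "10.50.0.14"),
    "Group2": ("10.50.0.16/28", "10.50.0.30"),
    "Group3": ("10.50.0.32/27", "10.50.0.62"),
}


def check_plan(tunnel, groups):
    """Return a list of problems; an empty list means the plan is consistent."""
    tunnel_net = ipaddress.ip_network(tunnel)
    problems = []
    parsed = {}
    for name, (subnet, gateway) in groups.items():
        net = ipaddress.ip_network(subnet)
        gw = ipaddress.ip_address(gateway)
        parsed[name] = net
        if not net.subnet_of(tunnel_net):
            problems.append(f"{name}: {net} is outside tunnel network {tunnel_net}")
        # The gateway has to be a usable host address inside the group's own
        # block; a gateway outside it is the unreachable case described above.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {gw} is not a host address in {net}")
    # Blocks that overlap would put two workgroups in the same address range.
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} and {b} overlap: {parsed[a]} / {parsed[b]}")
    return problems


def route_gateway_directives(groups):
    """Map each group to the OpenVPN push directive carrying its gateway."""
    return {name: f'push "route-gateway {gw}"' for name, (_, gw) in groups.items()}


if __name__ == "__main__":
    for problem in check_plan(TUNNEL_NETWORK, GROUPS):
        print("PROBLEM:", problem)
    for name, directive in route_gateway_directives(GROUPS).items():
        print(name, "->", directive)
```
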

AdSchellevis added a commit that referenced this issue Sep 4, 2023
…d option which can be used to offer a different default gateway to the client when splitting the pool into smaller blocks. for #6703
@AdSchellevis
Member

@smeretech sounds reasonable, should be fixed with 54ebcb0

@smeretech

smeretech commented Sep 4, 2023

Thank you.
In the migration process from 23.1 to 23.7, will the system automatically take into account what I had in the advanced fields to date and refer precisely to route-gateway?
In any case, I will wait until the next patch day to give it a try.

@AdSchellevis
Member

No, advanced fields have been deprecated without a migration (we added the note d62015d 4 years ago to offer people the time to seek alternatives like opening tickets and explaining why features would be needed).

@smeretech

OK.
To recap, during the upgrade to 23.7, the system will keep all CSOs and current network configurations (including "Local Networks" Subnets/hosts) but will not consider what we had within the Advanced field at all.

So, with the patch you just implemented, I will have to manually configure gateways for each CSO post upgrade.

In case, I could set one up and export the config file and then manually do the gateway addition for each CSOs and import the config file again. I hope it works.

@AdSchellevis
Member

yes

fichtner added a commit that referenced this issue Sep 6, 2023
(cherry picked from commit 0a4eacf)
(cherry picked from commit efd15f7)
(cherry picked from commit 7e85ad0)
fichtner pushed a commit that referenced this issue Sep 6, 2023
…d option which can be used to offer a different default gateway to the client when splitting the pool into smaller blocks. for #6703

(cherry picked from commit 54ebcb0)
@smeretech

smeretech commented Sep 14, 2023

Hello. Only for your info, with 23.7.4 the same title name appears for both the settings.

[image]

@AdSchellevis
Member

@smeretech thanks, should be fixed in 9fb7c04

@AdSchellevis AdSchellevis modified the milestones: 24.1, 24.7 Jan 3, 2024
@fichtner
Member Author

I'm retiring this ticket since there was no further feedback in the last half a year.
