Page MenuHomeVyOS Platform
Create Task
Maniphest T2145

openvpn: server default topology net30 is incompatible with static client IPs for Windows clients
Closed, ResolvedPublic
Actions

Description

If openvpn server topology is unset, openvpn >2.0 defaults to net30. Setting static IPs for clients with server client ip then generates ifconfig-push statements that aren't /30 subnets but are the subnet set for the server itself. Linux clients keep working but Windows clients fail with the error:

There is a problem in your selection of --ifconfig endpoints [local=192.0.2.12, remote=192.0.2.1]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.

The config that produces the above error:

openvpn vtun0 {
    encryption {
        ncp-ciphers aes256gcm
    }
    hash sha512
    local-host x.x.x.x
    mode server
    persistent-tunnel
    server {
        client client1 {
            ip 192.0.2.10
        }
        client client2 {
            ip 192.0.2.12
        }
        subnet 192.0.2.0/24
    }
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/server.crt
        crypt-file /config/auth/tls.key
        dh-file /config/auth/dh.pem
        key-file /config/auth/server.key
    }
}

Example ccd from the above config:

### Autogenerated by interfaces-openvpn.py ###

ifconfig-push 192.0.2.20 255.255.255.0

The following is the output of openvpn.exe --show-valid-subnets on Windows:

openvpn.exe --show-valid-subnets
On Windows, point-to-point IP support (i.e. --dev tun)
is emulated by the TAP-Win32 driver. The major limitation
imposed by this approach is that the --ifconfig local and
remote endpoints must be part of the same 255.255.255.252
subnet. The following list shows examples of endpoint
pairs which satisfy this requirement. Only the final
component of the IP address pairs is at issue.

As an example, the following option would be correct:
--ifconfig 10.7.0.5 10.7.0.6 (on host A)
--ifconfig 10.7.0.6 10.7.0.5 (on host B)
because [5,6] is part of the below list.

[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

A quick fix/workaround is setting topology subnet, which works with the same config for both Linux and Windows clients. Interestingly, net30 isn't even an option for subnet, while openvpn defaults to it if subnet is unset. net30 should probably be added as an option to topology.

I think the script should have this list of allowed IP pairs and only allow setting client IPs to a valid IP in a pair, with the completion and value help getting the list of allowed IPs from the script, only when net30 is selected (all free IPs in the server subnet are valid in subnet topology so this needs to be done conditionally). The ifconfig-push command is also different between net30 and subnet topologies

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Related Objects
Search...

Event Timeline

jjakob created this task.Mar 21 2020, 6:07 PM
jjakob created this object in space S1 VyOS Public.
jjakob updated the task description. (Show Details)
jjakob added a comment.Apr 17 2020, 10:06 AM

The recent work on openvpn added net30 as an option for "server topology" and marked it as default in the shell value help so at least users should now know it's the default. Personally I'd like the default topology to be subnet but that would mean adding a migrator script for old users who use net30.
It also rewrote some parts of the ifconfig setting logic. This should be retested if it's still an issue.

jjakob added a project: openvpn.Apr 17 2020, 10:08 AM
pasik subscribed.Apr 17 2020, 1:23 PM
erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 5:15 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:05 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:43 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:30 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:38 PM
dmbaturin added a project: VyOS 1.4 Sagitta.Jan 9 2024, 4:51 PM
dmbaturin triaged this task as High priority.Jan 9 2024, 5:16 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.7); removed VyOS 1.3 Equuleus (1.3.6).Feb 10 2024, 9:18 AM
dmbaturin added a project: Restricted Project.Feb 15 2024, 11:28 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta.Feb 15 2024, 3:04 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).May 13 2024, 7:32 PM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta (1.4.0-epa1).May 15 2024, 9:30 AM
dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.9); removed VyOS 1.3 Equuleus (1.3.8).Jun 20 2024, 10:17 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.1); removed VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project, openvpn.Tue, Jul 2, 7:28 PM
fernando subscribed.Sat, Jul 13, 7:28 PM

I've tested in the new version , the problem with default net30 , it is already there .however , when the new version started show a warning message that migrating from net30 to subnet because is going to be deprecated :

Jul 13 17:55:01 systemd[1]: Starting [email protected] - OpenVPN connection to vtun10...
Jul 13 17:55:01 openvpn-vtun10[2612]: WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.

message on windows client , when it try to get a connection :

2024-07-13 11:07:44 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-07-13 11:07:44 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN vyos.net,route 192.0.2.1,topology net30,ping 10,ping-restart 600,ifconfig 192.0.2.12 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2024-07-13 11:07:44 OPTIONS IMPORT: --ifconfig/up options modified
2024-07-13 11:07:44 OPTIONS IMPORT: route options modified
2024-07-13 11:07:44 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-07-13 11:07:44 OPTIONS IMPORT: tun-mtu set to 1500
2024-07-13 11:07:44 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
2024-07-13 11:07:44 MANAGEMENT: Client disconnected
2024-07-13 11:07:44 There is a problem in your selection of --ifconfig endpoints [local=192.0.2.12, remote=255.255.255.0].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
2024-07-13 11:07:44 Exiting due to fatal error

if we use the topology subnet it works without problem ,here is another case why we should migrate it :

https://forums.openvpn.net/viewtopic.php?f=6&t=33728&p=104949#p104949

vyos configuration :

vyos@vyos-ser-win:~$ show openvpn server

OpenVPN status on vtun10

Client CN    Remote Host         Tunnel IP    Local Host    TX bytes    RX bytes    Connected Since
-----------  ------------------  -----------  ------------  ----------  ----------  -------------------
client2      172.16.50.23:64537  192.0.2.13   N/A           5.4 KB      13.2 KB     2024-07-13 19:16:22

vyos@vyos-ser-win:~$ show configuration commands
set interfaces ethernet eth1 address '172.16.100.1/24'
set interfaces ethernet eth1 hw-id '50:00:00:01:00:01'

set interfaces loopback lo
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes256gcm'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '172.16.50.28'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 server client client2 ip '192.0.2.13'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server subnet '192.0.2.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'openvpn_vtun10_1'
set interfaces openvpn vtun10 tls certificate 'openvpn_vtun10'
set interfaces openvpn vtun10 tls dh-params 'openvpn_vtun10'
fernando changed the task status from Open to Confirmed.Sat, Jul 13, 8:04 PM
dmbaturin added a parent task: T6591: Deprecate the net30 topology option in OpenVPN.Wed, Jul 17, 1:14 PM
fernando claimed this task.Thu, Jul 25, 3:44 PM

tested and resolved, we've added this change in our cli to fix this deprecate option in opnvpn :

[edit]
vyos@vyos-ser-win# set interfaces openvpn vtun10 server topology
Possible completions:
   subnet               Subnet topology (recommended) (default)
   point-to-point       Point-to-point topology
   net30                net30 topology (deprecated)
fernando closed this task as Resolved.Thu, Jul 25, 3:46 PM