
OpenVPN server configuration deleted after reboot when using a VRRP virtual-address
Closed, Resolved | Public | BUG

Description

Hi,

When configuring OpenVPN to use a VRRP virtual-address, after reboot VyOS reports a configuration error and deletes the OpenVPN interface.

openvpn-error1.png (143×981 px, 39 KB)

Sample configuration that causes the error below:

high-availability {
    vrrp {
        group eth0 {
            advertise-interval 1
            authentication {
                password ****************
                type plaintext-password
            }
            interface eth0
            no-preempt
            priority 200
            rfc3768-compatibility
            virtual-address <SECONDARY FLOATING WAN IP>
            vrid 10
        }
        group eth1 {
            advertise-interval 1
            authentication {
                password ****************
                type plaintext-password
            }
            interface eth1
            no-preempt
            priority 200
            rfc3768-compatibility
            virtual-address <INTERNAL IP>
            vrid 11
        }
        sync-group MAIN {
            member eth0
            member eth1
            transition-script {
                backup /config/scripts/vrrp_backup.sh
                master /config/scripts/vrrp_master.sh
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address <PRIMARY WAN IP>
        description WAN
    }
    ethernet eth1 {
        address <INTERNAL LAN IP>
        description LAN
    }
    loopback lo {
    }
    openvpn vtun10 {
        encryption {
            cipher aes256gcm
        }
        hash sha512
        keep-alive {
            failure-count 120
            interval 10
        }
        local-host <SECONDARY FLOATING WAN IP>
        local-port 1194
        mode server
        openvpn-option "--tls-crypt-v2 /config/auth/tls-crypt-v2-server.key"
        persistent-tunnel
        protocol udp
        server {
            domain-name <DOMAIN NAME>
            max-connections 5
            name-server 8.8.8.8
            push-route <INTERNAL ROUTE> {
            }
            push-route <INTERNAL ROUTE> {
            }
            subnet <INTERNAL SUBNET>
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/router-cluster.crt
            dh-file /config/auth/dh.pem
            key-file /config/auth/router-cluster.key
        }
        use-lzo-compression
    }
}

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.3-beta-202112240442
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

The IP address for OpenVPN is not yet assigned, as the priority for OpenVPN is less than for HA:

460 interfaces/openvpn
800 high-availability

And we have checks if the address is assigned:

set interfaces ethernet eth0 address '10.1.12.1/24'
set high-availability vrrp group FOO interface 'eth0'
set high-availability vrrp group FOO no-preempt
set high-availability vrrp group FOO priority '150'
set high-availability vrrp group FOO rfc3768-compatibility
set high-availability vrrp group FOO virtual-address '203.0.113.1/24'
set high-availability vrrp group FOO vrid '10'

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '203.0.113.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server name-server '172.16.254.30'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/central.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/central.key'
set interfaces openvpn vtun10 tls tls-version-min '1.0'
set interfaces openvpn vtun10 use-lzo-compression

vyos@r4# commit

local-host IP address "203.0.113.1" not assigned to any interface

[[interfaces openvpn vtun10]] failed
Commit failed
[edit]
vyos@r4#
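The ordering problem described in the comment above, replayed as an added example (constructed here, not VyOS code): scripts run in ascending priority, so the OpenVPN verify step runs before high-availability has installed the VRRP virtual-address. It also shows why a check based on addresses currently assigned can never pass on the BACKUP node, since keepalived installs the virtual-address only while a node is MASTER; `verify_local_host`, `boot`, the `vrrp_aware` relaxation and the static address 10.1.12.1 are assumptions of this model.

```python
from ipaddress import ip_interface

# Added example modelling the boot-time ordering problem in this task; not VyOS code.
# VyOS runs config-mode scripts in ascending priority; the two values are the ones
# quoted in the comment: interfaces/openvpn (460) is applied before high-availability (800).
PRIORITY = {"interfaces/openvpn": 460, "high-availability": 800}

class ConfigError(Exception):
    pass

def verify_local_host(local_host, assigned, configured_vips=()):
    """Strict check from the commit output: local-host must be on an interface right now.
    configured_vips is a hypothetical relaxation: also accept an address that the same
    configuration declares as a VRRP virtual-address, whether or not it is up yet/here."""
    if local_host in assigned or local_host in configured_vips:
        return True
    raise ConfigError(f'local-host IP address "{local_host}" not assigned to any interface')

def boot(config, vrrp_state="MASTER", vrrp_aware=False):
    """Replay a boot in priority order; return {script: "ok" | "failed"}."""
    assigned = {"10.1.12.1"}  # constructed starting state: static ethernet address is up
    result = {}
    vip = str(ip_interface(config["high-availability"]["virtual-address"]).ip)
    for script in sorted(config, key=PRIORITY.__getitem__):
        if script == "high-availability":
            # keepalived installs the virtual-address only while this node is MASTER
            if vrrp_state == "MASTER":
                assigned.add(vip)
            result[script] = "ok"
        else:
            try:
                verify_local_host(config[script]["local-host"], assigned,
                                  {vip} if vrrp_aware else ())
                result[script] = "ok"
            except ConfigError:
                result[script] = "failed"
    return result

# Constructed configuration mirroring the reproducer in the comment above.
CONFIG = {
    "high-availability": {"virtual-address": "203.0.113.1/24"},
    "interfaces/openvpn": {"local-host": "203.0.113.1"},
}

if __name__ == "__main__":
    print(boot(CONFIG))                                        # openvpn failed: VIP not yet up
    print(boot(CONFIG, vrrp_aware=True))                       # ok
    print(boot(CONFIG, vrrp_state="BACKUP"))                   # failed even with correct order
    print(boot(CONFIG, vrrp_state="BACKUP", vrrp_aware=True))  # ok on the standby node too
```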
Viacheslav changed the task status from Open to Confirmed. Feb 8 2022, 10:01 AM
Viacheslav changed the subtype of this task from "Task" to "Bug".
Viacheslav changed the task status from Confirmed to In progress. Feb 8 2022, 10:11 AM
Viacheslav claimed this task.
c-po triaged this task as Normal priority.
c-po added a project: VyOS 1.4 Sagitta.
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).