Page MenuHomeVyOS Platform

OpenVPN IPv6 config issue with 1.4-rc1
Closed, ResolvedPublicBUG

Description

Hi All

I believe I've found another issue with VyOS 1.4-rc1; this time with OpenVPN.

Firstly, because I've been using lots of different rolling versions (both 1.4 and 1.5) my config turned fairly messy and so I essentially started all my again. This was certainly required when I moved to 1.5-rolling as there were many changes such as with firewalls and QoS.

..so I've worked a little bit backwards from 1.5 with the following OpenVPN config in 1.4-rc1:

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 openvpn-option '--data-ciphers aes-256-cbc'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server domain-name 'monck.com.au'
set interfaces openvpn vtun10 server name-server '192.168.0.5'
set interfaces openvpn vtun10 server name-server '192.168.10.247'
set interfaces openvpn vtun10 server push-route 0.0.0.0/0
set interfaces openvpn vtun10 server push-route ::/0
set interfaces openvpn vtun10 server subnet '192.168.7.0/24'
set interfaces openvpn vtun10 server subnet '2403:5815:6df3:7::/64'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls auth-key 'openvpn_auth_key'
set interfaces openvpn vtun10 tls ca-certificate 'ca'
set interfaces openvpn vtun10 tls certificate 'central'
set interfaces openvpn vtun10 tls dh-params 'dh'

However with this config OpenVPN won't start with the following error:

Options error: --server-ipv6 is incompatible with 'nopool' option

This is the config produced in vtun10.conf:

### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
#
#

verb 3
dev-type tun
dev vtun10
persist-key
proto udp
multihome
lport 1194
persist-tun
disable-dco

#
# OpenVPN Server mode
#
mode server
tls-server
topology subnet
server 192.168.7.0 255.255.255.0 nopool
push "route 0.0.0.0 0.0.0.0 vpn_gateway 0"
push "route-ipv6 ::/0"
ifconfig-pool 192.168.7.2 192.168.7.253 255.255.255.0
server-ipv6 2403:5815:6df3:7::/64

keepalive 10 600
management /run/openvpn/openvpn-mgmt-intf unix

push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DNS 192.168.10.247"
push "dhcp-option DOMAIN monck.com.au"

# TLS options
ca /run/openvpn/vtun10_ca.pem
cert /run/openvpn/vtun10_cert.pem
key /run/openvpn/vtun10_cert.key
dh /run/openvpn/vtun10_dh.pem
tls-auth /run/openvpn/vtun10_auth.key 0


# Encryption options
cipher AES-256-CBC
data-ciphers AES-256-CBC
# https://vyos.dev/T5027
# Required to support BF-CBC (default ciphername when none given)
providers legacy default

It seems this issue was already fixed in 1.5 as the changes I can see is the removal of the 'nopool' option, and the removal of the ifconfig-pool line:

### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
#
#

verb 3
dev-type tun
dev vtun10
persist-key
proto udp
multihome
lport 1194
persist-tun
disable-dco

#
# OpenVPN Server mode
#
mode server
tls-server
topology subnet
server 192.168.7.0 255.255.255.0
push "route 0.0.0.0 0.0.0.0 vpn_gateway 0"
push "route-ipv6 ::/0"
server-ipv6 2403:5815:6df3:7::/64

keepalive 10 600
management /run/openvpn/openvpn-mgmt-intf unix

push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DNS 192.168.10.247"
push "dhcp-option DOMAIN monck.com.au"

# TLS options
ca /run/openvpn/vtun10_ca.pem
cert /run/openvpn/vtun10_cert.pem
key /run/openvpn/vtun10_cert.key
dh /run/openvpn/vtun10_dh.pem
tls-auth /run/openvpn/vtun10_auth.key 0


# Encryption options
cipher AES-256-CBC
data-ciphers AES-256-CBC
providers default

If I make those changes in the 1.4-rc1 config then all works again, so it seems a bug has made its way back into 1.4-rc1 (or I guess never fixed in1.4).

Thanks

Chris..

Details

Version
1.4.0-rc1
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

StatusSubtypeAssignedTask
ResolvedBUGordex
ResolvedBUGc-po

Event Timeline

The fix from 1.5 was actually not backported. Thanks for testing and feedback

c-po changed the task status from Open to In progress.Jan 6 2024, 8:00 PM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po edited a custom field.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
c-po added a parent task: T3214: OpenVPN IPv6 fixes.