Hello Adolf,

great so you know about :-) . Have you recognized the redirect-gateway message too? Also, did you check the new script in libexec `dns-updown`? It seems that this is a kind of new feature from 2.7.0 (haven't dug deeper)?

Best,

Erik

On Thursday, 19.02.2026 at 17:04 +0100, Adolf Belka wrote:
> Hi Erik,
>
> On 19/02/2026 16:03, ummeegge wrote:
> > Hi all,
> >
> > since OpenVPN 2.7.0 was released last week, I’ve done some more testing
> > with the new DCO flag.
> >
> > ```
> > @@ -73,10 +73,10 @@ $(TARGET) : $(patsubst > > %,$(DIR_DL)/%,$(objects)) > > cd $(DIR_APP) && ./configure \ > > --prefix=/usr \ > > --sysconfdir=/var/ipfire/ovpn \ > > - --enable-iproute2 \ > > --enable-plugins \ > > --enable-plugin-auth-pam \ > > - --enable-plugin-down-root > > + --enable-plugin-down-root \ > > + --enable-dco
> > ```
> >
> > I’ve found a couple of other issues:
> >
> > There have been some changes in the management interface, and a
> > protocol prefix is now included (e.g. udp4:).
> > As a result, the old regex patterns for
> > a) OpenVPN Connection Statistics and
> > b) Connection Status
> > no longer update or show data. This shouldn’t be hard to fix.
>
> I already have patch fixes for this from my testing of the alpha3,
> beta1 and rc1. If you go to my IPFire git repo (link at end of this
> mail) the patch is in that rc1 branch. There is also the removal of
> the deprecated persist-key which is now always enabled by default.
>
> Regards,
>
> Adolf.
>
> >
> > With OpenVPN 2.7.0, a MULTI ERROR appears when creating a client with
> > “redirect-gateway”. Example message:
> >
> > ```
> > Feb 19 13:34:36 ipfire-prime openvpnserver[7329]: PeterForden/udp4:192.168.110.10:38103 MULTI ERROR: primary virtual IP for PeterForden/udp4:192.168.110.10:38103 (10.12.52.2) violates tunnel network/netmask constraint (10.73.104.0/255.255.255.0)
> > ```
> >
> > The connection still works fine, but the log entries don’t look good.
> > This happens because older setups used `redirect-gateway def1` in the
> > advanced options, and remnants of this are still present in server.conf
> > (push "redirect-gateway def1"), even though the checkbox for this
> > option has disappeared.
> >
> > When creating a new client, enabling redirect-gateway (here without
> > def1) now triggers this MULTI ERROR (“violates tunnel network/netmask
> > constraint”).
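
Review bot: the removal of `--enable-iproute2` from the `./configure` options is not explained in the accompanying mail, which only mentions testing the new DCO flag. Please state in the commit message why it is dropped in the same change that adds `--enable-dco`, and confirm that nothing in the existing setups still relies on that option.
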
> >
> > Using redirect-gateway def1 might actually be the better and more
> > modern approach, since it adds two more specific routes (0.0.0.0/1 and
> > 128.0.0.0/1) instead of replacing the original default route — keeping
> > it available as a fallback.
> >
> > → Should `redirect-gateway def1` therefore be pushed globally for all
> > clients? If not explicitly configured otherwise, it would still apply.
> >
> > So far, DCO seems to do its job.
> >
> > Some smaller issues have been noticed, but I think these are the key
> > points so far.
> >
> > Hope this mail isn’t **too long**, but I thought it might be useful to
> > share.
> >
> > Best,
> >
> > Erik
> >
> > On Thursday, 06.11.2025 at 22:19 +0100, Adolf Belka wrote:
> > > Hi All,
> > >
> > > Follow-on from my previous mails about testing openvpn-2.7_alpha3.
> > >
> > > Since then I have tested out openvpn-2.7_beta1 and today I tested out
> > > openvpn-2.7_rc1
> > >
> > > It built without any problems and I also tested it on my vm system
> > > and confirmed that my android phone and linux laptop road warriors
> > > worked without any problems.
> > > I also tested out the n2 connection with openvpn-2.7_rc1 at one end
> > > and openvpn-2.6.15 at the other end and it connected without any
> > > issues.
> > >
> > > So the rc1 version has performed as the previous alpha3 and beta1
> > > versions.
> > >
> > > I have merged the build branch into my ipfire repo
> > >
> > > https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=shortlog;h=refs/heads/openvpn-2.7_rc1
> > >
> > > Regards,
> > >
> > > Adolf.
> > >
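
The two log-related points in the thread (the `udp4:` protocol prefix that broke the old regex patterns, and the MULTI ERROR constraint message) can be checked together with a small parser. This is an added example, not code from the mails or from IPFire; the function and field names are hypothetical, and the variant without the prefix is constructed from the quoted line.

```python
import ipaddress
import re

# Peer identifier as in the log line quoted in the thread:
# CommonName/[proto:]address:port. The protocol prefix (e.g. "udp4:") is
# optional so that lines written without it still match (IPv4 peers only).
PEER = (r"(?P<cn>[^/\s]+)/(?:(?P<proto>[a-z]+[46]?):)?"
        r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

MULTI_ERROR = re.compile(
    PEER + r" MULTI ERROR: primary virtual IP for \S+ \((?P<vip>[^)]+)\) "
    r"violates tunnel network/netmask constraint "
    r"\((?P<net>[^/]+)/(?P<mask>[^)]+)\)"
)


def parse_multi_error(line):
    """Return the fields of a MULTI ERROR constraint line, or None."""
    m = MULTI_ERROR.search(line)
    if m is None:
        return None
    network = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
    vip = ipaddress.ip_address(m["vip"])
    return {
        "common_name": m["cn"],
        "proto": m["proto"],  # None when the line carries no prefix
        "real_address": m["addr"],
        "port": int(m["port"]),
        "virtual_ip": str(vip),
        "tunnel_network": str(network),
        # Recompute the check the server complains about.
        "inside_tunnel_network": vip in network,
    }


# Log line from the thread, joined onto one line.
LINE_WITH_PREFIX = (
    "Feb 19 13:34:36 ipfire-prime openvpnserver[7329]: "
    "PeterForden/udp4:192.168.110.10:38103 MULTI ERROR: primary virtual IP "
    "for PeterForden/udp4:192.168.110.10:38103 (10.12.52.2) violates tunnel "
    "network/netmask constraint (10.73.104.0/255.255.255.0)"
)
# Constructed sample: the same line without the protocol prefix.
LINE_WITHOUT_PREFIX = LINE_WITH_PREFIX.replace("udp4:", "")

if __name__ == "__main__":
    for sample in (LINE_WITH_PREFIX, LINE_WITHOUT_PREFIX):
        print(parse_multi_error(sample))
```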
