>> It turns out, NetBSD needs similar handling of subnet topology for tun
>> interfaces as OpenBSD does.
>>
>> Here is a patch to fix the issue (against OpenVPN 2.4.6):
>
> This comes as a bit of surprise - has something changed here on the
> NetBSD side? Which NetBSD version did you test this against, how
> does the problem manifest itself?
>
> I do run CI tests on various NetBSD versions, and never had an issue
> with --topology subnet there...

I tried both NetBSD-7.1 and NetBSD-current (which is now at 8.99.21), and my
OpenVPN setup does not work without the patch. On the server side, I use a simple
config like this (certificate sections omitted):

    local 192.168.56.1
    proto tcp-server
    dev tun
    topology subnet
    persist-tun
    persist-key
    server 10.1.0.0 255.255.0.0
    client-config-dir /dist/pkg/etc/openvpn/ccd
    tls-server
    tls-auth static.key 0

On the client side (NetBSD) it looks like this:

    remote 192.168.56.1 1194
    proto tcp-client
    dev tun
    persist-tun
    persist-key
    tls-client
    nobind
    remote-cert-tls server
    tls-auth static.key 1
    auth-nocache
    pull

The tun0 interface and routing are configured like this:

    % ifconfig tun0
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.1.0.2 -> 10.1.0.2 netmask 0xffff0000
    inet6 fe80::a00:27ff:fef1:6df7%tun0 -> prefixlen 64 scopeid 0x4
    % route -n show | grep 10.1
    10.1.0.2 10.1.0.2 UH - - - tun0

and the VPN network is unreachable (e.g. can't ping 10.1.0.1).

However, with the patch applied, the network looks like this:

    % ifconfig tun0
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.1.0.2 -> 10.1.0.1 netmask 0xffff0000
    inet6 fe80::a00:27ff:fef1:6df7%tun0 -> prefixlen 64 scopeid 0x4
    % route -n show | grep 10.1
    10.1/16 10.1.0.1 UG - - - tun0
    10.1.0.1 10.1.0.2 UH - - - tun0

and VPN works correctly.

Hoping that clarifies your concern. :)

Kind regards,
Adam
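
The two tun0 states quoted in this message can be told apart mechanically. The following is an added example, not part of the original e-mail or of OpenVPN: a Python check over `ifconfig tun0` and `route -n show` output. The function names and the embedded sample text (constructed from the output quoted above) are assumptions.

```python
import ipaddress
import re

# Constructed sample input, copied from the two states quoted in the message.
BROKEN_IF = "inet 10.1.0.2 -> 10.1.0.2 netmask 0xffff0000\n"
BROKEN_RT = "10.1.0.2 10.1.0.2 UH - - - tun0\n"
FIXED_IF = "inet 10.1.0.2 -> 10.1.0.1 netmask 0xffff0000\n"
FIXED_RT = ("10.1/16 10.1.0.1 UG - - - tun0\n"
            "10.1.0.1 10.1.0.2 UH - - - tun0\n")

# Matches the IPv4 line only; "inet6 ..." does not contain "inet " followed by an address.
INET_RE = re.compile(r"\binet (\S+) -> (\S+) netmask (0x[0-9a-fA-F]{8})")


def expand_dest(dest):
    """Expand a BSD-abbreviated destination ('10.1/16') to a network object."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def check_tun(ifconfig_out, route_out, ifname="tun0"):
    """Return a list of problems; an empty list means the subnet is routable."""
    m = INET_RE.search(ifconfig_out)
    if not m:
        return ["no IPv4 address found for " + ifname]
    local = ipaddress.ip_address(m.group(1))
    peer = ipaddress.ip_address(m.group(2))
    mask = ipaddress.ip_address(int(m.group(3), 16))
    subnet = ipaddress.ip_network(f"{local}/{mask}", strict=False)

    problems = []
    # Broken state in the message: the point-to-point peer is the local address.
    if peer == local:
        problems.append("peer address equals local address")
    # Broken state in the message: only a host route exists, none for the subnet.
    routed = False
    for line in route_out.splitlines():
        f = line.split()
        if len(f) >= 3 and f[-1] == ifname and f[0][0].isdigit():
            routed = routed or expand_dest(f[0]) == subnet
    if not routed:
        problems.append(f"no route for {subnet} via {ifname}")
    return problems


if __name__ == "__main__":
    print("without patch:", check_tun(BROKEN_IF, BROKEN_RT))
    print("with patch:   ", check_tun(FIXED_IF, FIXED_RT))
```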