Opened 3 years ago

Closed 2 years ago

#1263 closed Feature Wish (worksforme)

Invalid base address in "server" line causes openvpn to fail to start. Should be avoidable

Reported by: nickh Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:


If you have a server line on your OpenVPN server configuration file like
server, OpenVPN will fail to start giving:

[root@server ~]# systemctl status openvpn@clients-tcp -l
● openvpn@clients-tcp.service - OpenVPN Robust And Highly Flexible Tunneling Application On clients/tcp
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2020-03-25 12:32:18 GMT; 10min ago
  Process: 29990 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
 Main PID: 29990 (code=exited, status=1/FAILURE)

Mar 25 12:32:18 openvpn[29990]: Options error: --server directive network/netmask combination is invalid
Mar 25 12:32:18 openvpn[29990]: Use --help for more information.
Mar 25 12:32:18 systemd[1]: openvpn@clients-tcp.service: main process exited, code=exited, status=1/FAILURE
Mar 25 12:32:18 systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On clients/tcp.
Mar 25 12:32:18 systemd[1]: Unit openvpn@clients-tcp.service entered failed state.
Mar 25 12:32:18 systemd[1]: openvpn@clients-tcp.service failed.

Certainly in Linux it would be trivial to calculate the correct base address with ipcalc with something like ipcalc -n which gives NETWORK=

This could be used to avoid the startup failure.
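A pre-flight check along the lines suggested above, as an added example that is not part of the original ticket or of OpenVPN: it scans a configuration for `server <network> <netmask>` lines and reports the base address that masking off the host bits gives. The function name and the sample configuration, including its addresses, are constructed for illustration.

```python
import ipaddress

# Constructed sample config; the addresses are illustrative, not from the ticket.
SAMPLE_CONFIG = """\
port 1194
proto tcp
# server 10.9.0.1 255.255.255.0
server 10.8.0.1 255.255.255.0
"""


def check_server_lines(config_text):
    """Find `server <network> <netmask>` lines whose network is not the base address.

    Returns a list of (line_number, given_network, netmask, correct_base).
    correct_base is None when the address or netmask cannot be parsed at all.
    An empty list means every `server` line already uses its base address.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        fields = raw.split()
        # Commented-out lines start with '#' or ';', so their first field
        # is never exactly "server" and they are skipped here.
        if len(fields) < 3 or fields[0] != "server":
            continue
        given, netmask = fields[1], fields[2]
        try:
            # strict=False clears the host bits instead of raising an error.
            net = ipaddress.IPv4Network(f"{given}/{netmask}", strict=False)
        except ValueError:
            findings.append((lineno, given, netmask, None))
            continue
        base = str(net.network_address)
        if base != given:
            findings.append((lineno, given, netmask, base))
    return findings


if __name__ == "__main__":
    for lineno, given, netmask, base in check_server_lines(SAMPLE_CONFIG):
        if base is None:
            print(f"line {lineno}: cannot parse 'server {given} {netmask}'")
        else:
            print(f"line {lineno}: 'server {given} {netmask}' should be "
                  f"'server {base} {netmask}'")
```

Running it against a configuration before restarting the service shows the offending line and the corrected directive without taking the VPN down.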

Change History (2)

comment:1 Changed 2 years ago by tct

You can change open source software as you see fit.

comment:2 Changed 2 years ago by Gert Döring

Resolution: worksforme
Status: new → closed
Type: Bug / Defect → Feature Wish

I am not going to invest time into this - yes, it's not much work to change this in OpenVPN, but someone needs to do this (code the patch, review it, test it, etc.) - and it's easier to just configure the address correctly.

If a patch comes in (via the openvpn-devel mailing list) we'll look at it.

But even then, it might be more interesting to make the IPv4 code do what the IPv6 code does - if you specify a non-0 host part for ifconfig-pool or server, use that as the base address and shift the pool start accordingly.

OTOH IPv4 is so sparse that it does not make much sense to use less than the full network...
