From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: openvpn-2.7_rc1
Date: Thu, 19 Feb 2026 18:25:31 +0100
Message-ID: <1eccafd1bfb3b86c75dd7b3082fd204c3a70e38a.camel@ipfire.org>
In-Reply-To: <7b53160b-eb3a-4b1b-b068-94057bd680e1@ipfire.org>
Hello Adolf,
Great, so you know about it :-).
Have you recognized the redirect-gateway message too?
Also, did you check the new script in libexec `dns-updown`? It seems
that this is a kind of new feature from 2.7.0 (haven't dug deeper)?
Best,
Erik
On Thursday, 19.02.2026 at 17:04 +0100, Adolf Belka wrote:
> Hi Erik,
>
>
> On 19/02/2026 16:03, ummeegge wrote:
> > Hi all,
> >
> > since OpenVPN 2.7.0 was released last week, I’ve done some more
> > testing
> > with the new DCO flag.
> >
> > ```
> > @@ -73,10 +73,10 @@ $(TARGET) : $(patsubst
> > %,$(DIR_DL)/%,$(objects))
> > cd $(DIR_APP) && ./configure \
> > --prefix=/usr \
> > --sysconfdir=/var/ipfire/ovpn \
> > - --enable-iproute2 \
> > --enable-plugins \
> > --enable-plugin-auth-pam \
> > - --enable-plugin-down-root
> > + --enable-plugin-down-root \
> > + --enable-dco
> > ```
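Review bot: the removal of `--enable-iproute2` from the configure arguments is not explained anywhere in the accompanying mail, which only mentions testing the new DCO flag. If dropping it is a prerequisite for `--enable-dco`, the commit message should say so, and it should state whether anything else in the build or the up/down scripts still relies on OpenVPN having been built with iproute2 support. It would also help to note what happens on systems where DCO is unavailable at runtime, since the flag is now enabled unconditionally at build time.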
> >
> > I’ve found a couple of other issues:
> >
> > There have been some changes in the management interface, and a
> > protocol prefix is now included (e.g. udp4:).
> > As a result, the old regex patterns for
> > a) OpenVPN Connection Statistics and
> > b) Connection Status
> > no longer update or show data. This shouldn’t be hard to fix.
>
> I already have patch fixes for this from my testing of the alpha3,
> beta1 and rc1. If you go to my IPFire git repo (link at end of this
> mail) the patch is in that rc1 branch. There is also the removal of
> the deprecated persist-key which is now always enabled by default.
>
> Regards,
>
> Adolf.
>
> >
> > With OpenVPN 2.7.0, a MULTI ERROR appears when creating a client
> > with
> > “redirect-gateway”. Example message:
> >
> > ```
> > Feb 19 13:34:36 ipfire-prime openvpnserver[7329]:
> > PeterForden/udp4:192.168.110.10:38103 MULTI ERROR: primary virtual
> > IP
> > for PeterForden/udp4:192.168.110.10:38103 (10.12.52.2) violates
> > tunnel
> > network/netmask constraint (10.73.104.0/255.255.255.0)
> > ```
> >
> > The connection still works fine, but the log entries don’t look
> > good.
> > This happens because older setups used `redirect-gateway def1` in
> > the
> > advanced options, and remnants of this are still present in
> > server.conf
> > (push "redirect-gateway def1"), even though the checkbox for this
> > option has disappeared.
> >
> > When creating a new client, enabling redirect-gateway (here without
> > def1) now triggers this MULTI ERROR (“violates tunnel
> > network/netmask
> > constraint”).
> >
> > Using redirect-gateway def1 might actually be the better and more
> > modern approach, since it adds two more specific routes (0.0.0.0/1
> > and
> > 128.0.0.0/1) instead of replacing the original default route —
> > keeping
> > it available as a fallback.
> >
> > → Should `redirect-gateway def1` therefore be pushed globally for
> > all
> > clients? If not explicitly configured otherwise, it would still
> > apply.
> >
> > So far, DCO seems to do its job.
> >
> > Some smaller issues have been noticed, but I think these are the
> > key
> > points so far.
> >
> > Hope this mail isn’t **too long**, but I thought it might be useful
> > to
> > share.
> >
> > Best,
> >
> > Erik
> >
> > On Thursday, 06.11.2025 at 22:19 +0100, Adolf Belka wrote:
> > > Hi All,
> > >
> > > Follow-on from my previous mails about testing openvpn-
> > > 2.7_alpha3.
> > >
> > > Since then I have tested out openvpn-2.7_beta1 and today I tested
> > > out
> > > openvpn-2.7_rc1
> > >
> > > It built without any problems and I also tested it on my vm
> > > system
> > > and confirmed that my android phone and linux laptop road
> > > warriors
> > > worked without any problems.
> > > I also tested out the n2 connection with openvpn-2.7_rc1 at one
> > > end
> > > and openvpn-2.6.15 at the other end and it connected without any
> > > issues.
> > >
> > > So the rc1 version has performed as the previous alpha3 and beta1
> > > versions.
> > >
> > > I have merged the build branch into my ipfire repo
> > >
> > > https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=shortlog;h=refs/heads/openvpn-2.7_rc1
> > >
> > > Regards,
> > >
> > > Adolf.
> >
>
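The thread notes that OpenVPN 2.7.0 puts a protocol prefix (e.g. `udp4:`) in front of the client's real address, which breaks patterns written for the older `host:port` form. The following is an added example, not code from this thread or from IPFire: a tolerant parser that accepts both forms. The function names, the set of prefixes other than `udp4`, and the bracketed IPv6 form are assumptions.

```python
import re

# Assumption: the prefix is a transport name such as udp4, udp6, tcp4 or tcp6
# followed by ':'. Only "udp4:" is confirmed by the log line in this thread.
# Assumption: IPv6 peers appear in bracketed form, e.g. [2001:db8::1]:1194.
REAL_ADDR = re.compile(
    r"^(?:(?P<proto>(?:udp|tcp)[46]?):)?"                # optional 2.7-style prefix
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^:\s]+))"  # [IPv6] or IPv4/hostname
    r":(?P<port>\d{1,5})$"                               # port is mandatory
)

def parse_real_address(field):
    """Return (proto, host, port) or None; proto is None for the old format."""
    m = REAL_ADDR.match(field.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if port > 65535:          # five digits can still exceed the valid range
        return None
    return m.group("proto"), m.group("v6") or m.group("host"), port

def parse_client_prefix(log_prefix):
    """Split 'CommonName/real-address' as it appears in the server log."""
    name, sep, addr = log_prefix.rpartition("/")
    parsed = parse_real_address(addr)
    if not sep or parsed is None:
        return None
    return (name,) + parsed

# Constructed samples, modelled on the log line quoted in the thread.
SAMPLES = [
    "PeterForden/udp4:192.168.110.10:38103",  # 2.7.0 style, as in the thread
    "PeterForden/192.168.110.10:38103",       # pre-2.7 style, no prefix
    "PeterForden/udp4:192.168.110.10",        # malformed: port missing
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", parse_client_prefix(sample))
```

Returning `None` for anything that does not match keeps a status page from silently showing a half-parsed address when the format changes again.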