Message-ID: <1eccafd1bfb3b86c75dd7b3082fd204c3a70e38a.camel@ipfire.org>
Subject: Re: openvpn-2.7_rc1
From: ummeegge
To: development@lists.ipfire.org
Date: Thu, 19 Feb 2026 18:25:31 +0100
In-Reply-To: <7b53160b-eb3a-4b1b-b068-94057bd680e1@ipfire.org>
References: <4247a605-6aac-4c9c-93c8-db236c2cb769@ipfire.org> <414d5c1c72ceabb0f3051ba917bb45ff7de3f90f.camel@ipfire.org> <7b53160b-eb3a-4b1b-b068-94057bd680e1@ipfire.org>

Hello Adolf,

great, so you know about it :-). Have you recognized the redirect-gateway message too? Also, did you check the new script in libexec `dns-updown`? It seems that this is a kind of new feature from 2.7.0 (haven't dug deeper)?

Best,

Erik

On Thursday, 19.02.2026 at 17:04 +0100, Adolf Belka wrote:
> Hi Erik,
>
>
> On 19/02/2026 16:03, ummeegge wrote:
> > Hi all,
> >
> > since OpenVPN 2.7.0 was released last week, I’ve done some more testing
> > with the new DCO flag.
> >
> > ```
> > @@ -73,10 +73,10 @@ $(TARGET) : $(patsubst > > %,$(DIR_DL)/%,$(objects)) > > cd $(DIR_APP) && ./configure \ > > --prefix=3D/usr \ > > --sysconfdir=3D/var/ipfire/ovpn \ > > - --enable-iproute2 \ > > --enable-plugins \ > > --enable-plugin-auth-pam \ > > - --enable-plugin-down-root > > + --enable-plugin-down-root \ > > + --enable-dco
> > ```
> >
> > I’ve found a couple of other issues:
> >
> > There have been some changes in the management interface, and a
> > protocol prefix is now included (e.g. udp4:).
> > As a result, the old regex patterns for
> > a) OpenVPN Connection Statistics and
> > b) Connection Status
> > no longer update or show data. This shouldn’t be hard to fix.
>
> I already have patch fixes for this from my testing of the alpha3,
> beta1 and rc1. If you go to my IPFire git repo (link at end of this
> mail) the patch is in that rc1 branch. There is also the removal of
> the deprecated persist-key which is now always enabled by default.
>
> Regards,
>
> Adolf.
>
> >
> > With OpenVPN 2.7.0, a MULTI ERROR appears when creating a client with
> > “redirect-gateway”. Example message:
> >
> > ```
> > Feb 19 13:34:36 ipfire-prime openvpnserver[7329]: PeterForden/udp4:192.168.110.10:38103 MULTI ERROR: primary virtual IP for PeterForden/udp4:192.168.110.10:38103 (10.12.52.2) violates tunnel network/netmask constraint (10.73.104.0/255.255.255.0)
> > ```
> >
> > The connection still works fine, but the log entries don’t look good.
> > This happens because older setups used `redirect-gateway def1` in the
> > advanced options, and remnants of this are still present in server.conf
> > (push "redirect-gateway def1"), even though the checkbox for this
> > option has disappeared.
> >
> > When creating a new client, enabling redirect-gateway (here without
> > def1) now triggers this MULTI ERROR (“violates tunnel network/netmask
> > constraint”).
> >
> > Using redirect-gateway def1 might actually be the better and more
> > modern approach, since it adds two more specific routes (0.0.0.0/1 and
> > 128.0.0.0/1) instead of replacing the original default route — keeping
> > it available as a fallback.
> >
> > → Should `redirect-gateway def1` therefore be pushed globally for all
> > clients? If not explicitly configured otherwise, it would still apply.
> >
> > So far, DCO seems to do its job.
> >
> > Some smaller issues have been noticed, but I think these are the key
> > points so far.
> >
> > Hope this mail isn’t **too long**, but I thought it might be useful to
> > share.
> >
> > Best,
> >
> > Erik
> >
> > On Thursday, 06.11.2025 at 22:19 +0100, Adolf Belka wrote:
> > > Hi All,
> > >
> > > Follow-on from my previous mails about testing openvpn-2.7_alpha3.
> > >
> > > Since then I have tested out openvpn-2.7_beta1 and today I tested out
> > > openvpn-2.7_rc1
> > >
> > > It built without any problems and I also tested it on my vm system
> > > and confirmed that my android phone and linux laptop road warriors
> > > worked without any problems.
> > > I also tested out the n2 connection with openvpn-2.7_rc1 at one end
> > > and openvpn-2.6.15 at the other end and it connected without any
> > > issues.
> > >
> > > So the rc1 version has performed as the previous alpha3 and beta1
> > > versions.
> > >
> > > I have merged the build branch into my ipfire repo
> > >
> > > https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=shortlog;h=refs/heads/openvpn-2.7_rc1
> > >
> > > Regards,
> > >
> > > Adolf.
> >
>
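
Review bot: the removal of `--enable-iproute2` in the ./configure hunk quoted above is not explained anywhere in the visible text, which only mentions testing the new DCO flag. Since the same hunk adds `--enable-dco`, the commit message should state whether dropping `--enable-iproute2` is a prerequisite for DCO or an independent cleanup, so the two can be reverted or bisected separately if one of them causes a regression.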
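
The protocol-prefix change discussed in this thread (a prefix such as `udp4:` in front of the client address), as an added example that is not code from IPFire or from either poster: a matcher that accepts the peer identifier with or without the prefix and validates the address and port. `PEER_RE`, `LEGACY_RE` and `parse_peer` are hypothetical names; prefixes other than `udp4` and the bracketed IPv6 form are assumptions.

```python
import ipaddress
import re

# Peer identifier as printed in the log line quoted in this thread:
#   PeterForden/udp4:192.168.110.10:38103
# Assumption: other prefixes follow the same udp/tcp + 4/6 shape and
# IPv6 hosts are written in brackets.
PEER_RE = re.compile(
    r"(?P<cn>[^/\s]+)/"                       # common name
    r"(?:(?P<proto>(?:udp|tcp)[46]?):)?"      # optional protocol prefix
    r"(?P<host>\[[0-9A-Fa-f:]+\]|\d{1,3}(?:\.\d{1,3}){3})"
    r":(?P<port>\d{1,5})(?=\s|$)"
)

# Constructed stand-in for a pattern that expects the address directly
# after the slash; it is not IPFire's actual regex.
LEGACY_RE = re.compile(r"([^/\s]+)/(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?=\s|$)")


def parse_peer(text):
    """Return cn/proto/host/port for the first peer in text, or None."""
    m = PEER_RE.search(text)
    if m is None:
        return None
    try:
        host = ipaddress.ip_address(m["host"].strip("[]"))
    except ValueError:      # e.g. 999.1.1.1 passes the regex but is not an IP
        return None
    port = int(m["port"])
    if not 0 < port <= 65535:
        return None
    return {"cn": m["cn"], "proto": m["proto"], "host": str(host), "port": port}


# First sample is the log line from the thread; the rest are constructed.
SAMPLES = [
    "Feb 19 13:34:36 ipfire-prime openvpnserver[7329]: "
    "PeterForden/udp4:192.168.110.10:38103 MULTI ERROR: primary virtual IP "
    "for PeterForden/udp4:192.168.110.10:38103 (10.12.52.2) violates tunnel "
    "network/netmask constraint (10.73.104.0/255.255.255.0)",
    "PeterForden/192.168.110.10:38103",      # no prefix
    "alice/udp6:[2001:db8::1]:1194",         # assumed IPv6 form
    "bob/udp4:999.1.1.1:1194",               # invalid address
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_peer(sample), "| legacy match:", bool(LEGACY_RE.search(sample)))
```
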