From: Peer Dietzmann
Date: Mon, 11 Aug 2025 21:29:15 +0200
Subject: Re: IPFire 2.29 - Core Update 197 is available for testing
To: development@lists.ipfire.org


Hi All, hi Adolf,

I am experiencing a similar issue as you.

But first I would like to say that I find it very very (!) sad that the OpenVPN WUI does not have any separation of the subnets anymore! This feature was very helpful and clean. Now all certificates are mixed together, and it's not that easy anymore to see which client is in which network! It would be very nice if this feature could be brought back to IPFire! Especially for setups with multiple subnets this separation was helpful!

But now to the connection issues:

The new CU seems to push a wrong gateway. I have several subnets running: my dynamic pool is 10.22.0.0/24, the first subnet uses 10.22.1.0/24, and two other subnets are using 10.22.2.0/24. All clients that aren't in the dynamic pool have static IPs.

With the CU 196 a client in 10.22.2.0/24 gets the following routes:

2025-08-11 21:04:44 net_addr_ptp_v4_add: 10.22.2.2 peer 10.22.2.1 dev tun0
2025-08-11 21:04:44 net_route_v4_add: 10.22.0.1/32 via 10.22.2.1 dev [NULL] table 0 metric -1
2025-08-11 21:04:44 net_route_v4_add: 10.99.0.0/24 via 10.22.2.1 dev [NULL] table 0 metric -1

This is all correct and works, but with the new CU 197 the following route is pushed:

2025-08-11 20:53:23 net_addr_v4_add: 10.22.2.2/24 dev tun0
2025-08-11 20:53:23 net_route_v4_add: 10.99.0.0/24 via 10.22.0.1 dev [NULL] table 0 metric -1
2025-08-11 20:53:23 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-08-11 20:53:23 ERROR: Linux route add command failed

Obviously this can't work.

Best regards,
Peer

On 11/08/2025 16:51, Adolf Belka wrote:
> Hi All,
>
> Further testing feedback of OpenVPN-2.6
>
> I tested out the existing client connections to my android phone and
> my linux laptop.
>
> Both connections connected. Ping worked on the laptop but not on the
> android. Accessing the IPFire WUI via the openvpn rw tunnel worked for
> both android and laptop.
>
> I then created new client connections.
>
> The linux laptop connection worked without any issues.
>
> The android client did not want to work with the .ovpn file with the
> certificates built in. It said that it had obtained the required info
> from inline but the connection failed within a couple of lines in the
> log, so some problem.
>
> I then removed the inline certificate lines from the .ovpn file and
> used the .p12 and ta.key files, adding the appropriate lines into the
> .ovpn file to reference them.
>
> The connection worked without any problem. In addition the ping now
> worked with this android connection.
>
> Regards,
>
> Adolf.
>
>
> On 11/08/2025 16:01, Adolf Belka wrote:
>> Hi All,
>>
>> Have found a little issue. Not sure if it is critical or not.
>>
>> My existing connections on OpenVPN are working fine and the network
>> topology has been changed in most places but not in the ccd files.
>>
>> I have a connection called ipfiretesting which before the upgrade had
>> 10.110.30.5 and 10.110.30.6.
>>
>> After the upgrade to 197 if I edit the entry it shows that it is
>> using 10.110.30.6
>>
>> However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has
>> the line
>>
>> ifconfig-push 10.110.26.6 10.110.26.5
>>
>> If I then create a new client connection then all the ccd files get
>> updated and ipfiretesting now contains
>>
>> ifconfig-push 10.110.30.6 255.255.255.0
>>
>> So if a user upgrades but doesn't create a new client connection all
>> the ccd files will stay with the old format. Not sure what this would
>> or wouldn't do for the connection but I think after the upgrade it
>> would be good to update all the ccd files but not sure how to make
>> that happen.
>>
>> Regards,
>>
>> Adolf.
>>
>> On 11/08/2025 11:28, IPFire Project wrote:
>>> **IPFire 2.29 – Core Update 197** is now available for testing. This
>>> release introduces a significant overhaul of OpenVPN, upgrading to
>>> version 2.6 with improved security, broader client compatibility,
>>> and a modernised codebase — all without requiring changes to
>>> existing configurations. System performance has also been optimised
>>> to allow the CPU to remain in power-saving states more often,
>>> reducing energy consumption. As with every release, this update
>>> includes a large number of package updates to ensure your system
>>> remains secure and reliable.
>>>
>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8,
>>> 45711 Datteln, Germany
>>
>

--
Kind regards
Peer Dietzmann

Brecht-IT | Administration and Support
Brecht-Schule Hamburg GmbH
Norderstrasse 163-165 | 20097 Hamburg
Tel.: +49 40 21 11 12 - 37 | Fax: +49 40 21 11 12 - 20
E-Mail: dietzmann@brecht-schule.hamburg | www.brecht-schule.hamburg
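The route failure reported in this mail can be checked mechanically from a client log. The following is an added example, not part of the original mail or of IPFire: it replays the two log excerpts quoted above and flags every pushed route whose gateway is not directly reachable on the tunnel interface, which is the condition the kernel rejects with "Network is unreachable". The function name `unreachable_routes` is hypothetical.

```python
import ipaddress
import re

# Log lines copied from the mail above (CU 196 and CU 197 client logs).
CU196_LOG = """\
2025-08-11 21:04:44 net_addr_ptp_v4_add: 10.22.2.2 peer 10.22.2.1 dev tun0
2025-08-11 21:04:44 net_route_v4_add: 10.22.0.1/32 via 10.22.2.1 dev [NULL] table 0 metric -1
2025-08-11 21:04:44 net_route_v4_add: 10.99.0.0/24 via 10.22.2.1 dev [NULL] table 0 metric -1
"""
CU197_LOG = """\
2025-08-11 20:53:23 net_addr_v4_add: 10.22.2.2/24 dev tun0
2025-08-11 20:53:23 net_route_v4_add: 10.99.0.0/24 via 10.22.0.1 dev [NULL] table 0 metric -1
"""

PTP = re.compile(r"net_addr_ptp_v4_add: (\S+) peer (\S+) dev")
ADDR = re.compile(r"net_addr_v4_add: (\S+/\d+) dev")
ROUTE = re.compile(r"net_route_v4_add: (\S+) via (\S+) dev")


def unreachable_routes(log_text):
    """Return (destination, gateway) pairs whose gateway is not on-link."""
    on_link = []  # networks directly reachable over the tunnel interface
    bad = []
    for line in log_text.splitlines():
        if m := PTP.search(line):
            # Point-to-point addressing: only the peer address is on-link.
            on_link.append(ipaddress.ip_network(m.group(2) + "/32"))
        elif m := ADDR.search(line):
            # Address with prefix length: the whole interface subnet is on-link.
            on_link.append(ipaddress.ip_interface(m.group(1)).network)
        elif m := ROUTE.search(line):
            gateway = ipaddress.ip_address(m.group(2))
            if not any(gateway in net for net in on_link):
                bad.append((m.group(1), m.group(2)))
    return bad


if __name__ == "__main__":
    for name, log in (("CU 196", CU196_LOG), ("CU 197", CU197_LOG)):
        print(name, unreachable_routes(log) or "all gateways on-link")
```

In the CU 196 excerpt every gateway is the point-to-point peer 10.22.2.1; in the CU 197 excerpt the gateway 10.22.0.1 lies outside the client's 10.22.2.0/24 interface subnet and no host route to it was added first.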
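For the ccd observation in the quoted 16:01 mail, an audit that lists which client files still carry the peer-address form of `ifconfig-push` is sketched below. It is an added example, not IPFire code: the function names and the sample file contents are constructed (only the two `ipfiretesting` lines come from the thread), and it reports files without rewriting them.

```python
import ipaddress
from pathlib import Path

# Constructed sample; only the two ipfiretesting lines are quoted from the thread.
SAMPLE_CCD = {
    "ipfiretesting_before": "ifconfig-push 10.110.26.6 10.110.26.5\n",
    "ipfiretesting_after": "ifconfig-push 10.110.30.6 255.255.255.0\n",
    "laptop": "# static client\nifconfig-push 10.110.30.10 255.255.255.0\n",
    "no_static_ip": 'push "route 192.168.1.0 255.255.255.0"\n',
}


def is_netmask(value):
    """True if value is a dotted-quad netmask (contiguous one bits)."""
    inverted = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def classify_ccd(text):
    """Return 'netmask', 'peer', 'unparsed' or None (no ifconfig-push line)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "ifconfig-push":
            try:
                return "netmask" if is_netmask(fields[2]) else "peer"
            except ValueError:
                return "unparsed"  # second argument is not an IPv4 literal
    return None


def stale_ccd_files(ccd):
    """Names of ccd entries whose ifconfig-push second argument is a peer address."""
    return sorted(n for n, text in ccd.items() if classify_ccd(text) == "peer")


def load_ccd_dir(path):
    """Read every regular file in a ccd directory into a name -> text mapping."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


if __name__ == "__main__":
    # On a firewall, pass load_ccd_dir("/var/ipfire/ovpn/ccd") instead.
    print(stale_ccd_files(SAMPLE_CCD))
```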