Solved Openvpn fails on system upgraded to 13.0 (Static route failure on fib)

neal


I have just upgraded a server to 13.0 and now my vpn no longer works. It seems that I am no longer able to set a default route on fib 1 as the "Network is unreachable".

I have the following in rc.conf, which used to work a treat, but no longer does:
Code:
static_routes="vpn"
route_vpn="default 10.0.0.1 -fib 1"
This stops openvpn from working at all, as it is set to work on fib 1 and it can't see any network for it to get going with.

Is there a way to force the route to be added to the fib?
 
neal

It seems that this is an intended change and all I had to do was to set the sysctl net.add_addr_allfibs=1 and everything was back to how it worked before.

Apparently this was in the release notes, but until now I'd never heard of net.add_addr_allfibs, so a change in the default setting of this meant nothing to me. Maybe the consequences of such changes need to be noted as well as the simple fact of them happening.
 

SirDice


It's often quite useful to also have a read through /usr/src/UPDATING:
Code:
20201108:
        Default value of net.add_addr_allfibs has been changed to 0.
        If you have multi-fib configuration and rely on existence of all
        interface routes in every fib, you need to set the above sysctl to 1.
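
A pre-upgrade check for the situation this UPDATING entry describes, as an added example that is not part of the thread: it flags rc.conf static routes bound to a non-zero fib while net.add_addr_allfibs is 0. The function names and the sample file are constructed for illustration, and only a single fib number after -fib is parsed.

```shell
#!/bin/sh
# Added example (not from the thread): audit rc.conf static routes against
# the net.add_addr_allfibs default change noted in UPDATING (20201108).

# fib_routes RCCONF: print "<name> <fib>" for every route_<name> entry
# that carries "-fib N" with N > 0.
fib_routes() {
    sed -n 's/^route_\([A-Za-z0-9_]*\)=.*-fib[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1" |
        awk '$2 > 0'
}

# check_fibs RCCONF ALLFIBS: return 0 when the configuration is unaffected,
# otherwise print one line per affected route and return 1.
check_fibs() {
    rcconf=$1
    allfibs=$2
    routes=$(fib_routes "$rcconf")
    if [ -z "$routes" ]; then
        return 0            # no route depends on a secondary fib
    fi
    if [ "$allfibs" = "1" ]; then
        return 0            # interface routes are copied into every fib
    fi
    echo "$routes" | while read -r name fib; do
        echo "route_$name uses fib $fib but net.add_addr_allfibs=$allfibs"
    done
    return 1
}

# Constructed sample: the two rc.conf lines quoted in the first post.
sample=$(mktemp)
printf '%s\n' 'static_routes="vpn"' \
    'route_vpn="default 10.0.0.1 -fib 1"' > "$sample"
check_fibs "$sample" 0 || echo "set net.add_addr_allfibs=1 (see UPDATING 20201108)"
rm -f "$sample"
```

On a live system, call it as `check_fibs /etc/rc.conf "$(sysctl -n net.add_addr_allfibs)"`.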
 
neal

That description certainly would have been useful. Unfortunately I relied on the release notes, which stated the change, but not the consequences. Also, doing a binary update rather than a source update, I never go near the sources. Maybe the release notes and UPDATING need to be linked together somehow.
 

SirDice


You can view the file through the git source browser: https://cgit.freebsd.org/src/tree/UPDATING?h=releng/13.0
It usually contains quite a lot of interesting information. Definitely worthwhile to give it a quick read every so often, even if you don't do anything with the sources.

If you want to keep an eye on it for future releases you can have a look at the stable/13 version: https://cgit.freebsd.org/src/tree/UPDATING?h=stable/13
New minor releases are always branched off from stable/13, so this will give you a good idea of the changes that'll go into the next minor release.
 