Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Migration: losing configurations for openvpn tunnels with similar names #1062

Open
francio87 opened this issue Feb 4, 2025 · 2 comments
Open

Migration: losing configurations for openvpn tunnels with similar names #1062

francio87 opened this issue Feb 4, 2025 · 2 comments
Labels
verified All test cases were verified successfully
Milestone
NethSecurity 8.5

Comments

@francio87
Copy link
Member

During the migration process, configurations for OpenVPN tunnels with similar names are being lost

Steps to reproduce

  • Create two OpenVPN tunnels, for example, one called tunnel-1 and another called tunnel-2.
  • Attempt to migrate these tunnels.

Expected behavior

  • Both tunnels, tunnel-1 and tunnel-2, should be correctly imported without issues, retaining the correct configurations for each.

Actual behavior

  • Only one of the tunnels is imported correctly, as the naming is truncated during migration. For example, tunnel-1 and tunnel-2 are reduced to tunnel_, which causes one tunnel (likely the first one, tunnel-1) to be lost. Data appears to be overwritten with the last tunnel in the list during the import process.

Components
NethSecurity version: 8-23.05.5-ns.1.4.1

See also
@github-project-automation github-project-automation bot moved this to ToDo 🕐 in NethSecurity Feb 4, 2025
@francio87 francio87 changed the title migration: losing configurations for openvpn tunnels with similar names Migration: losing configurations for openvpn tunnels with similar names Feb 4, 2025
@gsanchietti gsanchietti mentioned this issue Feb 4, 2025
Merged
gsanchietti added a commit that referenced this issue Feb 5, 2025
@gsanchietti
fix(ns-migration): avoid ovpn tunnel collision (#1063)
35c5d95 
Previously, a tunnel could override an existing one during
the migration process

#1062
@gsanchietti
Copy link
Member

Testing image.

Test case

Check the issue is not reproducible

@gsanchietti gsanchietti added the testing Packages are available from testing repositories label Feb 5, 2025
@nethbot nethbot moved this from ToDo 🕐 to Testing in NethSecurity Feb 5, 2025
@francio87 francio87 self-assigned this Feb 5, 2025
@francio87 francio87 added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Feb 5, 2025
@nethbot nethbot moved this from Testing to Verified in NethSecurity Feb 5, 2025
@francio87 francio87 added testing Packages are available from testing repositories and removed verified All test cases were verified successfully labels Feb 5, 2025
@nethbot nethbot moved this from Verified to Testing in NethSecurity Feb 5, 2025
@francio87
Copy link
Member Author

Fixed, tested with release 23.05.5-ns.1.4.1-53-g3049dab, in case of name collisions, subsequent OpenVPN tunnels are renamed to mgr-xxxxx.

Nsec 7.9

Image

Nsec 8

Image

migration.log :

Creating OpenVPN tunnel server tunnel-sederm
Creating OpenVPN tunnel server mgr-9de43
root@ns79:~# uci show openvpn.ns_tunnel_.ns_name
openvpn.ns_tunnel_.ns_name='tunnel-sed'

root@ns79:~# uci show openvpn.ns_tunnel_.dev
openvpn.ns_tunnel_.dev='tuntunnel-seder'

root@ns79:~# uci show openvpn.ns_mgr_9de.ns_name
openvpn.ns_mgr_9de.ns_name='mgr-9de43'

root@ns79:~# uci show openvpn.ns_mgr_9de.dev
openvpn.ns_mgr_9de.dev='tunmgr-9de43'
root@ns79:~# ip -br -c a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             UP             192.168.122.251/24 
eth1             UP             10.87.25.6/24 
eth2             DOWN           
ifb-dns          UNKNOWN        fe80::485f:b5ff:fe64:c0b/64 
eth0.56@eth0     UP             10.58.58.5/24 fe80::5054:ff:fe1c:eb74/64 
tuntunnel-seder  UNKNOWN        10.19.189.1/24 fe80::423f:8d46:40eb:4832/64 
tunrw1           UNKNOWN        10.98.45.1/24 fe80::3c4f:bb5a:94e1:ed89/64 
tunmgr-9de43     UNKNOWN        10.65.233.1/24 fe80::a14a:7405:f176:5687/64 
root@ns79:~# fw4 reload
Section ns_user_include specifies unreachable path '/etc/firewall.user', ignoring section
Automatically including '/usr/share/nftables.d/chain-pre/input/20-don.nft'
Automatically including '/usr/share/nftables.d/chain-pre/srcnat/20netmap.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20netmap.nft'

@francio87 francio87 removed their assignment Feb 6, 2025
@francio87 francio87 added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Feb 6, 2025
@nethbot nethbot moved this from Testing to Verified in NethSecurity Feb 6, 2025
@Tbaile Tbaile added this to the NethSecurity 8.5 milestone Feb 6, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
verified All test cases were verified successfully
Projects
NethSecurity
Status: Verified
Milestone
NethSecurity 8.5
Development

No branches or pull requests
3 participants
@gsanchietti @Tbaile @francio87