From 0b09bee3e5b040861353cf884d7cda36349c6a3b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 23 Feb 2022 17:55:32 +0100
Subject: [PATCH] VPN: OpenVPN: Servers - when using topology mode
 determination of the gateway isn't reliable. With
 https://github.com/opnsense/core/commit/0ad3ec432ff0d1ee45d9969424b7e5b19eb903e2
 we tried to calculate the next address, which unfortunately is our local
 address in quite some cases.

ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	description: OpenVPN
	options=80000<LINKSTATE>
	inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffff00

Calculation using 10.0.8.1/24 will result in 10.0.8.1, but should have been 10.0.8.2

This patch seems to add the least amount of magic, if the correct gateway would be captured in the environment variables that would be preferable, unfortunately that doesn't seem to be the case.

Example environment output:

xormask_1=
daemon_start_time=1645634011
daemon_pid=569
tun_mtu=1500
proto_1=udp4
daemon=1
dev_type=tun
script_context=init
PWD=/usr/local/www
xormasklen_1=0
daemon_log_redirect=0
ifconfig_local=10.0.8.1
local_port_1=1194
dev=ovpns1
link_mtu=1621
remote_port_1=1194
script_type=up
ifconfig_netmask=255.255.255.0
xormethod_1=0
config=/var/etc/openvpn/server1.conf
verb=3
---
 src/etc/inc/plugins.inc.d/openvpn/ovpn-linkup |  5 ++-
 .../plugins.inc.d/openvpn/tunnel_endpoint.php | 37 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100755 src/etc/inc/plugins.inc.d/openvpn/tunnel_endpoint.php

diff --git a/src/etc/inc/plugins.inc.d/openvpn/ovpn-linkup b/src/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
index 456aa62c9..95f2765bc 100755
--- a/src/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
+++ b/src/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
@@ -5,7 +5,10 @@ if [ -n "${route_vpn_gateway}" ]; then
 elif [ -n "${ifconfig_remote}" ]; then
 	/bin/echo ${ifconfig_remote} > /tmp/${1}_router
 elif [ -n "${ifconfig_local}" ]; then
-	/usr/local/bin/python3 -c "import netaddr; import sys; print(netaddr.IPNetwork('%s/%s'%(sys.argv[1], sys.argv[2]))[1])" ${ifconfig_local} ${ifconfig_netmask} > /tmp/${1}_router
+	# XXX: We can't reliably determine the tunnels endpoint, other than parsing ifconfig.
+	#      Use our standard parser to request the tunnels other end. Eventually we could pass this to configd if
+	#      needed, but openvpn has elevated rights anyway at the moment.
+	/usr/local/etc/inc/plugins.inc.d/openvpn/tunnel_endpoint.php ${1} > /tmp/${1}_router
 elif [ "${dev_type}" = "tun" -a -n "${5}" ]; then
 	/bin/echo ${5} > /tmp/${1}_router
 fi
diff --git a/src/etc/inc/plugins.inc.d/openvpn/tunnel_endpoint.php b/src/etc/inc/plugins.inc.d/openvpn/tunnel_endpoint.php
new file mode 100755
index 000000000..1982b1fb9
--- /dev/null
+++ b/src/etc/inc/plugins.inc.d/openvpn/tunnel_endpoint.php
@@ -0,0 +1,37 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("interfaces.lib.inc");
+
+if (!empty($argv[1])) {
+    $result = legacy_interface_details($argv[1]);
+    if (!empty($result) && !empty($result['ipv4'][0]['endpoint'])) {
+        echo $result['ipv4'][0]['endpoint'];
+    }
+}