From 2758f9f649ee575df61e563f687a9fedeb3f2b69 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 29 Dec 2023 16:01:08 +0100
Subject: [PATCH] VPN: OpenVPN: Instances - add workaround for net30/p2p
 smaller than /29 networks, this was being used in the legacy code but left
 out in the mvc version. At a first glance it looks like it still possible to
 support /30 and /31 networks although this wasn't tested yet. We should
 likely also add a validation to prevent > /29 tunnels from being added.

Currently when specifying a /30 network the server refuses to start anyway, but before enforcing using a validation, let's try if there are still options possible for these networks to be used given the options in the new instances intreface.
---
 .../mvc/app/models/OPNsense/OpenVPN/OpenVPN.php   | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
index 7115cbe74..88d4acf57 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
@@ -470,7 +470,20 @@ class OpenVPN extends BaseModel
                     $options['verify-client-cert'] = (string)$node->verify_client_cert;
                     if (!empty((string)$node->server)) {
                         $parts = explode('/', (string)$node->server);
-                        $options['server'] = $parts[0] . " " . Util::CIDRToMask($parts[1]);
+                        $mask = Util::CIDRToMask($parts[1]);
+                        if ((string)$node->dev_type == 'tun' && (string)$node->topology != 'subnet' && $parts[1] > 29) {
+                            /**
+                             * Workaround and backwards compatibility, the server directive doesn't support
+                             * networks smaller than /30, pushing ifconfig manually works in some cases.
+                             * According to RFC3021 when the mask is /31 we may omit network and broadcast addresses.
+                             **/
+                            $masklong = ip2long($mask);
+                            $ip1 = long2ip32((ip2long32($parts[0]) & $masklong) + ($masklong == 0xfffffffe ? 0 : 1));
+                            $ip2 = long2ip32((ip2long32($parts[0]) & $masklong) + ($masklong == 0xfffffffe ? 1 : 2));
+                            $options['ifconfig'] = "{$ip1} {$ip2}";
+                        } else {
+                            $options['server'] = $parts[0] . " " . $mask;
+                        }
                     }
                     if (!empty((string)$node->server_ipv6)) {
                         $options['server-ipv6'] = (string)$node->server_ipv6;