OpenVPN Support Forum

Hi,

Noticed that after upgrading to openvpnas 2.12.3, when checking the Status > Log Reports, my web admin access to my openvpnas reports that my real IP is always 127.0.0.1 and not my actual ISP IP.

I wonder if this is a bug or a trigger of certain settings in my access server? the instances were all running on ubuntu 22 LTS and cent os 7.

The clients are being reported of their actual IP still though.

Thank you

Hello,

Can confirm on my system with 2.12.3 that public IP is still being shown correctly on web login.

However, it sounds like a bug or imperfection. In reality when you access the Access Server on the TCP port 443 (the default HTTPS port and assuming default configuration) you are actually hitting the OpenVPN TCP daemon which then transfers the connection internally to the web services. That way the OpenVPN TCP daemon and the web services can share the same port. That is useful to bypass certain simple firewalls that block everything except TCP 443 (HTTPS traffic). And maybe in your particular configuration that shows up as 127.0.0.1 because it's internal traffic.

I'd suggest contacting support and sending a sacli support output so we can see if there is a particular configuration that would solve this.

Oh, and try accessing your Access Server's web interface on port TCP 943. Like https://123.45.67.89:943/ or such.

Kind regards,
Johan

I am able to confirm also that when accessing AS via https:// NOT using port 943 gets this behavior. in the previous versions, this did not happen. wonder if this is specific only to 2.12.3

Hi Johan,

I got an update from support that this was indeed a reproducible bug on the current 2.12.3 which was not present on older 2.11.3 AS. I was advised that the Devs are fixing this bug. However, no ETA is provided when will this fix gets a release date.

Thank you and kind regards

Hi edmoncu,

Yeah, I've been keeping an eye on this. So basically it's the new DCO functionality which is in beta. When enabling that, the issue occurs. We'll fix it.

Giving an ETA is extremely difficult in software development. It will be fixed and it has our attention. But it's not a critical item. If you want it fixed now, turn off DCO.

Kind regards,
Johan

Hi Johan,

Confirming that DCO is enabled at all my instances and disabling it restores the logging of IP correctly.
Given the tradeoff between performance and security of my instances, I am opting for security to accurately log activities for now.

Will await the update on fixing the DCO bug.

Thanks!

Hi Johan,

Upon checking, update 2.13.0 seems to have not fixed this issue yet.

Hello edmoncu,

That is correct, it was also not mentioned or suggested anywhere that it would be. It will be fixed and it has our attention, but in some other future release of Access Server.

Kind regards,
Johan

just an update that the recently released openvpnas v2.13.1 fixed this bug.
thank you!

Just a quick update: The recently released OpenVPN Access Server version 2.13.1 has addressed and fixed the bug we encountered earlier. Thank you!