Interesting bug I found
-
Unsure how to even resolve short of recreating the OpenVPN server
So the issue is this.
An already actively working OpenVPN server is in use. If you create a client override and check the box that says under client settings "Prevent this client from receiving any server-defined client settings."
If you have that user log in they will receive the same IP address on each device they sign in as. On top of that other users will receive the same address from the pool as well. So in my case, my tunnel network is 172.29.0.0/24
All the clients will get the same IP addr of 172.29.0.0. They will get the network ID but not an IP in that range.
Restarting VPN service doesn't resolve the issue. The logs show the gateway as 172.29.0.1 which it obviously shouldn't be...
Mar 7 17:46:40 openvpn 50163 michmoor/192.168.50.12:56851 IP packet with unknown IP version=0 seen
Mar 7 17:46:39 openvpn 50163 michmoor/192.168.50.12:56851 PUSH: Received control message: 'PUSH_REQUEST'
Mar 7 17:46:39 openvpn 50163 michmoor/192.168.50.12:56851 SENT CONTROL [michmoor]: 'PUSH_REPLY,route 192.168.15.0 255.255.255.0,route 192.168.70.0 255.255.255.0,dhcp-option DOMAIN networkingtitan.com,block-outside-dns,register-dns,route-gateway 172.29.0.1,topology subnet,ping 10,ping-restart 60,dhcp-option DOMAIN xxxxxxx.com,dhcp-option DNS 192.168.15.1,redirect-gateway def1,ifconfig 172.29.0.0 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
-
@michmoor
So within the CLI I find this
/var/etc/openvpn/server1/csc: more michmoor
push "dhcp-option DOMAIN networkingtitan.com"
push "dhcp-option DNS 192.168.15.1"
push "redirect-gateway def1"
ifconfig-push 172.29.0.0 255.255.255.0
I have absolutely no idea where the ifconfig-push configuration was set as I don't see it in the GUI for this override. If I disabled this override account then everything works normally. At least I know how to resolve the issue.
I can recreate this.
Create another CSC user. Make sure the option for Prevent this client from receiving any server-defined client settings, is set.
This forces the ifconfig-push 172.29.0.0 255.255.255.0 for other CSC users which is strange. Odd OpenVPN behavior.
-
You mean this one :
?
If the VPN client wouldn't request these details from the OpenVPN server, they have to be present in the client ovpn config file.
Like comparing a classic, default DHCP configuration :
It gets an IP, a network, DNS, domain name etc from the upstream server,
or
you set them all yourself (on the client openvpn config file)
I guess, if these settings are not present, it defaults to requesting them from the server anyway.
-
@gertjan gotcha so my scenario is that I have a user who needs a VPN address from me but does not need my DNS, or DNS suffix. Just the remote network. So I believed that setting a CSC with no DNS option would work but instead they get the firewall's upstream DNS servers which I didn’t expect.
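
A check for the condition seen in this thread, as an added example that is not part of any poster's message and not pfSense or OpenVPN code: it scans client-specific override (CSC) text for `ifconfig-push` lines that hand out the network ID, the broadcast address, the server's gateway, an out-of-range address, or an address already given to another client. It assumes `topology subnet` as in the PUSH_REPLY above; the function name `audit_csc` and the clients `laptop2` and `phone` are constructed for illustration.

```python
import ipaddress

def audit_csc(csc_files, tunnel_cidr, gateway):
    """Return (client, address, problem) tuples for unsafe ifconfig-push lines."""
    net = ipaddress.ip_network(tunnel_cidr)
    gw = ipaddress.ip_address(gateway)
    seen = {}        # address -> first client that was given it
    findings = []
    for client, text in sorted(csc_files.items()):
        for line in text.splitlines():
            parts = line.split("#")[0].split()   # drop trailing comments
            if len(parts) < 3 or parts[0] != "ifconfig-push":
                continue
            try:
                addr = ipaddress.ip_address(parts[1])
            except ValueError:
                findings.append((client, parts[1], "not a literal IP address"))
                continue
            if addr not in net:
                problem = "outside tunnel network"
            elif addr == net.network_address:
                problem = "network ID, not a host address"
            elif addr == net.broadcast_address:
                problem = "broadcast address"
            elif addr == gw:
                problem = "collides with server gateway"
            elif addr in seen:
                problem = f"also assigned to {seen[addr]}"
            else:
                seen[addr] = client
                continue
            findings.append((client, str(addr), problem))
    return findings

# "michmoor" is the csc file quoted in the thread; the other two are constructed.
CSC_SAMPLE = {
    "michmoor": 'push "dhcp-option DOMAIN networkingtitan.com"\n'
                'push "dhcp-option DNS 192.168.15.1"\n'
                'push "redirect-gateway def1"\n'
                "ifconfig-push 172.29.0.0 255.255.255.0\n",
    "laptop2": "ifconfig-push 172.29.0.10 255.255.255.0\n",
    "phone": "ifconfig-push 172.29.0.10 255.255.255.0\n",
}

if __name__ == "__main__":
    for finding in audit_csc(CSC_SAMPLE, "172.29.0.0/24", "172.29.0.1"):
        print(*finding, sep=": ")
```

On a live system the same function can be fed the contents of the files in the csc directory shown earlier in the thread.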