Netgate Discussion Forum

OpenVPN server/client route messed up

8 Posts 3 Posters 4.3k Views
  • H
    Helix26404
    last edited by Apr 25, 2008, 5:18 AM

    All,

    Have had a successful pfSense/OpenVPN experience for several years now. pfSense is the OpenVPN server, and a Linksys WRT54GL running DD-WRT is the client. Woke up one morning and all of the settings in the Linksys had gone back to factory defaults, so I had to re-setup everything. I have an issue now where pfSense isn't assigning the correct gateway information and IP address to the client.

    On OpenVPN startup, here's what the server (pfSense) is saying:

    openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up

    These 172.16.40.1, 172.16.40.2 addresses are taken from the 172.16.40.0/24 address block entered on the webGUI server config page.

    When the client connects, it says:

    /sbin/ifconfig tun0 172.16.40.6 pointopoint 172.16.40.5 mtu 1500

    Obviously, we have a problem here. The client is configured to receive ALL info from the server. There is no static addressing going on here.

    For whatever reason, the server is setting itself as 172.16.40.1 and designating 172.16.40.2 for the first client, but then actually assigning 172.16.40.6 and reporting itself as 172.16.40.5.

    A quick look at both routing tables confirms that the routes were entered correctly, but obviously with the wrong info.

    Anyone have any ideas? FWIW, I do remember having this EXACT problem (even down to the exact address assignments) when I first set this up a few years ago, but I can't remember what I did to fix it.

    Thanks!

    • H
      Helix26404
      last edited by Apr 25, 2008, 5:19 AM

      By the way, I am positive that the settings on the Linksys are the exact same as they were before, and besides, it is configured as a client that receives every parameter from the server.

      I have also tried fooling with the client-specific config but that hasn't yielded help either.

      • G
        GruensFroeschli
        last edited by Apr 25, 2008, 11:12 AM

        hmmm.
        That is strange.
        It seems a bit as if pfSense remembers that the old client was 172.16.40.2 and assigned a new ip since a new unknown client connected.

        Maybe it works if you re-setup the server too so pfSense "forgets" the old client.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • H
          Helix26404
          last edited by Apr 25, 2008, 9:59 PM

          I know–I will do that. Just to be sure, I want to make sure that the actual config file is removed when I delete it from the webGUI. Does anyone know where the OVPN config files are located?

          • H
            Helix26404
            last edited by Apr 25, 2008, 11:06 PM

            Found the config files. The contents are posted below. I also tried connecting to the pfSense OpenVPN server with a Windows client, same results.

            Config file:

            client
            dev tun
            proto udp
            remote 75.13.22.133 1194
            resolv-retry infinite
            nobind
            persist-key
            persist-tun
            ca ca.crt
            cert client1.crt
            key client1.key
            comp-lzo
            verb 3
            mute 20

            Server file:

            writepid /var/run/openvpn_server0.pid
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            dev tun
            proto udp
            cipher BF-CBC
            up /etc/rc.filter_configure
            down /etc/rc.filter_configure
            server 172.16.40.0 255.255.255.0
            client-config-dir /var/etc/openvpn_csc
            push "route 172.16.10.0 255.255.255.0"
            lport 1194
            route 172.16.50.0 255.255.255.0
            ca /var/etc/openvpn_server0.ca
            cert /var/etc/openvpn_server0.cert
            key /var/etc/openvpn_server0.key
            dh /var/etc/openvpn_server0.dh
            comp-lzo
            persist-remote-ip
            float
            push "route 172.16.20.0 255.255.255.0"
            push "route 172.16.30.0 255.255.255.0"
            local 172.16.10.1

            Any ideas?

            • G
              GruensFroeschli
              last edited by Apr 26, 2008, 12:04 PM Apr 25, 2008, 11:42 PM

              Are you using a shared key or a PKI?

              In a PKI the first client WILL receive x.x.x.6
              (rtm on http://openVPN.net)
              In a shared key the only client is on x.x.x.2


              • K
                kpa
                last edited by Apr 26, 2008, 12:38 AM

                What you are seeing is normal. In PKI mode (the ifconfig does not indicate a PKI or shared-key setup; it is run the same way at startup in both modes)
                with default settings the OpenVPN server assigns the addresses in 4-address blocks (CIDR /30) of the address pool to the clients. Take a look at http://www.openvpn.net/index.php/documentation/faq.html, the "Why does OpenVPN's "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode?" part.

                • G
                  GruensFroeschli
                  last edited by Apr 26, 2008, 12:10 PM Apr 26, 2008, 11:25 AM

                  I'm sorry.
                  I didn't read right.
                  kpa describes it a bit better than I did :)

                  What I mean: in a shared-key setup you have in the server log something like

                  openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up
                  and on the client something like
                  openvpn[2560]: /sbin/ifconfig tun0 172.16.40.2 172.16.40.1 mtu 1500 netmask 255.255.255.255 up

                  While in a PKI setup the client usually has something like
                  openvpn[2560]: /sbin/ifconfig tun0 172.16.40.6 172.16.40.5 mtu 1500 netmask 255.255.255.255 up


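To make the /30 allocation that kpa and GruensFroeschli describe concrete, here is an added example (not code from the thread, pfSense or OpenVPN) that reproduces the legacy "net30" pool layout for a given server subnet and checks an ifconfig log line against it; the log lines it parses are the ones quoted above, and the function names are mine.

```python
import ipaddress
import re

def net30_pool(server_net, count):
    """Client (local, peer) pairs for the first `count` clients under the
    legacy OpenVPN net30 pool layout (the behaviour discussed in this thread).
    The server itself takes the first /30 (.1 local, .2 peer); each client then
    gets its own /30, with the client on .2 and the server endpoint on .1 of it."""
    net = ipaddress.ip_network(server_net)
    base = int(net.network_address)
    pairs = []
    for n in range(count):
        block = base + 4 * (n + 1)          # skip the server's own /30
        client = ipaddress.ip_address(block + 2)
        peer = ipaddress.ip_address(block + 1)
        if client not in net:               # pool exhausted
            break
        pairs.append((str(client), str(peer)))
    return pairs

# Matches both the pfSense/BSD form "ifconfig tun0 A B mtu ..." and the
# Linux form "ifconfig tun0 A pointopoint B mtu ..." seen in the posts.
IFCONFIG_RE = re.compile(
    r"ifconfig\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(?:pointopoint\s+)?(\d+\.\d+\.\d+\.\d+)")

def classify_ifconfig(line, server_net):
    """Work out which /30 slot a logged local/peer pair occupies (slot 0 is
    the server, slot 1 the first client, ...) and whether the pair is the
    usable .1/.2 pair of a single /30 as net30 expects."""
    m = IFCONFIG_RE.search(line)
    if not m:
        return None
    net = ipaddress.ip_network(server_net)
    local, peer = (ipaddress.ip_address(g) for g in m.groups())
    if local not in net or peer not in net:
        return {"ok": False, "reason": "address outside the server pool"}
    base = int(net.network_address)
    off_local, off_peer = int(local) - base, int(peer) - base
    if off_local // 4 != off_peer // 4:
        return {"ok": False, "reason": "local and peer are not in the same /30"}
    if {off_local % 4, off_peer % 4} != {1, 2}:
        return {"ok": False, "reason": "pair is not the usable .1/.2 of a /30"}
    slot = off_local // 4
    return {"ok": True, "slot": slot,
            "role": "server" if slot == 0 else "client %d" % slot,
            "local": str(local), "peer": str(peer)}
```

Run against the two lines quoted in the first post, the server line lands in slot 0 and the client line in slot 1, which is exactly the .1/.2 and .5/.6 split the thread was puzzled by.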