    OpenVPN assigns wrong tunnel address

      Martin Emrich

      Hi!

      We have a pfSense 2.1 with OpenVPN (Road-Warrior setup). Some users get this message in their Windows OpenVPN client:

      Thu Oct 17 11:06:56 2013 There is a problem in your selection of --ifconfig endpoints [local=10.14.2.66, remote=10.14.2.67].  The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
      

      I wonder why the pfSense would assign this address (.65 and .66 would be valid).

      Ciao

      Martin

        Nachtfalke

        If you use the /30 network it contains 4 addresses.

        E.g.:
        10.14.2.64 / 255.255.255.252

        10.14.2.64
        10.14.2.65
        10.14.2.66
        10.14.2.67

        So these 4 addresses are valid for one OpenVPN RoadWarrior

          Martin Emrich

          I know that. But why does pfSense distribute mismatching addresses?

          EDIT:
          Actually, the address is matching, as it fits the scheme. My colleague gets .26 as address, and it is accepted. Thus .66 should work, too.
          /EDIT

          And furthermore: I always get the same address, it is stuck to my user name, and it is even persistent over both client and server reboots. But I could not find any user-to-IP-file on the pfsense. Where can I find it?

          Thanks

          Martin

            Nachtfalke

            Hi,

            You can use "Client specific override" if you are using a RoadWarrior setup with certificates. Just put the CN of the user's certificate in the "client specific override" and put there the tunnel /30 network this user should always get.

            On pfsense 2.0.3 you have to do that for every user if the users on OpenVPN should always get the same IP address/subnet. On pfsense 2.1 - if I remember correctly - there could be an additional option which allows you to not use /30 tunnels but single addresses. But I did not test that.

            The tunnel network in the OpenVPN server config is, for example, a /24. This means that at most 64-1 clients, which always use a /30, could connect.
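
The rule quoted in the client log message above, as an added example that is not part of the original posts: a Python check of one `--ifconfig` pair against its /30 block, plus a listing of the /30 blocks in a tunnel network. The function names and the `10.14.2.0/24` tunnel network are assumptions; the thread only gives a /24 as an example and does not state the actual tunnel network.

```python
import ipaddress


def check_endpoints(local, remote):
    """Apply the rule from the client log message to one --ifconfig pair.

    Both endpoints must sit in the same 255.255.255.252 (/30) block and
    neither may be the first or last address of that block.
    Returns (ok, reason).
    """
    l_addr = ipaddress.ip_address(local)
    r_addr = ipaddress.ip_address(remote)
    # The /30 block that contains the local endpoint.
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    if r_addr not in block:
        return False, f"remote {r_addr} is outside {block}"
    if l_addr == r_addr:
        return False, f"local and remote are both {l_addr}"
    for name, addr in (("local", l_addr), ("remote", r_addr)):
        if addr == block.network_address:
            return False, f"{name} {addr} is the first address of {block}"
        if addr == block.broadcast_address:
            return False, f"{name} {addr} is the last address of {block}"
    return True, f"both endpoints are middle addresses of {block}"


def usable_pairs(tunnel_network):
    """Return the two middle addresses of every /30 block in the network."""
    net = ipaddress.ip_network(tunnel_network)
    return [tuple(str(h) for h in block.hosts())
            for block in net.subnets(new_prefix=30)]


if __name__ == "__main__":
    # Pair taken from the log line in the first post.
    print(check_endpoints("10.14.2.66", "10.14.2.67"))
    # Pair the first post says would be valid.
    print(check_endpoints("10.14.2.65", "10.14.2.66"))
    # Assumed tunnel network (not stated in the thread).
    pairs = usable_pairs("10.14.2.0/24")
    print(len(pairs), "blocks of /30; block 10.14.2.64/30 ->", pairs[16])
```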
