    Cso client unable to get IP due to subnet error
      brunoc

      Hey guys,

      I have an OpenVPN instance running with Tunnel network of "172.27.2.0/24" and topology subnet. Clients can connect without any problems and all is good.

      Under "Client Specific Overrides" I've set up an override for a given user and specified Tunnel Network of "172.27.42.0/24". I then used the "Client Export" functionality to download the Windows x64 package and installed it on a Windows 7 x64.

      The issue is that the client fails to connect to the vpn with an error on the subnet calculation on the TAP driver:

      Sat Apr 12 15:51:22 2014 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{E2DCD4B1-7E88-4625-816C-A686F44A3D81}.tap
      Sat Apr 12 15:51:22 2014 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.42.0/172.27.42.2/172.27.42.1 [SUCCEEDED]
      Sat Apr 12 15:51:22 2014 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet
      Sat Apr 12 15:51:22 2014 Exiting due to fatal error

      The issue appears to be "network/local/netmask (...) 172.27.42.0/172.27.42.2/172.27.42.1". I believe this should read "172.27.42.0/172.27.42.2/255.255.255.0".
      The TAP driver seems to be expecting a netmask but is being provided an IP address instead and failing.

      For reference, I tried setting a Tunnel network of "172.27.42.0/30" on the client override but that returns the exact same problem.

      To me this sounds like a bug somewhere in the code (either pfSense or OpenVPN). Any ideas?

      Thanks.

        doktornotor

        What bug? You are outside of the interface subnet (172.27.2.0/24)… it even tells you that in a crystal clear message.

        @brunoc:

        Sat Apr 12 15:51:22 2014 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet

        This is just a completely invalid configuration.

          brunoc

          Hey doktornotor,

          I believe it's possible for the CSO network to be outside of the main Tunnel network. Is this not the case?

          Also, if I don't populate the field "Tunnel network" on the CSO but instead specify "ifconfig-push 172.27.42.2 255.255.255.0" under advanced (still on the CSO), then the client connects without any error (I see the proper subnet being passed for netmask). To me this leads me to believe there might be some sort of issue with how the "Tunnel network" passes the netmask info to the client or maybe something on the OpenVPN side.

          Unless I'm missing something here. And if I am, I would like to understand what it is.

          Thanks.

            doktornotor

            If you Google the error, you only hit source code with the error message. So congrats, you seem to be the first one to invent this configuration. Just think about it within normal DHCP/LAN terms. You have a LAN, say 10.10.10.0/24, and you configure your DHCP to assign a client with a particular MAC an IP like 192.168.200.111/24 - you think this is a sane configuration that will work?

            AFAICT, the only reasonable way to produce some sort of working static IP assignments is to set some ifconfig-pool in server configuration and set up CSO outside of that pool but still within the OpenVPN server subnet. Also https://forums.openvpn.net/topic10702.html

            Also, why do you need /24 for one client? /30 should be plenty enough.

              phil.davis

              As doktornotor says, in Client Specific Overrides give a "/30" to each special client. Like 172.27.2.40/30 (any multiple-of-4 boundaries after the very first one).

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                brunoc

                So, as a test, I've set the CSO "Tunnel network" for the client to be "172.27.2.40/30" (which is under the main Tunnel network of 172.27.2.0/24) BUT I get the exact same error.
                I've mentioned this a few times, the error seems to be due to the wrong info for netmask:

                Sun Apr 13 15:02:41 2014 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{E2DCD4B1-7E88-4625-816C-A686F44A3D81}.tap
                Sun Apr 13 15:02:41 2014 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.2.40/172.27.2.42/172.27.2.41 [SUCCEEDED]
                Sun Apr 13 15:02:41 2014 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet
                Sun Apr 13 15:02:41 2014 Exiting due to fatal error

                The client is trying to set "172.27.2.41" (in bold) as the netmask, which is wrong. For a /30 network, the netmask should be "255.255.255.252".

                Any ideas how/why the netmask is being set incorrectly?

                  jits

                  To resolve this issue, I had to edit the OpenVPN server.

                  If you have checked off 'allocate only one IP per client' under CLIENT SETTINGS, then uncheck this setting and your 'Client Specific Overrides' should now work.

                  This is what resolved the error for me.

                  Jits

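Added example (not part of the thread, and not pfSense or OpenVPN code): a small Python check that reads OpenVPN client log lines like the ones posted above and flags a "Set TAP-Windows TUN subnet mode" line whose third field is an address rather than a contiguous netmask, or whose local address falls outside the resulting subnet. The function names are hypothetical; the first two sample lines are copied from the thread and the third is constructed.

```python
import ipaddress
import re

# First two lines are from the thread; the third is a constructed healthy line.
SAMPLE_LOG = """\
Sat Apr 12 15:51:22 2014 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.42.0/172.27.42.2/172.27.42.1 [SUCCEEDED]
Sun Apr 13 15:02:41 2014 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.2.40/172.27.2.42/172.27.2.41 [SUCCEEDED]
Sun Apr 13 16:10:05 2014 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.42.0/172.27.42.2/255.255.255.0 [SUCCEEDED]
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
TUN_LINE = re.compile(
    r"TUN subnet mode network/local/netmask = " + IPV4 + "/" + IPV4 + "/" + IPV4
)


def is_netmask(value: str) -> bool:
    """True if value is a contiguous IPv4 netmask (ones followed by zeros)."""
    inverted = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    # A valid mask inverts to 0b000...0111...1, so adding 1 clears every set bit.
    return (inverted & (inverted + 1)) == 0


def check_line(line: str):
    """Return None for unrelated lines, else (local, third_field, verdict)."""
    match = TUN_LINE.search(line)
    if not match:
        return None
    network, local, third = match.groups()
    if not is_netmask(third):
        # An address sits where the mask belongs, as in both logs in the thread.
        return (local, third, "address in netmask field")
    subnet = ipaddress.IPv4Network(f"{network}/{third}", strict=False)
    if ipaddress.IPv4Address(local) not in subnet:
        return (local, third, "local address outside subnet")
    return (local, third, "ok")


def audit(log_text: str):
    """Check every TUN subnet-mode line in a client log."""
    return [r for r in map(check_line, log_text.splitlines()) if r]


if __name__ == "__main__":
    for local, third, verdict in audit(SAMPLE_LOG):
        print(f"{local} / {third}: {verdict}")
```

Both logs from the thread are flagged because the third field is the other address of the /30 pair, while the line matching the manual "ifconfig-push 172.27.42.2 255.255.255.0" setting passes.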