Netgate Discussion Forum
    After upgrade to 2.3 Client Specific Overrides won't work

    Category: OpenVPN
    35 Posts 11 Posters 9.4k Views
    • probie

      jimp, I tried the command below from both the server side and the client side and I am still experiencing the same issue. I still end up putting the route command on the client side to the correct /30 gw IP.

      require_once("openvpn.inc");
      openvpn_resync_all();

      • jimp Rebel Alliance Developer Netgate

        @probie:

        jimp, I tried the command below from both the server side and the client side and I am still experiencing the same issue. I still end up putting the route command on the client side to the correct /30 gw IP.

        require_once("openvpn.inc");
        openvpn_resync_all();

        Sorry if I'm repeating; the thread is long and I've been answering dozens of them today.

        Check the server, make sure it's on net30, check the client, make sure it's on net30 (if it's on 2.3, if it's on 2.2 there was no client option for that).

        Check a CSO/CSC, make sure it's only got a value in the tunnel network, not ifconfig in the advanced options. Save on there to be certain it's fresh.

        Check /var/openvpn-csc/server<id>/<name> and make sure the ifconfig looks OK there.

        Edit and save the client to ensure its interface is rebuilt, maybe even try rebooting the client.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • probie

          jimp, unless I am missing something, I don't see net30 on the PFS that is on the server side (under the Servers and Client Specific Overrides tabs). I only see net30 on the PFS that is on the client side, in the Client tab.

          • nastov

            Hi everyone,

            My VPN server had subnet topology, not net30, before the upgrade and I also had some issues with the client specific overrides: the clients were receiving network IP addresses instead of the client IP addresses I've configured with ifconfig-push in the Advanced field of the OpenVPN CSO.

            I did follow jimp's suggestion to check the /var/etc/openvpn-csc folder and I saw that the client config files generated there had two ifconfig-push commands in them.
            The first was the proper one I configured and the second was an ifconfig-push with the network IP of the tunnel.

            Went back to the GUI in the CSO, removed the "Tunnel Network" setting on the clients and restarted the OpenVPN services. This fixed the issue and now all of my clients are receiving the IP addresses I've set up with ifconfig-push.

            I am not sure if the issue was generated by me when I entered the "Tunnel Network" IP addresses a long time ago, but in the previous version of pfSense it did not cause any issues.

            I do have multiple pfSense boxes with OpenVPN and subnet topology, so I checked one of the v2.2.6 boxes we use, and the client specific overrides worked just fine with both the "Tunnel Network" IP address and the ifconfig-push address in the Advanced field.

            I tested the old v2.2.6 pfSense client specific overrides without the "Tunnel Network", just with the ifconfig-push, and the clients kept working just fine, so I updated those afterwards without any issues.

            I don't know where I saw that the "Tunnel Network" should be set in the client specific overrides when using subnet topology, or if it was left from a time when we were using net30, but this was my experience and I hope this helps someone.

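jimp's check (look at the generated file for each client) and nastov's finding (two ifconfig-push lines in one file) can be scripted. This is an added example, not pfSense code; it assumes the /var/etc/openvpn-csc/server<id>/<name> layout named in the thread and is meant to be run from the pfSense shell.

```shell
#!/bin/sh
# Added example, not pfSense code. Audits the per-client files pfSense writes
# under /var/etc/openvpn-csc/server<id>/<name> (path as given in the thread) for
# two symptoms: several ifconfig-push lines in one file, one address in two files.

# Print the ifconfig-push directives of one file, with a leading "--" stripped
# (OpenVPN accepts both spellings in a config file) and comments removed.
ifconfig_push_lines() {
    sed -e 's/^[[:space:]]*\(--\)\{0,1\}//' -e 's/[#;].*$//' "$1" \
        | grep '^ifconfig-push[[:space:]]' || true
}

# Return 0 only when the file carries exactly one ifconfig-push.
check_csc_file() {
    n=$(ifconfig_push_lines "$1" | wc -l | tr -d ' ')
    case "$n" in
        1) return 0 ;;
        0) echo "WARN $1: no ifconfig-push (client gets a pool address)"; return 1 ;;
        *) echo "FAIL $1: $n ifconfig-push lines, the later one takes effect:"
           ifconfig_push_lines "$1" | sed 's/^/    /'
           return 1 ;;
    esac
}

# Audit every server<id>/ directory below the CSC root. Also flag an address
# that appears in more than one file: two overrides then collide on one IP.
check_csc_dir() {
    rc=0; seen=$(mktemp)
    for f in "$1"/server*/*; do
        [ -f "$f" ] || continue
        check_csc_file "$f" || rc=1
        ifconfig_push_lines "$f" | awk '{print $2}' >> "$seen"
    done
    dups=$(sort "$seen" | uniq -d); rm -f "$seen"
    if [ -n "$dups" ]; then
        echo "FAIL: address pushed to more than one client: $dups"; rc=1
    fi
    return $rc
}

# Stand-alone demo on constructed files modelled on the 10.9.9.0/24 hub in the
# thread: site A is fine, site B has the stray second ifconfig-push nastov saw.
demo() {
    d=$(mktemp -d); mkdir -p "$d/server1"
    printf 'ifconfig-push 10.9.9.2 10.9.9.1\n' > "$d/server1/siteA"
    printf 'ifconfig-push 10.9.9.6 10.9.9.5\nifconfig-push 10.9.9.0 10.9.9.1\n' > "$d/server1/siteB"
    check_csc_dir "$d"; rc=$?; rm -rf "$d"; return $rc
}
if [ $# -gt 0 ]; then check_csc_dir "$1"; else demo || echo "demo: problems found (expected)"; fi
```

Run it as `sh csc_audit.sh /var/etc/openvpn-csc` on the hub; with no argument it runs the constructed demo.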
            • Derelict LAYER 8 Netgate

              @probie

              This is in the Remote Access Server settings.

              ![Screen Shot 2016-04-14 at 2.10.06 AM.png](/public/imported_attachments/1/Screen Shot 2016-04-14 at 2.10.06 AM.png)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • probie

                Derelict, I see it on the client setting side and not on the server setting side. This is more of an issue now that I see it on a PPPoE connection. The manual route that I added tends to disappear when the PPPoE disconnects and reconnects.

                • probie

                  My issue is almost identical to nastov's. Something in OPVN 2.3 has changed in the tunnel network settings, in the way it pushes the network gateway to the clients.

                  I have the below in 2.2.6:

                  PFS Hub side
                  Server Tab: IPv4 Tunnel Network: 10.9.9.0/24

                  Client Specific Overrides Tab:
                  Client/Site A: Tunnel Network: 10.9.9.0/30
                  Client/Site B: Tunnel Network: 10.9.9.4/30

                  PFS Spoke site A
                  Client Tab: IPv4 Tunnel Network: 10.9.9.0/30

                  PFS Spoke site B
                  Client Tab: IPv4 Tunnel Network: 10.9.9.4/30

                  In this scenario, the server would push down the correct /30 gw to the sites (10.9.9.1 to Site A and 10.9.9.5 to Site B) and work as expected.

                  Now on 2.3, it pushes a GW of 10.9.9.1 to both sites, leaving Site A in working order and Site B broken.

                  I ended up doing the below for 2.3, and all the PFS tunnels are in one big /24 with one common GW, as opposed to a /30 each with its own GW. Setting the topology to subnet and/or net30 does not seem to make a difference based on my observations.

                  Server (hub side)
                  Server Tab: IPv4 Tunnel Network: 10.9.9.0/24

                  Client Specific Overrides Tab:
                  Client/Site A: Tunnel Network: <blank>
                  Client/Site B: Tunnel Network: <blank>

                  • whoknowz

                    Had the same issue, not a topology (net30) issue. Just selected a VPN server for the CSC override and disabled "Prevent this client from receiving any server-defined client settings." Was lucky enough that one CSC was working and the rest failing.

                    • bleeuw

                      In conjunction with this topic I'm trying to figure out a similar issue with our Mgmt-OpenVPN network.

                      Reading the last topic update I'm wondering if anyone can point out whether the syntax for ifconfig-push has changed since v2.3.x …

                      In both my 2.2.6 backup and my current 2.3.1 backup all my CSCs' <advanced> entries are configured starting with:
                      <custom_options>ifconfig-push 10.150.0....

                      Note the dash ( - ) between 'ifconfig' and 'push'!

                      In the last topic entry, the dash is gone (several times).... Should I change all my CSCs in this way?

                      • geir

                        Just wanted to fill in on this with the issues I experience.

                        I want my users to authenticate through LDAP, so I set Server Mode to "Remote Access (SSL/TLS + User Auth)", but then CSO stops working.
                        When I set Server Mode to only "Remote Access (SSL/TLS)" without User Auth, CSO starts working again.
                        I see that the Topology setting has been mentioned a couple of times in the thread, but I run with topology = subnet, so the problem exists regardless of what topology is set to.

                        I don't know if this worked prior to 2.3.X.

                        I currently run pfsense 2.3.1-RELEASE-p5 (amd64) / FreeBSD 10.3-RELEASE-p3.

                        • jimp Rebel Alliance Developer Netgate

                          When you enable user auth, the server gets an option that treats the username as the common name. So your CSOs have to match the LDAP login usernames, not the CN of the certificate. But ideally those should both be identical.


                          • bleeuw

                            Dear Jimp,

                            Can you please also reply to my question about the correct syntax?

                            @Bennie41:

                            In conjunction with this topic I'm trying to figure out a similar issue with our Mgmt-OpenVPN network.

                            Reading the last topic update I'm wondering if anyone can point out whether the syntax for ifconfig-push has changed since v2.3.x …

                            In both my 2.2.6 backup and my current 2.3.1 backup all my CSCs' <advanced> entries are configured starting with:
                            <custom_options>ifconfig-push 10.150.0....

                            Note the dash ( - ) between 'ifconfig' and 'push'!

                            In the last topic entry, the dash is gone (several times).... Should I change all my CSCs in this way?

                            I can't find a syntax manual anywhere, otherwise I would have sorted it out myself :)

                            Thanks in advance.
                            B.

                            • jimp Rebel Alliance Developer Netgate

                              That is up to OpenVPN – that isn't our syntax.

                              https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

                              You should just be putting the IP address/mask in the tunnel network of the override. Let the code figure it out. If you must do it manually, check the link above.


                              • kpa

                                Quote from the manual page:

                                OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
                                • franksterdam

                                  I experience exactly the same. It's not possible to add or edit the Client Specific Overrides since the upgrade to 2.3. My search on the internet for an answer has been unsuccessful so far.

                                  • jimp Rebel Alliance Developer Netgate

                                    @franksterdam:

                                    I experience exactly the same. It's not possible to add or edit the Client Specific Overrides since the upgrade to 2.3. My search on the internet for an answer has been unsuccessful so far.

                                    You do not likely have an issue with overrides if you cannot edit or create them. Most likely you have done something like adding the "Deny Config Write" privilege to your user or group.


                                    • bleeuw

                                      Hi All,

                                      Thanks to nastov's problem description and probie's response to that, I managed to get the issue fixed for my customer's mgmt-oVPN network.

                                      Things I had to change compared with the former v2.2.6 setup:

                                      General:
                                      Set topology to "Subnet" on both the server (hub) side and the client (spoke) side, wherever it was not set to Subnet already.

                                      Server side:
                                      In the OpenVPN server config, fill in the tunnel network as a /24 network (in probie's example it would be 10.9.9.0/24).

                                      In the Client Specific Overrides I cleared the tunnel network (<blank>) and left the ifconfig-push as it was before, including the dash.

                                      Client side:
                                      In the OpenVPN client config I also cleared the tunnel network to <blank>.

                                      In this way, every client got its unique tunnel IP address (/24-/32) again and I was able to get the right traffic on the right VPN tunnel for each spoke.

                                      Hooray!  8)

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.