After upgrade to 2.3 Client Specific Overrides won't work
-
This is in the Remote Access Server settings.
![Screen Shot 2016-04-14 at 2.10.06 AM.png](/public/imported_attachments/1/Screen Shot 2016-04-14 at 2.10.06 AM.png)
-
Derelict, I see it on the client setting side and not on the server setting side. This is more of an issue now that I see it on a PPPoE connection. The manual route that I added tends to disappear when the PPPoE disconnects and reconnects.
-
My issue is almost identical to nastov's. Something in OPVN 2.3 has changed in the tunnel network settings, in the way it pushes the network GW to the clients.
I have the below in 2.2.6:
PFS Hub side
Server Tab: IPv4 Tunnel Network: 10.9.9.0/24
Client Specific Overrides Tab:
Client/Site A: Tunnel Network: 10.9.9.0/30
Client/Site B: Tunnel Network: 10.9.9.4/30
PFS Spoke site A)
Client Tab: IPv4 Tunnel Network: 10.9.9.0/30
PFS Spoke site B)
Client Tab: IPv4 Tunnel Network: 10.9.9.4/30
In this scenario, the server would push down the correct /30 GW to the sites (10.9.9.1 to Site A and 10.9.9.5 to Site B) and work as expected.
Now on 2.3, it pushes a GW of 10.9.9.1 to both sites, leaving Site A in working order and Site B broken.
I ended up doing the below for 2.3, and all the PFS tunnels are in one big /24 with one common GW, as opposed to /30s each with its own GW. Setting the topology to subnet and/or net30 does not seem to make a difference based on my observations.
Server (hub side)
Server Tab: IPv4 Tunnel Network: 10.9.9.0/24
Client Specific Overrides Tab:
Client/Site A: Tunnel Network: `<blank>`
Client/Site B: Tunnel Network: `<blank>`
-
Had the same issue, not a Topology (net30) issue. Just selected a VPN server for CSC override and disabled "Prevent this client from receiving any server-defined client settings." Was lucky enough that one CSC was working and the rest failing.
-
In conjunction with this topic I'm trying to figure out a similar issue with our Mgmt-OpenVPN network.
Reading the last topic update I'm wondering if anyone can point out if the syntax for the ifconfig-push has been changed since V2.3.x …
In both my 2.2.6 backup and my current 2.3.1 backup all my CSCs' `<advanced>` entries are configured starting with:
`<custom_options>ifconfig-push 10.150.0....`
Note the dash ( - ) between 'ifconfig' and 'push'!
In the last topic entry, the dash is gone (several times).... Should I change all my CSCs in this way?
-
Just wanted to fill in on this with the issues I experience.
I want my users to authenticate through LDAP, so I set Server Mode to "Remote Access (SSL/TLS + User Auth)", but then CSO stops working.
When I set Server Mode to only "Remote Access (SSL/TLS)" without User Auth, CSO starts working again.
I see that the Topology setting has been mentioned a couple of times in the thread, but I run with topology = subnet, so the problem exists regardless of what topology is set to. I don't know if this worked prior to 2.3.X.
I currently run pfsense 2.3.1-RELEASE-p5 (amd64) / FreeBSD 10.3-RELEASE-p3.
-
When you enable user auth, the server gets an option that treats the username as the common name. So your CSOs have to match the LDAP login usernames, not the CN of the certificate. But ideally those should both be identical.
-
Dear Jimp,
Can you please also reply to my question about the correct syntax?
@Bennie41:
> In conjunction with this topic I'm trying to figure out a similar issue with our Mgmt-OpenVPN network.
> Reading the last topic update I'm wondering if anyone can point out if the syntax for the ifconfig-push has been changed since V2.3.x …
> In both my 2.2.6 backup and my current 2.3.1 backup all my CSCs' `<advanced>` entries are configured starting with:
> `<custom_options>ifconfig-push 10.150.0....`
> Note the dash ( - ) between 'ifconfig' and 'push'!
> In the last topic entry, the dash is gone (several times).... Should I change all my CSCs in this way?
I can't find a syntax manual anywhere, otherwise I would have sorted it out myself :)
Thanks in advance.
B.
-
That is up to OpenVPN – that isn't our syntax.
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
You should just be putting the IP address/mask in the tunnel network of the override. Let the code figure it out. If you must do it manually, check the link above.
-
Quote from the manual page:
OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
-
I experience exactly the same. It's not possible to add or edit the Client Specific Overrides since the upgrade to 2.3. My search on the internet for an answer has been unsuccessful so far.
-
> I experience exactly the same. It's not possible to add or edit the Client Specific Overrides since the upgrade to 2.3. My search on the internet for an answer has been unsuccessful so far.
You do not likely have an issue with overrides if you cannot edit or create them. Most likely you have done something like adding the "Deny Config Write" privilege to your user or group.
-
Hi All,
Thanks to Nastov's problem description and Probie's response to that, I managed to get the issue fixed for my customer mgmt-oVPN network.
Things I had to change in comparison to the former V2.2.6 setup:
General:
Set topology to "Subnet", on both the server (hub) side and client (spoke) side, wherever it was not set to Subnet already.
Server side:
In the OpenVPN server config fill in the tunnel network as a /24 network (in Probie's example it would be: 10.9.9.0/24).
In the Client Specific Overrides I cleared the tunnel network (`<blank>`) and left the ifconfig-push as it was before, including the dash.
Client side:
In the OpenVPN client config I also cleared the tunnel network to `<blank>`.
In this way, every client got its unique tunnel IP address (/24-/32) again and I was able to get the right traffic on the right VPN tunnel for each spoke.
Hooray! 8)
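Added example, not code from pfSense or from anyone in this thread: a small Python script that does the arithmetic Probie's hub/spoke post and Bennie's fix both rely on. Given the hub's tunnel network, the per-client override networks and the OpenVPN topology, it derives what each spoke should end up with and the `ifconfig-push` line a client-config-dir (CCD) file would carry, following the argument semantics of the OpenVPN 2.3 man page linked above (`ifconfig-push local remote-netmask`, written from the client's point of view; no leading `--` inside a config file, but the dash inside the option name stays). The site names, the 10.9.9.0/24 addressing and the allocation rule for subnet topology (the spoke takes the first host of its block that is not the hub's own address) are this example's assumptions, not pfSense's behaviour. It also refuses overrides that fall outside the server tunnel network or overlap one another, which is the check a practitioner wants before trusting a pushed gateway.

```python
# Added example (not pfSense or OpenVPN project code): derive per-spoke tunnel
# endpoints and CCD lines from client-specific override networks.
import ipaddress


def plan_overrides(server_net, overrides, topology):
    """Return {name: {"client": ip, "gateway": ip, "ccd_line": str}}.

    server_net -- the hub's IPv4 Tunnel Network, e.g. "10.9.9.0/24"
    overrides  -- {certificate CN (or login username when user auth is on):
                   "tunnel network" entered in that override}
    topology   -- "net30" or "subnet" (OpenVPN --topology)

    Allocation rule (this example's assumption): in net30 every override is a
    /30 whose first host is the hub end and whose second host is the spoke; in
    subnet the spoke takes the first host of its block that is not the hub's
    own address (first host of server_net).
    """
    hub = ipaddress.ip_network(server_net, strict=True)
    hub_addr = hub.network_address + 1            # hub's tunnel address, e.g. 10.9.9.1
    plan, taken = {}, []
    for name, cidr in overrides.items():
        block = ipaddress.ip_network(cidr, strict=True)
        if not block.subnet_of(hub):
            raise ValueError(f"{name}: {block} is outside the server tunnel network {hub}")
        if any(block.overlaps(t) for t in taken):
            raise ValueError(f"{name}: {block} overlaps another override")
        taken.append(block)

        if topology == "net30":
            if block.prefixlen != 30:
                raise ValueError(f"{name}: net30 needs one /30 per client, got {block}")
            gateway = block.network_address + 1   # hub end of this point-to-point pair
            client = block.network_address + 2    # spoke end
            # 'local remote' as the spoke will configure its own tun interface
            line = f"ifconfig-push {client} {gateway}"
        elif topology == "subnet":
            gateway = hub_addr                    # one shared gateway for every spoke
            candidates = [block.network_address] if block.prefixlen == 32 else block.hosts()
            client = next((h for h in candidates if h != hub_addr), None)
            if client is None:
                raise ValueError(f"{name}: {block} leaves no address for the spoke")
            # in subnet topology the second argument is the netmask of the whole tunnel
            line = f"ifconfig-push {client} {hub.netmask}"
        else:
            raise ValueError(f"unknown topology {topology!r}")

        plan[name] = {"client": client, "gateway": gateway, "ccd_line": line}
    return plan


def render_ccd(name, entry):
    """Text of the CCD file for one client. The file name must match the CN, or
    the username when the server mode also does user auth (see jimp's reply).
    Config-file options carry no leading '--'; the dash in ifconfig-push stays."""
    return f"# client-specific override for {name}\n{entry['ccd_line']}\n"


if __name__ == "__main__":
    # Constructed sample matching Probie's layout: one /24 on the hub, a /30 per site.
    sites = {"siteA": "10.9.9.0/30", "siteB": "10.9.9.4/30"}
    for topo in ("net30", "subnet"):
        print(f"--- topology {topo} ---")
        for name, entry in plan_overrides("10.9.9.0/24", sites, topo).items():
            print(f"{name}: spoke {entry['client']} via gateway {entry['gateway']}")
            print(render_ccd(name, entry), end="")
```

Running it with net30 reproduces the 2.2.6 behaviour Probie describes (Site A gets gateway 10.9.9.1, Site B gets 10.9.9.5, each with its own /30), while subnet topology gives every spoke a unique address in the /24 behind the single hub gateway 10.9.9.1, which is the shape Bennie ended up with.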