Netgate Discussion Forum

    After upgrade to 2.3 Client Specific Overrides won't work

    Category: OpenVPN
    35 Posts 11 Posters 9.4k Views
    • whoknowz

      Had the same issue, not a Topology (net30) issue. Just selected a VPN server for CSC override and disabled "Prevent this client from receiving any server-defined client settings." Was lucky enough that one CSC was working and the rest failing.

      • bleeuw

        In conjunction with this topic I'm trying to figure out a similar issue with our Mgmt-OpenVPN network.

        Reading the last topic update I'm wondering if anyone can point out if the syntax for the ifconfig-push has been changed since V2.3.x …

        In both my 2.2.6 backup and my current 2.3.1 backup all my CSCs' <advanced> entries are configured starting with:
        <custom_options>ifconfig-push 10.150.0....

        Note the dash ( - ) between 'ifconfig' and 'push'!

        In the last topic entry, the dash is gone (several times).... Should I change all my CSCs in this way?

        • geir

          Just wanted to fill in on this with the issues I experience.

          I want my users to authenticate through LDAP, so I set Server Mode to "Remote Access (SSL/TLS + User Auth)", but then CSO stops working.
          When I set Server mode to only "Remote Access (SSL/TLS)" without User Auth, CSO starts working again.
          I see that the Topology setting has been mentioned a couple of times in the thread, but I run with topology = subnet, so the problem exists regardless of what topology is set to.

          I don't know if this worked prior to 2.3.X.

          I currently run pfSense 2.3.1-RELEASE-p5 (amd64) / FreeBSD 10.3-RELEASE-p3.

          • jimp (Rebel Alliance Developer, Netgate)

            When you enable user auth, the server gets an option that treats the username as the common name. So your CSOs have to match the LDAP login usernames, not the CN of the certificate. But ideally those should both be identical.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • bleeuw

              Dear Jimp,

              Can you please also reply to my question about the correct syntax?

              @Bennie41:

              In conjunction with this topic I'm trying to figure out a similar issue with our Mgmt-OpenVPN network.

              Reading the last topic update I'm wondering if anyone can point out if the syntax for the ifconfig-push has been changed since V2.3.x …

              In both my 2.2.6 backup and my current 2.3.1 backup all my CSCs' <advanced> entries are configured starting with:
              <custom_options>ifconfig-push 10.150.0....

              Note the dash ( - ) between 'ifconfig' and 'push'!

              In the last topic entry, the dash is gone (several times).... Should I change all my CSCs in this way?

              I can't find a syntax manual anywhere, otherwise I would have sorted it out myself :)

              Thanks in advance.
              B.

              • jimp (Rebel Alliance Developer, Netgate)

                That is up to OpenVPN – that isn't our syntax.

                https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

                You should just be putting the IP address/mask in the tunnel network of the override. Let the code figure it out. If you must do it manually, check the link above.

                • kpa

                  Quote from the manual page:

                  OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
                  • franksterdam

                    I experience exactly the same. It's not possible to add or edit the Client Specific Overrides since the upgrade to 2.3. My search on the internet for an answer has been unsuccessful so far.

                    • jimp (Rebel Alliance Developer, Netgate)

                      @franksterdam:

                      I experience exactly the same. It's not possible to add or edit the Client Specific Overrides since the upgrade to 2.3. My search on the internet for an answer has been unsuccessful so far.

                      You do not likely have an issue with overrides if you cannot edit or create them. Most likely you have done something like adding the "Deny Config Write" privilege to your user or group.

                      • bleeuw

                        Hi All,

                        Thanks to Nastov's problem description and Probie's response to that, I managed to get the issue fixed for my Customer mgmt-oVPN network.

                        Things I had to change in comparison to the former V2.2.6 setup:

                        General:
                        Set topology to "Subnet", on both the server (hub) side and client (spoke) side, wherever it was not set to Subnet already.

                        Server side:
                        In the OpenVPN server config fill in the tunnel network as a /24 network (in Probie's example it would be: 10.9.9.0/24)

                        In the Client Specific Overrides I cleared the tunnel network (<blank>) and left the ifconfig-push as it was before, including the dash.

                        Client side:
                        In the OpenVPN client config I also cleared the tunnel network to <blank>.

                        In this way, every client got its unique tunnel IP address (/24-/32) again and I was able to get the right traffic on the right VPN tunnel for each spoke.

                        Hooray! 8)

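Added example, not code from the thread, from pfSense or from OpenVPN, that checks the two things kpa's manual-page quote and the fix above rely on: a custom_options line is accepted with or without the leading "--", but the dash inside "ifconfig-push" is part of the option name, and under topology subnet each pushed address has to sit inside the server's tunnel network and carry that network's mask. The function names and the sample CSO lines are my own constructions; the 10.9.9.0/24 tunnel network is Probie's example from the thread.

```python
import ipaddress

def parse_custom_options(text):
    """Parse OpenVPN option lines into {option_name: [args]}. Config-file style
    ("ifconfig-push ...") and command-line style ("--ifconfig-push ...") are both
    accepted: only the leading "--" is optional, the dash in the name stays."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            name, *args = line.split()
            opts[name[2:] if name.startswith("--") else name] = args
    return opts

def check_ifconfig_push(custom_options, tunnel_network):
    """Problems (empty list = OK) with a CSO's ifconfig-push under topology
    subnet, given the server's tunnel network, e.g. "10.9.9.0/24"."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    args = parse_custom_options(custom_options).get("ifconfig-push")
    if args is None:
        return ["no ifconfig-push option found (is the dash in the name missing?)"]
    if len(args) != 2:
        return [f"ifconfig-push needs <address> <netmask>, got {args}"]
    try:
        addr = ipaddress.ip_address(args[0])
        # ip_network accepts a dotted mask or a prefix length after the slash
        mask = ipaddress.ip_network(f"0.0.0.0/{args[1]}").netmask
    except ValueError as exc:
        return [f"bad ifconfig-push arguments: {exc}"]
    problems = []
    if addr not in net:
        problems.append(f"{addr} is outside the server tunnel network {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    if mask != net.netmask:
        problems.append(f"netmask {mask} differs from the tunnel mask {net.netmask}")
    return problems

# Constructed sample data; the /24 is Probie's example from the thread.
SERVER_TUNNEL = "10.9.9.0/24"
CSO_LINES = {
    "spoke-ok":      "ifconfig-push 10.9.9.10 255.255.255.0",
    "spoke-cli":     "--ifconfig-push 10.9.9.11 255.255.255.0",  # command-line spelling
    "spoke-nodash":  "ifconfig push 10.9.9.12 255.255.255.0",    # dash in the name lost
    "spoke-outside": "ifconfig-push 10.150.0.5 255.255.255.0",   # not in the tunnel net
}
if __name__ == "__main__":
    for name, opts in CSO_LINES.items():
        problems = check_ifconfig_push(opts, SERVER_TUNNEL)
        print(name, "OK" if not problems else "; ".join(problems))
```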
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.