Multiple clients range overlap?
-
Yeah set different /30 tunnel networks.
OpenVPN is obviously getting those /16 from somewhere.
Post what you have done not what you think you have done.
-
I thought that's what I did ;) ;D
Well, I configured 5 clients, all the same way on different ports. I got the config in a window next to me and double checked each one.
Device mode is layer 3 tunnel mode.
Topology Isolated /30 network per client.
Don't pull routes is enabled.
Don't add/remove routes is disabled (left as default).
If you need any more settings or have me paste the complete config from a file let me know.
IPv4 Tunnel Network has been set for each client to a unique range:
10.4.0.0/30
10.6.0.0/30
10.8.0.0/30
10.10.0.0/30
10.12.0.0/30
I've rebooted the firewall too. Today, it's even crazier, I've got only 1 and 3 working. I've included the IPv6 table so you can see that that is getting 5 unique ranges. As you can see, none of the ranges I defined in the OpenVPN client configs are being used.
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         re0
10.14.0.0/16       10.14.0.1          UGS      ovpnc1
10.14.0.1          link#7             UH       ovpnc1
10.14.0.147        link#7             UHS         lo0
10.14.1.135        link#8             UHS         lo0
10.26.13.0/24      link#2             U           re1
10.26.13.254       link#2             UHS         lo0
10.30.0.0/16       10.30.0.1          UGS      ovpnc3
10.30.0.1          link#9             UH       ovpnc3
10.30.0.104        link#11            UHS         lo0
10.30.0.205        link#10            UHS         lo0
10.30.1.2          link#9             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.1.0/24     link#1             U           re0
192.168.1.254      link#1             UHS         lo0

Internet6:
Destination                       Gateway            Flags     Netif Expire
::1                               link#4             UH          lo0
fde6:7a:7d20:14::/64              link#7             U        ovpnc1
fde6:7a:7d20:14::1091             link#7             UHS         lo0
fde6:7a:7d20:14::1185             link#8             UHS         lo0
fe80::%re0/64                     link#1             U           re0
fe80::201:2eff:fe78:4f4%re0       link#1             UHS         lo0
fe80::%re1/64                     link#2             U           re1
fe80::201:2eff:fe78:4f5%re1       link#2             UHS         lo0
fe80::%lo0/64                     link#4             U           lo0
fe80::1%lo0                       link#4             UHS         lo0
fe80::%ovpnc1/64                  link#7             U        ovpnc1
fe80::201:2eff:fe78:4f4%ovpnc1    link#7             UHS         lo0
fe80::%ovpnc2/64                  link#8             U        ovpnc2
fe80::201:2eff:fe78:4f4%ovpnc2    link#8             UHS         lo0
fe80::%ovpnc3/64                  link#9             U        ovpnc3
fe80::201:2eff:fe78:4f4%ovpnc3    link#9             UHS         lo0
fe80::%ovpnc4/64                  link#10            U        ovpnc4
fe80::201:2eff:fe78:4f4%ovpnc4    link#10            UHS         lo0
fe80::%ovpnc5/64                  link#11            U        ovpnc5
fe80::201:2eff:fe78:4f4%ovpnc5    link#11            UHS         lo0
When I check the config files, it did actually write my settings to them:
/var/etc/openvpn: grep ifconfig *.conf
client1.conf:ifconfig 10.4.0.2 10.4.0.1
client2.conf:ifconfig 10.6.0.2 10.6.0.1
client3.conf:ifconfig 10.8.0.2 10.8.0.1
client4.conf:ifconfig 10.10.0.2 10.10.0.1
client5.conf:ifconfig 10.12.0.2 10.12.0.1
What else can I check? Any ideas what might be wrong here that prevents openvpn from using the network specified?
Thanks!
-
I've enabled extra logging for OpenVPN and been going through the logs to find out more.
Here's what I see in the logs: it does actually use my configured network, but it is ignoring the 'don't pull routes' setting.
May 21 09:15:26 pfsense openvpn[63464]: topology = 1
May 21 09:15:26 pfsense openvpn[63464]: ifconfig_local = '10.4.0.2'
May 21 09:15:26 pfsense openvpn[63464]: ifconfig_remote_netmask = '10.4.0.1'
May 21 09:15:26 pfsense openvpn[63464]: ifconfig_noexec = DISABLED
May 21 09:15:26 pfsense openvpn[63464]: ifconfig_nowarn = DISABLED
...
May 21 09:15:26 pfsense openvpn[63466]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
...
May 21 09:15:27 pfsense openvpn[63466]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.6.0.1, comp-lzo no,route-gateway 10.6.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.6.0.33 255.255.0.0'
May 21 09:15:27 pfsense openvpn[63466]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
May 21 09:15:27 pfsense openvpn[63466]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: timers and/or timeouts modified
May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: compression parms modified
May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: --ifconfig/up options modified
May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: route-related options modified
May 21 09:15:27 pfsense openvpn[63466]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:406 ET:0 EL:3 ]
May 21 09:15:27 pfsense openvpn[63466]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
May 21 09:15:27 pfsense openvpn[63466]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 09:15:27 pfsense openvpn[63466]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
May 21 09:15:27 pfsense openvpn[63466]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
May 21 09:15:27 pfsense openvpn[63466]: TUN/TAP device ovpnc1 exists previously, keep at program end
May 21 09:15:27 pfsense openvpn[63466]: TUN/TAP device /dev/tun1 opened
May 21 09:15:27 pfsense openvpn[63466]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 21 09:15:27 pfsense openvpn[63466]: /sbin/ifconfig ovpnc1 10.6.0.33 10.6.0.1 mtu 1500 netmask 255.255.0.0 up
May 21 09:15:27 pfsense openvpn[63466]: /sbin/route add -net 10.6.0.0 10.6.0.1 255.255.0.0
May 21 09:15:28 pfsense openvpn[63466]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.6.0.33 255.255.0.0 init
May 21 09:15:28 pfsense openvpn[63466]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 21 09:15:28 pfsense openvpn[63466]: Initialization Sequence Completed
So it warns about using those settings together and ignores the ifconfig setting.
If this is my problem, how can I fix that? In the config I do have the options 'client' and 'route-nopull'.
Thanks again! Appreciate the help.
-
Post screenshots of your OpenVPN config on two sides of one of the problematic connections.
You obviously have those /16s in there somewhere? Local Networks? Remote Networks?
-
re0 is connected to my router LAN2 with a fixed ip 192.168.1.254/24 with a default gateway 192.168.1.1.
re1 is connected to a switch on the internal network with a fixed ip 10.26.13.254/24, no gateway configured.
The internet router has its LAN1 connected to the switch as 10.26.13.1/24, which is the default gateway for the LAN.
For now, the router is providing DHCP with itself as DNS and gateway for the clients. I have configured my own PC with a fixed IP, gateway and DNS set to pfSense, 10.26.13.254, to test. Once pfSense is happy, it will take over DHCP and provide internet access for all clients.
(removed redundant attachments) Attached are all configs from all clients. Not sure why you're not asking to simply post the text from config files though but here it is.
Maybe you're a step ahead of me but (respectfully), I feel you are ignoring the log messages and info I provided. There's a warning there that states why it is ignoring my ifconfig settings, and it shows it is applying the pull from the server and ignoring the route-nopull.
In any case, thanks for the help! I do appreciate it.
-
That doesn't give me what I asked for. Looking for the complete OpenVPN for BOTH SIDES of ONE AND ONLY ONE connection that is malfunctioning. Please keep it to one connection. Zero reason to look at them all if they are all doing the same thing.
/sbin/route add -net 10.6.0.0 10.6.0.1 255.255.0.0
You need to figure out where that is coming from. It's coming from someplace. That is 10.6.0.0/16, not anything to do with any /30s.
I also have no idea why you are messing about with all of those custom options.
Are you connecting to your own server or some provider?
May 21 09:15:27 pfsense openvpn[63466]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.6.0.1,comp-lzo no,route-gateway 10.6.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.6.0.33 255.255.0.0'
Looks like it's getting the /16 from the server.
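As an added example (not part of this thread, and not pfSense or OpenVPN code), the following Python script reads the kind of client log shown above, takes each process's `ifconfig_local` line (what was configured locally) and its `PUSH_REPLY` line (what the server actually handed out), works out the network each client ends up in, since the pushed `ifconfig addr mask` takes precedence over the local /30, and flags clients whose pushed networks overlap. That overlap is exactly what leaves only one `/16` route per interface in a routing table like the one posted earlier. The log lines, PIDs and addresses in `SAMPLE_LOG` are constructed to resemble the thread's output; the helper names are my own.

```python
"""Find server-pushed OpenVPN tunnel networks that collide across clients.

Added example, not from the thread or from pfSense/OpenVPN. Reads the
client log, derives each client's effective network and reports overlaps.
"""
import ipaddress
import re

# Constructed sample log modelled on the thread's format. PIDs and addresses
# are made up; two clients are pushed into the same /16 on purpose.
SAMPLE_LOG = """\
May 21 09:15:26 pfsense openvpn[1001]: ifconfig_local = '10.4.0.2'
May 21 09:15:27 pfsense openvpn[1001]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.14.0.1,topology subnet,ifconfig 10.14.0.147 255.255.0.0'
May 21 09:15:26 pfsense openvpn[1002]: ifconfig_local = '10.6.0.2'
May 21 09:15:27 pfsense openvpn[1002]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.14.0.1,topology subnet,ifconfig 10.14.1.135 255.255.0.0'
May 21 09:15:26 pfsense openvpn[1003]: ifconfig_local = '10.8.0.2'
May 21 09:15:27 pfsense openvpn[1003]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.30.0.1,topology subnet,ifconfig 10.30.1.2 255.255.0.0'
"""

LINE_RE = re.compile(r"openvpn\[(\d+)\]: (.*)$")
LOCAL_RE = re.compile(r"ifconfig_local = '([\d.]+)'")
PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,.*)'")


def pushed_options(reply):
    """Split a PUSH_REPLY payload into {option: argument-string}."""
    opts = {}
    for item in reply.split(",")[1:]:          # drop the leading 'PUSH_REPLY'
        item = item.strip()
        if item:
            name, _, arg = item.partition(" ")
            opts[name] = arg
    return opts


def parse_client_log(text):
    """Return {pid: {"local": IPv4Address|None, "pushed": dict}} per client process."""
    clients = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        entry = clients.setdefault(pid, {"local": None, "pushed": {}})
        lm = LOCAL_RE.search(msg)
        if lm:
            entry["local"] = ipaddress.IPv4Address(lm.group(1))
            continue
        pm = PUSH_RE.search(msg)
        if pm:
            entry["pushed"] = pushed_options(pm.group(1))
    return clients


def effective_network(entry):
    """Network the client lands in: a pushed 'ifconfig addr mask' wins over the local /30."""
    ifc = entry["pushed"].get("ifconfig")
    if ifc:
        addr, mask = ifc.split()
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if entry["local"] is not None:
        # point-to-point 'ifconfig a b' with the isolated /30 topology
        return ipaddress.IPv4Network(f"{entry['local']}/30", strict=False)
    return None


def find_overlaps(clients):
    """Return (pid_a, pid_b, network) triples whose effective networks overlap."""
    nets = {pid: effective_network(e) for pid, e in clients.items()}
    pids = sorted(p for p, n in nets.items() if n is not None)
    overlaps = []
    for i, a in enumerate(pids):
        for b in pids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b, str(nets[a])))
    return overlaps


def report(text):
    """Summarise configured vs pushed network per client, plus the collisions."""
    clients = parse_client_log(text)
    rows = []
    for pid in sorted(clients):
        e = clients[pid]
        rows.append({
            "pid": pid,
            "configured": str(e["local"]) if e["local"] else None,
            "pushed": str(effective_network(e)),
            "redirect_gateway": "redirect-gateway" in e["pushed"],
        })
    return {"clients": rows, "overlaps": find_overlaps(clients)}


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for row in result["clients"]:
        print(row)
    for a, b, net in result["overlaps"]:
        print(f"clients {a} and {b} were both pushed into {net}; only one route to it can be installed")
```

Run it against `/var/log/openvpn.log` (or whichever file pfSense's OpenVPN log goes to on your install) by passing the file contents to `report()`. The `redirect_gateway` flag is worth checking too: a provider that pushes `redirect-gateway` to every client is also asking each of them to take over the default route, which is why the per-client gateway groups matter.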
-
Sorry misunderstood what you were asking for. I don't have access to the server side. I am connecting to airvpn pool of servers. If what you're asking for is something I can provide can you please be more specific?
And yes, it is getting the /16 from the server but it should ignore that when I configure "IPv4 Tunnel Network" right?
Concerning the custom options, I am following the guide on airvpn servers and simply copied that from the guide. Some are deprecated or redundant, I know. I'll clean that up at some point. I don't think any of those cause the problem I am having.
ps. the guide is here:
https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/
-
No. In SSL/TLS mode they push the tunnel network to you. You pretty much have to do what they think you should do.
Maybe choose a VPN provider that doesn't do that.
-
Thanks again for the help. They allow 5 simultaneous client connections, but it's pretty useless this way unless you install and configure the client on different PCs.
I've submitted a support request to AirVPN, hopefully they are willing to change this (got 3 months left on my sub) or maybe they can help fix it somehow.
We'll see.
Got one more Q about this if you don't mind. Is it possible to reconfigure the ip, gateway and route for each client connection from the pfsense terminal? I realize this would be temporary, but I could dump that in a script and manually run it after a reboot or something.
-
Probably possible but you'd have to write a bunch of php to do it.
They are pushing that anyway.
Maybe you could configure 5 different clients to connect to 5 different AirVPN nodes.