OpenVPN and static IP for ALL clients

viktor_g

If you need per-client firewall rules, a more efficient way is to use Cisco-AVPair RADIUS ACLs:
https://docs.netgate.com/pfsense/en/latest/book/openvpn/controlling-client-parameters-via-radius.html

noplan

@viktor_g

oh yeah i like that, but lack of useCase :(

i think @ThePieMonster needs a static IP for his vpn-clients
but a static Ip only helps when rules are set ;) so whats NEXT !

ThePieMonster

@noplan @viktor_g

As I mentioned the user cert is from the the Certificate Manager / Certificates section of pfSense, not from the User Manager section. There are two locations where a user certificate can be created.

I also found out today, that the common name, is not the CN name of the cert, that can be whatever you like, but the username of the domain user. Switching this info around in the client override solved the issue for me.

TLDR: CN = Domain Username, not Certificate name.

noplan

@ThePieMonster said in OpenVPN and static IP for ALL clients:

Switching this info around in the client override solved the issue for me.

so please mark this posting als SOLVED !

ThePieMonster

@noplan I would but I'm not OP. :)

stephenw10

There seems to be some mis-information in this thread.

You do not need to add the custom push line in a Client Specific Override. Adding the tunnel network as an IP address already does exactly that.

You often do need to restart the OpenVPN server to read in the CSOs: https://redmine.pfsense.org/issues/10337
That should probably be marked a feature though, nothing has changed there.

Steve

noplan

@stephenw10 said in OpenVPN and static IP for ALL clients:

You do not need to add the custom push line in a Client Specific Override

as i mentioned earlier
the reason why i added it and still doin it

there are clinets out there in the wild where the CSO is not working without
the custom push added.

thanks for pointin me to issue 10337

brNP
#staysafe

viktor_g

@ThePieMonster said in OpenVPN and static IP for ALL clients:

@noplan @viktor_g

I also found out today, that the common name, is not the CN name of the cert, that can be whatever you like, but the username of the domain user. Switching this info around in the client override solved the issue for me.

TLDR: CN = Domain Username, not Certificate name.

You can change this behavior on 2.5 branch,
or by applying patch https://redmine.pfsense.org/issues/8289 on 2.4.4/2.4.5

stephenw10

I would suggest those clients must have typo or similar because adding the custom line does exactly the same thing.
For example I created a CSO for a user with a cert CN of test and added only this:

If I check what that actually creates:

[2.4.5-RELEASE][admin@google.stevew.lan]/root: cat /var/etc/openvpn-csc/server2/test
ifconfig-push 10.10.10.5 255.255.255.240

If I now add the custom line in addition:

I now get:

[2.4.5-RELEASE][admin@google.stevew.lan]/root: cat /var/etc/openvpn-csc/server2/test
ifconfig-push 10.10.10.5 255.255.255.240
ifconfig-push 10.10.10.5 255.255.255.240

Clearly both those lines are not required!

Steve

noplan

@stephenw10

tested it with some older android clients right now
without the ifconfig-push not working on device
added the lines working
maybe / pretty shure it is the client not the config on the Server