Netgate Discussion Forum

OpenVPN client static ip CSO not working

    rcuello
    last edited by Jun 16, 2016, 4:18 PM

    2.3.1-RELEASE-p1 (amd64)
    built on Wed May 25 14:53:06 CDT 2016
    FreeBSD 10.3-RELEASE-p3

    I'm using OpenVPN with LDAP authentication.
    My network design uses two internal networks:
    192.168.248.x/24 network
    10.0.0.4/30 network

    10.2.0.0/24 network for OpenVPN clients
    Connection using a Windows 7 client (OpenVPN client) works fine. Client traffic is tunneled across the VPN.

    I'm trying to set a static IP for remote users based on the X.509 common name, to restrict network access based on source IP address.
    If I set a different network (10.3.0.0/24 or 10.3.0.0/30) on the CSO for a user, the connection does not work.
    If I set the same network, 10.2.0.0/24, on the CSO, the connection works, but the client gets IP address 10.2.0.0 and the DHCP server reported to the client is 10.2.0.254. If I ping from the OpenVPN server side to the Windows client, it works. I can also browse SMB resources.
    If I try to set a static IP using the advanced option, it does not work and IP 10.2.0.0 is set on the Windows client:
    ifconfig-push 10.2.0.240 10.2.0.1;

    This is my OpenVPN Windows client connection log:
    Thu Jun 16 18:13:27 2016 SIGHUP[hard,] received, process restarting
    Thu Jun 16 18:13:27 2016 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
    Thu Jun 16 18:13:27 2016 Windows version 6.1 (Windows 7) 64bit
    Thu Jun 16 18:13:27 2016 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
    Thu Jun 16 18:13:29 2016 Control Channel Authentication: using 'pfSense-udp-1194-tls.key' as a OpenVPN static key file
    Thu Jun 16 18:13:29 2016 UDPv4 link local (bound): [undef]
    Thu Jun 16 18:13:29 2016 UDPv4 link remote: [AF_INET]WAN_IP_ADDRESS:1194
    Thu Jun 16 18:13:29 2016 [FQDN_ADDRESS] Peer Connection Initiated with [AF_INET]WAN_IP_ADDRESS:1194
    Thu Jun 16 18:13:31 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Jun 16 18:13:31 2016 open_tun, tt->ipv6=0
    Thu Jun 16 18:13:31 2016 TAP-WIN32 device [Conexión de área local 3] opened: \.\Global{247D5993-18E4-4F2C-A5E9-F5ABF62FFF08}.tap
    Thu Jun 16 18:13:31 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.2.0.0/10.2.0.0/255.255.255.0 [SUCCEEDED]
    Thu Jun 16 18:13:31 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.2.0.0/255.255.255.0 on interface {247D5993-18E4-4F2C-A5E9-F5ABF62FFF08} [DHCP-serv: 10.2.0.254, lease-time: 31536000]
    Thu Jun 16 18:13:31 2016 Successful ARP Flush on interface [32] {247D5993-18E4-4F2C-A5E9-F5ABF62FFF08}
    Thu Jun 16 18:13:36 2016 Initialization Sequence Completed

    Thanks in advance.

      Electricshock
      last edited by Jun 18, 2016, 5:07 AM

      Hi man!
      Same problem…dunno how 2 fix it.

        rcuello
        last edited by Jun 19, 2016, 7:14 AM

        Well, I've found how to make it work, but not in subnet mode.

        I've set the OpenVPN server config topology to net/30 mode. I've used a 10.x.x.x/16 subnet.
        Then, in the CSO Tunnel Network, use a /30 per user:
        10.x.x.0/30, 10.x.x.4/30…10.x.x.252/30

        The client will use the second usable address in the subnet; the router uses the first usable one. I'm losing 3 addresses for every client, but using 10.x.x.x/16 you can define more than 16,000 remote users.

        Later, with firewall rules, you can tune user access based on their IP address.

        hope it helps.
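
The /30-per-user layout described in the post above, worked through as an added example (not part of the original thread and not pfSense code): it splits a pool into /30 blocks, one per certificate common name, and lists the CSO Tunnel Network value and the client source address to match in firewall rules. The 10.8.0.0/16 pool and the common names are constructed, and the router-first, client-second ordering follows the post.

```python
import ipaddress

def net30_plan(pool, common_names):
    """Give each certificate common name its own /30 out of `pool`."""
    names = list(common_names)
    if len(set(names)) != len(names):
        raise ValueError("duplicate common name: two users would share one IP")
    net = ipaddress.ip_network(pool)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("pool must be an IPv4 network of /30 or larger")
    blocks = net.subnets(new_prefix=30)
    plan = {}
    for cn in names:
        block = next(blocks, None)
        if block is None:
            raise ValueError(f"pool {net} has no /30 left for {cn!r}")
        router, client = block.hosts()  # first and second usable address
        plan[cn] = {
            "tunnel_network": str(block),   # CSO "Tunnel Network" for this user
            "router": str(router),          # server end of the /30
            "client": str(client),          # source address for firewall rules
            # net30 form of the directive: client address, then peer endpoint
            "ifconfig_push": f"ifconfig-push {client} {router}",
        }
    return plan

def capacity(pool):
    """Number of users a pool can hold at four addresses per user."""
    return ipaddress.ip_network(pool).num_addresses // 4

if __name__ == "__main__":
    POOL = "10.8.0.0/16"                 # constructed stand-in for 10.x.x.x/16
    USERS = ["alice", "bob", "carol"]    # constructed common names
    for cn, row in net30_plan(POOL, USERS).items():
        print(f"{cn:6} {row['tunnel_network']:14} client={row['client']:10} "
              f"{row['ifconfig_push']}")
    print("capacity:", capacity(POOL), "users")
```

Because each common name maps to exactly one client address, a per-user firewall rule can match on that single source IP rather than on the whole tunnel pool.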

          Electricshock
          last edited by Jun 19, 2016, 9:56 AM

          OK, thanks, but I decided to downgrade to version 2.2.4 (stable).

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.