OpenVPN client static ip CSO not working



  • 2.3.1-RELEASE-p1 (amd64)
    built on Wed May 25 14:53:06 CDT 2016
    FreeBSD 10.3-RELEASE-p3

    I'm using OpenVPN with LDAP authentication.
    My network design uses two internal networks:
    192.168.248.x/24 network
    10.0.0.4/30 network

    10.2.0.0/24 network for OpenVPN clients
    Connection using a Windows 7 client (OpenVPN client) works fine. Client traffic is tunneled across the VPN.

    I'm trying to set a static IP for remote users based on the X.509 common name, to restrict network access based on source IP address.
    If I set a different network (10.3.0.0/24 or 10.3.0.0/30) on the CSO for a user, the connection is not working.
    If I set the same network (10.2.0.0/24) on the CSO, the connection works, but the client gets IP address 10.2.0.0 and the DHCP server reported to the client is 10.2.0.254. If I ping from the OpenVPN server side to the Windows client it works. I can also browse SMB resources.
    If I try to set a static IP using the advanced options it does not work and IP 10.2.0.0 is set on the Windows client:
    ifconfig-push 10.2.0.240 10.2.0.1;

    This is my OpenVPN Windows client connection log:
    Thu Jun 16 18:13:27 2016 SIGHUP[hard,] received, process restarting
    Thu Jun 16 18:13:27 2016 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
    Thu Jun 16 18:13:27 2016 Windows version 6.1 (Windows 7) 64bit
    Thu Jun 16 18:13:27 2016 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
    Thu Jun 16 18:13:29 2016 Control Channel Authentication: using 'pfSense-udp-1194-tls.key' as a OpenVPN static key file
    Thu Jun 16 18:13:29 2016 UDPv4 link local (bound): [undef]
    Thu Jun 16 18:13:29 2016 UDPv4 link remote: [AF_INET]WAN_IP_ADDRESS:1194
    Thu Jun 16 18:13:29 2016 [FQDN_ADDRESS] Peer Connection Initiated with [AF_INET]WAN_IP_ADDRESS:1194
    Thu Jun 16 18:13:31 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Jun 16 18:13:31 2016 open_tun, tt->ipv6=0
    Thu Jun 16 18:13:31 2016 TAP-WIN32 device [Conexión de área local 3] opened: \.\Global{247D5993-18E4-4F2C-A5E9-F5ABF62FFF08}.tap
    Thu Jun 16 18:13:31 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.2.0.0/10.2.0.0/255.255.255.0 [SUCCEEDED]
    Thu Jun 16 18:13:31 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.2.0.0/255.255.255.0 on interface {247D5993-18E4-4F2C-A5E9-F5ABF62FFF08} [DHCP-serv: 10.2.0.254, lease-time: 31536000]
    Thu Jun 16 18:13:31 2016 Successful ARP Flush on interface [32] {247D5993-18E4-4F2C-A5E9-F5ABF62FFF08}
    Thu Jun 16 18:13:36 2016 Initialization Sequence Completed

    Thanks in advance.



  • Hi man!
    Same problem… dunno how to fix it.



  • Well, I've found how to make it work, but not in subnet mode.

    I've set the OpenVPN server config topology to net30 mode. I've used a 10.x.x.x/16 subnet.
    Later, in CSO Tunnel Network use a /30 per user.
    10.x.x.0/30, 10.x.x.4/30…10.x.x.252/30

    The client will use the second usable address in the subnet; the router uses the first usable one. I'm losing 3 addresses for every client, but using 10.x.x.x/16 you can define more than 16,000 remote users.

    Later, with firewall rules you can tune user access based on their IP address.

    hope it helps.
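As an added example (not code from the thread or from the pfSense project), the per-user /30 allocation described in the post above, worked out with Python's ipaddress module: each client gets the second usable address of its /30 and the router the first, and a /16 yields 16384 such blocks. The 10.8.0.0/16 tunnel network, the user indexes and the common names are assumed, constructed values.

```python
import ipaddress

# Assumed tunnel network for the net30 topology (constructed for this example).
TUNNEL_NETWORK = "10.8.0.0/16"


def net30_capacity(tunnel_network: str) -> int:
    """Number of /30 blocks (one per client) that fit in the tunnel network."""
    return ipaddress.ip_network(tunnel_network).num_addresses // 4


def allocate_net30(tunnel_network: str, index: int):
    """Return (subnet, server_endpoint, client_ip) for the index-th /30.

    net30 convention per block: .0 network, .1 server (router) side,
    .2 client, .3 broadcast. So the client gets the second usable
    address and the router the first, as the post describes."""
    net = ipaddress.ip_network(tunnel_network)
    if index < 0 or index >= net30_capacity(tunnel_network):
        raise ValueError(f"index {index} does not fit in {tunnel_network}")
    base = int(net.network_address) + 4 * index   # stays on a /30 boundary
    subnet = ipaddress.ip_network((base, 30))
    server = ipaddress.ip_address(base + 1)
    client = ipaddress.ip_address(base + 2)
    return str(subnet), str(server), str(client)


def cso_for_user(tunnel_network: str, common_name: str, index: int) -> dict:
    """CSO values for one X.509 common name: the Tunnel Network field and
    the equivalent raw directive. In net30 topology ifconfig-push takes
    'client-ip server-endpoint'; in subnet topology the second argument
    is a netmask instead, which is why a subnet-mode push looks different."""
    subnet, server, client = allocate_net30(tunnel_network, index)
    return {
        "common_name": common_name,
        "tunnel_network": subnet,
        "ifconfig_push": f"ifconfig-push {client} {server}",
        "client_ip": client,  # the source address to match in firewall rules
    }


if __name__ == "__main__":
    # Constructed common names; the index decides which /30 each user gets.
    for i, cn in enumerate(["alice", "bob", "carol"]):
        print(cso_for_user(TUNNEL_NETWORK, cn, i))
    print("clients that fit:", net30_capacity(TUNNEL_NETWORK))
```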



  • OK, thanks, but I decided to downgrade to the 2.2.4 version (stable).