Client Specific Overrides - assign static ips



  • I'm trying to give users a /30 static. When I connect with the user, though, openvpn seems to be ignoring the CSOs.

    I don't see any indication in the log that there is a CSO; should it normally show?

    Nov 7 10:47:37 openvpn user 'testuser' authenticated
    Nov 7 10:47:37 openvpn 36076 [testuser] Peer Connection Initiated with [AF_INET]:5834
    Nov 7 10:47:37 openvpn 36076 testuser/:5834 MULTI_sva: pool returned IPv4=192.168.10.6, IPv6=(Not enabled)
    Nov 7 10:47:39 openvpn 36076 testuser/:5834 send_push_reply(): safe_cap=940
    Nov 7 10:50:53 openvpn 36076 testuser/:5834 [andygee] Inactivity timeout (--ping-restart), restarting

    I've posted the openvpn config as well as the CSO below.

    <openvpn>
      <openvpn-server>
        <vpnid>1</vpnid>
        <mode>server_tls_user</mode>
        <authmode>Local Database</authmode>
        <protocol>UDP</protocol>
        <dev_mode>tun</dev_mode>
        <ipaddr></ipaddr>
        <interface>wan</interface>
        <local_port>1194</local_port>
        <custom_options></custom_options>
        <tls>mMmNiM2JkYWFiMjU2ZGZmNTRkYzI4YWQwMmMzZWEzDQotLS0tLUVORCBPcGVuVlBOIFN0YXRpYyBrZXkgVjEtLS0tLQ0K</tls>
        <caref>5995d3c107301</caref>
        <crlref></crlref>
        <certref>5995d3c1975c3</certref>
        <dh_length>2048</dh_length>
        <cert_depth>1</cert_depth>
        <strictusercn></strictusercn>
        <crypto>AES-256-CBC</crypto>
        <digest>SHA1</digest>
        <engine>none</engine>
        <tunnel_network>192.168.10.0/23</tunnel_network>
        <tunnel_networkv6></tunnel_networkv6>
        <remote_network></remote_network>
        <remote_networkv6></remote_networkv6>
        <gwredir></gwredir>
        <local_network>10.0.0.0/8</local_network>
        <local_networkv6></local_networkv6>
        <maxclients>10</maxclients>
        <compression></compression>
        <passtos></passtos>
        <client2client>yes</client2client>
        <dynamic_ip>yes</dynamic_ip>
        <pool_enable>yes</pool_enable>
        <topology>net30</topology>
        <serverbridge_dhcp></serverbridge_dhcp>
        <serverbridge_interface>none</serverbridge_interface>
        <serverbridge_dhcp_start></serverbridge_dhcp_start>
        <serverbridge_dhcp_end></serverbridge_dhcp_end>
        <dns_domain>test.com</dns_domain>
        <dns_server1>10.0.0.19</dns_server1>
        <dns_server2>10.0.0.20</dns_server2>
        <dns_server3></dns_server3>
        <dns_server4></dns_server4>
        <netbios_enable></netbios_enable>
        <netbios_ntype>0</netbios_ntype>
        <netbios_scope></netbios_scope>
        <no_tun_ipv6></no_tun_ipv6>
        <verbosity_level>1</verbosity_level>
      </openvpn-server>

      <openvpn-csc>
        <server_list>1</server_list>
        <custom_options></custom_options>
        <common_name>test.user</common_name>
        <block></block>
        <tunnel_network>192.168.11.8/30</tunnel_network>
        <local_network></local_network>
        <local_networkv6></local_networkv6>
        <remote_network></remote_network>
        <remote_networkv6></remote_networkv6>
        <gwredir></gwredir>
        <push_reset></push_reset>
        <netbios_enable></netbios_enable>
        <netbios_ntype>0</netbios_ntype>
      </openvpn-csc>
    </openvpn>

    Any ideas?

    Thanks,

    Andy



  • Nov 7 13:18:20 openvpn 94598 1.1.1.1:37295 TLS: Initial packet from [AF_INET]1.1.1.1:37295, sid=5939559f b350579f
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY SCRIPT OK: depth=1, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=test VPN
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=1, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=test VPN
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY SCRIPT OK: depth=0, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=testuser.gee
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=0, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=testuser.gee
    Nov 7 13:18:21 openvpn user 'testuser' authenticated
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 TLS: Username/Password authentication succeeded for username 'testuser' [CN SET]
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 [testuser] Peer Connection Initiated with [AF_INET]1.1.1.1:37295
    Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
    Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_b5d96f361bd2ea8c212edc0277d7a4ce.tmp
    Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI: Learn: 192.168.10.2 -> testuser/1.1.1.1:37295
    Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI: primary virtual IP for testuser/1.1.1.1:37295: 192.168.10.2
    Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 PUSH: Received control message: 'PUSH_REQUEST'
    Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 send_push_reply(): safe_cap=940
    Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 SENT CONTROL [testuser]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN test.com,dhcp-option DNS 10.0.0.19,dhcp-option DNS 10.0.0.20,route-gateway 192.168.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.10.2 255.255.254.0' (status=1)

    Looks like it is trying to read in the client specific options, but the user still isn't getting the static IP that is configured. In the CSO options I have the tunnel network set to 192.168.11.8/30; any problems with doing that?

    Thanks,

    Andy



  • I've got this working. In case someone else stumbles on this and has issues: my problem was that the username didn't match the certificate name.

    Andy
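The log lines in this thread contain everything needed to tell an applied override from an ignored one: whether an OPTIONS IMPORT line appeared, whether the "primary virtual IP" is still the pool address, what ifconfig was actually pushed, and whether the certificate CN and the authenticated username agree. The script below is an added example, not code from the thread or from pfSense; it assumes the log format shown above, and its two sample sessions are constructed (the CSO file name is a placeholder), one modelled on the ignored-override log and one showing what the same client looks like once the /30 from the CSO is applied.

```python
import ipaddress
import re

# Constructed sample lines (not the thread's verbatim), modelled on the server
# log posted above: the CSO file is read, but the pool address is still the one
# pushed, and the certificate CN differs from the username.
IGNORED_CSO_LOG = """\
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=0, C=US, O=test, CN=testuser.gee
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 TLS: Username/Password authentication succeeded for username 'testuser' [CN SET]
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_EXAMPLE.tmp
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI: primary virtual IP for testuser/1.1.1.1:37295: 192.168.10.2
Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 SENT CONTROL [testuser]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route-gateway 192.168.10.1,topology subnet,ifconfig 192.168.10.2 255.255.254.0' (status=1)
"""

# Constructed: the same client once the names agree and the /30 override applies.
APPLIED_CSO_LOG = """\
Nov 7 14:02:10 openvpn 94598 1.1.1.1:40001 VERIFY OK: depth=0, C=US, O=test, CN=testuser
Nov 7 14:02:10 openvpn 94598 1.1.1.1:40001 TLS: Username/Password authentication succeeded for username 'testuser' [CN SET]
Nov 7 14:02:10 openvpn 94598 testuser/1.1.1.1:40001 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
Nov 7 14:02:10 openvpn 94598 testuser/1.1.1.1:40001 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_EXAMPLE.tmp
Nov 7 14:02:10 openvpn 94598 testuser/1.1.1.1:40001 MULTI: primary virtual IP for testuser/1.1.1.1:40001: 192.168.11.10
Nov 7 14:02:12 openvpn 94598 testuser/1.1.1.1:40001 SENT CONTROL [testuser]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route-gateway 192.168.11.9,topology subnet,ifconfig 192.168.11.10 255.255.255.252' (status=1)
"""

# "Mon D HH:MM:SS openvpn [pid] [username/]peer message"; pre-auth lines carry only the peer.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+ openvpn (?:\d+ )?"
    r"(?:(?P<user>[^/\s]+)/)?(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)
CERT_CN_RE = re.compile(r"VERIFY OK: depth=0, .*CN=(.+)$")
USERNAME_RE = re.compile(r"authentication succeeded for username '([^']+)'")
POOL_RE = re.compile(r"pool returned IPv4=([\d.]+)")
IMPORT_RE = re.compile(r"OPTIONS IMPORT: reading client specific options from: (\S+)")
PRIMARY_RE = re.compile(r"primary virtual IP for \S+: ([\d.]+)$")
IFCONFIG_RE = re.compile(r"PUSH_REPLY.*\bifconfig ([\d.]+) ([\d.]+)")


def parse_sessions(log_text):
    """Group log lines by peer address and pull out the facts that matter for a CSO."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["peer"], {
            "peer": m["peer"], "username": None, "cert_cn": None, "pool_ip": None,
            "cso_file": None, "primary_ip": None, "pushed_ifconfig": None,
        })
        msg = m["msg"]
        for key, rx in (("cert_cn", CERT_CN_RE), ("username", USERNAME_RE),
                        ("pool_ip", POOL_RE), ("cso_file", IMPORT_RE),
                        ("primary_ip", PRIMARY_RE)):
            hit = rx.search(msg)
            if hit:
                s[key] = hit[1]
        hit = IFCONFIG_RE.search(msg)
        if hit:
            s["pushed_ifconfig"] = (hit[1], hit[2])
    return list(sessions.values())


def check_override(session, cso_tunnel_network):
    """Did the client land inside the CSO's tunnel network, or stay on its pool address?"""
    net = ipaddress.ip_network(cso_tunnel_network, strict=False)
    primary = session["primary_ip"]
    return {
        # The CSO file being read is necessary but, as the thread shows, not sufficient.
        "cso_read": session["cso_file"] is not None,
        # The thread's fix: the authenticated username has to match the certificate CN.
        "names_agree": session["username"] is not None
                       and session["username"] == session["cert_cn"],
        "primary_ip": primary,
        "in_override": primary is not None and ipaddress.ip_address(primary) in net,
        "fell_back_to_pool": primary is not None and primary == session["pool_ip"],
        "pushed_ifconfig": session["pushed_ifconfig"],
    }


if __name__ == "__main__":
    for label, text in (("ignored", IGNORED_CSO_LOG), ("applied", APPLIED_CSO_LOG)):
        for s in parse_sessions(text):
            print(label, s["peer"], check_override(s, "192.168.11.8/30"))
```

Run it against a real server log with `--verb 3` or higher and the CSO's tunnel network: a session that reports `cso_read` true but `fell_back_to_pool` true and `names_agree` false is the exact pattern this thread hit, and the pushed `ifconfig` tells you what the client was actually given regardless of what the override intended.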

