Netgate Discussion Forum

    Client Specific Overrides - assign static ips

    geewhz01

      I'm trying to give users a /30 static. When I connect with the user, though, OpenVPN seems to be ignoring the CSOs.

      I don't see any indication in the log that there is a CSO; should it normally show?

      Nov 7 10:47:37 openvpn user 'testuser' authenticated
      Nov 7 10:47:37 openvpn 36076 [testuser] Peer Connection Initiated with [AF_INET]:5834
      Nov 7 10:47:37 openvpn 36076 testuser/:5834 MULTI_sva: pool returned IPv4=192.168.10.6, IPv6=(Not enabled)
      Nov 7 10:47:39 openvpn 36076 testuser/:5834 send_push_reply(): safe_cap=940
      Nov 7 10:50:53 openvpn 36076 testuser/:5834 [andygee] Inactivity timeout (--ping-restart), restarting

      I've posted the OpenVPN config as well as the CSO below.

      <openvpn>
        <openvpn-server>
          <vpnid>1</vpnid>
          <mode>server_tls_user</mode>
          <authmode>Local Database</authmode>
          <protocol>UDP</protocol>
          <dev_mode>tun</dev_mode>
          <ipaddr></ipaddr>
          <interface>wan</interface>
          <local_port>1194</local_port>
          <custom_options></custom_options>
          <tls>mMmNiM2JkYWFiMjU2ZGZmNTRkYzI4YWQwMmMzZWEzDQotLS0tLUVORCBPcGVuVlBOIFN0YXRpYyBrZXkgVjEtLS0tLQ0K</tls>
          <caref>5995d3c107301</caref>
          <crlref></crlref>
          <certref>5995d3c1975c3</certref>
          <dh_length>2048</dh_length>
          <cert_depth>1</cert_depth>
          <strictusercn></strictusercn>
          <crypto>AES-256-CBC</crypto>
          <digest>SHA1</digest>
          <engine>none</engine>
          <tunnel_network>192.168.10.0/23</tunnel_network>
          <tunnel_networkv6></tunnel_networkv6>
          <remote_network></remote_network>
          <remote_networkv6></remote_networkv6>
          <gwredir></gwredir>
          <local_network>10.0.0.0/8</local_network>
          <local_networkv6></local_networkv6>
          <maxclients>10</maxclients>
          <compression></compression>
          <passtos></passtos>
          <client2client>yes</client2client>
          <dynamic_ip>yes</dynamic_ip>
          <pool_enable>yes</pool_enable>
          <topology>net30</topology>
          <serverbridge_dhcp></serverbridge_dhcp>
          <serverbridge_interface>none</serverbridge_interface>
          <serverbridge_dhcp_start></serverbridge_dhcp_start>
          <serverbridge_dhcp_end></serverbridge_dhcp_end>
          <dns_domain>test.com</dns_domain>
          <dns_server1>10.0.0.19</dns_server1>
          <dns_server2>10.0.0.20</dns_server2>
          <dns_server3></dns_server3>
          <dns_server4></dns_server4>
          <netbios_enable></netbios_enable>
          <netbios_ntype>0</netbios_ntype>
          <netbios_scope></netbios_scope>
          <no_tun_ipv6></no_tun_ipv6>
          <verbosity_level>1</verbosity_level>
        </openvpn-server>

        <openvpn-csc>
          <server_list>1</server_list>
          <custom_options></custom_options>
          <common_name>test.user</common_name>
          <block></block>
          <tunnel_network>192.168.11.8/30</tunnel_network>
          <local_network></local_network>
          <local_networkv6></local_networkv6>
          <remote_network></remote_network>
          <remote_networkv6></remote_networkv6>
          <gwredir></gwredir>
          <push_reset></push_reset>
          <netbios_enable></netbios_enable>
          <netbios_ntype>0</netbios_ntype>
        </openvpn-csc>
      </openvpn>

      Any ideas?

      Thanks,

      Andy

      geewhz01

        Nov 7 13:18:20 openvpn 94598 1.1.1.1:37295 TLS: Initial packet from [AF_INET]1.1.1.1:37295, sid=5939559f b350579f
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY SCRIPT OK: depth=1, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=test VPN
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=1, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=test VPN
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY SCRIPT OK: depth=0, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=testuser.gee
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=0, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=testuser.gee
        Nov 7 13:18:21 openvpn user 'testuser' authenticated
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 TLS: Username/Password authentication succeeded for username 'testuser' [CN SET]
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
        Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 [testuser] Peer Connection Initiated with [AF_INET]1.1.1.1:37295
        Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
        Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_b5d96f361bd2ea8c212edc0277d7a4ce.tmp
        Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI: Learn: 192.168.10.2 -> testuser/1.1.1.1:37295
        Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI: primary virtual IP for testuser/1.1.1.1:37295: 192.168.10.2
        Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 PUSH: Received control message: 'PUSH_REQUEST'
        Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 send_push_reply(): safe_cap=940
        Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 SENT CONTROL [testuser]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN test.com,dhcp-option DNS 10.0.0.19,dhcp-option DNS 10.0.0.20,route-gateway 192.168.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.10.2 255.255.254.0' (status=1)

        Looks like it is trying to read in the client-specific options, but the user still isn't getting the static IP that is configured. In the CSO options I have the tunnel network set to 192.168.11.8/30; are there any problems with doing that?

        Thanks,

        Andy

        geewhz01

          I've got this working. In case someone else stumbles on this and has issues: my problem was that the username didn't match the certificate name.

          Andy

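The resolution above (the CSO's common_name has to equal the name OpenVPN verifies on the client certificate) can be checked mechanically rather than by eye. What follows is an added example, not code from this thread or from pfSense: a Python script that parses a pfSense-style <openvpn> fragment (constructed here to mirror the one posted above) together with OpenVPN server log lines (also constructed, modelled on the second post), pulls out the depth=0 certificate CN, the authenticated username and the address that was actually pushed, and reports why the client ended up with a pool address instead of its /30. The function names are the example's own. The net30 address pairing (server endpoint at base+1, client at base+2) is OpenVPN's standard /30 convention; the subnet-topology branch of expected_ifconfig_push is an assumption about what pfSense generates, not verified behaviour.

```python
"""Cross-check a pfSense OpenVPN Client Specific Override (CSO) against the
server log.  OpenVPN picks the client-config-dir entry by the X.509 common
name it verified on the client certificate (or by the username when
username-as-common-name is in effect), so a CSO whose common_name does not
equal that CN is never applied and the client falls back to the address pool.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's config: the CSO is named "test.user".
PFSENSE_XML = """<openvpn>
  <openvpn-server>
    <vpnid>1</vpnid>
    <tunnel_network>192.168.10.0/23</tunnel_network>
    <topology>net30</topology>
  </openvpn-server>
  <openvpn-csc>
    <server_list>1</server_list>
    <common_name>test.user</common_name>
    <tunnel_network>192.168.11.8/30</tunnel_network>
  </openvpn-csc>
</openvpn>"""

# Constructed log lines modelled on the thread's second post.
SERVER_LOG = """\
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=1, C=US, O=test, CN=test VPN
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=0, C=US, O=test, CN=testuser.gee
Nov 7 13:18:21 openvpn user 'testuser' authenticated
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 SENT CONTROL [testuser]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,topology subnet,ifconfig 192.168.10.2 255.255.254.0' (status=1)
"""

CN_RE = re.compile(r"VERIFY OK: depth=0, .*?CN=([^,']+)")
USER_RE = re.compile(r"user '([^']+)' authenticated")
POOL_RE = re.compile(r"pool returned IPv4=([\d.]+)")
IFCONFIG_RE = re.compile(r"PUSH_REPLY,.*ifconfig ([\d.]+) ([\d.]+)")


def parse_log(text):
    """Extract the fields that decide which CSO (if any) OpenVPN will load."""
    seen = {"cn": None, "username": None, "pool_ip": None, "ifconfig": None}
    for line in text.splitlines():
        if m := CN_RE.search(line):
            seen["cn"] = m.group(1).strip()      # CN of the leaf (depth=0) certificate
        elif m := USER_RE.search(line):
            seen["username"] = m.group(1)        # name accepted by auth-user-pass
        elif m := POOL_RE.search(line):
            seen["pool_ip"] = m.group(1)         # dynamic address handed out by the pool
        elif m := IFCONFIG_RE.search(line):
            seen["ifconfig"] = (m.group(1), m.group(2))  # address actually pushed
    return seen


def expected_ifconfig_push(cso_network, topology, server_network):
    """Turn a CSO tunnel_network into the ifconfig-push line it should produce.

    net30 follows OpenVPN's standard /30-per-client layout: server endpoint at
    base+1, client at base+2.  The subnet branch (same client address with the
    server tunnel mask) is this example's assumption, not verified pfSense code.
    """
    base = int(ipaddress.ip_network(cso_network, strict=False).network_address)
    server_ep = ipaddress.ip_address(base + 1)
    client = ipaddress.ip_address(base + 2)
    if topology == "net30":
        return f"ifconfig-push {client} {server_ep}"
    mask = ipaddress.ip_network(server_network, strict=False).netmask
    return f"ifconfig-push {client} {mask}"


def check_cso(xml_text, log_text):
    """Report why a client did (or did not) receive its CSO static address."""
    root = ET.fromstring(xml_text)
    server = root.find("openvpn-server")
    topology = server.findtext("topology")
    server_net = server.findtext("tunnel_network")
    csos = {c.findtext("common_name"): c.findtext("tunnel_network")
            for c in root.findall("openvpn-csc")}
    seen = parse_log(log_text)
    findings = []
    matched = seen["cn"] in csos          # lookup key is the verified certificate CN
    if not matched:
        findings.append(f"no CSO is named after the verified certificate CN "
                        f"{seen['cn']!r}; CSO names present: {sorted(csos)}")
        if seen["username"] in csos:
            findings.append("a CSO matches the username instead; OpenVPN keys on the "
                            "username only when username-as-common-name is enabled")
    if seen["ifconfig"] and seen["ifconfig"][0] == seen["pool_ip"]:
        findings.append(f"client received pool address {seen['pool_ip']}, "
                        "so no static ifconfig-push took effect")
    server_block = ipaddress.ip_network(server_net, strict=False)
    for name, net in csos.items():        # a /30 outside the tunnel network is unroutable
        if not ipaddress.ip_network(net, strict=False).subnet_of(server_block):
            findings.append(f"CSO {name!r} tunnel network {net} lies outside "
                            f"the server tunnel network {server_net}")
    expected = {name: expected_ifconfig_push(net, topology, server_net)
                for name, net in csos.items()}
    return {"cn": seen["cn"], "username": seen["username"],
            "cso_matched": matched, "expected_push": expected, "findings": findings}


if __name__ == "__main__":
    for finding in check_cso(PFSENSE_XML, SERVER_LOG)["findings"]:
        print("-", finding)
```

Run against the constructed sample it reports that no CSO is named "testuser.gee" and that the client received the pool address; renaming the CSO to the certificate CN makes the match succeed, and the expected line for 192.168.11.8/30 under net30 is `ifconfig-push 192.168.11.10 192.168.11.9`. The same check is worth keeping as a recurring audit: a CSO that silently fails to match is a client that keeps a pool address, and any firewall rules written for the static /30 then never apply to it.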