Client Specific Overrides - assign static ips

geewhz01 · Nov 7, 2017, 11:25 AM

I'm trying to give users a /30 static. When I connect with the user though openvpn seems to be ignoring the cso's.

I don't see any indication in the log that there is a cso, should it normally show?

Nov 7 10:47:37 openvpn user 'testuser' authenticated
Nov 7 10:47:37 openvpn 36076 [testuser] Peer Connection Initiated with [AF_INET]:5834
Nov 7 10:47:37 openvpn 36076 testuser/:5834 MULTI_sva: pool returned IPv4=192.168.10.6, IPv6=(Not enabled)
Nov 7 10:47:39 openvpn 36076 testuser/:5834 send_push_reply(): safe_cap=940
Nov 7 10:50:53 openvpn 36076 testuser/:5834 [andygee] Inactivity timeout (–ping-restart), restarting

I've posted the openvpn config as well as the cso below.

<openvpn>- <openvpn-server><vpnid>1</vpnid>
<mode>server_tls_user</mode>
<authmode>Local Database</authmode>
<protocol>UDP</protocol>
<dev_mode>tun</dev_mode>
<ipaddr><interface>wan</interface>
<local_port>1194</local_port>

<custom_options><tls>mMmNiM2JkYWFiMjU2ZGZmNTRkYzI4YWQwMmMzZWEzDQotLS0tLUVORCBPcGVuVlBOIFN0YXRpYyBrZXkgVjEtLS0tLQ0K</tls>
<caref>5995d3c107301</caref>
<crlref><certref>5995d3c1975c3</certref>
<dh_length>2048</dh_length>
<cert_depth>1</cert_depth>
<strictusercn><crypto>AES-256-CBC</crypto>
<digest>SHA1</digest>
<engine>none</engine>
<tunnel_network>192.168.10.0/23</tunnel_network>
<tunnel_networkv6><remote_network><remote_networkv6><gwredir><local_network>10.0.0.0/8</local_network>
<local_networkv6><maxclients>10</maxclients>
<compression><passtos><client2client>yes</client2client>
<dynamic_ip>yes</dynamic_ip>
<pool_enable>yes</pool_enable>
<topology>net30</topology>
<serverbridge_dhcp><serverbridge_interface>none</serverbridge_interface>
<serverbridge_dhcp_start><serverbridge_dhcp_end><dns_domain>test.com</dns_domain>
<dns_server1>10.0.0.19</dns_server1>
<dns_server2>10.0.0.20</dns_server2>
<dns_server3><dns_server4><netbios_enable><netbios_ntype>0</netbios_ntype>
<netbios_scope><no_tun_ipv6><verbosity_level>1</verbosity_level></no_tun_ipv6></netbios_scope></netbios_enable></dns_server4></dns_server3></serverbridge_dhcp_end></serverbridge_dhcp_start></serverbridge_dhcp></passtos></compression></local_networkv6></gwredir></remote_networkv6></remote_network></tunnel_networkv6></strictusercn></crlref></custom_options></ipaddr></openvpn-server>

<openvpn-csc><server_list>1</server_list>
<custom_options><common_name>test.user</common_name>
<block>-
<tunnel_network>192.168.11.8/30</tunnel_network>
<local_network><local_networkv6><remote_network><remote_networkv6><gwredir><push_reset><netbios_enable><netbios_ntype>0</netbios_ntype></netbios_enable></push_reset></gwredir></remote_networkv6></remote_network></local_networkv6></local_network></block></custom_options></openvpn-csc></openvpn>

Any ideas?

Thanks,

Andy

geewhz01 · Nov 7, 2017, 1:24 PM

Nov 7 13:18:20 openvpn 94598 1.1.1.1:37295 TLS: Initial packet from [AF_INET]1.1.1.1:37295, sid=5939559f b350579f
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY SCRIPT OK: depth=1, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=test VPN
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=1, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=test VPN
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY SCRIPT OK: depth=0, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=testuser.gee
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 VERIFY OK: depth=0, C=US, ST=GA, L=Atlanta, O=test, emailAddress=testuser@test.com, CN=testuser.gee
Nov 7 13:18:21 openvpn user 'testuser' authenticated
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 TLS: Username/Password authentication succeeded for username 'testuser' [CN SET]
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Nov 7 13:18:21 openvpn 94598 1.1.1.1:37295 [testuser] Peer Connection Initiated with [AF_INET]1.1.1.1:37295
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_b5d96f361bd2ea8c212edc0277d7a4ce.tmp
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI: Learn: 192.168.10.2 -> testuser/1.1.1.1:37295
Nov 7 13:18:21 openvpn 94598 testuser/1.1.1.1:37295 MULTI: primary virtual IP for testuser/1.1.1.1:37295: 192.168.10.2
Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 PUSH: Received control message: 'PUSH_REQUEST'
Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 send_push_reply(): safe_cap=940
Nov 7 13:18:23 openvpn 94598 testuser/1.1.1.1:37295 SENT CONTROL [testuser]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN test.com,dhcp-option DNS 10.0.0.19,dhcp-option DNS 10.0.0.20,route-gateway 192.168.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.10.2 255.255.254.0' (status=1)

Looks like it is trying to read in the client specific options but user still isn't getting static ip that is configured. In the cso options I have tunnel network set to 192.168.11.8/30, any problems with doing that?

Thanks,

Andy

geewhz01 · Nov 7, 2017, 1:35 PM

I've got this working, in case someone else stumbles on this and has issues my problem was that the username didn't match the certificate name.

Andy