Multiple clients range overlap?



  • I've set up 4 clients so far and I am trying to fix their virtual network range to a unique /30 per client.

    However, openvpn (or pfsense) seems to ignore "IPv4 Tunnel Network" setting. I set one to 10.4.0.0/30 (tried /24 too) but it comes up with 10.6.0.1 or 10.14.0.1 after reboots or restarts.

    The problem is this:

    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.1.1        UGS         re0
    10.4.0.0/16        10.4.0.1           UGS      ovpnc2
    10.4.0.1           link#8             UH       ovpnc2
    10.4.27.248        link#8             UHS         lo0
    10.6.0.0/16        10.6.0.1           UGS      ovpnc1
    10.6.0.1           link#7             UH       ovpnc1
    10.6.0.26          link#7             UHS         lo0
    10.26.13.0/24      link#2             U           re1
    10.26.13.254       link#2             UHS         lo0
    10.30.0.0/16       10.30.0.1          UGS      ovpnc4
    10.30.0.1          link#10            UH       ovpnc4
    10.30.0.79         link#10            UHS         lo0
    10.30.0.109        link#9             UHS         lo0
    127.0.0.1          link#4             UH          lo0
    192.168.1.0/24     link#1             U           re0
    192.168.1.254      link#1             UHS         lo0
    

    One client has 10.30.0.79, the other got 10.30.0.109. Instead of configuring /30 nets (as specified in the topology setting), it does a /16 for 10.30.0.0 with a gateway to 10.30.0.1. So now the gateway for both clients is set to link#10. The client on 10.30.0.109 will never get traffic as it will go to 10.30.0.79. We see ovpnc1, 2 and 4 in the column netif, but not 3. In the IPv6 list all 4 are there.

    Unless of course I completely misunderstand how this works, which I admit is not completely impossible ::). If it's not too much to ask, please explain how that works if I got it wrong.

    Anyway, I'd prefer to get the same range for each tunnel (I need to set the DNS server to the gateway address, but if that keeps changing I end up with an unreachable DNS server. I'd also like to use the gateway address in gateway monitoring).

    So is there a way to set each client with its own fixed /30 network?

    Thanks in advance!
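The overlap described in this post can be checked mechanically rather than by eye. The following Python script is an added example, not something posted in this thread: it parses the FreeBSD-style routing table quoted above (embedded here as constructed sample input copied from the post) and flags every tunnel network route that is wider than the expected isolated /30, or under which the firewall's own addresses (the UHS entries on lo0) belong to more than one link index, which is exactly the case where two tunnels share one network route and only one of them can receive return traffic. The `ovpnc` interface prefix and the link#N to interface mapping are taken from the table itself; nothing about pfSense internals is assumed.

```python
import ipaddress

# Constructed sample input: the IPv4 routing table quoted in the post above
# (FreeBSD "netstat -rn" layout: Destination Gateway Flags Netif Expire).
ROUTING_TABLE = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         re0
10.4.0.0/16        10.4.0.1           UGS      ovpnc2
10.4.0.1           link#8             UH       ovpnc2
10.4.27.248        link#8             UHS         lo0
10.6.0.0/16        10.6.0.1           UGS      ovpnc1
10.6.0.1           link#7             UH       ovpnc1
10.6.0.26          link#7             UHS         lo0
10.26.13.0/24      link#2             U           re1
10.26.13.254       link#2             UHS         lo0
10.30.0.0/16       10.30.0.1          UGS      ovpnc4
10.30.0.1          link#10            UH       ovpnc4
10.30.0.79         link#10            UHS         lo0
10.30.0.109        link#9             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.1.0/24     link#1             U           re0
192.168.1.254      link#1             UHS         lo0
"""

EXPECTED_PREFIX = 30  # "Isolated /30 network per client" topology


def parse_routes(text):
    """Turn the table into dicts; the header line and anything too short is skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gw, flags, netif = parts[:4]
        routes.append({"dest": dest, "gw": gw, "flags": flags, "netif": netif})
    return routes


def link_to_netif(routes):
    """Map 'link#N' to an interface name using entries bound to a real interface."""
    mapping = {}
    for r in routes:
        if r["gw"].startswith("link#") and r["netif"] != "lo0":
            mapping[r["gw"]] = r["netif"]
    return mapping


def local_addresses(routes):
    """The firewall's own addresses: host routes (H flag) that land on lo0 via link#N."""
    local = {}
    for r in routes:
        if r["netif"] == "lo0" and "H" in r["flags"] and r["gw"].startswith("link#"):
            try:
                local[ipaddress.ip_address(r["dest"])] = r["gw"]
            except ValueError:
                continue  # not a plain address
    return local


def audit_tunnel_routes(text, tunnel_prefix="ovpnc", expected_prefix=EXPECTED_PREFIX):
    """Report tunnel network routes that are wider than expected or that cover local
    addresses bound to more than one link (two tunnels sharing one network route)."""
    routes = parse_routes(text)
    names = link_to_netif(routes)
    local = local_addresses(routes)
    findings = []
    for r in routes:
        if "/" not in r["dest"] or not r["netif"].startswith(tunnel_prefix):
            continue
        net = ipaddress.ip_network(r["dest"], strict=False)
        inside = {addr: link for addr, link in local.items() if addr in net}
        finding = {
            "network": str(net),
            "via": r["netif"],
            "addresses": {str(a): names.get(l, l) for a, l in sorted(inside.items())},
            "problems": [],
        }
        if net.prefixlen < expected_prefix:
            finding["problems"].append(f"wider than /{expected_prefix}")
        if len(set(inside.values())) > 1:
            finding["problems"].append("local addresses of several tunnels share one route")
        if finding["problems"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_tunnel_routes(ROUTING_TABLE):
        print(f["network"], "via", f["via"], f["addresses"], "->", "; ".join(f["problems"]))
```

Run against the table from the post, all three tunnel routes are reported as /16 instead of /30, and 10.30.0.0/16 is additionally reported as shared: 10.30.0.79 is bound to link#10 (ovpnc4) while 10.30.0.109 is bound to link#9, an interface that has no entry of its own in the IPv4 table, so the script can only name it by its link index.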


  • Netgate

    Yeah set different /30 tunnel networks.

    OpenVPN is obviously getting those /16 from somewhere.

    Post what you have done not what you think you have done.



  • I thought that's what I did  ;) ;D

    Well, I configured 5 clients, all the same way on different ports. I got the config in a window next to me and double checked each one.

    Device mode is layer 3 tunnel mode.
    Topology Isolated /30 network per client.
    Don't pull routes is enabled.
    Don't add/remove routes is disabled (left as default).

    If you need any more settings or have me paste the complete config from a file let me know.

    IPv4 Tunnel Network has been set for each client to a unique range:
    10.4.0.0/30
    10.6.0.0/30
    10.8.0.0/30
    10.10.0.0/30
    10.12.0.0/30

    I've rebooted the firewall too. Today, it's even crazier: I've got only 1 and 3 working. I've included the IPv6 table so you can see that it is getting 5 unique ranges. As you can see, none of the ranges I defined in the OpenVPN client configs are being used.

    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.1.1        UGS         re0
    10.14.0.0/16       10.14.0.1          UGS      ovpnc1
    10.14.0.1          link#7             UH       ovpnc1
    10.14.0.147        link#7             UHS         lo0
    10.14.1.135        link#8             UHS         lo0
    10.26.13.0/24      link#2             U           re1
    10.26.13.254       link#2             UHS         lo0
    10.30.0.0/16       10.30.0.1          UGS      ovpnc3
    10.30.0.1          link#9             UH       ovpnc3
    10.30.0.104        link#11            UHS         lo0
    10.30.0.205        link#10            UHS         lo0
    10.30.1.2          link#9             UHS         lo0
    127.0.0.1          link#4             UH          lo0
    192.168.1.0/24     link#1             U           re0
    192.168.1.254      link#1             UHS         lo0
    
    Internet6:
    Destination                       Gateway                       Flags     Netif Expire
    ::1                               link#4                        UH          lo0
    fde6:7a:7d20:14::/64              link#7                        U        ovpnc1
    fde6:7a:7d20:14::1091             link#7                        UHS         lo0
    fde6:7a:7d20:14::1185             link#8                        UHS         lo0
    fe80::%re0/64                     link#1                        U           re0
    fe80::201:2eff:fe78:4f4%re0       link#1                        UHS         lo0
    fe80::%re1/64                     link#2                        U           re1
    fe80::201:2eff:fe78:4f5%re1       link#2                        UHS         lo0
    fe80::%lo0/64                     link#4                        U           lo0
    fe80::1%lo0                       link#4                        UHS         lo0
    fe80::%ovpnc1/64                  link#7                        U        ovpnc1
    fe80::201:2eff:fe78:4f4%ovpnc1    link#7                        UHS         lo0
    fe80::%ovpnc2/64                  link#8                        U        ovpnc2
    fe80::201:2eff:fe78:4f4%ovpnc2    link#8                        UHS         lo0
    fe80::%ovpnc3/64                  link#9                        U        ovpnc3
    fe80::201:2eff:fe78:4f4%ovpnc3    link#9                        UHS         lo0
    fe80::%ovpnc4/64                  link#10                       U        ovpnc4
    fe80::201:2eff:fe78:4f4%ovpnc4    link#10                       UHS         lo0
    fe80::%ovpnc5/64                  link#11                       U        ovpnc5
    fe80::201:2eff:fe78:4f4%ovpnc5    link#11                       UHS         lo0
    

    When I check the config files, it did actually write my settings to them:

    /var/etc/openvpn: grep ifconfig *.conf
    client1.conf:ifconfig 10.4.0.2 10.4.0.1
    client2.conf:ifconfig 10.6.0.2 10.6.0.1
    client3.conf:ifconfig 10.8.0.2 10.8.0.1
    client4.conf:ifconfig 10.10.0.2 10.10.0.1
    client5.conf:ifconfig 10.12.0.2 10.12.0.1
    

    What else can I check? Any ideas what might be wrong here that prevents openvpn from using the network specified?

    Thanks!



  • I've enabled extra logging for OpenVPN and been going through the logs to find out more.

    Here's what I see in the logs: it does actually use my configured network, but it is ignoring the 'don't pull routes' setting.

    May 21 09:15:26 pfsense openvpn[63464]:   topology = 1
    May 21 09:15:26 pfsense openvpn[63464]:   ifconfig_local = '10.4.0.2'
    May 21 09:15:26 pfsense openvpn[63464]:   ifconfig_remote_netmask = '10.4.0.1'
    May 21 09:15:26 pfsense openvpn[63464]:   ifconfig_noexec = DISABLED
    May 21 09:15:26 pfsense openvpn[63464]:   ifconfig_nowarn = DISABLED
    ...
    May 21 09:15:26 pfsense openvpn[63466]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    ...
    May 21 09:15:27 pfsense openvpn[63466]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.6.0.1,comp-lzo no,route-gateway 10.6.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.6.0.33 255.255.0.0'
    May 21 09:15:27 pfsense openvpn[63466]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    May 21 09:15:27 pfsense openvpn[63466]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: timers and/or timeouts modified
    May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: compression parms modified
    May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: --ifconfig/up options modified
    May 21 09:15:27 pfsense openvpn[63466]: OPTIONS IMPORT: route-related options modified
    May 21 09:15:27 pfsense openvpn[63466]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:406 ET:0 EL:3 ]
    May 21 09:15:27 pfsense openvpn[63466]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    May 21 09:15:27 pfsense openvpn[63466]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    May 21 09:15:27 pfsense openvpn[63466]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    May 21 09:15:27 pfsense openvpn[63466]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    May 21 09:15:27 pfsense openvpn[63466]: TUN/TAP device ovpnc1 exists previously, keep at program end
    May 21 09:15:27 pfsense openvpn[63466]: TUN/TAP device /dev/tun1 opened
    May 21 09:15:27 pfsense openvpn[63466]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    May 21 09:15:27 pfsense openvpn[63466]: /sbin/ifconfig ovpnc1 10.6.0.33 10.6.0.1 mtu 1500 netmask 255.255.0.0 up
    May 21 09:15:27 pfsense openvpn[63466]: /sbin/route add -net 10.6.0.0 10.6.0.1 255.255.0.0
    May 21 09:15:28 pfsense openvpn[63466]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.6.0.33 255.255.0.0 init
    May 21 09:15:28 pfsense openvpn[63466]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    May 21 09:15:28 pfsense openvpn[63466]: Initialization Sequence Completed
    

    So it warns about using the settings together and ignores the ifconfig setting.

    If this is my problem, how can I fix that? In the config I do have the options 'client' and 'route-nopull'.

    Thanks again! Appreciate the help.
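The log lines above can be read the other way round: the two "cannot be used in this context" errors are the pushed options that route-nopull refused, while "--ifconfig/up options modified" is the pushed ifconfig being accepted on top of the local one. The script below is an added example, not from this thread or from OpenVPN's source; it is a simplified model built from the manual's description of --route-nopull ("accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp options like DNS servers") and of --pull-filter ignore (an OpenVPN 2.4 and later option that drops pushed options by prefix match; whether the OpenVPN build behind this pfSense install has it is not stated on the page). It parses the PUSH_REPLY quoted from the log (embedded as constructed sample input) and shows which tunnel address ends up in effect under each filter.

```python
# Constructed sample input: the PUSH_REPLY quoted from the log above.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.6.0.1,"
              "comp-lzo no,route-gateway 10.6.0.1,topology subnet,ping 10,"
              "ping-restart 60,ifconfig 10.6.0.33 255.255.0.0")

# Simplified model of --route-nopull, taken from the manual's wording (assumption: this
# set approximates OpenVPN's route and DHCP option classes, it is not the real list).
# Note what is NOT in the set: ifconfig, route-gateway and topology stay accepted.
ROUTE_NOPULL_BLOCKS = {
    "route", "route-ipv6", "redirect-gateway", "dhcp-option", "block-outside-dns",
}


def parse_push_reply(message):
    """Split a PUSH_REPLY control message into (option, argument) pairs."""
    body = message.partition(",")[2] if message.startswith("PUSH_REPLY") else message
    options = []
    for item in body.split(","):
        item = item.strip()
        if item:
            name, _, arg = item.partition(" ")
            options.append((name, arg))
    return options


def apply_pull_filters(options, route_nopull=False, ignore_prefixes=()):
    """Decide which pushed options survive. ignore_prefixes models
    '--pull-filter ignore "<text>"', a prefix match on the pushed option text."""
    accepted, dropped = [], []
    for name, arg in options:
        text = f"{name} {arg}".strip()
        if route_nopull and name in ROUTE_NOPULL_BLOCKS:
            dropped.append((text, "route-nopull"))
        elif any(text.startswith(p) for p in ignore_prefixes):
            dropped.append((text, "pull-filter ignore"))
        else:
            accepted.append(text)
    return accepted, dropped


def effective_ifconfig(local_ifconfig, accepted):
    """A pushed ifconfig replaces the one from the client config (the log's
    'OPTIONS IMPORT: --ifconfig/up options modified'); otherwise the local one stands."""
    for text in accepted:
        if text.startswith("ifconfig "):
            return text
    return local_ifconfig


if __name__ == "__main__":
    local = "ifconfig 10.4.0.2 10.4.0.1"   # from client1.conf in the post above
    opts = parse_push_reply(PUSH_REPLY)
    scenarios = (
        ("route-nopull only", {"route_nopull": True}),
        ("route-nopull + pull-filter ignore ifconfig",
         {"route_nopull": True, "ignore_prefixes": ("ifconfig ",)}),
    )
    for label, kwargs in scenarios:
        acc, drop = apply_pull_filters(opts, **kwargs)
        print(label)
        for text, why in drop:
            print("  dropped by", why + ":", text)
        print("  tunnel address in effect:", effective_ifconfig(local, acc))
```

With route-nopull alone, redirect-gateway and dhcp-option are dropped, matching the two Options error lines in the log, and the pushed `ifconfig 10.6.0.33 255.255.0.0` still wins over the local /30. Ignoring the pushed ifconfig keeps the local address on paper only: in topology subnet the server assigns the client's address from its own pool and routes to that address, so a client that keeps a self-chosen address has no working path back from the server. The model is useful for explaining which side set the address, not as a workaround.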


  • Netgate

    Post screenshots of your OpenVPN config on two sides of one of the problematic connections.

    You obviously have those /16s in there somewhere? Local Networks? Remote Networks?



  • re0 is connected to my router LAN2 with a fixed IP 192.168.1.254/24 and a default gateway of 192.168.1.1.
    re1 is connected to a switch on the internal network with a fixed IP 10.26.13.254/24, no gateway configured.
    The internet router has its LAN1 connected to the switch as 10.26.13.1/24 which is the default gateway for the LAN.

    For now, the router is providing DHCP with itself as DNS and gateway for the clients. I have configured my own pc with a fixed IP, gateway and DNS set to pfsense, 10.26.13.254 to test. Once pfsense is happy, it will take over DHCP and provide internet access for all clients.

    (removed redundant attachments) Attached are all configs from all clients. Not sure why you're not asking to simply post the text from config files though but here it is.

    Maybe you're a step ahead of me but (respectfully), I feel you are ignoring the log messages and info I provided. There's a warning there that states why it is ignoring my ifconfig settings, and it shows it is applying the pull from the server and ignoring the route-nopull.

    In any case, thanks for the help! I do appreciate it.



  • Netgate

    That doesn't give me what I asked for. Looking for the complete OpenVPN for BOTH SIDES of ONE AND ONLY ONE connection that is malfunctioning. Please keep it to one connection. Zero reason to look at them all if they are all doing the same thing.

    /sbin/route add -net 10.6.0.0 10.6.0.1 255.255.0.0

    You need to figure out where that is coming from. It's coming from someplace. That is 10.6.0.0/16, not anything to do with any /30s.

    I also have no idea why you are messing about with all of those custom options.

    Are you connecting to your own server or some provider?

    May 21 09:15:27 pfsense openvpn[63466]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.6.0.1,comp-lzo no,route-gateway 10.6.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.6.0.33 255.255.0.0'

    Looks like it's getting the /16 from the server.



  • Sorry, I misunderstood what you were asking for. I don't have access to the server side. I am connecting to the AirVPN pool of servers. If what you're asking for is something I can provide, can you please be more specific?

    And yes, it is getting the /16 from the server but it should ignore that when I configure "IPv4 Tunnel Network" right?

    Concerning the custom options, I am following the guide on airvpn servers and simply copied that from the guide. Some are deprecated or redundant, I know. I'll clean that up at some point. I don't think any of those cause the problem I am having.

    ps. the guide is here:
    https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/


  • Netgate

    No. In SSL/TLS mode they push the tunnel network to you. You pretty much have to do what they think you should do.

    Maybe choose a VPN provider that doesn't do that.



  • Thanks again for the help. They allow 5 simultaneous client connections, but it's pretty useless this way unless you install and configure the client on different PCs.

    I've submitted a support request to AirVPN; hopefully they are willing to change this (got 3 months left on my sub) or maybe they can help fix it somehow.

    We'll see.

    Got one more Q about this if you don't mind. Is it possible to reconfigure the IP, gateway and route for each client connection from the pfSense terminal? I realize this would be temporary, but I could dump that in a script and manually run it after a reboot or something.


  • Netgate

    Probably possible, but you'd have to write a bunch of PHP to do it.

    They are pushing that anyway.

    Maybe you could configure 5 different clients to connect to 5 different AirVPN nodes.