Fixed IP Client



  • Hi,
    I need the OpenVPN client to always be assigned the same IP address, and I made the following configuration in "Client Specific Overrides -> Client Setting -> Advanced":
    ifconfig-push 10.0.2.1 10.0.2.2;

    But sometimes the VPN client has the 10.0.2.2 IP address and other times it gets 10.0.2.3.
    Am I wrong?
    Thanks.


  • LAYER 8 Rebel Alliance

    Use the CSO IPv4 Tunnel Network box instead of Advanced.
    E.g. if your OpenVPN RAS tunnel network is 10.0.2.0/24, put 10.0.2.11/24 in the CSO IPv4 Tunnel Network box.
    And make sure the CSO Common Name matches the User Certificate Name exactly.

    -Rico



  • Hi,
    I made the requested change but now I have an error when I try the client connection:

    Mon Feb 17 08:35:21 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Feb 17 08:35:21 2020 TLS Error: TLS handshake failed
    Mon Feb 17 08:35:21 2020 SIGUSR1[soft,tls-error] received, process restarting
    Mon Feb 17 08:35:26 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]167.x.x.x:1194

    and in VPN Status I have this:
    [error] Unable to contact daemon Service not running?

    Thanks.



  • I configured the tunnel again as:
    10.0.2.0/24
    and the link is now up.



  • I made a mistake because I had made the change in the general configuration and not in CSO.


  • LAYER 8 Rebel Alliance

    So everything is working now for you?

    -Rico



  • yes



  • @Rico unfortunately, after three days in which the IP address did not change, this morning it happened again: the client was assigned the address 10.0.2.3!
    Do I have to change any other parameters?
    Thanks.



  • Hi,
    What can I check to solve the problem?
    Thanks.


  • LAYER 8 Rebel Alliance

    Is your CSO present in the filesystem? Check /var/etc/openvpn-csc/<server>/<user>
    It should contain your client IP like this: ifconfig-push 10.20.30.40 255.255.255.0
    Crank up your OpenVPN RAS verbosity level and see what's happening there. Working CSO logs:

    user/1.2.3.4:1194 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/<server>/<user>
    user/1.2.3.4:1194 MULTI: Learn: 10.20.30.40 -> user/1.2.3.4:1194
    user/1.2.3.4:1194 MULTI: primary virtual IP for user/1.2.3.4:1194: 10.20.30.40 
    

    1.2.3.4 = external IP
    10.20.30.40 = user CSO (fixed IP)

    -Rico
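
Added example (not part of the thread, and not pfSense or OpenVPN code): a Python script that runs the check described in the post above over server log lines, reporting for each session whether a CSO was read and whether the assigned address equals the CSO's `ifconfig-push` address. The function names and the second client are constructed for illustration; it assumes common names contain no spaces or slashes.

```python
import re

# Line shapes follow the "working CSO" log lines quoted in the post above.
SESSION = r"(?P<cn>[^/\s]+)/(?P<peer>\S+)"
CSO_READ = re.compile(SESSION + r" OPTIONS IMPORT: reading client specific options from: \S+")
PRIMARY = re.compile(SESSION + r" MULTI: primary virtual IP for \S+: (?P<ip>[\d.]+)")
PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+\S+", re.M)

def fixed_ip(cso_text):
    """Return the address on the CSO file's ifconfig-push line, or None."""
    m = PUSH.search(cso_text)
    return m.group(1) if m else None

def audit(log_lines, cso_files):
    """cso_files maps CSO file name (common name) to content; returns (cn, ip, status) tuples."""
    imported, results = set(), []
    for line in log_lines:
        m = CSO_READ.search(line)
        if m:
            imported.add((m["cn"], m["peer"]))
            continue
        m = PRIMARY.search(line)
        if not m:
            continue
        cn, ip = m["cn"], m["ip"]
        if (cn, m["peer"]) not in imported:
            # No CSO was read for this session, so the address came from the pool.
            near = [n for n in cso_files if n.lower() == cn.lower() and n != cn]
            status = f"cso-not-read (name differs from {near[0]!r})" if near else "cso-not-read"
        elif fixed_ip(cso_files.get(cn, "")) != ip:
            status = "ip-mismatch"
        else:
            status = "ok"
        results.append((cn, ip, status))
    return results

# Constructed sample data; the first client reuses the placeholder values from the post.
CSO_FILES = {"user": "ifconfig-push 10.20.30.40 255.255.255.0\n",
             "Laptop": "ifconfig-push 10.20.30.41 255.255.255.0\n"}
LOG = [
    "user/1.2.3.4:1194 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/<server>/user",
    "user/1.2.3.4:1194 MULTI: Learn: 10.20.30.40 -> user/1.2.3.4:1194",
    "user/1.2.3.4:1194 MULTI: primary virtual IP for user/1.2.3.4:1194: 10.20.30.40",
    "laptop/198.51.100.7:51820 MULTI: primary virtual IP for laptop/198.51.100.7:51820: 10.20.30.2",
]

if __name__ == "__main__":
    for row in audit(LOG, CSO_FILES):
        print(*row)
```

A session reported as `cso-not-read` is the case where the common name sent by the client did not match any CSO file name exactly, which is why the second constructed client falls back to a pool address.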



  • Hi,
    I have checked in the directory indicated and I find these files (attached image).
    Sorry, I have not understood how I can carry out the required verification.

    In addition I also tried the parameter "IPv4 Tunnel Network" with:
    10.0.2.2/30

    but after two / three days the problem is still present.
    Thanks.


  • LAYER 8 Global Moderator

    Not sure what you're doing exactly... This is pretty straightforward..

    /30 is really too small to be honest for a tunnel network..

    Set your tunnel network to be something /24 that does not overlap your local or remote network (should be something uncommon)..

    You need to highlight which VPN server instance.
    Then set your client's common name - so this gets applied to the client you want.
    Then set the ifconfig-push for the IP you want to assign. Prob best to use an IP higher up in the tunnel so unlikely to have an overlap with other clients that might be connected.




  • Therefore in:
    tunnel settings -> IPv4 Tunnel Network
    I don't have to enter any value?
    Must the field be left blank?
    Thanks.


  • LAYER 8 Global Moderator

    Your tunnel network should be set up on your actual VPN instance. There would be no reason to enter it here, unless you're trying to use a different specific tunnel for this specific client.


  • LAYER 8 Rebel Alliance

    I always use the IPv4 Tunnel Network box for my CSOs, like jimp told me to do in one of his hangouts. ☺
    My Advanced box is empty.
    Never had any problems.

    -Rico


  • LAYER 8 Global Moderator

    Well depends if you want to use a specific tunnel for your client.. Or have them share the 1 tunnel network..


  • LAYER 8 Rebel Alliance

    Huh?
    My tunnel network is 10.1.10.0/24
    First CSO (via IPv4 Tunnel Network box) 10.1.10.11/24, second 10.1.10.12/24 and so on.

    -Rico


  • LAYER 8 Global Moderator

    Yeah that can work too... I just think it's simpler to call it out specific via push ;)


  • LAYER 8 Rebel Alliance

    Well the box does the very same I think. ☺

    -Rico



  • @johnpoz I followed the instructions but after a couple of days the problem is present again; the VPN client has been assigned the IP address:
    10.0.2.3

    How is it possible? Where am I wrong?
    Thanks.

