OpenVPN: client-config-dir in server config missing if tunnel network is not set

hik

I have migrated an existing OpenVPN tls-server instance to pfSense. The server's IP address has to be the last IP in the network, i.e., 10.8.1.254/24 and I use client-specific configuration options.

pfSense's "IPv4 Tunnel Network" option does not allow a specific IP but only a network. However, 10.8.1.0/24 will take the first address of the given network for the server which is 10.8.1.1 (according to OpenVPN man page).

Therefore, I have to leave this entry empty and I use the custom option ifconfig 10.8.1.254 255.255.255.0 and mode server.

However, if "Tunnel Network" is empty option client-config-dir will be omitted in the server configuration file. As a workaround I manually set client-config-dir /var/etc/openvpn/server4/csc with the absolute path which is a little bit cumbersome.

This seems to be a bug because client-config-dir should always be set when OpenVPN is in server mode.

JKnott

@hik

Why does the server have to be the last address?

hik

@jknott I have a productive environment with external networks 10.5.x.0/24 with x=1..253.

For a network 10.5.x.0/24, the corresponding external VPN client uses a tunnel IP 10.8.1.x/24:

• E.g., the VPN client for the external network 10.5.1.0/24 has a TAP interface with 10.8.1.1/24,
• the external network10.5.2.0/24 has a TAP interface with 10.8.1.2/24
• and so on.

10.8.1.x with x=1..253 is reserved for external networks. For my setup the VPN server uses the last available IP 10.8.1.254 for the tunnel network because the first one is already in use.

OpenVPNs' --server directive simplifies the setup and sets the server IP to .1. However, there is no reason that it has to be the first available IP and not to use a custom setup.