    Netgate Discussion Forum
    OpenVPN: client-config-dir in server config missing if tunnel network is not set

    • H
      hik last edited by hik

      I have migrated an existing OpenVPN tls-server instance to pfSense. The server's IP address has to be the last IP in the network, i.e., 10.8.1.254/24 and I use client-specific configuration options.

      pfSense's "IPv4 Tunnel Network" option does not allow a specific IP but only a network. However, 10.8.1.0/24 will take the first address of the given network for the server which is 10.8.1.1 (according to OpenVPN man page).

      Therefore, I have to leave this entry empty and I use the custom options ifconfig 10.8.1.254 255.255.255.0 and mode server.

      However, if "Tunnel Network" is empty, the option client-config-dir will be omitted in the server configuration file. As a workaround, I manually set client-config-dir /var/etc/openvpn/server4/csc with the absolute path, which is a little bit cumbersome.

      This seems to be a bug because client-config-dir should always be set when OpenVPN is in server mode.

      • JKnott
        JKnott @hik last edited by

        @hik

        Why does the server have to be the last address?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • H
          hik @JKnott last edited by

          @jknott I have a productive environment with external networks 10.5.x.0/24 with x=1..253.

          For a network 10.5.x.0/24, the corresponding external VPN client uses a tunnel IP 10.8.1.x/24:

          • E.g., the VPN client for the external network 10.5.1.0/24 has a TAP interface with 10.8.1.1/24,
          • the external network 10.5.2.0/24 has a TAP interface with 10.8.1.2/24
          • and so on.

          10.8.1.x with x=1..253 is reserved for external networks. For my setup the VPN server uses the last available IP 10.8.1.254 for the tunnel network because the first one is already in use.

          OpenVPN's --server directive simplifies the setup and sets the server IP to .1. However, there is no reason that it has to be the first available IP and not to use a custom setup.

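Added example (not part of the thread, and not pfSense or OpenVPN code): a small Python check that a generated server config still carries client-config-dir when it runs in server mode, which is the condition the first post describes. The sample configs are constructed from the options quoted in that post, and the function names are hypothetical.

```python
import posixpath
import shlex

def parse_directives(text):
    """Return {directive: [args, ...]} for an OpenVPN config (comments skipped)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;<":   # comments and inline <tag> markers
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            found.setdefault(tokens[0].lstrip("-"), []).append(tokens[1:])
    return found

def audit_server_config(text):
    """Return findings about client-config-dir; an empty list means no issue."""
    d = parse_directives(text)
    server_mode = ("server" in d or "server-bridge" in d
                   or ["server"] in d.get("mode", []))
    if not server_mode:
        return []
    findings = []
    ccd = d.get("client-config-dir")
    if not ccd:
        findings.append("server mode but no client-config-dir: "
                        "client-specific files are never read")
    elif not ccd[-1] or not posixpath.isabs(ccd[-1][0]):
        findings.append("client-config-dir is relative: it resolves against "
                        "the daemon's working directory")
    return findings

# Constructed sample: empty tunnel network plus the custom options from the post.
WITHOUT_CCD = """\
dev tap
tls-server
mode server
ifconfig 10.8.1.254 255.255.255.0
"""
# Same config with the poster's manual workaround appended.
WITH_CCD = WITHOUT_CCD + "client-config-dir /var/etc/openvpn/server4/csc\n"

if __name__ == "__main__":
    for label, cfg in (("without", WITHOUT_CCD), ("with", WITH_CCD)):
        print(label, audit_server_config(cfg) or "ok")
```

Running it against the config file that pfSense writes for the instance after each GUI change shows whether the client-specific overrides are still being loaded.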