OpenVPN: client-config-dir in server config missing if tunnel network is not set
-
I have migrated an existing OpenVPN tls-server instance to pfSense. The server's IP address has to be the last IP in the network, i.e.,
10.8.1.254/24and I use client-specific configuration options.pfSense's "IPv4 Tunnel Network" option does not allow a specific IP but only a network. However,
10.8.1.0/24will take the first address of the given network for the server which is10.8.1.1(according to OpenVPN man page).Therefore, I have to leave this entry empty and I use the custom option
ifconfig 10.8.1.254 255.255.255.0andmode server.However, if "Tunnel Network" is empty option
client-config-dirwill be omitted in the server configuration file. As a workaround I manually setclient-config-dir /var/etc/openvpn/server4/cscwith the absolute path which is a little bit cumbersome.This seems to be a bug because
client-config-dirshould always be set when OpenVPN is in server mode. -
Why does the server have to be the last address?
-
@jknott I have a productive environment with external networks
10.5.x.0/24withx=1..253.For a network
10.5.x.0/24, the corresponding external VPN client uses a tunnel IP10.8.1.x/24:- E.g., the VPN client for the external network
10.5.1.0/24has a TAP interface with10.8.1.1/24, - the external network
10.5.2.0/24has a TAP interface with10.8.1.2/24 - and so on.
10.8.1.xwithx=1..253is reserved for external networks. For my setup the VPN server uses the last available IP10.8.1.254for the tunnel network because the first one is already in use.OpenVPNs'
--serverdirective simplifies the setup and sets the server IP to.1. However, there is no reason that it has to be the first available IP and not to use a custom setup. - E.g., the VPN client for the external network
