OpenVPN Client Specific Overrides not updated until server restarted
-
pfSense 2.4.4-RELEASE-p3 (amd64) built on Wed May 15 18:53:44 EDT 2019
FreeBSD 11.2-RELEASE-p10
I have an openvpn Remote Access (SSL/TLS) server that is working great.
Each client has a Client-specific override to assign an IP address and push some IPv4 Local Network/s. The clients are all running Ubuntu 20 and the openvpn service that comes with it - OpenVPN 2.4.7
I now want to remove the Local Network that is being pushed to each client.
- edit the override, delete the contents of the IPv4 Local Network/s field and save it
- edit it again to confirm the change has been saved.
- restart the vpn connection at the client end
I expect the new settings (i.e. no local network being pushed) to be applied but it is not.
It only applies the updated override if I restart the server. This disconnects all the other clients as well which I would prefer not to do.
I have tried updating the contents of the override to some other value, and even deletion/recreation but I always have to restart the vpn server to apply the new updates.
- Is this expected behaviour?
- Is there anything I can do to manually update something in the background?
- I realise it's old software, and it's on the timeline to update it, just not yet.
Many thanks
-
@Lagan said in OpenVPN Client Specific Overrides not updated until server restarted:
Each client has Client-specific ....
Do you have full control over these clients ?
If your clients are using this, then they will receive a notification when an update is available, and clients can (could/ should/must ...) upgrade.
Or, the pfSense admin decided to stay on a very ancient OpenVPN server version that comes with pfSense 2.4.4. To upgrade the OpenVPN : upgrade pfSense. Like 2.7.2 or even 2.8.0 beta.
Btw :
where you declare Client Specific Overrides.
-
Hi @Lagan
Yes, I have full control over the clients.
No, not using the Windows openVPN client. I should have said - the clients are all running Ubuntu 20 and the openvpn service that comes with it - OpenVPN 2.4.7
As I said, an upgrade is planned, but not until after I have finished the work I'm doing now.
-
Would love to give an OpenVPN Client override example, but the thing is : my version is "the one from last week" (25.03B2 - comparable to 2.8.2) so for you it would be an example of what might be possible after you upgrade ...
From what I recall, the client specific overrides were already there, way back in the past. You tell me ;)
-
@Gertjan - I'm not sure if I haven't explained myself correctly - the client specific overrides are already there and being used. This ticket is about when the new settings are actually sent to the clients.
-
AFAIK, the OpenVPN RAS pushes the networks defined in the server's 'IPv4 Local Network(s)' setting, regardless of the CSO.
-Rico
-
@Lagan said in OpenVPN Client Specific Overrides not updated until server restarted:
Each client has a Client-specific override to assign an IP address
Normally, my OpenVPN tunnel is 192.168.3.1/24 so the OpenVPN server uses 192.168.3.1, and the connected clients start to use 192.168.3.2 etc.
I decide to give my phone the IP 192.168.3.30 :
To identify my phone :
the rest stays empty, up until this :
and how, when my phone connects, it gets 192.168.3.30 instead of the usual 192.168.3.2.
Btw : I didn't know that this was possible. Google gave me this : Openvpn Client Specific IP Address.
-
Thanks for your help. To be clear - I am happy with how to configure the overrides - this isn't the point of this ticket.
The issue I am experiencing is in getting the new override to take effect.
Restarting the vpn connection from the client end sees the "old" override details being served (as verified in the server log).
The only way I'm able to get the new override settings into play is to restart the vpn service on the server.
I would like the new override to take effect when I restart the client.
-
@Lagan said in OpenVPN Client Specific Overrides not updated until server restarted:
I would like the new override to take effect when I restart the client.
Hummm.
It's possible that a save on the "Client Specific Overrides" page doesn't restart the OpenVPN server - it doesn't seem to do that.
Maybe it isn't needed, as the server has a setting :
client-config-dir /var/etc/openvpn/server1/csc/
that tells the server to look into that folder for client special settings, the "Client Specific Overrides".
Anyway, I did restart the server, then connected the client and it got the '.30' IP.
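
Added example, not part of the thread and not pfSense's own code: a small shell function that summarises what one client's file in the `client-config-dir` from the last post contains, to tell "the save never reached the file" apart from "the running server is not picking the file up". It assumes the per-client file is named after the client certificate's common name; the function name `csc_summary`, the common name `phone` and the 10.0.5.0 route are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise what one client's file in the
# OpenVPN client-config-dir currently contains.
# usage: csc_summary <csc_dir> <common_name>
csc_summary() {
    _dir=$1
    _cn=$2
    # The common name becomes a file name: refuse anything that could leave _dir.
    case $_cn in
        ''|.|..|*/*) echo "bad-name"; return 2 ;;
    esac
    if [ ! -f "$_dir/$_cn" ]; then
        echo "no-override $_cn"
        return 1
    fi
    awk '
        /^[ \t]*$/    { next }                      # blank line
        /^[ \t]*[#;]/ { next }                      # comment
        $1 == "ifconfig-push" { print "address", $2, $3; next }
        $1 == "iroute"        { print "iroute", $2, $3; next }
        $1 == "push" {
            line = $0
            sub(/^[ \t]*push[ \t]+/, "", line)      # drop the keyword
            gsub(/"/, "", line)                     # drop the quotes
            n = split(line, f, /[ \t]+/)
            if (f[1] == "route") print "push-route", f[2], f[3]
            else                 print "push-other", line
            next
        }
        { print "other", $0 }
    ' "$_dir/$_cn"
}

# Constructed sample: an override for a client whose common name is "phone".
demo_dir=$(mktemp -d)
cat > "$demo_dir/phone" <<'EOF'
# constructed sample, not taken from a real pfSense box
ifconfig-push 192.168.3.30 255.255.255.0
push "route 10.0.5.0 255.255.255.0"
EOF
csc_summary "$demo_dir" phone
rm -rf "$demo_dir"
```

On the firewall, calling `csc_summary /var/etc/openvpn/server1/csc <common name>` after saving an override with the Local Network field emptied should print no `push-route` line if the save reached the file.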