    Multiple Internal Subnets with OpenVPN

    10 Posts 5 Posters 17.0k Views
digm:

      Hello all,

      I've been working at this for the last 4 hours with no luck and I was hoping the community might be able to provide some suggestions. Basically, I want to setup an OpenVPN that allows for the static assignment of IP addresses. Here's the setup.

      Public IP: YYY.YYY.YYY.YYY
      Net 1: 192.168.1.0/24
      Net 2: 192.168.2.0/24
      Net 3: 192.168.3.0/24
      OpenVPN Pool: 192.168.100.0/24
      Local Network: 192.168.0.0/16

With no client-specific configuration, this works flawlessly. However, I want to specify client-specific configurations (http://openvpn.net/index.php/open-source/documentation/howto.html#policy) that allow me to set static IP ranges for certain users based on the certificate's common name. In this case, I want to give them a 192.168.101.0/24 address.

      I've configured the "Client-specific configuration" tag with a new user, set the Interface IP to "192.168.101.0/24" and can successfully connect. However, I cannot access any of my internal systems nor the internet. Recall, this worked fine without a client-specific configuration.

      I'm baffled, any ideas? I've not setup anything out of the ordinary, so I'm hoping this is something easy. Static route, firewall issues, other?

GruensFroeschli:

With a PKI you don't want to assign the .0/30 subnet since it's used for the server itself.
        The first client should get the .4/30 subnet.
        The second client .8/30
        3rd .12/30
        etc.

digm:

Hi GruensFroeschli,

          Thanks for the feedback. I'm not sure I follow how to properly implement your suggestions. What would I need to change about my current network setup, the OpenVPN Pool, Net1-3, or the Local Network?

kpa:

            Take note of the routes pushed to the clients when they connect (client side logs). Most likely the problem lies in that the clients with client specific configuration are not getting routes for your internal networks 192.168.1-3.0/24.

digm:

              KPA/GruensFroeschli,

              Included below are the details. Notice that the only thing that changes between the two is that I add a client-specific configuration in the second one. The problem is, once connected with the client-specific config, I'm unable to get anywhere in terms of routing. Ideas?

              Standard Working VPN
              Setup
              Public IP: YYY.YYY.YYY.YYY
              Net 1: 192.168.1.0/24
              Net 2: 192.168.2.0/24
              Net 3: 192.168.3.0/24
              OpenVPN Pool: 192.168.100.0/24
              Local Network: 192.168.1.0/24
              Client-Specific Configurations: None

tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.100.6 -> 192.168.100.5 netmask 0xffffffff
open (pid 2691)

              Destination        Gateway              Flags        Netif  Expire
              0/1                  192.168.100.5      UGSc            2        0    tun0
              192.168.1          192.168.100.5      UGSc            1        0    tun0
              192.168.100      192.168.100.5      UGSc            0        0    tun0
              192.168.100.5    192.168.100.6      UH              8        0    tun0

              Standard VPN with Client-Specific Configuration
              Setup
              Public IP: YYY.YYY.YYY.YYY
              Net 1: 192.168.1.0/24
              Net 2: 192.168.2.0/24
              Net 3: 192.168.3.0/24
              OpenVPN Pool: 192.168.100.0/24
              Local Network: 192.168.1.0/24
              Client-Specific Configurations:

              • Interface IP: 192.168.101.0/24
              • Push Reset: Unchecked
              • Custom Options: None

tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.101.1 -> 192.168.101.2 netmask 0xffffffff
open (pid 2845)

              Destination        Gateway              Flags        Netif  Expire
              0/1                    192.168.101.2      UGSc            1        0    tun0
              192.168.1          192.168.101.2      UGSc            1        0    tun0
              192.168.100        192.168.101.2      UGSc            0        0    tun0
192.168.101.2      192.168.101.1      UH              7        0    tun0

cmb:

                You're probably missing the iroute. Described here: http://forum.pfsense.org/index.php/topic,12888.0.html

digm:

                  CMB,

                  I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?

kpa:

Actually yeah, Gruens is right. What you have to do is to put the client addresses on /30 boundaries. Usable addresses for clients start from 192.168.101.4 because the OpenVPN server uses the addresses 0-3. Use 192.168.101.x/30 for the interface IP in the client configuration, where x is divisible by four: 4, 8, 12, etc.

jimp (Rebel Alliance Developer, Netgate):

                      @digm:

                      CMB,

                      I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?

                      You also need a route statement in the main custom options, not just the iroute. See here:

                      http://doc.pfsense.org/index.php/OpenVPN_iroute_in_CSC_seems_to_have_no_effect

digm:

                        jimp/kpa,

                        Thanks for the advice, the thing I was missing was the extra route statement in the server configuration. Just to close the loop on this thread, here's the final settings that worked.

                        Public IP: YYY.YYY.YYY.YYY
                        Net 1: 192.168.1.0/24
                        Net 2: 192.168.2.0/24
                        Net 3: 192.168.3.0/24
                        OpenVPN Pool: 192.168.100.0/24
                        Local Network: Left blank
                        Custom Options: push "redirect-gateway def1"; push "route 192.168.1.0 255.255.255.0"; push "route 192.168.2.0 255.255.255.0"; push "route 192.168.3.0 255.255.255.0";route 192.168.101.0 255.255.255.0;

                        Client-Specific Configurations:

                        • Interface IP: 192.168.101.0/30
                        • Push Reset: Unchecked
                        • Custom Options: iroute 192.168.101.0 255.255.255.0

                        Problem solved!
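As an added example (not code from this thread, from pfSense, or from OpenVPN), the check below encodes the three pieces of advice that fixed the problem: kpa's /30 alignment for the client tunnel, jimp's requirement that every iroute in the CSC has a matching route in the server custom options, and digm's explicit pushed routes for the internal networks once "Local Network" is left blank. The constants are constructed from the final settings above; the option parser assumes pfSense's semicolon-separated custom-options format.

```python
import ipaddress

# Constructed from the thread's final settings (pfSense custom options are ';'-separated).
POOL = "192.168.100.0/24"          # OpenVPN Pool (the server's tunnel network)
CSC_TUNNEL = "192.168.101.0/30"    # the CSC "Interface IP" field
SERVER_OPTS = ('push "redirect-gateway def1"; push "route 192.168.1.0 255.255.255.0"; '
               'push "route 192.168.2.0 255.255.255.0"; push "route 192.168.3.0 255.255.255.0";'
               'route 192.168.101.0 255.255.255.0;')
CSC_OPTS = 'iroute 192.168.101.0 255.255.255.0'


def parse_opts(opts):
    """Split a custom-options string into token tuples, e.g. ('push', 'route', '192.168.1.0', '255.255.255.0')."""
    return [tuple(s.replace('"', '').split()) for s in opts.split(';') if s.strip()]


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_csc(server_opts, csc_opts, csc_tunnel, pool):
    """Return a list of findings; an empty list means the CSC matches the fixes given in the thread."""
    findings = []
    server, csc = parse_opts(server_opts), parse_opts(csc_opts)
    given = ipaddress.ip_interface(csc_tunnel)
    tunnel, pool = given.network, ipaddress.ip_network(pool)

    # GruensFroeschli/kpa: net30 hands each client a /30, starting on a multiple of four,
    # and the pool's own .0/30 belongs to the server endpoint.
    if tunnel.prefixlen != 30:
        findings.append(f"CSC tunnel {tunnel} is not a /30; net30 topology assigns one /30 per client")
    elif given.ip != tunnel.network_address:
        findings.append(f"{given.ip} is not on a /30 boundary; use {tunnel.network_address}/30")
    if tunnel.subnet_of(pool) and tunnel.network_address == pool.network_address:
        findings.append(f"{tunnel} is the server's /30; first usable client block is "
                        f"{pool.network_address + 4}/30")

    # jimp: an iroute in the CSC needs a matching 'route' in the server custom options.
    iroutes = {net(t[1], t[2]) for t in csc if t[0] == "iroute" and len(t) == 3}
    routes = {net(t[1], t[2]) for t in server if t[0] == "route" and len(t) == 3}
    if not iroutes:
        findings.append("CSC has no iroute, so the server will not route the client subnet back over the tunnel")
    for n in sorted(iroutes - routes, key=str):
        findings.append(f"iroute {n} has no matching 'route {n.network_address} {n.netmask}' on the server")

    # digm's working config left "Local Network" blank and pushed the internal nets explicitly.
    if not any(t[:2] == ("push", "route") for t in server):
        findings.append("server pushes no 'route' for internal networks; clients will reach only the tunnel")
    return findings
```

Running `check_csc(SERVER_OPTS, CSC_OPTS, CSC_TUNNEL, POOL)` on the final settings returns no findings, while feeding it the earlier attempt (iroute in the CSC but no route on the server) reports the missing route statement.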

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.