Multiple Internal Subnets with OpenVPN



  • Hello all,

    I've been working at this for the last 4 hours with no luck and I was hoping the community might be able to provide some suggestions. Basically, I want to set up an OpenVPN server that allows for the static assignment of IP addresses. Here's the setup.

    Public IP: YYY.YYY.YYY.YYY
    Net 1: 192.168.1.0/24
    Net 2: 192.168.2.0/24
    Net 3: 192.168.3.0/24
    OpenVPN Pool: 192.168.100.0/24
    Local Network: 192.168.0.0/16

    With no client-specific configuration, this works flawlessly. However, I want to specify client-specific configurations (http://openvpn.net/index.php/open-source/documentation/howto.html#policy) that allow me to set static IP ranges for certain users based on the certificate's common name. In this case, I want to give them a 192.168.101.0/24 address.

    I've configured the "Client-specific configuration" tag with a new user, set the Interface IP to "192.168.101.0/24" and can successfully connect. However, I cannot access any of my internal systems nor the internet. Recall, this worked fine without a client-specific configuration.

    I'm baffled, any ideas? I've not setup anything out of the ordinary, so I'm hoping this is something easy. Static route, firewall issues, other?



  • With a PKI you don't want to assign the .0/30 subnet since it's used for the server itself.
    The first client should get the .4/30 subnet.
    The second client .8/30
    3rd .12/30
    etc.



  • Hi GruensFroeschili,

    Thanks for the feedback. I'm not sure I follow how to properly implement your suggestions. What would I need to change about my current network setup, the OpenVPN Pool, Net1-3, or the Local Network?



  • Take note of the routes pushed to the clients when they connect (client side logs). Most likely the problem lies in that the clients with client specific configuration are not getting routes for your internal networks 192.168.1-3.0/24.



  • KPA/GruensFroeschli,

    Included below are the details. Notice that the only thing that changes between the two is that I add a client-specific configuration in the second one. The problem is, once connected with the client-specific config, I'm unable to get anywhere in terms of routing. Ideas?

    Standard Working VPN
    Setup
    Public IP: YYY.YYY.YYY.YYY
    Net 1: 192.168.1.0/24
    Net 2: 192.168.2.0/24
    Net 3: 192.168.3.0/24
    OpenVPN Pool: 192.168.100.0/24
    Local Network: 192.168.1.0/24
    Client-Specific Configurations: None

    tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 192.168.100.6 --> 192.168.100.5 netmask 0xffffffff
            open (pid 2691)

    Destination        Gateway            Flags    Refs    Use  Netif  Expire
    0/1                192.168.100.5      UGSc        2      0   tun0
    192.168.1          192.168.100.5      UGSc        1      0   tun0
    192.168.100        192.168.100.5      UGSc        0      0   tun0
    192.168.100.5      192.168.100.6      UH          8      0   tun0

    Standard VPN with Client-Specific Configuration
    Setup
    Public IP: YYY.YYY.YYY.YYY
    Net 1: 192.168.1.0/24
    Net 2: 192.168.2.0/24
    Net 3: 192.168.3.0/24
    OpenVPN Pool: 192.168.100.0/24
    Local Network: 192.168.1.0/24
    Client-Specific Configurations:

    • Interface IP: 192.168.101.0/24
    • Push Reset: Unchecked
    • Custom Options: None

    tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 192.168.101.1 --> 192.168.101.2 netmask 0xffffffff
            open (pid 2845)

    Destination        Gateway            Flags    Refs    Use  Netif  Expire
    0/1                192.168.101.2      UGSc        1      0   tun0
    192.168.1          192.168.101.2      UGSc        1      0   tun0
    192.168.100        192.168.101.2      UGSc        0      0   tun0
    192.168.101.2      192.168.101.1      UH          7      0   tun0



  • You're probably missing the iroute. Described here: http://forum.pfsense.org/index.php/topic,12888.0.html



  • CMB,

    I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?



  • Actually yeah, Gruens is right. What you have to do is to put the client addresses on /30 boundaries. Usable addresses for clients start from 192.168.101.4 because the OpenVPN server uses the addresses 0-3. Use 192.168.101.x/30 for the interface IP in the client configuration, where x is divisible by four: 4, 8, 12, etc.
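    The /30 arithmetic behind the two replies above, as an added example that is not part of the thread: OpenVPN's default "net30" topology splits the tunnel pool into /30 blocks, keeps block 0 (.1 and .2) for the server, and hands each client the next block, with 4k+2 as the client address and 4k+1 as the server-side endpoint. That is exactly the 192.168.100.6 -> 192.168.100.5 pair in the working log posted earlier. The helper names are mine, the pool value is the thread's, and the warning about a static /30 placed inside the dynamic pool is a conservative assumption on my part (OpenVPN's pool does not consult the CSC files when it allocates).

```python
import ipaddress

# Added example (not from the thread): net30 /30 allocation and a check for a
# client-specific "Interface IP" entry. Helper names are my own.


def net30_blocks(pool):
    """All /30 blocks of the tunnel pool, in order. Block 0 is the server's own."""
    net = ipaddress.ip_network(pool, strict=True)
    if net.prefixlen > 30:
        raise ValueError("tunnel pool must be a /30 or larger")
    return list(net.subnets(new_prefix=30))


def server_endpoints(pool):
    """Server tun address and its point-to-point peer: .1 and .2 of block 0."""
    base = int(net30_blocks(pool)[0].network_address)
    return str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2))


def ifconfig_push(pool, client_no):
    """Arguments for 'ifconfig-push <client> <server-endpoint>' for the
    client_no-th static client (1-based). Client k lives in block k, i.e. at
    offset 4k: 4k+2 is the client, 4k+1 is the server-side endpoint. For k=1
    on 192.168.100.0/24 that is .6 -> .5, the pair seen in the thread's log."""
    if client_no < 1:
        raise ValueError("client numbering starts at 1; block 0 belongs to the server")
    blocks = net30_blocks(pool)
    if client_no >= len(blocks):
        raise ValueError(f"{pool} has only {len(blocks) - 1} client blocks")
    base = int(blocks[client_no].network_address)
    return str(ipaddress.ip_address(base + 2)), str(ipaddress.ip_address(base + 1))


def check_csc_interface_ip(pool, csc_cidr):
    """Validate a CSC 'Interface IP' entry against the server's tunnel pool.
    Returns a list of problems; an empty list means the entry is usable."""
    problems = []
    try:
        csc = ipaddress.ip_network(csc_cidr, strict=True)
    except ValueError as exc:
        return [f"{csc_cidr}: not a valid network ({exc})"]
    if csc.prefixlen != 30:
        problems.append(f"{csc_cidr}: net30 clients need a single /30, not a /{csc.prefixlen}")
    pool_net = ipaddress.ip_network(pool, strict=True)
    server_block = net30_blocks(pool)[0]
    if csc.overlaps(server_block):
        problems.append(f"{csc_cidr}: collides with the server's own block {server_block}")
    elif csc.subnet_of(pool_net):
        # Assumption: keep static /30s outside the dynamic pool so a
        # dynamically assigned client cannot be handed the same block.
        problems.append(f"{csc_cidr}: sits inside the dynamic pool {pool}; "
                        "a dynamically assigned client may get the same block")
    return problems


if __name__ == "__main__":
    POOL = "192.168.100.0/24"
    print("server:", server_endpoints(POOL))
    for k in (1, 2, 3):
        print(f"static client {k}: ifconfig-push", *ifconfig_push(POOL, k))
    for entry in ("192.168.101.0/24", "192.168.100.0/30",
                  "192.168.100.8/30", "192.168.101.4/30"):
        print(entry, "->", check_csc_interface_ip(POOL, entry) or "OK")
```

Run as-is, the check rejects the thread's first attempt (192.168.101.0/24 is not a /30), rejects 192.168.100.0/30 because it is the server's own block, and accepts a /30 in a separate subnet such as 192.168.101.4/30.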


  • @digm:

    CMB,

    I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?

    You also need a route statement in the main custom options, not just the iroute. See here:

    http://doc.pfsense.org/index.php/OpenVPN_iroute_in_CSC_seems_to_have_no_effect



  • jimp/kpa,

    Thanks for the advice, the thing I was missing was the extra route statement in the server configuration. Just to close the loop on this thread, here's the final settings that worked.

    Public IP: YYY.YYY.YYY.YYY
    Net 1: 192.168.1.0/24
    Net 2: 192.168.2.0/24
    Net 3: 192.168.3.0/24
    OpenVPN Pool: 192.168.100.0/24
    Local Network: Left blank
    Custom Options:
        push "redirect-gateway def1";
        push "route 192.168.1.0 255.255.255.0";
        push "route 192.168.2.0 255.255.255.0";
        push "route 192.168.3.0 255.255.255.0";
        route 192.168.101.0 255.255.255.0;

    Client-Specific Configurations:

    • Interface IP: 192.168.101.0/30
    • Push Reset: Unchecked
    • Custom Options: iroute 192.168.101.0 255.255.255.0

    Problem solved!
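    A checker for the exact failure mode this thread ran into, as an added example that is not part of the thread or of pfSense: an `iroute` in a client-specific config only tells OpenVPN which connected client owns a subnet; the server's kernel still needs a plain `route` for that subnet pointing into the tunnel, otherwise packets for 192.168.101.0/24 never reach the OpenVPN process and the iroute "seems to have no effect". The server option strings and the "alice" CCD entry below are constructed to mirror the thread's before and after configuration; function names are mine.

```python
import ipaddress
import shlex

# Added example (not from the thread): find iroute entries in client-specific
# configs that have no matching kernel 'route' in the server configuration.
# Config text and the "alice" CCD entry are constructed for this example.


def directives(text):
    """Yield (name, args) for each directive. pfSense's custom-options box joins
    directives with ';', so both newlines and ';' end a statement."""
    for raw in text.replace(";", "\n").splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            yield parts[0], parts[1:]


def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def kernel_routes(server_conf):
    """Subnets the server routes into the tunnel: plain 'route' lines only.
    'push "route ..."' is a client-side route and does not count."""
    return {_net(*args[:2]) for name, args in directives(server_conf)
            if name == "route" and args}


def missing_routes(server_conf, ccd):
    """(client, iroute subnet) pairs whose iroute has no covering server 'route'.
    ccd maps a client common name to the text of its client-specific config."""
    routes = kernel_routes(server_conf)
    missing = []
    for client, text in ccd.items():
        for name, args in directives(text):
            if name == "iroute" and args:
                net = _net(*args[:2])
                if not any(net.subnet_of(r) for r in routes):
                    missing.append((client, str(net)))
    return missing


def route_lines(missing):
    """Server-side 'route' directives that would satisfy each missing iroute."""
    out = []
    for _, cidr in missing:
        net = ipaddress.ip_network(cidr)
        out.append(f"route {net.network_address} {net.netmask}")
    return out


# Constructed to mirror the thread: one static client, server before/after the fix.
CCD = {
    "alice": "ifconfig-push 192.168.101.6 192.168.101.5\n"
             "iroute 192.168.101.0 255.255.255.0\n",
}
SERVER_BEFORE = (
    'push "redirect-gateway def1"; '
    'push "route 192.168.1.0 255.255.255.0"; '
    'push "route 192.168.2.0 255.255.255.0"; '
    'push "route 192.168.3.0 255.255.255.0";'
)
SERVER_AFTER = SERVER_BEFORE + " route 192.168.101.0 255.255.255.0;"

if __name__ == "__main__":
    for label, conf in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        gaps = missing_routes(conf, CCD)
        print(label, "missing:", gaps)
        for line in route_lines(gaps):
            print("  add to server custom options:", line)
```

Feeding it the pre-fix server options reports alice's 192.168.101.0/24 iroute as uncovered and prints the `route 192.168.101.0 255.255.255.0` line that the final working configuration adds; with that line present the report is empty. Note that the pushed routes are deliberately ignored: they change the client's routing table, not the server's.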

