Multiple Internal Subnets with OpenVPN
-
Hello all,
I've been working at this for the last 4 hours with no luck and I was hoping the community might be able to provide some suggestions. Basically, I want to setup an OpenVPN that allows for the static assignment of IP addresses. Here's the setup.
Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: 192.168.0.0/16
With no client-specific configuration, this works flawlessly. However, I want to specify client-specific configurations (http://openvpn.net/index.php/open-source/documentation/howto.html#policy) that allow me to set static IP ranges for certain users based on the certificate's common name. In this case, I want to give them a 192.168.101.0/24 address.
I've configured the "Client-specific configuration" tag with a new user, set the Interface IP to "192.168.101.0/24" and can successfully connect. However, I cannot access any of my internal systems nor the internet. Recall, this worked fine without a client-specific configuration.
I'm baffled, any ideas? I've not setup anything out of the ordinary, so I'm hoping this is something easy. Static route, firewall issues, other?
-
With a PKI you don't want to assign the .0/30 subnet since it's used for the server itself.
The first client should get the .4/30 subnet.
The second client .8/30
3rd .12/30
etc.
-
Hi GruensFroeschili,
Thanks for the feedback. I'm not sure I follow how to properly implement your suggestions. What would I need to change about my current network setup, the OpenVPN Pool, Net1-3, or the Local Network?
-
Take note of the routes pushed to the clients when they connect (client side logs). Most likely the problem lies in that the clients with client specific configuration are not getting routes for your internal networks 192.168.1-3.0/24.
-
KPA/GruensFroeschli,
Included below are the details. Notice that the only thing that changes between the two is that I add a client-specific configuration in the second one. The problem is, once connected with the client-specific config, I'm unable to get anywhere in terms of routing. Ideas?
Standard Working VPN
Setup
Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: 192.168.1.0/24
Client-Specific Configurations: None
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.100.6 -> 192.168.100.5 netmask 0xffffffff
open (pid 2691)
Destination Gateway Flags Netif Expire
0/1 192.168.100.5 UGSc 2 0 tun0
192.168.1 192.168.100.5 UGSc 1 0 tun0
192.168.100 192.168.100.5 UGSc 0 0 tun0
192.168.100.5 192.168.100.6 UH 8 0 tun0
Standard VPN with Client-Specific Configuration
Setup
Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: 192.168.1.0/24
Client-Specific Configurations:
- Interface IP: 192.168.101.0/24
- Push Reset: Unchecked
- Custom Options: None
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.101.1 -> 192.168.101.2 netmask 0xffffffff
open (pid 2845)
Destination Gateway Flags Netif Expire
0/1 192.168.101.2 UGSc 1 0 tun0
192.168.1 192.168.101.2 UGSc 1 0 tun0
192.168.100 192.168.101.2 UGSc 0 0 tun0
192.168.101.2 192.168.101.1 UH 7 0 tun0
-
You're probably missing the iroute. Described here: http://forum.pfsense.org/index.php/topic,12888.0.html
-
CMB,
I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?
-
Actually yeah, Gruens is right. What you have to do is to put the client addresses on /30 boundaries. Usable addresses for clients start from 192.168.101.4 because the openvpn server uses the addresses 0-3. Use 192.168.101.x/30 for interface ip in the client configuration where x is divisible by four, 4, 8, 12 etc.
-
CMB,
I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?
You also need a route statement in the main custom options, not just the iroute. See here:
http://doc.pfsense.org/index.php/OpenVPN_iroute_in_CSC_seems_to_have_no_effect
-
jimp/kpa,
Thanks for the advice. The thing I was missing was the extra route statement in the server configuration. Just to close the loop on this thread, here are the final settings that worked.
Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: Left blank
Custom Options: push "redirect-gateway def1"; push "route 192.168.1.0 255.255.255.0"; push "route 192.168.2.0 255.255.255.0"; push "route 192.168.3.0 255.255.255.0"; route 192.168.101.0 255.255.255.0;
Client-Specific Configurations:
- Interface IP: 192.168.101.0/30
- Push Reset: Unchecked
- Custom Options: iroute 192.168.101.0 255.255.255.0
Problem solved!
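As an added example (not from the thread or from pfSense/OpenVPN), a small Python lint that checks the two things this thread turned on: that each client-specific `ifconfig-push` pair sits on a valid /30 block under the default net30 topology and does not reuse the pool's first /30 (the server's own), and that every `iroute` in a client config has a matching `route` in the server config. The server options and the three client entries are constructed sample data, modelled on the final settings above.

```python
import ipaddress

# Constructed sample data: the server options from the final post, plus three
# hypothetical client-specific configs (ccd entries) to lint.
SERVER_CONF = """
server 192.168.100.0 255.255.255.0
push "redirect-gateway def1"
push "route 192.168.1.0 255.255.255.0"
route 192.168.101.0 255.255.255.0
"""
CCD = {
    "alice": "ifconfig-push 192.168.101.6 192.168.101.5\niroute 192.168.101.0 255.255.255.0",
    "bob":   "ifconfig-push 192.168.100.2 192.168.100.1\niroute 192.168.101.0 255.255.255.0",
    "carol": "ifconfig-push 192.168.101.8 192.168.101.9\niroute 192.168.102.0 255.255.255.0",
}

def parse_server(conf):
    """Return (pool network from 'server', set of server-side 'route' networks).
    Lines starting with 'push' are ignored: a pushed route lives on the client only."""
    pool, routes = None, set()
    for line in conf.splitlines():
        parts = line.split()
        if parts[:1] == ["server"]:
            pool = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[:1] == ["route"]:
            routes.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return pool, routes

def lint_ccd(name, text, pool, routes):
    """Problems with one client-specific config under OpenVPN's default net30 topology."""
    problems = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["ifconfig-push"]:
            client, server_end = (int(ipaddress.ip_address(p)) for p in parts[1:3])
            # net30: each client owns one /30 (4 addresses); offsets 1 and 2 are the usable pair,
            # offsets 0 and 3 are network/broadcast and must not be handed out.
            if client // 4 != server_end // 4 or {client % 4, server_end % 4} != {1, 2}:
                problems.append(f"{name}: ifconfig-push pair is not a valid /30 pair")
            elif pool and ipaddress.ip_address(client) in pool \
                    and (client - int(pool.network_address)) // 4 == 0:
                problems.append(f"{name}: uses the pool's first /30, which the server itself owns")
        elif parts[:1] == ["iroute"]:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{name}: iroute {net} has no matching 'route' in the server config")
    return problems

def lint_all(conf=SERVER_CONF, ccd=CCD):
    pool, routes = parse_server(conf)
    return {name: lint_ccd(name, text, pool, routes) for name, text in ccd.items()}
```

Running `lint_all()` flags bob for taking the server's own /30 and carol for both a misaligned address pair and an `iroute` that the server never routes, which is exactly the "CSC connects but nothing is reachable" symptom from the thread.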