Multiple Internal Subnets with OpenVPN

digm

Hello all,

I've been working at this for the last 4 hours with no luck and I was hoping the community might be able to provide some suggestions. Basically, I want to setup an OpenVPN that allows for the static assignment of IP addresses. Here's the setup.

Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: 192.168.0.0/16

With no client-specific configuration, this works flawlessly. However, I want to specify client-specific configurations (http://openvpn.net/index.php/open-source/documentation/howto.html#policy) that allow me to set static IP ranges for certain users based on the certificates common name. In thise case, I want to give them a 192.168.101.0/24 address.

I've configured the "Client-specific configuration" tag with a new user, set the Interface IP to "192.168.101.0/24" and can successfully connect. However, I cannot access any of my internal systems nor the internet. Recall, this worked fine without a client-specific configuration.

I'm baffled, any ideas? I've not setup anything out of the ordinary, so I'm hoping this is something easy. Static route, firewall issues, other?

GruensFroeschli

With a PKI you dont want to assign the .0/30 subnet since it's used for the server itself.
The first client should get the .4/30 subnet.
The second client .8/30
3rd .12/30
etc.

digm

Hi GruensFroeschili,

Thanks for the feedback. I'm not sure I follow how to properly implement your suggestions. What would I need to change about my current network setup, the OpenVPN Pool, Net1-3, or the Local Network?

kpa

Take note of the routes pushed to the clients when they connect (client side logs). Most likely the problem lies in that the clients with client specific configuration are not getting routes for your internal networks 192.168.1-3.0/24.

digm

KPA/GruensFroeschli,

Included below are the details. Notice that the only thing that changes between the two is that I add a client-specific configuration in the second one. The problem is, once connected with the client-specific config, I'm unable to get anywhere in terms of routing. Ideas?

Standard Working VPN
Setup
Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: 192.168.1.0/24
Client-Specific Configurations: None

tun0: flags=8851 <up,pointopoint,running,simplex,multicast>mtu 1500
inet 192.168.100.6 –> 192.168.100.5 netmask 0xffffffff
open (pid 2691)

Destination        Gateway              Flags        Netif  Expire
0/1                  192.168.100.5      UGSc            2        0    tun0
192.168.1          192.168.100.5      UGSc            1        0    tun0
192.168.100      192.168.100.5      UGSc            0        0    tun0
192.168.100.5    192.168.100.6      UH              8        0    tun0

Standard VPN with Client-Specific Configuration
Setup
Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: 192.168.1.0/24
Client-Specific Configurations:

• Interface IP: 192.168.101.0/24
• Push Reset: Unchecked
• Custom Options: None

tun0: flags=8851 <up,pointopoint,running,simplex,multicast>mtu 1500
inet 192.168.101.1 –> 192.168.101.2 netmask 0xffffffff
open (pid 2845)

Destination        Gateway              Flags        Netif  Expire
0/1                    192.168.101.2      UGSc            1        0    tun0
192.168.1          192.168.101.2      UGSc            1        0    tun0
192.168.100        192.168.101.2      UGSc            0        0    tun0
192.168.101.2      192.168.101.1      UH              7        0    tun0</up,pointopoint,running,simplex,multicast></up,pointopoint,running,simplex,multicast>

cmb

You're probably missing the iroute. Described here: http://forum.pfsense.org/index.php/topic,12888.0.html

digm

CMB,

I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?

kpa

Actually yeah, Gruens is right. What you have to do is to put the client addresses on /30 boundaries . Usable addresses for clients start from 192.168.101.4 because the openvpn server uses the addresses 0-3. Use 192.168.101.x/30 for interface ip in the client configuration where x is
divisible by four, 4, 8, 12 etc.

jimp

@digm:

CMB,

I added "iroute 192.168.101.0 255.255.255.0" to the custom options of the client-specific configuration, but no luck. Was that what you wanted me to try?

You also need a route statement in the main custom options, not just the iroute. See here:

http://doc.pfsense.org/index.php/OpenVPN_iroute_in_CSC_seems_to_have_no_effect

digm

jimp/kpa,

Thanks for the advice, the thing I was missing was the extra route statement in the server configuration. Just to close the loop on this thread, here's the final settings that worked.

Public IP: YYY.YYY.YYY.YYY
Net 1: 192.168.1.0/24
Net 2: 192.168.2.0/24
Net 3: 192.168.3.0/24
OpenVPN Pool: 192.168.100.0/24
Local Network: Left blank
Custom Options: push "redirect-gateway def1"; push "route 192.168.1.0 255.255.255.0"; push "route 192.168.2.0 255.255.255.0"; push "route 192.168.3.0 255.255.255.0";route 192.168.101.0 255.255.255.0;

Client-Specific Configurations:

• Interface IP: 192.168.101.0/30
• Push Reset: Unchecked
• Custom Options: iroute 192.168.101.0 255.255.255.0

Problem solved!