Connected clients not receiving DHCP address



  • Hi all,

    I setup OpenVPN via the following guide - http://hardforum.com/showthread.php?t=1663797 - and followed it down to the T.

    However, for whatever and unknown reason, my clients can connect fine, but they are unable to receive DHCP addresses from the server; eventually the interfaces just get a 169.x address…

    Any ideas of what could be the cause?

    Thanks!



  • Hokay - I got it to get a DHCP address by providing a start and finish range (though I thought it'd just use default DHCP server values… but fine), I also specified the network for which the tunnel should be created - i.e. 192.168.1.1/22... but I still can't 'see' internal resources.

    On another unrelated note - under tunnel settings, I have 4 sets of the 'Bridge DHCP' 'Bridge Interface' 'Server DHCP Bridge Start' and 'Server DHCP Bridge End'...

    Any ideas?

    Thanks!



  • Post both server and client configs.



  • See screenshot of config below for Server… in regards to client - is it just the opvn file contents?



  • dev ovpns1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 69.x.x.x
    engine cryptodev
    tls-server
    server-bridge 10.32.1.1 255.255.252.0 10.32.0.90 10.32.0.100
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 10.32.0.1 255.255.252.0"
    push "dhcp-option DNS 10.32.1.1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float



  • It's kinda hard to troubleshoot when you have all the pertinent info either x'd or grey'd out.

    The 10.x.x.x/8 network is a private IP space…  It can't be routed over the internet... so I'm not sure why you're masking it.

    Give us a network map then re-post your screen shots and configs with everything unmasked except your public IP.



  • @marvosa:

    It's kinda hard to troubleshoot when you have all the pertinent info either x'd or grey'd out.

    The 10.x.x.x/8 network is a private IP space…  It can't be routed over the internet... so I'm not sure why you're masking it.

    Give us a network map then re-post your screen shots and configs with everything unmasked except your public IP.

    Changed the screenshot and the info…

    Basically the network is set like that:

    pfsense has IP of 10.32.1.1 (and acts as DHCP server); the LAN network is 10.32.0.1/22 with static leases on the 10.32.0.xx network and DHCP configured for 10.32.1.100->150. VPN DHCP is configured as 10.32.0.90->100.

    There are no VLANs or nothing along those lines. All I really want is to be able to VPN in and see all resources on the 10.32.x.x network.

    Thanks :)



  • I see two corrections that need to be made:

    1.  change your local network to 10.32.0.0/22

    2.  you have bridge dhcp checked, so you should not need anything in the "Server DHCP Bridge Start", "Server DHCP Bridge End" fields… I would clear those.  If you want to keep what's in those fields... end your range at .99, so it doesn't overlap.

    Also, maybe someone who uses bridged solutions more can chime in, but I'm pretty sure you want to check the Enable NETBIOS over TCP/IP box.  Only because I'm not sure if setting up the bridge enables it automatically.  If you don't want or need netbios traffic to traverse the tunnel… switch to routed.

    It doesn't really matter, but is there a reason you're using a /22 mask on your LAN?  Do you really need 1000+ IP's on your home network?



  • It's a bit complicated to explain - suffice to say, it has to do with virtualization experimentation as well as CCNA-playground :D

    Didn't think of the 10.32.0.0 solution; duhhhhh

    Hmm… still does not work; I took away the DHCP address range and it is now not getting an address...



  • Looks like I modified my last post as opposed to add an update -

    I changed the network to 10.32.0.0 but it still does not do the trick. I can connect, but no DHCP…

    Any suggestions?

    Can someone perhaps post their settings and I can compare and contrast?

    Thanks!



  • I just registered to say that I have the exact same problem. Clients don't get IP from DHCP. If I set the start and end range on OpenVPN, then the IP gets assigned, but it's apparently not from the LAN DHCP server, as I cannot find the lease for the client.

    Subscribing to the topic, maybe someone might help us :)


  • Rebel Alliance Developer Netgate

    Did you actually go to Interfaces > (assign) and assign the OpenVPN interface, then create a bridge interface between the VPN and your LAN interface? Setting the "bridge interface" in the OpenVPN config doesn't do any of that for you - it's still required, and from the sound of it, that may be what's missing since it seems that your traffic isn't making it across the gap between the VPN interface and the LAN interface.



  • Yes, manually assigned the OpenVPN interface, enabled it, and made a bridge between OpenVPN interface and LAN manually. Still no go :(



  • @kalpik:

    Yes, manually assigned the OpenVPN interface, enabled it, and made a bridge between OpenVPN interface and LAN manually. Still no go :(

    Yup - same exact experience on my end.



  • Bump! Still an issue…



  • Bump! Anyone?????



  • My setup is similar to yours (TAP, etc) except I  needed to rely on pfsense's DHCP server running on the LAN to provide the ip whether the box was using openvpn to connect remotely or was plugged in locally.  As I needed all the traffic other than Openvpn related to pass through the tunnel (no security holes on the client going to the general lan) this was okay.

    In either case the issue I had (and finally solved) was that the arp table on the client side was geting 00 00 00 00 00 (invalid) mac address for the gateway.  I had to manually put an 'up' script in the client to forcibly add the lan's MAC address to the client's arp table – and then it all worked.  Anyhow maybe you can get some hints from a known working setup TAP described here:

    http://forum.pfsense.org/index.php/topic,54701.msg292497.html#msg292497

    With openvpn server and client configs listed here:

    http://community.openvpn.net/openvpn/ticket/233


Log in to reply