CSO client unable to get IP due to subnet error



  • Hey guys,

    I have an openvpn instance running with Tunnel network of "172.27.2.0/24" and topology subnet. Clients can connect without any problems and all is good.

    Under "Client Specific Overrides" I've set up an override for a given user and specified Tunnel Network of "172.27.42.0/24". I then used the "Client Export" functionality to download the Windows x64 package and installed it on a Windows 7 x64.

    The issue is that the client fails to connect to the vpn with an error on the subnet calculation on the TAP driver:

    Sat Apr 12 15:51:22 2014 TAP-WIN32 device [Local Area Connection 2] opened: \.\Global{E2DCD4B1-7E88-4625-816C-A686F44A3D81}.tap
    Sat Apr 12 15:51:22 2014 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.42.0/172.27.42.2/172.27.42.1 [SUCCEEDED]
    Sat Apr 12 15:51:22 2014 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet
    Sat Apr 12 15:51:22 2014 Exiting due to fatal error

    The issue appears to be "network/local/netmask (...) 172.27.42.0/172.27.42.2/172.27.42.1". I believe this should read "172.27.42.0/172.27.42.2/255.255.255.0".
    The TAP driver seems to be expecting a netmask but is being provided an IP address instead and failing.

    For reference, I tried setting a Tunnel network of "172.27.42.0/30" on the client override but that returns the exact same problem.

    To me this sounds like a bug somewhere in the code (either pfSense or openvpn). Any ideas?

    Thanks.


  • Banned

    What bug? You are outside of the interface subnet (172.27.2.0/24)… it even tells you that in a crystal clear message.

    @brunoc:

    Sat Apr 12 15:51:22 2014 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet

    This is just a completely invalid configuration.



  • Hey doktornotor,

    I believe it's possible for the cso network to be outside of the main Tunnel network. Is this not the case?

    Also, if I don't populate the field "Tunnel network" on the cso but instead specify "ifconfig-push 172.27.42.2 255.255.255.0" under advanced (still on the cso), then the client connects without any error (I see the proper subnet being passed for netmask). To me this leads me to believe there might be some sort of issue with how the "Tunnel network" passes the netmask info to the client or maybe something on the openvpn side.

    Unless I'm missing something here. And if I am, I would like to understand what it is.

    Thanks.


  • Banned

    If you Google the error, you only hit source code with the error message. So congrats, you seem to be the first one to invent this configuration.  Just think about it within normal DHCP/LAN terms. You have a LAN say 10.10.10.0/24 and you configure your DHCP to assign a client with a particular MAC an IP like 192.168.200.111/24 - you think this is a sane configuration that will work?

    AFAICT, the only reasonable way to produce some sort of working static IP assignments is to set some ifconfig-pool in server configuration and set up CSO outside of that pool but still within the OpenVPN server subnet. Also https://forums.openvpn.net/topic10702.html

    Also, why do you need /24 for one client? /30 should be plenty enough.



  • As doktornotor says, in Client Specific Overrides give a "/30" to each special client. Like 172.27.2.40/30 (any multiple-of-4 boundaries after the very first one).



  • So, as a test, I've set the CSO "Tunnel network" for the client to be "172.27.2.40/30" (which is under the main Tunnel network of 172.27.2.0/24) BUT I get the exact same error.
    I've mentioned this a few times, the error seems to be due to the wrong info for netmask:

    Sun Apr 13 15:02:41 2014 TAP-WIN32 device [Local Area Connection 2] opened: \.\Global{E2DCD4B1-7E88-4625-816C-A686F44A3D81}.tap
    Sun Apr 13 15:02:41 2014 Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.2.40/172.27.2.42/172.27.2.41 [SUCCEEDED]
    Sun Apr 13 15:02:41 2014 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet
    Sun Apr 13 15:02:41 2014 Exiting due to fatal error

    The client is trying to set "172.27.2.41" (in bold) as the netmask, which is wrong. For a /30 network, the netmask should be "255.255.255.252".

    Any ideas how/why the netmask is being set incorrectly?



  • To resolve this issue, I had to edit the openvpn server.

    If you have checked off 'allocate only one IP per client' under CLIENT SETTINGS, then uncheck this setting and your 'Client Specific Overrides' should now work.

    This is what resolved the error for me.

    Jits
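
The check the thread keeps coming back to, as an added example that is not part of any post and is not pfSense or OpenVPN code: it parses the "network/local/netmask" log line and reports whether the third field is a real netmask and whether the client address lies inside the server tunnel network. The names check_line, is_netmask and SAMPLE_LOG are made up for this example, and the third sample line is constructed.

```python
import ipaddress
import re

# Field layout of the TAP-Windows line quoted in the thread.
TAP_LINE = re.compile(r"network/local/netmask = ([\d.]+)/([\d.]+)/([\d.]+)")


def is_netmask(value):
    """True for a contiguous mask such as 255.255.255.252 (ones, then zeros)."""
    bits = int(ipaddress.IPv4Address(value))
    inverted = ~bits & 0xFFFFFFFF
    return bits != 0 and (inverted & (inverted + 1)) == 0


def check_line(line, server_tunnel):
    """Return None if the line is not a TAP subnet line, else a dict of checks."""
    m = TAP_LINE.search(line)
    if m is None:
        return None
    network, local, mask = m.groups()
    local_ip = ipaddress.IPv4Address(local)
    result = {
        "local_in_server_tunnel": local_ip in ipaddress.IPv4Network(server_tunnel),
        "netmask_is_mask": is_netmask(mask),
        "local_in_pushed_subnet": False,
    }
    # Only a valid mask lets us work out which subnet the client was given.
    if result["netmask_is_mask"]:
        pushed = ipaddress.IPv4Network(f"{network}/{mask}", strict=False)
        result["local_in_pushed_subnet"] = local_ip in pushed
    return result


# The first two lines are copied from the thread (timestamps dropped); the third
# is constructed from the netmask the original poster expected to see.
SAMPLE_LOG = [
    "Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.42.0/172.27.42.2/172.27.42.1 [SUCCEEDED]",
    "Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.2.40/172.27.2.42/172.27.2.41 [SUCCEEDED]",
    "Set TAP-Windows TUN subnet mode network/local/netmask = 172.27.42.0/172.27.42.2/255.255.255.0 [SUCCEEDED]",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry.split("= ")[1], check_line(entry, "172.27.2.0/24"))
```

Both lines taken from the thread fail the netmask check, including the /30 that sits inside 172.27.2.0/24, while the constructed line passes it even though its address is outside the server tunnel network.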

