OpenVPN server/client route messed up



  • All,

    Have had a successful pfSense/OpenVPN experience for several years now. pfSense is the OpenVPN server, and a Linksys WRT54GL running DD-WRT is the client. Woke up one morning and all of the settings in the Linksys had gone back to factory defaults, so I had to set everything up again. I have an issue now where pfSense isn't assigning the correct gateway information and IP address to the client.

    On OpenVPN startup, here's what the server (pfSense) is saying:

    openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up

    These 172.16.40.1, 172.16.40.2 addresses are taken from the 172.16.40.0/24 address block entered on the webGUI server config page.

    When the client connects, it says:

    /sbin/ifconfig tun0 172.16.40.6 pointopoint 172.16.40.5 mtu 1500

    Obviously, we have a problem here. The client is configured to receive ALL info from the server. There is no static addressing going on here.

    For whatever reason, the server is setting itself as 172.16.40.1 and designating 172.16.40.2 for the first client, but then actually assigning 172.16.40.6 and reporting itself as 172.16.40.5.

    A quick look at both routing tables confirms that the routes were entered correctly, but obviously with the wrong info.

    Anyone have any ideas? FWIW, I do remember having this EXACT problem (even down to the exact address assignments) when I first set this up a few years ago, but I can't remember what I did to fix it.

    Thanks!



  • By the way, I am positive that the settings on the Linksys are the exact same as they were before, and besides, it is configured as a client that receives every parameter from the server.

    I have also tried fooling with the client-specific config but that hasn't yielded help either.



  • hmmm.
    That is strange.
    It seems a bit as if pfSense remembers that the old client was 172.16.40.2 and assigned a new ip since a new unknown client connected.

    Maybe it works if you re-set up the server too, so pfSense "forgets" the old client.



  • I know, I will do that. Just to be sure, I want to make sure that the actual config file is removed when I delete it from the webGUI. Does anyone know where the OVPN config files are located?



  • Found the config files. The contents are posted below. I also tried connecting to the pfSense OpenVPN server with a Windows client, same results.

    Config file:

    client
    dev tun
    proto udp
    remote 75.13.22.133 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    comp-lzo
    verb 3
    mute 20

    Server file:

    writepid /var/run/openvpn_server0.pid
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 172.16.40.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 172.16.10.0 255.255.255.0"
    lport 1194
    route 172.16.50.0 255.255.255.0
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    push "route 172.16.20.0 255.255.255.0"
    push "route 172.16.30.0 255.255.255.0"
    local 172.16.10.1

    Any ideas?



  • Are you using a shared key or a PKI?

    In a PKI the first client WILL receive x.x.x.6
    (rtm on http://openVPN.net )
    In a shared key setup the only client is on x.x.x.2



  • What you are seeing is normal in PKI mode (the ifconfig line does not indicate a PKI or shared-key setup; it is run the same way at startup in both modes).
    With default settings the OpenVPN server assigns the addresses in 4-address blocks (CIDR /30) of the address pool to the clients. Take a look at the "Why does OpenVPN's "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode?" part of http://www.openvpn.net/index.php/documentation/faq.html
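The /30-per-client layout described in this post and the two before it, worked through for the thread's own pool, as an added example (this code is not from the thread, from pfSense, or from OpenVPN). It assumes the posted `server 172.16.40.0 255.255.255.0` directive with the default TUN-mode ("net30") topology and no `ifconfig-pool` or `topology subnet` override; the pool end of `.251` matches the expansion documented in the OpenVPN man page for a /24, and the general "broadcast minus 4" form used here for other prefix lengths is an assumption. Client slot numbering is 0-based for illustration only; real OpenVPN hands out slots in connection order.

```python
"""How OpenVPN's default TUN-mode pool carves a /30 per client (added example).

With `server 172.16.40.0 255.255.255.0` and the default net30 topology the server
keeps the first /30 for itself (ifconfig .1 .2) and hands every client the next
free /30 from the pool (.4 to .251 on a /24): client gets the third address of
its block, the server-side peer the second.  That is why the first PKI client in
the thread logs ".6 pointopoint .5" while the server logs ".1 .2".
"""
import ipaddress
import re


def net30_layout(network: str):
    """Return (server_ip, server_peer, pool_start, pool_end) for a `server`
    directive.  `network` may be "172.16.40.0/24" or the directive text
    "server 172.16.40.0 255.255.255.0"."""
    parts = network.split()
    if parts and parts[0] == "server":          # accept the raw config line
        network = f"{parts[1]}/{parts[2]}"
    net = ipaddress.ip_network(network, strict=True)
    base = int(net.network_address)
    server_ip = ipaddress.ip_address(base + 1)        # ifconfig <net>.1 <net>.2
    server_peer = ipaddress.ip_address(base + 2)
    pool_start = ipaddress.ip_address(base + 4)       # first client /30
    # Man page shows ifconfig-pool .4 .251 for a /24; broadcast-4 reproduces
    # that and is assumed here to be the general rule for other sizes.
    pool_end = ipaddress.ip_address(int(net.broadcast_address) - 4)
    return server_ip, server_peer, pool_start, pool_end


def pool_capacity(network: str) -> int:
    """Number of /30 client slots the pool can hold (62 for a /24)."""
    _, _, start, end = net30_layout(network)
    return (int(end) - int(start) + 1) // 4


def client_block(network: str, index: int):
    """(client_ip, server_side_peer) for the client holding 0-based pool slot
    `index`; the slot is the /30 starting at pool_start + 4*index."""
    _, _, pool_start, pool_end = net30_layout(network)
    block = int(pool_start) + 4 * index
    if index < 0 or block + 3 > int(pool_end):
        raise ValueError(f"slot {index} is outside the pool {pool_start}-{pool_end}")
    return str(ipaddress.ip_address(block + 2)), str(ipaddress.ip_address(block + 1))


# Matches both log shapes seen in the thread:
#   ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 ...   (server, BSD style)
#   ifconfig tun0 172.16.40.6 pointopoint 172.16.40.5 ... (client, Linux style)
IFCONFIG_RE = re.compile(
    r"ifconfig\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(?:pointopoint\s+)?(\d+\.\d+\.\d+\.\d+)"
)


def explain_ifconfig(network: str, line: str) -> str:
    """Classify an OpenVPN ifconfig log line against the net30 layout, so a
    reader can tell 'server endpoint' from 'pooled client' from 'unexpected'."""
    m = IFCONFIG_RE.search(line)
    if not m:
        raise ValueError("no ifconfig address pair found in line")
    local, remote = (int(ipaddress.ip_address(a)) for a in m.groups())
    server_ip, server_peer, pool_start, pool_end = net30_layout(network)
    if (local, remote) == (int(server_ip), int(server_peer)):
        return "server tun endpoint"
    if (local, remote) == (int(server_peer), int(server_ip)):
        return "shared-key peer (client side of the server's own /30)"
    block = local - 2                       # client address is block + 2
    aligned = (block - int(pool_start)) % 4 == 0
    in_pool = int(pool_start) <= block <= int(pool_end) - 3
    if aligned and in_pool and remote == block + 1:
        slot = (block - int(pool_start)) // 4
        lo, hi = ipaddress.ip_address(block), ipaddress.ip_address(block + 3)
        return f"pooled client, slot {slot} (/30 {lo}-{hi})"
    return "not a net30 pool assignment for this server network"


if __name__ == "__main__":
    # Constructed inputs: the thread's server line and the two logged ifconfigs.
    net = "server 172.16.40.0 255.255.255.0"
    print(net30_layout(net), "capacity:", pool_capacity(net))
    for i in range(3):
        print("slot", i, "->", client_block(net, i))
    print(explain_ifconfig(net, "openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 "
                                "172.16.40.2 mtu 1500 netmask 255.255.255.255 up"))
    print(explain_ifconfig(net, "/sbin/ifconfig tun0 172.16.40.6 pointopoint "
                                "172.16.40.5 mtu 1500"))
```

Running it shows slot 0 as `.6/.5`, slot 1 as `.10/.9`, slot 2 as `.14/.13`, and 62 slots in total; a client log line ending up on `.2/.1` is what a shared-key (point-to-point) setup produces, which is the distinction the replies above are drawing. Switching the server to `topology subnet` removes the /30 carving entirely, and then this layout no longer applies.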



  • I'm sorry.
    I didn't read it right.
    kpa describes it a bit better than I did :)

    What i mean: in a shared key setup: you have on the server-log something like

    openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up
    and on the client something like
    openvpn[2560]: /sbin/ifconfig tun0 172.16.40.2 172.16.40.1 mtu 1500 netmask 255.255.255.255 up

    While in a PKI setup the client usually has something like
    openvpn[2560]: /sbin/ifconfig tun0 172.16.40.6 172.16.40.5 mtu 1500 netmask 255.255.255.255 up

