OpenVPN server/client route messed up

  • All,

    Have had a successful pfSense/OpenVPN experience for several years now. pfSense is the OpenVPN server, and a Linksys WRT54GL running DD-WRT is the client. Woke up one morning and all of the settings in the Linksys had gone back to factory defaults, so I had to re-setup everything. I have an issue now where pfSense isn't assigning the correct gateway information and IP address to the client.

    On OpenVPN startup, here's what the server (pfSense) is saying:

    openvpn[2560]: /sbin/ifconfig tun0 mtu 1500 netmask up

    These addresses are taken from the address block entered on the webGUI server config page.

    When the client connects, it says:

    /sbin/ifconfig tun0 pointopoint mtu 1500

    Obviously, we have a problem here. The client is configured to receive ALL info from the server. There is no static addressing going on here.

    For whatever reason, the server is setting itself as and designating for the first client, but then actually assigning and reporting itself as

    A quick look at both routing tables confirms that the routes were entered correctly, but obviously with the wrong info.

    Anyone have any ideas? FWIW, I do remember having this EXACT problem (even down to the exact address assignments) when I first set this up a few years ago, but I can't remember what I did to fix it.


  • By the way, I am positive that the settings on the Linksys are the exact same as they were before, and besides, it is configured as a client that receives every parameter from the server.

    I have also tried fooling with the client-specific config but that hasn't yielded help either.

  • hmmm.
    That is strange.
    It seems a bit as if pfSense remembers that the old client was and assigned a new IP since a new unknown client connected.

    Maybe it works if you resetup the server too so pfSense "forgets" the old client.

  • I know–I will do that. Just to be sure, I want to make sure that the actual config file is removed when I delete it from the webGUI. Does anyone know where the OVPN config files are located?

  • Found the config files. The contents are posted below. I also tried connecting to the pfSense OpenVPN server with a Windows client, same results.

    Config file:

    dev tun
    proto udp
    remote 1194
    resolv-retry infinite
    ca ca.crt
    cert client1.crt
    key client1.key
    verb 3
    mute 20

    Server file:

    writepid /var/run/
    keepalive 10 60
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-config-dir /var/etc/openvpn_csc
    push "route"
    lport 1194
    ca /var/etc/
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    push "route"
    push "route"

    Any ideas?

  • Are you using a shared key or a PKI?

    In a PKI the first client WILL receive x.x.x.6
    (rtm on )
    In a shared key the only client is on x.x.x.2

    What you are seeing is normal in PKI mode (the ifconfig does not indicate a PKI or shared key setup; it is run the same way at startup in both modes).
    With default settings the OpenVPN server assigns the addresses in 4-address blocks (CIDR /30) of the address pool to the clients. Take a look at the "Why does OpenVPN's "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode?" part.

    I'm sorry.
    I didn't read right.
    kpa describes it a bit better than I did :)

    What I mean: in a shared key setup, you have in the server log something like

    openvpn[2560]: /sbin/ifconfig tun0 mtu 1500 netmask up
    and on the client something like
    openvpn[2560]: /sbin/ifconfig tun0 mtu 1500 netmask up

    While in a PKI setup the client usually has something like
    openvpn[2560]: /sbin/ifconfig tun0 mtu 1500 netmask up
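
The /30 allocation described in the replies above, as an added example that is not part of the original thread: it splits a tunnel network into the 4-address blocks used in TUN mode with PKI and checks whether the address pair in an ifconfig log line is the expected lease. The network 10.8.0.0/24, the sample log lines and the function names are constructed for illustration and are not the poster's values.

```python
import ipaddress
import re

# Constructed sample lines in the format quoted in the thread (addresses are examples).
SERVER_LINE = "openvpn[2560]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up"
CLIENT_LINE = "/sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500"

# Address pair in "ifconfig tun0 A B ..." or "ifconfig tun0 A pointopoint B ...".
PAIR_RE = re.compile(
    r"ifconfig\s+\S+\s+(\d+(?:\.\d+){3})\s+(?:pointopoint\s+)?(\d+(?:\.\d+){3})")

def net30_blocks(network):
    """Split the tunnel network into the /30 blocks handed out in TUN mode."""
    return list(ipaddress.ip_network(network).subnets(new_prefix=30))

def server_pair(network):
    """(local, peer) the server puts on its own tun device: first block, .1 and .2."""
    block = net30_blocks(network)[0]
    return block[1], block[2]

def client_pair(network, n):
    """(local, peer) for the n-th client (1-based); block 0 belongs to the server."""
    blocks = net30_blocks(network)
    # The last block is left out, as in the pool `server` expands to for a /24.
    if not 1 <= n < len(blocks) - 1:
        raise ValueError("no /30 block for client %d" % n)
    return blocks[n][2], blocks[n][1]  # client takes the 2nd host, its peer the 1st

def classify(network, line):
    """Explain the address pair found in one OpenVPN ifconfig log line."""
    m = PAIR_RE.search(line)
    if not m:
        return "no address pair in line"
    local, peer = (ipaddress.ip_address(g) for g in m.groups())
    if (local, peer) == server_pair(network):
        return "server endpoint"
    for n in range(1, len(net30_blocks(network)) - 1):
        if (local, peer) == client_pair(network, n):
            return "expected net30 lease for client %d" % n
    return "not a net30 lease from this network"

if __name__ == "__main__":
    for line in (SERVER_LINE, CLIENT_LINE):
        print(classify("10.8.0.0/24", line), "<-", line)
```

A first client reported as x.x.x.6 with peer x.x.x.5 while the server shows x.x.x.1 and x.x.x.2 is therefore the normal result, not a misassignment.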
