OpenVPN server/client route messed up
-
All,
Have had a successful pfSense/OpenVPN experience for several years now. pfSense is the OpenVPN server, and a Linksys WRT54GL running DD-WRT is the client. Woke up one morning and all of the settings in the Linksys had gone back to factory defaults, so I had to re-set up everything. I have an issue now where pfSense isn't assigning the correct gateway information and IP address to the client.
On OpenVPN startup, here's what the server (pfSense) is saying:
openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up
These 172.16.40.1, 172.16.40.2 addresses are taken from the 172.16.40.0/24 address block entered on the webGUI server config page.
When the client connects, it says:
/sbin/ifconfig tun0 172.16.40.6 pointopoint 172.16.40.5 mtu 1500
Obviously, we have a problem here. The client is configured to receive ALL info from the server. There is no static addressing going on here.
For whatever reason, the server is setting itself as 172.16.40.1 and designating 172.16.40.2 for the first client, but then actually assigning 172.16.40.6 and reporting itself as 172.16.40.5.
A quick look at both routing tables confirms that the routes were entered correctly, but obviously with the wrong info.
Anyone have any ideas? FWIW, I do remember having this EXACT problem (even down to the exact address assignments) when I first set this up a few years ago, but I can't remember what I did to fix it.
Thanks!
-
By the way, I am positive that the settings on the Linksys are the exact same as they were before, and besides, it is configured as a client that receives every parameter from the server.
I have also tried fooling with the client-specific config but that hasn't yielded help either.
-
hmmm.
That is strange.
It seems a bit as if pfSense remembers that the old client was 172.16.40.2 and assigned a new IP since a new unknown client connected. Maybe it works if you re-set up the server too so pfSense "forgets" the old client.
-
I know–I will do that. Just to be sure, I want to make sure that the actual config file is removed when I delete it from the webGUI. Does anyone know where the OVPN config files are located?
-
Found the config files. The contents are posted below. I also tried connecting to the pfSense OpenVPN server with a Windows client, same results.
Config file:
client
dev tun
proto udp
remote 75.13.22.133 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
mute 20
Server file:
writepid /var/run/openvpn_server0.pid
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 172.16.40.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 172.16.10.0 255.255.255.0"
lport 1194
route 172.16.50.0 255.255.255.0
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
persist-remote-ip
float
push "route 172.16.20.0 255.255.255.0"
push "route 172.16.30.0 255.255.255.0"
local 172.16.10.1
Any ideas?
-
Are you using a shared key or a PKI?
In a PKI the first client WILL receive x.x.x.6
(rtm on http://openVPN.net)
In a shared key the only client is on x.x.x.2
-
What you are seeing is normal in PKI mode (the ifconfig does not indicate a PKI or shared key setup; it is run the same way at startup in both modes): with default settings the OpenVPN server assigns the addresses in 4-address blocks (CIDR /30) of the address pool to the clients. Take a look at http://www.openvpn.net/index.php/documentation/faq.html, the "Why does OpenVPN's "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode?" part.
-
I'm sorry.
I didn't read right.
kpa describes it a bit better than I did :)
What I mean: in a shared key setup, you have on the server log something like
openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up
and on the client something like
openvpn[2560]: /sbin/ifconfig tun0 172.16.40.2 172.16.40.1 mtu 1500 netmask 255.255.255.255 up
While in a PKI setup the client usually has something like
openvpn[2560]: /sbin/ifconfig tun0 172.16.40.6 172.16.40.5 mtu 1500 netmask 255.255.255.255 up
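As an added example (not code from the thread or from pfSense/OpenVPN), here is the /30-per-client allocation that kpa and the reply above describe, worked through for the `server 172.16.40.0 255.255.255.0` line from the posted server file. The log lines are constructed copies of the ones quoted in the thread, and the pool bounds (first /30 reserved for the server's own tun, last /30 outside the pool) follow the documented expansion of the `server` directive into `ifconfig` and `ifconfig-pool`.

```python
import ipaddress
import re

# Constructed log lines modelled on the ones quoted in the thread.
SERVER_LINE = "/sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up"
PKI_CLIENT_LINE = "/sbin/ifconfig tun0 172.16.40.6 pointopoint 172.16.40.5 mtu 1500"
SHARED_KEY_CLIENT_LINE = "/sbin/ifconfig tun0 172.16.40.2 172.16.40.1 mtu 1500 netmask 255.255.255.255 up"

IFCONFIG_RE = re.compile(
    r"ifconfig\s+tun\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(?:pointopoint\s+)?(\d+\.\d+\.\d+\.\d+)")

def parse_ifconfig(line):
    """Pull the (local, remote) tun endpoints out of an OpenVPN ifconfig log line."""
    m = IFCONFIG_RE.search(line)
    if m is None:
        raise ValueError("not an OpenVPN ifconfig line: %r" % line)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def server_endpoints(server_net):
    """Endpoints the 'server' directive gives the server's own tun: net+1 local, net+2 peer."""
    first = list(ipaddress.ip_network(server_net).subnets(new_prefix=30))[0]
    return list(first)[1], list(first)[2]

def net30_pool(server_net):
    """(client_ip, server_side_endpoint) pairs that ifconfig-pool hands out in net30
    topology: each client owns one /30, where net+1 is the server's end and net+2 the
    client's.  The first /30 is the server's own and the last lies outside the pool
    ('server 10.8.0.0 255.255.255.0' expands to 'ifconfig-pool 10.8.0.4 10.8.0.251')."""
    blocks = list(ipaddress.ip_network(server_net).subnets(new_prefix=30))
    pairs = []
    for block in blocks[1:-1]:
        addrs = list(block)  # [network, server end, client end, broadcast]
        pairs.append((addrs[2], addrs[1]))
    return pairs

def classify(line, server_net):
    """Tell a server-side line, a pool assignment (and which client slot) and a
    shared-key style static peer apart; anything else is 'unexpected'."""
    local, remote = parse_ifconfig(line)
    if (local, remote) == server_endpoints(server_net):
        return "server"
    pool = net30_pool(server_net)
    if (local, remote) in pool:
        return "pool client #%d" % (pool.index((local, remote)) + 1)
    if (remote, local) == server_endpoints(server_net):
        return "shared-key peer"
    return "unexpected"
```

Running `classify` over the two lines from the first post gives "server" for the pfSense line and "pool client #1" for the Linksys line, i.e. the .6/.5 pair is the first slot of the pool rather than a misassignment.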