Netgate Discussion Forum

Problem with custom subnet for Windows client

  • M
    maxxer
    last edited by Nov 24, 2015, 10:28 AM

    Hi.
    I just found out that Windows 7 clients need custom client overrides for a TAP driver limitation. So I followed the guide here and added a client override with a NEW subnet (10.0.1.100/30), which is different from the main OpenVPN subnet (10.99.99.0/24).

    The client connects and correctly receives the 10.0.1.102 address, but pfSense is apparently not listening on 10.0.1.101: no ping, no whatever. Not even from the pfSense console itself; I cannot reach 10.0.1.101 or 10.0.1.102.

    I tried manually adding a second IP to the ovpn1 interface but it fails because it's not an ethernet interface.

    How can I overcome this? Is there a specific configuration I need to do on OpenVPN to add this second IP? Thanks

    P.S. I'm using 2.2.5

    • D
      doktornotor Banned
      last edited by Nov 24, 2015, 10:47 AM Nov 24, 2015, 10:39 AM

      Perhaps you could instead describe what your goal is here. Not exactly sure what you are trying to overcome beyond shooting yourself in the foot, or what TAP driver limitation we are talking about.

      • M
        maxxer
        last edited by Nov 24, 2015, 10:47 AM

        @doktornotor:

        Perhaps you could instead describe what your goal is here. Not exactly sure what you are trying to overcome beyond shooting yourself in the foot, or what TAP driver limitation we are talking about.

        Well, I'm just trying to have a Win7 client connected to OpenVPN.
        I tested the configuration with a Linux PC and it worked. In Windows I had the "subnet" error indicating the TAP driver MUST have a /30 subnet. So I followed the link above to create a client specific override, but it still doesn't work because of what I described.

        • D
          doktornotor Banned
          last edited by Nov 24, 2015, 11:10 AM Nov 24, 2015, 10:47 AM

          @maxxer:

          Well, I'm just trying to have a Win7 client connected to OpenVPN.

          No such abortion from hell is needed to connect W7 client to OpenVPN. And you need TAP exactly why?

          General information
          Server Mode: One of the Remote Access variants there, up to you which auth you prefer
          Protocol: UDP
          Device mode: TUN
          Interface: WAN (normally)
          Local Port: whatever

          Tunnel Settings
          IPv4 Tunnel Network: 10.99.99.0/24 (or whatever unused subnet)
          IPv4 Local Network/s: your LAN(s) subnets

          Client Settings
          Address Pool: tick the checkbox
          Topology: tick the checkbox there to avoid the net30 clusterfsck

          • Do NOT assign the OpenVPN server interface anywhere.
          • Your Interface above (WAN) needs a firewall rule to allow access to WAN address on the "Local Port" configured in OpenVPN, protocol UDP.
          • Put allow rules on the OpenVPN firewall rules tab (normally allow everything unless you need something more strict, do not make this restrictive until you have your VPN working.)
          • Install the OpenVPN Client Export package, export the package for Windows, install, run the OpenVPN GUI as admin, connect. Done.

          The above should not take more than ~15 minutes to set up. Simple and sure like hell working with W7.

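An added example, not part of the thread and not pfSense or OpenVPN code: a Python check of a per-client address block against the server's tunnel network, run on the addresses from the first post. The function names and messages are assumptions made for illustration; the check relies on OpenVPN's documented behaviour that net30 hands each client its own /30 and that the server routes only its own tunnel network into the tunnel unless an extra route is configured.

```python
import ipaddress

def net30_endpoints(block):
    """Return (server-side endpoint, client address) for a net30 /30 block."""
    first, second = ipaddress.ip_network(block).hosts()
    return str(first), str(second)

def check_override(tunnel_net, override, topology):
    """List the problems with a per-client address block (empty list = OK)."""
    server = ipaddress.ip_network(tunnel_net)
    iface = ipaddress.ip_interface(override)
    block = iface.network
    problems = []
    if not block.subnet_of(server):
        # The server only routes its own tunnel network into the tunnel.
        problems.append("outside tunnel network")
    if topology == "net30":
        if block.prefixlen != 30:
            problems.append("net30 needs a /30 per client")
        elif iface.ip != block.network_address:
            problems.append("not on a /30 boundary")
    elif topology == "subnet":
        # One host address per client, carrying the tunnel network's mask.
        if block.prefixlen != server.prefixlen:
            problems.append("mask differs from tunnel network")
        elif iface.ip in (block.network_address, block.broadcast_address):
            problems.append("not a usable host address")
    else:
        raise ValueError("topology must be 'net30' or 'subnet'")
    return problems

if __name__ == "__main__":
    # Values from the first post: override 10.0.1.100/30, tunnel 10.99.99.0/24.
    print(net30_endpoints("10.0.1.100/30"))
    print(check_override("10.99.99.0/24", "10.0.1.100/30", "net30"))
    # Constructed values: a /30 inside the tunnel network, and a single
    # address under subnet topology.
    print(check_override("10.99.99.0/24", "10.99.99.8/30", "net30"))
    print(check_override("10.99.99.0/24", "10.99.99.50/24", "subnet"))
```
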
          • M
            maxxer
            last edited by Nov 24, 2015, 11:59 AM

            @doktornotor:

            Topology: tick the checkbox there to avoid the net30 clusterfsck

            It was this damn checkbox!! Thanks!!

            • D
              doktornotor Banned
              last edited by Nov 24, 2015, 12:12 PM Nov 24, 2015, 12:01 PM

              I have no idea why that darned thing is NOT ticked by default. Someone should perhaps file a bug. Never got to it. The net30 abortion should die a painful death, not be the default.

              EDIT: https://redmine.pfsense.org/issues/5526

              • M
                maxxer
                last edited by Nov 24, 2015, 1:02 PM

                You're very passionate about that :D :D
                Thanks again

                • D
                  doktornotor Banned
                  last edited by Nov 24, 2015, 1:26 PM

                  Yeah, I hate that thing with a passion, since like ~90% of commonly hit "issues" with OpenVPN seem to stem either from this net30 thing, or the "need to run the GUI as admin under Windows". Other than these two, there are pretty much no issues here until people start inventing crazy things; this truly is a "create a reliable VPN in ~5 minutes of clicking" solution when you use the wizard and the export package. (Now, when you compare it to the IPsec nightmare, no idea why most people haven't switched yet.)

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Nov 24, 2015, 3:01 PM

                    To be honest, I have never had any issue with the net30 topology on any client: Windows, Linux, iOS, Android… So I have no clue as to what the OP is complaining about?

                    Then again I have never used tap, why would you when tun is just clickity clickity and much easier to use.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • M
                      maxxer
                      last edited by Nov 24, 2015, 3:29 PM

                      On a side note, I do use tun, but the virtual driver in Windows is called TAP anyway
