Problem with custom subnet for Windows client



  • Hi.
    I just found out that Windows7 clients need custom client overrides because of a TAP driver limitation. So I followed the guide here: I added a client override with a NEW subnet (10.0.1.100/30), which is different from the main OpenVPN subnet (10.99.99.0/24).

    The client connects, it correctly receives 10.0.1.102 address, but pfSense is apparently not listening on 10.0.1.101: no ping, no whatever. Not even from the pfSense console itself, I cannot reach 10.0.1.101 nor 10.0.1.102.

    I tried manually adding a second IP to the ovpn1 interface but it fails because it's not an ethernet interface.

    How can I overcome this? Is there a specific configuration I need to do on OpenVPN to add this second IP? Thanks.

    P.S. I'm using 2.2.5


  • Banned

    Perhaps you could instead describe what your goal is here. Not exactly sure what you are trying to overcome beyond shooting yourself in the foot, or what TAP driver limitation we are talking about.



  • @doktornotor:

    Perhaps you could instead describe what your goal is here. Not exactly sure what you are trying to overcome beyond shooting yourself in the foot, or what TAP driver limitation we are talking about.

    Well, I'm just trying to have a Win7 client connected to OpenVPN.
    I tested the configuration with a Linux PC and it worked. In Windows I had the "subnet" error indicating the TAP driver MUST have a /30 subnet. So I followed the link above to create a client-specific override, but it still doesn't work because of what I described.


  • Banned

    @maxxer:

    Well, I'm just trying to have a Win7 client connected to OpenVPN.

    No such abortion from hell is needed to connect a W7 client to OpenVPN. And you need TAP exactly why?

    General information
    Server Mode: One of the Remote Access variants there, up to you which auth you prefer
    Protocol: UDP
    Device mode: TUN
    Interface: WAN (normally)
    Local Port: whatever

    Tunnel Settings
    IPv4 Tunnel Network: 10.99.99.0/24 (or whatever unused subnet)
    IPv4 Local Network/s: your LAN(s) subnets

    Client Settings
    Address Pool: tick the checkbox
    Topology: tick the checkbox there to avoid the net30 clusterfsck

    • Do NOT assign the OpenVPN server interface anywhere.
    • Your Interface above (WAN) needs a firewall rule to allow access to WAN address on the "Local Port" configured in OpenVPN, protocol UDP.
    • Put allow rules on the OpenVPN firewall rules tab (normally allow everything unless you need something more strict, do not make this restrictive until you have your VPN working.)
    • Install the OpenVPN Client Export package, export the package for Windows, install, run the OpenVPN GUI as admin, connect. Done.

    The above should not take more than ~15 minutes to set up. Simple and sure like hell working with W7.
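The "Topology" checkbox in the steps above switches the server from OpenVPN's `topology net30` to `topology subnet`. The following script, an added example that is not from the thread or from pfSense/OpenVPN code, models what that difference does to address allocation: under net30 every client burns a whole /30 (the client gets the second host address, its server-side endpoint the first), which is exactly the 10.0.1.101 / 10.0.1.102 pair the original poster saw with the 10.0.1.100/30 override, whereas under subnet each client gets a single address out of one flat network. The assumptions that the server takes the first /30 (net30) or the first usable host (subnet) and that clients are allocated sequentially after it are labelled in the code.

```python
"""Model OpenVPN tunnel-address allocation under 'topology net30'
versus 'topology subnet'.

Added example, not from the thread or from pfSense/OpenVPN.
Assumptions (labelled inline): the server takes the first /30 (net30)
or the first usable host (subnet); clients are allocated sequentially
after it.  The net30 pairing (first host of each /30 = server-side
endpoint, second host = client) matches what the original poster
observed with the 10.0.1.100/30 override (.101 / .102)."""

import ipaddress


def net30_pair(block: str) -> tuple[str, str]:
    """For one /30, return (server_endpoint, client_address).

    net30 emulates a point-to-point link: the client's 'ifconfig' peer
    is the first host of the /30, the client itself is the second."""
    net = ipaddress.ip_network(block, strict=False)
    if net.prefixlen != 30:
        raise ValueError(f"{block} is not a /30")
    first, second = net.hosts()  # a /30 has exactly two host addresses
    return str(first), str(second)


def net30_allocation(tunnel_net: str, clients: int) -> dict:
    """topology net30: every client consumes a whole /30 out of the pool."""
    net = ipaddress.ip_network(tunnel_net)
    blocks = list(net.subnets(new_prefix=30))
    # Assumption: the server owns block 0 (e.g. 10.99.99.0/30 -> server .1).
    server_ep, _server_peer = net30_pair(str(blocks[0]))
    assigned = []
    for blk in blocks[1:1 + clients]:
        ep, client = net30_pair(str(blk))
        assigned.append({"block": str(blk), "server_endpoint": ep, "client": client})
    return {"server": server_ep, "clients": assigned}


def subnet_allocation(tunnel_net: str, clients: int) -> dict:
    """topology subnet: one flat network, one address per client."""
    net = ipaddress.ip_network(tunnel_net)
    hosts = list(net.hosts())
    server = str(hosts[0])  # assumption: server takes the first usable host
    assigned = [str(h) for h in hosts[1:1 + clients]]
    return {"server": server, "clients": assigned}


def capacity(tunnel_net: str, topology: str) -> int:
    """How many clients one tunnel network can serve under each topology."""
    net = ipaddress.ip_network(tunnel_net)
    if topology == "net30":
        # one /30 per client, minus the server's own /30
        return len(list(net.subnets(new_prefix=30))) - 1
    if topology == "subnet":
        # all hosts minus network, broadcast and the server address
        return net.num_addresses - 3
    raise ValueError(f"unknown topology {topology!r}")


if __name__ == "__main__":
    pool = "10.99.99.0/24"  # the tunnel network from the thread
    print("net30 :", net30_allocation(pool, 3))
    print("subnet:", subnet_allocation(pool, 3))
    for topo in ("net30", "subnet"):
        print(f"{topo:6} capacity of {pool}: {capacity(pool, topo)} clients")
    print("OP override 10.0.1.100/30 ->", net30_pair("10.0.1.100/30"))
```

Running it shows why the default hurts: the same /24 serves 63 clients under net30 but 253 under subnet, and every net30 client needs a matching /30 that both ends must agree on, which is the kind of mismatch the override in the first post ran into.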



  • @doktornotor:

    Topology: tick the checkbox there to avoid the net30 clusterfsck

    It was this damn checkbox!! Thanks!!


  • Banned

    I have no idea why that darned thing is NOT ticked by default. Someone should perhaps file a bug. Never got to it. The net30 abortion should die a painful death, not be the default.

    EDIT: https://redmine.pfsense.org/issues/5526



    You're very passionate about that :D :D
    Thanks again.


  • Banned

    Yeah, I hate that thing with a passion, since like ~90% of commonly hit "issues" with OpenVPN seem to stem either from this net30 thing or from the "need to run the GUI as admin under Windows". Other than these two, there are pretty much no issues here until people start inventing crazy things; this truly is a "create a reliable VPN in ~5 minutes of clicking" solution when you use the wizard and the export package. (Now, when you compare it to the IPsec nightmare, no idea why most people haven't switched yet.)


  • LAYER 8 Global Moderator

    To be honest, I have never had any issue with the net30 topology on any client: Windows, Linux, iOS, Android… So I have no clue what the OP is complaining about.

    Then again, I have never used TAP; why would you, when TUN is just clickity clickity and much easier to use?



    On a side note, I do use TUN, but the virtual driver in Windows is called TAP anyway.

