New 2.3 installation with backup from 2.2.6: OpenVPN issues
-
Hi everybody,
Last Saturday I did a new 2.3 installation and imported a config backup from our previous 2.2.6 installation.
Since then we have problems with our OpenVPN road warriors.
We work with client specific overrides looking like this:
Tunnel Network: 10.185.204.0/24
Server Definitions: [x] Prevent this client from receiving any server-defined client settings.
Advanced: push "route 192.168.1.0 255.255.255.0"
When a client configured this way tries to connect, it gets these messages:
Mon Apr 18 10:42:20 2016 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Mon Apr 18 10:42:20 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Apr 18 10:42:20 2016 There is a problem in your selection of --ifconfig endpoints [local=10.185.204.0, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Mon Apr 18 10:42:20 2016 Exiting due to fatal error
Looks like a bug, doesn't it? Or is there something we can change to make it work again?
Thanks a lot for your support and many greets
Stephan
-
https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes#OpenVPN
Probably related to this:
"Changed the default behavior of the OpenVPN server to use topology subnet, not net30. #5526"
https://redmine.pfsense.org/issues/5526
I suspect you need to change your server topology back to net30 or update the config your client is using to use the subnet topology.
-
I have just stumbled upon the VERY same issue.
You have to manually select the server where you want the overrides to apply, on each entry, even if there is only one configured. Otherwise, it seems that a subnet topology is assumed when configuring the overrides.
I guess this is 'kind of' a bug. When no servers are specified on the override, it should configure the second parameter of the 'ifconfig' command depending on the setting on EACH server (either the IP of the gateway or the subnet mask).
I'm quite sleepy right now, does this make sense?
Best regards
-
Hey you,
thanks a lot for your fast and helpful replies!
> You have to manually select the server where you want the overrides to apply, on each entry, even if there is only one configured. Otherwise, it seems that a subnet topology is assumed when configuring the overrides.
It seems that in my overrides there is a server marked (I have two OpenVPN servers, and the correct one is marked "blue")
> I suspect you need to change your server topology back to net30 or update the config your client is using to use the subnet topology.
I think I'd like to keep the more "modern" configuration instead of net30 if possible. But unfortunately I have no clue what I must change within the overrides to get things running again… Could someone give me a hint?
Thanks a lot and many greets
Stephan
-
I think you need to re-export configs for all the road-warriors, since configuration changes for them too.
-
Just change the server topology back to net30. No need to re-export or change anything else.
-
But if he wants to use the more "modern" configuration instead of the old net30 as he said, he needs to re-export all the clients, imho…
-
> But if he wants to use the more "modern" configuration instead of the old net30 as he said, he needs to re-export all the clients, imho…
Depends on the config, that's true for some circumstances. Most client-side configs ought to be fine after just changing the server-side.
-
Hi,
sorry for my late answer!
> I think you need to re-export configs for all the road-warriors, since configuration changes for them too.
Unfortunately re-exporting the client configs doesn't solve the problem. Maybe there is something wrong with my overrides?
Or coming from another direction: What is now best practice to give OpenVPN access to road warriors so I can make firewall rules for each warrior separately?
Thanks and greets
Stephan
-
Just edit the OpenVPN server instance and set the topology to net30, and you'll be back to where you were pre-upgrade.
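-
The topology mismatch discussed in this thread, as an added example that is not part of any post and not pfSense or OpenVPN code: it builds the two `ifconfig-push` arguments for a fixed per-client address under each topology and mirrors the two client-side checks quoted in the log. The function names and the slot numbering (the server is assumed to own the first address or first /30) are assumptions.

```python
import ipaddress

def ifconfig_push(tunnel_network, topology, slot=1):
    """Return (first, second) ifconfig-push arguments for client number `slot`."""
    net = ipaddress.ip_network(tunnel_network)
    if topology == "subnet":
        # subnet: <client IP> <netmask of the tunnel network>
        client = net.network_address + 1 + slot
        if client not in net or client == net.broadcast_address:
            raise ValueError("slot outside tunnel network")
        return str(client), str(net.netmask)
    if topology == "net30":
        # net30: <client IP> <peer IP>, the two usable hosts of one /30
        base = net.network_address + 4 * slot
        if base + 3 not in net:
            raise ValueError("slot outside tunnel network")
        return str(base + 2), str(base + 1)
    raise ValueError("unknown topology: " + topology)

def looks_like_netmask(addr):
    """True if addr is a run of 1-bits followed by 0-bits, e.g. 255.255.255.0."""
    inv = ~int(ipaddress.IPv4Address(addr)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def check_ifconfig(local, second, client_topology):
    """List the problems a client running `client_topology` would report."""
    problems = []
    if client_topology == "subnet":
        if not looks_like_netmask(second):
            problems.append("subnet topology needs a netmask as second argument")
        return problems
    if looks_like_netmask(second):
        problems.append("second argument looks like a netmask, expected a peer IP")
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    usable = {str(h) for h in block.hosts()}
    if local == second or not {local, second} <= usable:
        problems.append("local and remote must be the two hosts of one /30")
    return problems

if __name__ == "__main__":
    # Values taken from the log in the first post: both checks fail.
    print(check_ifconfig("10.185.204.0", "255.255.255.0", "net30"))
    for topo in ("subnet", "net30"):
        args = ifconfig_push("10.185.204.0/24", topo)
        print(topo, "ifconfig-push", *args, check_ifconfig(*args, topo))
```

A fixed address per road warrior, whichever topology is in use, is what lets firewall rules be written per client.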