OPNsense Forum

English Forums => 23.7 Legacy Series => Topic started by: myksto on August 24, 2023, 10:23:46 am

Title: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: myksto on August 24, 2023, 10:23:46 am
Hi.
Just upgraded to latest version 23.7.2.
I read in this topic https://forum.opnsense.org/index.php?topic=35149.0 that to push a static IP to clients in the tunnel we just have to use the "IPv4 Tunnel Network" field.
Well, I just copied the command "ifconfig-push 10.160.71.2 255.255.255.255" and received the error "please specify a valid network segment or address (IPv4/IPv6)" (see screenshot).

What am I doing wrong?

Thanks a lot,
Michele.
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: franco on August 24, 2023, 10:56:52 am
10.160.71.2/32
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: smema79 on August 24, 2023, 11:07:35 am
Sorry @franco,
how can I verify that CSOs are correctly read if I configure a new Instance using the new method?

As indicated here, https://forum.opnsense.org/index.php?topic=35447.msg172767#msg172767, I tried and it does not retrieve the CSO using the common name.

Thanks
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: franco on August 24, 2023, 11:12:58 am
Check the log for "client config created" under NOTICE log level.


Cheers,
Franco
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: myksto on August 24, 2023, 11:20:50 am
Quote from: franco on August 24, 2023, 10:56:52 am
10.160.71.2/32

The command "Ifconfig-push" has indeed to be removed.

Setting the field to just 10.160.71.2/32 works like a charm.

Thanks a lot.

Cheers,
Michele.
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: smema79 on August 24, 2023, 11:23:49 am
Quote from: franco on August 24, 2023, 11:12:58 am
Check the log for "client config created" under NOTICE log level.
Cheers,
Franco

There is no trace. It seems not to read the line made in the CSO page.
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: franco on August 24, 2023, 11:51:51 am
Possibly yes. It's difficult for me to troubleshoot a condition I cannot reproduce.


Cheers,
Franco
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: smema79 on August 24, 2023, 11:55:28 am
With Legacy, I see this:
user 'xxxxxxx' authenticated using 'Local Database' CSO [CN]:/var/etc/openvpn-csc/1/xxxxxxx

With Instance, this line does not exist, and in the CSO page I correctly selected the new Instance as server.
user 'xxxxxxx' authenticated using 'Local Database'
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: franco on August 24, 2023, 12:00:13 pm
Ok, you have another mode there so you can't find that log line anyway.

Hmm, and does "user 'xxxxxxx' authenticated" at least show up in the log? The user is able to connect I suppose?


Cheers,
Franco
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: smema79 on August 24, 2023, 12:39:02 pm
Yes, it connects and gets the first IP of the subnet declared at the instance server level, but it does not take the settings declared in the CSO, that is, the remote subnets to which it is to connect and the expected static IP it is to get.

As mentioned in the previous post, to do the test, I configured a new openvpn instance, leaving the legacy server configuration unchanged, assigning it a different listening port but using the same configurations (except the IPv4 Subnet).
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: newsense on August 25, 2023, 06:19:13 pm
Can you verify if this patch fixes your issue?

Code:
opnsense-patch d3af50a
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: franco on August 25, 2023, 07:02:50 pm
When posting opnsense-patch commands please also provide the GitHub commit link for reference:

https://github.com/opnsense/core/commit/d3af50a

It helps to assess what could be happening and prevents posting malicious patches (like reverting a security patch for example).


Cheers,
Franco
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: newsense on August 25, 2023, 09:42:28 pm
Sure thing, apologies, forgot to add the URL this time (found the commit on the phone and then I copy pasted here only the patch command)


Code:
root@OPNsense:~ # opnsense-patch d3af50a
Fetched d3af50a via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From d3af50ad9021ba586af5efdb39899a696794c8af Mon Sep 17 00:00:00 2001
|From: Ad Schellevis <ad@opnsense.org>
|Date: Fri, 25 Aug 2023 16:53:56 +0200
|Subject: [PATCH] VPN: OpenVPN: Client Specific Overrides - fix mismatch issue
| when pinning a CSO to a specific instance. As new CSO's are stored by uuid,
| we should make sure to send events using them as well. cc @fichtner
|
|---
| src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php | 8 ++++----
| src/opnsense/scripts/openvpn/user_pass_verify.php        | 3 +--
| 2 files changed, 5 insertions(+), 6 deletions(-)
|
|diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
|index 55fffa5f39..b8ee06cc70 100644
|--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
|+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
--------------------------
Patching file opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php using Plan A...
Hunk #1 succeeded at 432 (offset -10 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/opnsense/scripts/openvpn/user_pass_verify.php b/src/opnsense/scripts/openvpn/user_pass_verify.php
|index 518d637ebd..2963302b7c 100755
|--- a/src/opnsense/scripts/openvpn/user_pass_verify.php
|+++ b/src/opnsense/scripts/openvpn/user_pass_verify.php
--------------------------
Patching file opnsense/scripts/openvpn/user_pass_verify.php using Plan A...
Hunk #1 succeeded at 119.
done
All patches have been applied successfully.  Have a nice day.
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: smema79 on August 28, 2023, 01:04:17 pm
Hello

I applied the patch and tested again, but the use of the CSO does not appear in the "Notice" log:

Code:
2023-08-28T13:01:28 Notice openvpn_server2 127.0.0.1:1959 PUSH: Received control message: 'PUSH_REQUEST'
2023-08-28T13:01:28 Notice openvpn user 'XXXXXXX' authenticated using 'Local Database'
2023-08-28T13:01:27 Notice openvpn_server2 127.0.0.1:1959 PUSH: Received control message: 'PUSH_REQUEST'

Regards
Title: Re: OpenVPN: Client Specific Overrides - Ifconfig-push problem
Post by: smema79 on August 30, 2023, 02:42:42 pm
Hello, with 23.7.3 it is now OK.

Thanks a lot.
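
The log check discussed in this thread, as an added example (not part of any post and not OPNsense code): it scans log lines in the format quoted above and lists users whose authentication line lacks the legacy-style "CSO [CN]:" suffix, meaning no override file was reported for that login. The sample lines and user names are constructed; the "client config created" check is a plain substring match, because the thread does not show that line's full format.

```python
import re

# Constructed sample in the log format quoted in the thread (user names are made up).
SAMPLE_LOG = """\
2023-08-28T13:01:28 Notice openvpn_server2 127.0.0.1:1959 PUSH: Received control message: 'PUSH_REQUEST'
2023-08-28T13:01:28 Notice openvpn user 'bob' authenticated using 'Local Database'
2023-08-28T12:58:02 Notice openvpn user 'alice' authenticated using 'Local Database' CSO [CN]:/var/etc/openvpn-csc/1/alice
2023-08-28T12:40:10 Notice openvpn user 'bob' authenticated using 'Local Database'
""".splitlines()

# Authentication line, with the optional CSO suffix seen on the legacy server.
AUTH_RE = re.compile(
    r"user '(?P<user>[^']*)' authenticated using '(?P<backend>[^']*)'"
    r"(?:\s+CSO \[CN\]:(?P<cso>\S+))?\s*$"
)


def parse_auth_events(lines):
    """Return one dict per authentication line; 'cso' is None when no file was logged."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        timestamp = line.split(None, 1)[0]
        events.append({"time": timestamp, "user": m["user"],
                       "backend": m["backend"], "cso": m["cso"]})
    return events


def users_without_cso(lines):
    """Map each user to the timestamps of logins that reported no CSO file."""
    missing = {}
    for event in parse_auth_events(lines):
        if event["cso"] is None:
            missing.setdefault(event["user"], []).append(event["time"])
    return missing


def mentions_client_config_created(lines):
    """True if any line contains the NOTICE text franco says to look for."""
    return any("client config created" in line for line in lines)


if __name__ == "__main__":
    for user, times in sorted(users_without_cso(SAMPLE_LOG).items()):
        print(f"{user}: {len(times)} login(s) without a CSO, latest at {max(times)}")
    print("client config created seen:", mentions_client_config_created(SAMPLE_LOG))
```

A user listed here connected without the legacy log line naming an override file, which matches the symptom reported in the thread: the client receives an address from the instance's pool instead of its static one.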