Hi
After the upgrade to 23.7 I lost the setting for Client Specific Overrides "Custom options". I have until now used that option to set the IP number for each OpenVPN client. How can I do the same in 23.7?
/J
Hi,
Custom options were removed during the MVC/API conversion of CSO as part of our ongoing effort to secure the code.
What was the directive you used? If it makes sense it will be added to the GUI instead.
Cheers,
Franco
Hi,
I was issuing an "ifconfig-push 192.168.yyy.xxx 255.255.255.0" to a specific client. It has been working very well in 23.1.11 and previous versions.
/J
"IPv4 Tunnel Network" setting will do this for you actually. Can you try?
Cheers,
Franco
:) Thanks for the hint, yes that works just fine.
/J
Hi,
I was also using the advanced options in the legacy CSO page. Can you please let me know how to use the following options in the modern CSO page:
iroute xx.xx.xx.0 255.255.255.0
push "client-nat snat yy.yy.yy.0 255.255.255.0 xx.xx.xx.0"
Cheers,
tnode
Hi tnode,
iroute(-ipv6) is set by "Remote Network".
For the push I'm not sure how to integrate but I think we will have to deal with it. A feature ticket would be helpful to properly track this and set the scope as there are multiple push options.
Thanks,
Franco
Thanks Franco,
Keeping the free-form text entry for appending to the config/CSO was a nice catch-all. Is this still possible with the MVC redesign as an interim solution?
Cheers,
tnode
As per our policy we would like to get rid of these fields since they cannot be controlled, and use cases disappear into the shadows where people smart enough to pull it off get it done, but everyone else not so much.
https://github.com/opnsense/core/issues/new?assignees=&labels=&projects=&template=feature_request.md&title=
I'm sure we can figure something out that is solid moving forward.
Cheers,
Franco
Franco, I'm using three custom (advanced) options: 'fragment 1250', 'mssfix 1250' and 'tun-mtu 1500'.
These options are for mobile clients to work better through 3G/4G networks.
Can these options be added in some way?
I've made a ticket for these small updates https://github.com/opnsense/core/issues/6703 but for the "push" thing we need to discuss first with the submitter and interested parties because validation will be a bit difficult.
Cheers,
Franco
Thank you Franco
Hello franco,
We too had to set some custom options for OpenVPN and problems with mobile networks (3G/4G), although in some other places.
At OpenVPN->Server->Advanced Options->Advanced we had to set
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
in order to get rid of our VPN problems in our country's mobile network.
Since these "custom settings" are also deprecated and will go away (or already have gone, since we are not on the latest OPNsense version), can you tell me where to set them in future versions of the OPNsense firewall?
Kind regards.
Robert
Hi Robert,
I'll add this to the mentioned ticket.
Still a bit tied up with 23.7 upgrade handling, but should be available in 23.7.2.
Cheers,
Franco
Quote from: giversen on August 02, 2023, 06:47:04 PM
:) Thanks for the hint, yes that works just fine.
/J
Hello!
If I put the IP 192.168.56.12/32 in the "tunnel network IPv4" field, will it work? Will the VPN client be assigned the static address 192.168.56.12 and work fine?
Yes, but you need to put the correct subnet size.
Cheers,
Franco
Hello,
I had the following directives under OpenVPN - Clients - Advanced:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
and under OpenVPN - Servers - Advanced:
allow-compression no
How can I get these directives back after the update, now that the custom options are missing?
@teo88
Please use the old GUI for backwards compatibility.
@muchacha_grande
https://github.com/opnsense/core/commit/605042ada8
https://github.com/opnsense/core/commit/0a4eacfb6ab
# opnsense-patch 605042ada8 0a4eacfb6ab
(mssfix latches on to fragment if set as per OpenVPN documentation)
@broesel68
After going through the documentation, bug reports and performance guides I think the server side should not matter on modern FreeBSD. So you might look at push requirements only. Can you try to verify? The goal is to remove obsolete/defunct things and sndbuf/rcvbuf looks a bit like it (at least from the OPNsense side).
Cheers,
Franco
Thanks, Franco
What is the command to revert back to the 23.1.11 GUI?
opnsense-revert -r
Reverting is not possible between major versions.
Cheers,
Franco
Thanks, I understood it as reverting back, as you mentioned "use old GUI for backwards compatibility".
How do I do that?
Reinstall with config import.
Cheers,
Franco
@franco, I tried patch 0a4eacfb6ab, but when I use the command opnsense-patch 0a4eacfb6ab it shows:
root@router:~ # opnsense-patch 0a4eacfb6ab
Fetched 0a4eacfb6ab via https://github.com/opnsense/core
1 out of 3 hunks failed while patching opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
It appears not to have been applied.
Also can't find the intended options on the gui.
Cheers
Sorry, another fix was preventing it from applying. Try these two:
# opnsense-patch 605042ada8 0a4eacfb6ab
Added options are at the bottom under "Advanced".
Cheers,
Franco
Quote from: franco on August 15, 2023, 02:31:34 PM
Reinstall with config import.
Cheers,
Franco
Is there no possibility to install a patch to get the fields back, without complete reinstall?
No, the whole component was replaced to provide API capabilities.
We are discussing file-based overrides that fit our advanced configuration policy at the moment. But that tends to be messy since common name and server combinations can cause quite a number of files to be added (users alone could be many and it's quite dynamic compared to just changing configuration options on an instance).
Cheers,
Franco
Quote from: franco on August 10, 2023, 02:45:12 PM
Yes, but you need to put the correct subnet size.
Cheers,
Franco
Assuming you meant to modify the "IPv4 Tunnel Network" setting in the client options, I have changed it to 192.168.x.x but it has no effect even after restarting the instance. I got connected, though, but with a different IP address.
Hmm, I'm not aware that it doesn't work all the time so I'm unable to help directly in this particular case.
Cheers,
Franco
Has anyone found a solution to get pre-defined fixed IP addresses?
Quote from: franco on August 10, 2023, 02:45:12 PM
Yes, but you need to put the correct subnet size.
Cheers,
Franco
If on version 23.1.11 we used the line
ifconfig-push 192.168.yyy.xxx 255.255.255.0
Now in the IPv4 Tunnel Network field, you need to set the value
192.168.yyyy.xxx/24 ?
Did I understand correctly?
See my findings at https://forum.opnsense.org/index.php?topic=35447.0
Quote from: PIv0 on August 21, 2023, 04:41:06 PM
Quote from: franco on August 10, 2023, 02:45:12 PM
Yes, but you need to put the correct subnet size.
Cheers,
Franco
If on version 23.1.11 we used the line
ifconfig-push 192.168.yyy.xxx 255.255.255.0
Now in the IPv4 Tunnel Network field, you need to set the value
192.168.yyyy.xxx/24 ?
Did I understand correctly?
I did various tries with IPv4 Tunnel Network settings, but none of them were satisfactory:
- VPN server subnet is set to 10.0.8.0/24
- Client Specific override Tunnel IPv4 set to 10.0.8.10/32 -> resulting client IP is 10.0.8.12
- Client Specific override Tunnel IPv4 set to 10.0.8.10/24 -> resulting client IP is 10.0.8.2
Don't know what I am doing wrong.
This is exactly what I have experienced and it was solved after checking "Topology" of the Server configuration. See my post https://forum.opnsense.org/index.php?topic=35447.0
Quote from: gdur on August 23, 2023, 09:22:50 AM
This is exactly what I have experienced and it was solved after checking "Topology" of the Server configuration. See my post https://forum.opnsense.org/index.php?topic=35447.0
Thanks, that did it!!
You're welcome...
Hi All,
I'm Mario and this is my first post on this forum. Pleased to meet You.
I've upgraded OPNsense to version 23.7.6 and tried to reconfigure static IP assignment for my OpenVPN clients, but this does not work.
My OpenVPN server creates the following subnet: 192.168.20.0/24. I want a certain user to log in and always get IP 192.168.20.8, so I configured in the CSO "IPv4 Tunnel network" to "192.168.20.8/32". It does not work. :-[
It seems that CSOs are completely ignored when a client with a specific username is logging in. Confirmed also by trying to check the option "Connection blocking"; the user can still log in normally.
It seems that common name and username never match. I also checked "Force CSO Login Matching" but it does not work.
Where am I wrong?
Thanks in advance.
Mario.
You have likely missed my previous post in this thread. Follow my solution at https://forum.opnsense.org/index.php?topic=35447.0
Quote from: gdur on October 20, 2023, 06:49:48 PM
You have likely missed my previous post in this thread. Follow my solution at https://forum.opnsense.org/index.php?topic=35447.0
If you mean "Topology" check in server configuration, it's been always checked and never being disabled.
In my case "Topology" was disabled after the update, but I only discovered that after redefining the CSOs, which had disappeared as well.
I noticed that although the CSOs were gone in the GUI, they luckily still existed in the config.xml file. I used that to reconstruct the CSOs, but it still didn't work until I found out that "Topology" in the server setting was disabled as well. So after enabling the "Topology" setting it worked as before. What I didn't try out anymore is what would have happened if I had checked the "Topology" setting prior to redefining the CSOs, but it wouldn't surprise me if that would have been the case, because I don't understand otherwise why these entries were still present in the config.xml.
In your case, in the example you gave, the IP address in the CSO should be defined as 192.168.20.8/24, as the network is defined as 192.168.20.0/24.
So if in your case "Topology" in the server setting has been enabled and your CSOs are correctly defined, it should work.
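An added check for the two pitfalls discussed in this thread, the CSO prefix length not matching the server tunnel network and server "Topology" being disabled. This is example code, not OPNsense's own: it assumes a CSO "IPv4 Tunnel Network" of A.B.C.D/N expands to the legacy custom option "ifconfig-push A.B.C.D <netmask of /N>" quoted earlier, and that the server itself keeps the first host address as OpenVPN's server directive does.

```python
from __future__ import annotations

import ipaddress

# Assumption (not OPNsense code): in subnet topology a CSO "IPv4 Tunnel Network"
# A.B.C.D/N maps to the legacy custom option "ifconfig-push A.B.C.D <netmask>".


def check_cso_tunnel(server_tunnel: str, cso_tunnel: str,
                     topology_subnet: bool = True) -> tuple[str | None, list[str]]:
    """Validate a CSO 'IPv4 Tunnel Network' entry against the server's network.

    Returns (ifconfig_push_line or None, list of problems). No problems means
    the client should receive the fixed address the operator expects.
    """
    problems: list[str] = []
    server = ipaddress.ip_network(server_tunnel, strict=True)   # e.g. 10.0.8.0/24
    cso = ipaddress.ip_interface(cso_tunnel)                    # host + prefix, e.g. 10.0.8.10/24

    if not topology_subnet:
        problems.append('server "Topology" (subnet) is disabled; per-client tunnel networks are ignored')
    if cso.network.prefixlen != server.prefixlen:
        # The /32 trap from the thread: 10.0.8.10/32 handed out 10.0.8.12 instead.
        problems.append(f"prefix /{cso.network.prefixlen} does not match server /{server.prefixlen}; "
                        f"expected {cso.ip}/{server.prefixlen}")
    if cso.ip not in server:
        problems.append(f"{cso.ip} is outside the server tunnel network {server}")
    elif cso.ip in (server.network_address, server.broadcast_address):
        problems.append(f"{cso.ip} is the network or broadcast address of {server}")
    elif cso.ip == server.network_address + 1:
        # OpenVPN's "server" directive assigns the first host address to the server.
        problems.append(f"{cso.ip} is the first host of {server}, which the server uses itself")

    if problems:
        return None, problems
    return f"ifconfig-push {cso.ip} {server.netmask}", problems


if __name__ == "__main__":
    # Constructed cases taken from the values posted in this thread.
    for srv, cso, topo in [("10.0.8.0/24", "10.0.8.10/32", True),
                           ("10.0.8.0/24", "10.0.8.10/24", True),
                           ("192.168.20.0/24", "192.168.20.8/24", False),
                           ("192.168.20.0/24", "192.168.20.8/24", True)]:
        line, issues = check_cso_tunnel(srv, cso, topo)
        print(f"{srv} / {cso} / topology={topo}: {line or issues}")
```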
So sad, not resolved.
Tried checking and unchecking "Topology", "Dynamic IP" and "Force CSO Login Matching" in several tests using 2 clients, 1 Windows and 1 Android.
In all cases the IP addresses assigned to the clients are always the first available (192.168.20.2, 192.168.20.3 ...), even though I use the common name in the CSO configuration.
Do I need to modify any configuration file? XML or so on? Is there a patch that could be installed?
Version is 23.7.6.
Thanks in advance.
Mario.
How did you define IPv4 Tunnel Network?
You wrote
Quote: "despite I use common name in CSO configuration"
but Common name has nothing to do with your problem.
You may send me your config off-line to better understand what may be wrong...
Hi.
I try to explain more deeply.
VPN Server "IPv4 Tunnel Network" is set to "192.168.20.0/24"
"Topology" flag is checked.
"Force CSO Login Matching" flag is checked.
No other options specified.
User I want to login has following CSO configuration:
"Common Name" is identical to username
"IPV4 Tunnel Network" is set to "192.168.20.5/24"
No other options specified.
When the user connects to the VPN server, it always gets the 192.168.20.2 IP address, not 192.168.20.5.
In a previous version of OPNsense (don't remember which one) I was obliged to set "Force CSO Login Matching" because otherwise the user's CSO was ignored, as there was no matching between username and common name.
If "Common Name" is identical to the username then there should be no need to enable "Force CSO Login Matching".
At least I have not enabled it in my working config as my Username is the same as common name
I have no experience with using a different username than the common name.
Does your client log in using the common name or its username?
Hello. Can I ask you to add a "push route..." block to the CSO? We provide the default gateway through the VPN, but on some clients, certain subnets need to be routed through their gateway. And of course, I hope that it will be possible to add any possible parameters to the CSO for those who are confident in what they are doing.
Hello
In the older version I was using this custom option:
push "inactive 900 750000"
It was used to force disconnect when client was inactive for some time. I've had different settings, depending on the client (different amounts of bytes defined depending on client activity type).
How can I realize that in the current version?
Greetings, Jakub
Hi everybody,
in the old "Servers" menu, we use the "Advanced" section a lot:
learn-address "/usr/local/sbin/openvpn.learn-address-nsupdate.sh";
push "dhcp-option DOMAIN lan.domain.com";
push "dhcp-option DOMAIN-SEARCH lan.domain.com";
push "dhcp-option DOMAIN-ROUTE lan.domain.com";
push "dhcp-option DOMAIN-ROUTE .";
push "dhcp-option DOMAIN ~.";
Especially the custom "learn-address" script and "dhcp-option DOMAIN ~." are essential for us. Is this old "Servers" going to stay, or how can we achieve those custom options with the new logic behind "Instances [new]"?
Quote from: mdesortis on October 20, 2023, 04:38:43 PM
Hi All,
I'm Mario and this is my first post on this forum. Pleased to meet You.
I've upgraded OPNsense to version 23.7.6 and tried to reconfigure static IP assignment for my OpenVPN clients, but this does not work.
My OpenVPN server creates the following subnet: 192.168.20.0/24. I want a certain user to log in and always get IP 192.168.20.8, so I configured in the CSO "IPv4 Tunnel network" to "192.168.20.8/32". It does not work. :-[
It seems that CSOs are completely ignored when a client with a specific username is logging in. Confirmed also by trying to check the option "Connection blocking"; the user can still log in normally.
It seems that common name and username never match. I also checked "Force CSO Login Matching" but it does not work.
Hi,
I have the same name (Mario!) and the same problem.
I am on OPNsense 23.7.12 bought from Azure (so it seems OPNsense earns a commission) and, after an update from the previous version, I have lost the custom options in the CSO. Now I have enabled Topology, but "IPv4 Tunnel Network" is ignored, so I cannot set IPs for clients.
I have several openvpn servers active, can it be the problem?
Hi all,
If anyone is still watching this thread we have a similar issue as we used the "plugin" option here to integrate Duo Security.
Hoping this could get added in as an option in lieu of an actual custom field.
We had something in the attached png.