OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: gdur on July 18, 2024, 09:14:32 PM

Title: [SOLVED] Cannot get OpenVPN fixed client IP addresses to work
Post by: gdur on July 18, 2024, 09:14:32 PM
Last year I ran into a similar problem https://forum.opnsense.org/index.php?topic=35447.msg172767 but that was solved somehow. During the OPNsense upgrades hereafter, OpenVPN wouldn't upgrade anymore and got stuck at version 2.6.10. I did not bother too much as clients were still able to log into OpenVPN.
Now I'm setting up a new server and using the new Instance option for OpenVPN. Everything was rapidly up and running, but I could not get assigning a fixed client IP address to work, no matter what option I tried after a whole afternoon of Googling for a solution. None of the suggestions found solved the problem.

At last I decided to copy the settings of a working Legacy Server and Client from my "old" working FW, but with that I stumbled into other problems. With the exact copy of the Legacy settings from my old FW I get a "TLS Error: TLS handshake failed" every time, and the only difference is the newer OpenVPN version 2.6.11.

Does anyone know a proper guide on how to set up an Instance with fixed client addresses?
Title: Re: Cannot get OpenVPN fixed client IP addresses to work
Post by: tiermutter on July 18, 2024, 09:37:09 PM
Would be good to see what is already set up ;)

Having a working ovpn instance, there should be nothing more to do than adding a CSO with two simple settings:
Common name = Client / User name
IPv4 (and/or v6) Tunnel Network = IP to be assigned
Title: Re: Cannot get OpenVPN fixed client IP addresses to work
Post by: gdur on July 18, 2024, 11:01:15 PM
CSO has been set up correctly but won't assign the given IP address.
Network is: 192.168.80.0/24
CSO IPv4 Tunnel Network is 192.168.80.5/24
IP address given is 192.168.80.2
Works on my "old" FW.
Title: [SOLVED] Re: Cannot get OpenVPN fixed client IP addresses to work
Post by: gdur on July 19, 2024, 10:13:51 AM
[SOLVED] because I've got it to work but [NOT SOLVED] because I don't understand why.
After a hair-pulling night I decided to assign another user and that worked right away (???).
So next I added all the users who should have VPN access and all worked fine with the properly assigned IP address.
After a deep thought I remembered that the only difference I could think of was that with the first account I struggled with, I had generated the client Certificate in System->Trust->Certificates and NOT using the System->Access->Users page option used for the other clients. Not that I believe it matters, but for completeness I should say that all users are imported from an LDAP server.
So I unlinked the Cert of my first troublesome user in the System->Access->Users page and created a new client Cert from the same page. Exported the config and voila, it worked as it should.
Now I'd like to understand why a Cert generated in System->Trust->Certificates caused this problem. This may be something for the developers to sort out.
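As an added example (not code from this thread or from OPNsense), a small Python check tying together the two CSO fields tiermutter lists and the resolution in the last post: it renders a CSO entry as the ifconfig-push line OpenVPN applies for topology subnet, and audits an OpenVPN status log to flag clients whose CSO did not take effect, which is exactly what a certificate whose CN does not match the CSO common name looks like. The tunnel network and CSO address come from the thread; the status lines, client names and the rendering assumed for OPNsense are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Assumed values taken from the thread: the instance tunnel network and the
# one CSO entry (common name -> the CSO "IPv4 Tunnel Network" field).
TUNNEL_NET = ipaddress.ip_network("192.168.80.0/24")
CSO = {"gdur": "192.168.80.5/24"}

# Constructed status log (OpenVPN status-version 2) for two connected clients.
# In CLIENT_LIST rows the fields are: common name, real address, virtual
# address, virtual IPv6 address, then counters and timestamps.
SAMPLE_STATUS = """TITLE,OpenVPN 2.6.11 (constructed sample)
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address
CLIENT_LIST,gdur,203.0.113.10:51234,192.168.80.2,,1200,3400,2024-07-18 21:00:00
CLIENT_LIST,alice,203.0.113.11:41000,192.168.80.6,,100,200,2024-07-18 21:05:00
END"""

def cso_to_ifconfig_push(cidr: str, tunnel_net: ipaddress.IPv4Network) -> str:
    """Render a CSO tunnel-network value as the ifconfig-push line OpenVPN
    expects with topology subnet, rejecting addresses outside the instance
    network, which the server could never hand out."""
    iface = ipaddress.ip_interface(cidr)
    if iface.ip not in tunnel_net:
        raise ValueError(f"{iface.ip} is not inside {tunnel_net}")
    if iface.ip in (tunnel_net.network_address, tunnel_net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address")
    return f"ifconfig-push {iface.ip} {tunnel_net.netmask}"

def audit_assignments(status_text: str, cso: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str, str]]:
    """Compare the virtual address each client actually received with the one
    its CSO should have pushed. Returns cn -> (expected, actual, verdict):
    ok = CSO applied; pool = no CSO for that common name; mismatch = a CSO
    exists but a pool address was handed out, so check first that the
    certificate CN really equals the CSO common name (this thread's cause)."""
    result = {}
    for line in status_text.splitlines():
        fields = line.split(",")
        if fields[0] != "CLIENT_LIST" or len(fields) < 4:
            continue
        cn, actual = fields[1], fields[3]
        expected = str(ipaddress.ip_interface(cso[cn]).ip) if cn in cso else None
        verdict = "pool" if expected is None else ("ok" if expected == actual else "mismatch")
        result[cn] = (expected, actual, verdict)
    return result

if __name__ == "__main__":
    print(cso_to_ifconfig_push(CSO["gdur"], TUNNEL_NET))
    for cn, row in audit_assignments(SAMPLE_STATUS, CSO).items():
        print(cn, row)
```

On a live box, feed it the instance's status file instead of SAMPLE_STATUS; a "mismatch" row for a user who has a CSO is the symptom gdur saw (192.168.80.2 from the pool instead of 192.168.80.5).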