OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Oxygen61 on October 24, 2018, 06:07:40 pm

Title: OpenVPN - CSO Admin/User-Tunnel-Subnetting
Post by: Oxygen61 on October 24, 2018, 06:07:40 pm
Hey guys,

I need a little help to understand how exactly OPNsense handles its tunnel subnets for an OpenVPN server when combined with Client-Specific-Override settings to create admin and user subnets for different use cases.

I have a fully working road-warrior OpenVPN server with multi-factor auth for my admin users. They can log in without problems. As soon as I instead want a user to log in to the same OpenVPN server, they get a subnet which should work (in theory), but it just isn't able to find the gateway, it seems.

OpenVPN-Server Configuration:
- 3 users: A-RoadWarrior [User] ; B-Roadwarrior [User] ; C-Roadwarrior [Admin]
- 1 OpenVPN server on top of OPNsense with the following IPv4 Tunnel Network: 172.31.250.248/29
(3 IPs are used for the net address, broadcast and OpenVPN server gateway --> 5 usable admin IPs)
- Redirect Gateway: [X]
- Address Pool: [X]
- Topology: [X]

OpenVPN-CSO Configuration:
- A-RoadWarrior IPv4 Tunnel Network: 172.31.250.240/29
- B-RoadWarrior IPv4 Tunnel Network: 172.31.250.240/29
- C-RoadWarrior IPv4 Tunnel Network: 172.31.250.248/29
- Redirect Gateway [X] for all three users

--> User clients and admin clients are able to connect to the VPN server on my OPNsense and get the IP/subnet assigned that is shown in my CSO configuration. The admins can freely browse and administrate, and the users can't even access IP addresses via web. (The firewall rules are correct though; outbound NAT is working as well.)
When a user client gets assigned the 172.31.250.248/29 subnet instead, they can browse and work as expected.


My thoughts:
- I guess the problem here is that the server doesn't know about the 172.31.250.240/29 network,
since its only configured tunnel network is 172.31.250.248/29 for the admins.

- I could probably create a second OpenVPN server to split both user groups, BUT I need the server to only listen on TCP/443 to ensure that, no matter what, the user or admin clients are always able to get out of the remote network. Both VPN servers probably won't be able to listen on the same TCP port, so that won't work, I assume.

- The CSO passes the IP configured in the tunnel network no matter what, which is odd. So in my case both user A and B will get the IP 172.31.250.240/29, which is the net address. They will also steal each other's IPs. The fun part is that I am able to give my admin client C the IP 172.31.250.248/29, which again is the net address, but this time it will work, even though the user should not know how to reach the gateway address with such an IP.

Any idea how to utilize subnets correctly in this scenario? I am probably overlooking something obvious here. :( Thanks for any help! Much appreciated!
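The three symptoms described in this post (a pushed address outside the server's tunnel network, a pushed address that is the network address of its prefix, and two clients being pushed the same address) can all be caught before a client ever connects. The script below is an added example, not code from OPNsense or from the original poster: it takes the server tunnel network and the per-client override addresses from the post (constructed here as Python literals), reports which override breaks which rule, and proposes one distinct usable address per client from inside the server's tunnel network. It assumes, as the post's "3 IPs are used" remark does, that in subnet topology the server side takes the first usable host of the tunnel network; how OPNsense's own CSO field interprets the proposed values is not asserted here.

```python
import ipaddress
from collections import Counter

# Constructed from the forum post: the server's tunnel network and the three
# client-specific overrides as described there. Not an OPNsense export.
SERVER_TUNNEL = "172.31.250.248/29"
CSO_ENTRIES = {
    "A-RoadWarrior": "172.31.250.240/29",
    "B-RoadWarrior": "172.31.250.240/29",
    "C-RoadWarrior": "172.31.250.248/29",
}

# Human-readable meaning of each issue code reported by check_cso()
EXPLANATION = {
    "outside_tunnel": "address is not inside the server's tunnel network, so the "
                      "client has no on-link route to the server gateway",
    "network_address": "address is the network address of its prefix, not a usable host",
    "broadcast_address": "address is the broadcast address of its prefix, not a usable host",
    "gateway_address": "address collides with the server-side gateway address",
    "duplicate": "the same address is pushed to more than one client, so they steal it "
                 "from each other",
}


def tunnel_network(cidr):
    # strict=False also accepts a host-style value such as 172.31.250.250/29
    return ipaddress.ip_network(cidr, strict=False)


def server_gateway(cidr):
    """Assumption: in subnet topology the server takes the first usable host."""
    return next(tunnel_network(cidr).hosts())


def usable_client_addresses(cidr):
    """Hosts left for clients once network, broadcast and gateway are reserved."""
    gw = server_gateway(cidr)
    return [h for h in tunnel_network(cidr).hosts() if h != gw]


def check_cso(server_cidr, cso_entries):
    """Return {client_name: [issue codes]} for every pushed override address."""
    net = tunnel_network(server_cidr)
    gw = server_gateway(server_cidr)
    pushed = {name: ipaddress.ip_interface(v) for name, v in cso_entries.items()}
    counts = Counter(iface.ip for iface in pushed.values())
    report = {}
    for name, iface in pushed.items():
        issues = []
        if iface.ip not in net:
            issues.append("outside_tunnel")
        # Check the pushed value against the prefix the admin typed: .240/29 and
        # .248/29 are both network addresses of their own /29.
        if iface.ip == iface.network.network_address:
            issues.append("network_address")
        elif iface.ip == iface.network.broadcast_address:
            issues.append("broadcast_address")
        elif iface.ip == gw:
            issues.append("gateway_address")
        if counts[iface.ip] > 1:
            issues.append("duplicate")
        report[name] = issues
    return report


def propose_assignment(server_cidr, client_names):
    """Hand out one distinct usable host per client, inside the server tunnel net."""
    free = usable_client_addresses(server_cidr)
    names = list(client_names)
    if len(names) > len(free):
        raise ValueError(f"{len(names)} clients but only {len(free)} usable addresses in {server_cidr}")
    prefix = tunnel_network(server_cidr).prefixlen
    return {name: f"{addr}/{prefix}" for name, addr in zip(names, free)}


if __name__ == "__main__":
    for name, issues in check_cso(SERVER_TUNNEL, CSO_ENTRIES).items():
        print(f"{name}: {CSO_ENTRIES[name]}")
        for code in issues:
            print("  -", EXPLANATION[code])
    print("proposed:", propose_assignment(SERVER_TUNNEL, CSO_ENTRIES))
```

Run as-is it flags A and B as outside the tunnel network, on a network address and duplicated, flags C as sitting on a network address, and proposes .250, .251 and .252 inside 172.31.250.248/29 as the five-host pool the post already counts out.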