OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: mgiammarco on May 10, 2016, 06:39:19 pm

Title: [SOLVED] Are CSO working?
Post by: mgiammarco on May 10, 2016, 06:39:19 pm
Hello,
I am using opnsense 16.1.13.
I have a complex openvpn configuration site to site with many Client specific Overrides (CSO).
I had version 16.1.5.
Today I see that routes do not work anymore (from openvpn client A I cannot reach B) and so I upgraded to 16.1.13.
Nothing has changed. Looking at the configuration, it seems that I can modify any parameter in a CSO and nothing changes.
Can you confirm that CSO are working?
How can I debug them?
Thanks,
Mario
Title: Re: Are CSO working?
Post by: AdSchellevis on May 10, 2016, 09:01:15 pm
Hi Mario,

Client specific overrides should work without any issues, so let's try to find out where yours comes from.

If I understand your post correctly it did work for some time in 16.1.5 and then it didn't, so your issue was already there before you switched to 16.1.13.

The first step we could take is to inspect the location of the override files and the created server configuration. Can you run this in a console:

Code:
find /var/etc/openvpn-csc/
grep "client-config-dir" /var/etc/openvpn/server*.conf

The first command shows a listing of the created overrides, the second the location where the openvpn server will search for them.

You can use packet capture (interfaces -> diagnostics -> packet capture) to see if there is traffic actually going through your firewall (use ping to a host that should be reachable and capture for that ip on the openvpn server interface).

A good idea is also to check the log of your client; most of them collect information about what was going to be set up, including possible errors.

Best regards,

Ad
Title: Re: Are CSO working?
Post by: mgiammarco on May 11, 2016, 09:10:08 am
Thank you for your prompt reply.
I would add that I have already done some debugging.
I see with traceroute that from opnsense I can reach each client network.
And from each client I can reach the opnsense LAN.
From each client I cannot reach the other clients; traceroute gets lost in opnsense.
I forgot to say that I see a strange thing in opnsense; I will try to explain with an example.
I have openvpn configured like this:

opnsense 172.22.23.1
client1     172.22.23.2
client2     172.22.23.3
client3     172.22.23.4
and so on

But when I see the routes in opnsense I see that all openvpn routes are using 172.22.23.2 as gateway and routes I put in CSO are ignored.
Title: Re: Are CSO working?
Post by: AdSchellevis on May 11, 2016, 09:46:07 am
Can you tell a bit more about your setup (what tunnel networks should they be using for example) and check the configuration like I asked in my previous post?

Also please try to ping and capture some data for the connection you think should work, to see if your data actually hits the firewall.
Your example seems to be using the same network for all clients, which is not what I expected (to route traffic it should be on a different net), but maybe you configured something else in your csc.


Title: Re: Are CSO working?
Post by: mgiammarco on May 11, 2016, 12:04:00 pm
This is my complete openvpn.conf file:

Quote
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xx.xx.xx.xx
tls-server
server 172.22.23.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
ifconfig 172.22.23.1 172.22.23.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'oclab-cloud' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
push "route 10.3.0.0 255.255.255.0"
push "route 10.3.2.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"
push "route 10.4.0.0 255.255.255.0"
push "route 10.3.3.0 255.255.255.0"
push "route 10.3.4.0 255.255.255.0"
push "route 10.3.5.0 255.255.255.0"
push "route 10.3.6.0 255.255.255.0"
push "route 10.4.1.0 255.255.255.0"
push "route 10.4.2.0 255.255.255.0"
push "route 10.4.3.0 255.255.255.0"
push "route 10.4.4.0 255.255.255.0"
push "route 10.4.5.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 10.2.2.0 255.255.255.0"
push "route 10.2.5.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.1024
passtos
persist-remote-ip
float
topology subnet


As you can see in the ifconfig line, openvpn uses 172.22.23.1 and 172.22.23.2, but one of the clients gets the 172.22.23.2 IP, and that seems strange to me.
The csc file is in the right location (I had a problem with that in the past; look at my previous thread).
Please note that this is not my original configuration because I am doing some experimentation (I have removed the remote addresses part using the GUI).
Title: Re: Are CSO working?
Post by: mgiammarco on May 11, 2016, 05:07:54 pm
I have deleted and recreated from scratch openvpn configuration.
The result is the same.
I begin to suspect that the iroute command does not get executed.

I have done packet tracing.
If I ping from 172.22.23.6 to 10.1.0.2 (its VPN address is 172.22.23.18) I get:

16:52:37.423267 IP 172.22.23.6 > 10.1.0.2: ICMP echo request, id 19084, seq 318, length 64

I get no echo reply. It seems the packets get lost in opnsense. I have checked that the firewall is open (and it was open before).
Title: Re: Are CSO working?
Post by: mgiammarco on May 11, 2016, 05:20:05 pm
Here is an extract of my route table:

Quote
ipv4   default   89.186.73.17   UGS   668891   1500   em0   WAN   
ipv4   10.0.0.0/24   172.22.23.2   UGS   0   1500   ovpns1       
ipv4   10.1.0.0/24   172.22.23.2   UGS   64   1500   ovpns1       
ipv4   10.3.0.0/24   link#2   U   459446   1500   em1   lan   
ipv4   10.3.0.254   link#2   UHS   0   16384   lo0       
ipv4   10.3.2.0/24   172.22.23.2   UGS   0   1500   ovpns1       
ipv4   10.3.3.0/24   172.22.23.2   UGS   0   1500   ovpns1       
ipv4   10.8.0.0/24   89.186.73.17   US   1128   1500   em0   WA

openvpn.conf:

Quote
dev ovpns1
verb 5
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xx.xx.xx.xx
tls-server
server 172.22.23.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
ifconfig 172.22.23.1 172.22.23.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'oclab-cloud' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
push "route 10.0.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"
push "route 10.2.2.0 255.255.255.0"
push "route 10.2.5.0 255.255.255.0"
push "route 10.3.0.0 255.255.255.0"
push "route 10.3.2.0 255.255.255.0"
push "route 10.3.3.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
route 10.0.0.0 255.255.255.0
route 10.1.0.0 255.255.255.0
route 10.3.2.0 255.255.255.0
route 10.3.3.0 255.255.255.0
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.1024
persist-remote-ip
float


And cso:

Quote
sedegiammar:
iroute 10.0.0.0 255.255.255.0
iroute 10.1.0.0 255.255.255.0
sedeoclab:
iroute 10.3.2.0 255.255.255.0
iroute 10.3.3.0 255.255.255.0


Title: Re: Are CSO working?
Post by: AdSchellevis on May 11, 2016, 06:27:48 pm
Hi Mario,

What do the networks on your clients look like? (ifconfig on the connected clients)
I'm using an openvpn server in remote access mode, including overrides, without any problems; at first glance it looks like your override doesn't contain a tunnel definition to use.

Mine looks a bit like this:

(cat /var/etc/openvpn-csc/1/XXXX)

Code:
ifconfig-push 10.20.2.2 10.20.2.1
push "dhcp-option DNS 192.168.1.2"

When I connect my client (Viscosity), the log states something like this:

Code:
May 11 17:59:41: /sbin/ifconfig tun0 10.20.2.2 10.20.2.1 mtu 1500 netmask 255.255.255.255 up
May 11 17:59:41: Initialization Sequence Completed

And my client override has this in "Tunnel Network":
Code:
10.20.2.0/30
What server mode are you using?

Best regards,

Ad
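The reply above boils down to two checks: the console commands from the earlier reply (where the server looks for overrides, and which override files exist) and, for each override, whether it carries a tunnel definition and whether its routes line up with the server config. The script below is an added example that automates both; it is not part of the thread and not OPNsense code. It assumes Python 3 and uses the paths posted in the thread (/var/etc/openvpn-csc/1, /var/etc/openvpn/server1.conf). The server config and the two override files embedded in it are constructed samples trimmed from the configs Mario posted, with one override deliberately given an ifconfig-push line and one server route deliberately left out so that both findings show up. Beyond the thread, the check also reports the same subnet claimed by two overrides, because OpenVPN can only route a subnet to one client.

```python
"""Consistency check for an OpenVPN server config and its client-config-dir
(CSO / CSC) files. Added example for this thread; not OPNsense's own code.

It reproduces the two console commands from the thread (locate the CSC
directory, list the override files) and then checks each override for:
  - an 'ifconfig-push' line (the tunnel definition the reply above looks for);
  - every 'iroute' having a matching 'route' in the server config, which the
    OpenVPN manual requires for a client subnet to be routed by the kernel;
  - the same subnet not being claimed by more than one override.
"""
import ipaddress
import os
import shlex
import tempfile
from typing import Dict, List

# Constructed sample: trimmed from the server config posted in the thread.
# 'route 10.3.3.0' is left out on purpose so the check has something to find.
SAMPLE_SERVER_CONF = """\
dev ovpns1
dev-type tun
proto tcp-server
tls-server
server 172.22.23.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
ifconfig 172.22.23.1 172.22.23.2
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.0 255.255.255.0
route 10.1.0.0 255.255.255.0
route 10.3.2.0 255.255.255.0
"""

# Constructed sample overrides: the two CSOs from the thread, with an
# ifconfig-push line (assumed value) added to the second one.
SAMPLE_CSOS = {
    "sedegiammar": "iroute 10.0.0.0 255.255.255.0\n"
                   "iroute 10.1.0.0 255.255.255.0\n",
    "sedeoclab": "ifconfig-push 172.22.23.18 255.255.255.0\n"
                 "iroute 10.3.2.0 255.255.255.0\n"
                 "iroute 10.3.3.0 255.255.255.0\n",
}


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Split an OpenVPN config into {directive: [args, ...]}.

    shlex keeps quoted arguments together (push "route ..." stays one
    argument) and drops '#' comments, matching OpenVPN's own parsing.
    """
    result: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            result.setdefault(parts[0], []).append(parts[1:])
    return result


def to_network(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """'10.0.0.0 255.255.255.0' -> 10.0.0.0/24 (iroute without a mask is a host)."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def csc_dir_from_conf(server_conf: str) -> str:
    """Equivalent of: grep "client-config-dir" /var/etc/openvpn/server*.conf"""
    found = parse_directives(server_conf).get("client-config-dir")
    if not found:
        raise ValueError("server config has no client-config-dir directive")
    return found[0][0]


def list_overrides(csc_dir: str) -> Dict[str, str]:
    """Equivalent of: find /var/etc/openvpn-csc/  (returns {common name: text})."""
    overrides = {}
    for name in sorted(os.listdir(csc_dir)):
        path = os.path.join(csc_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                overrides[name] = fh.read()
    return overrides


def check_overrides(server_conf: str, overrides: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per problem; empty list means consistent."""
    server = parse_directives(server_conf)
    kernel_routes = {to_network(*args[:2]) for args in server.get("route", [])}
    findings: List[str] = []
    claimed: Dict[ipaddress.IPv4Network, str] = {}
    for cn, text in overrides.items():
        cso = parse_directives(text)
        if "ifconfig-push" not in cso:
            findings.append(f"{cn}: no ifconfig-push (no tunnel network in the override)")
        for args in cso.get("iroute", []):
            net = to_network(*args[:2])
            if net not in kernel_routes:
                findings.append(f"{cn}: iroute {net} has no matching 'route' in server config")
            if net in claimed:
                findings.append(f"{cn}: iroute {net} is also claimed by {claimed[net]}")
            claimed.setdefault(net, cn)
    return findings


def run_sample() -> List[str]:
    """Write the constructed samples to a temp dir and run the check on them."""
    with tempfile.TemporaryDirectory() as tmp:
        csc = os.path.join(tmp, "1")
        os.mkdir(csc)
        for cn, text in SAMPLE_CSOS.items():
            with open(os.path.join(csc, cn), "w") as fh:
                fh.write(text)
        conf = SAMPLE_SERVER_CONF.replace("/var/etc/openvpn-csc/1", csc)
        return check_overrides(conf, list_overrides(csc_dir_from_conf(conf)))


if __name__ == "__main__":
    # On a firewall, read /var/etc/openvpn/server1.conf instead of the sample.
    for line in run_sample() or ["no findings"]:
        print(line)
```

On a real box, replace the sample with the contents of the server conf and let csc_dir_from_conf point at the live client-config-dir; the two findings the sample produces (an override without ifconfig-push, and an iroute with no matching route) are exactly the two things to compare against the client's log and the route table before suspecting OPNsense itself.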
Title: Re: Are CSO working?
Post by: mgiammarco on May 12, 2016, 11:05:02 am
Quote
Hi Mario,

What do the networks on your clients look like? (ifconfig on the connected clients)
I'm using openvpn server with Remote access including overrides without any problems,

What server mode are you using?


I am using peer to peer, and in the clients (which are not clients but peers anyway) I can see that all the needed routes are there.
If I ping from client A to client B I can see that client A sends traffic to opnsense via openvpn (so route is correct) but the ping does not reach client B. It is lost in opnsense.
Title: Re: Are CSO working?
Post by: AdSchellevis on May 12, 2016, 11:11:45 am
Have you checked your tunnel networks in the overrides? and the actual tunnel ip both clients received?
Title: Re: Are CSO working?
Post by: mgiammarco on May 12, 2016, 11:25:05 am
Thank you for help.
Now the VPN has started working correctly again.
I have done nothing. This worries me, because it stopped working and started working again without any intervention from me.
I thank you for the support; I will now look for a reason, internal or external to opnsense, that caused this problem.
Title: Re: Are CSO working?
Post by: franco on May 17, 2016, 10:44:33 am
Please check with your network; it's very likely this had nothing to do with OPNsense in the first place, since it stopped working with a good version and was later confirmed working with the latest version as well.