[SOLVED] Cannot get OpenVPN fixed client IP addresses to work

Started by gdur, July 18, 2024, 09:14:32 PM

Last year I ran into a similar problem https://forum.opnsense.org/index.php?topic=35447.msg172767 but that was solved somehow. During the OPNsense upgrades thereafter, OpenVPN wouldn't upgrade anymore and got stuck at version 2.6.10. I did not bother too much as clients were still able to log into OpenVPN.
Now I'm setting up a new server and using the new Instance option for OpenVPN. Everything was rapidly up and running, but I could not get the assignment of a fixed client IP address to work, no matter which option I tried, even after a whole afternoon of Googling for a solution. None of the suggestions I found solved the problem.

At last I decided to copy the settings of a working Legacy Server and Client from my "old" working FW, but with that I stumbled into other problems. With the exact copy of the Legacy settings from my old FW I get a TLS Error: TLS handshake failed every time, and the only difference is the newer OpenVPN version 2.6.11.

Does anyone know a proper guide on how to set up an Instance with fixed client addresses?

Would be good to see what is already set up ;)

Having a working ovpn instance, there should be nothing more to do than adding a CSO with two simple settings:
Common name = Client / User name
IPv4 (and/or v6) Tunnel Network = IP to be assigned
I am not an expert... just trying to help...

CSO has been set up correctly but won't assign the given IP address.
Network is: 192.168.80.0/24
CSO IPv4 Tunnel Network is 192.168.80.5/24
IP address given is 192.168.80.2
Works on my "old" FW.

[SOLVED] because I've got it to work but [NOT SOLVED] because I don't understand why.
After a hair-pulling night I decided to assign another user, and that worked right away (???).
So next I added all the users who should have VPN access, and all worked fine with the properly assigned IP address.
After a deep thought I remembered that the only difference I could think of was that with the first account I struggled with, I had generated the client Certificate in System->Trust->Certificates and NOT using the System->Access->Users page option used for the other clients. Not that I believe it matters, but for completeness I should say that all users are imported from an LDAP server.
So I unlinked the Cert of my first troublesome user in the System->Access->Users page and created a new client Cert from the same page. Exported the config and voilà, it worked as it should.
Now I'd like to understand why a Cert generated in System->Trust->Certificates caused this problem. This may be something for the developers to sort out.
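The CSO mechanism described in the reply above and the fix in this last post both come down to the same thing: OpenVPN applies a client-specific override only when the certificate's CN exactly matches the override's common name, otherwise the client silently gets a pool address. The following is an added example, not OPNsense code; it assumes the overrides are plain OpenVPN client-config-dir files (file name = CN, body with `ifconfig-push`) and uses constructed sample data to flag the mismatches a practitioner would check for.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: client-config-dir (CSO) files keyed by file name. OpenVPN
# opens the file named after the presented certificate CN; a CN that differs
# from the CSO common name gets no override and falls back to the pool.
SAMPLE_CCD = {
    "alice": "ifconfig-push 192.168.80.5 255.255.255.0\n",
    "bob":   "ifconfig-push 192.168.80.6 255.255.255.0\n",
    "carol": "ifconfig-push 192.168.81.7 255.255.255.0\n",  # outside tunnel net
    "dave":  "# override created but no address pushed\n",
    "frank": "ifconfig-push 192.168.80.5 255.255.255.0\n",  # collides with alice
}
# Constructed: CNs of the client certificates actually presented to the server.
# "Alice Cert" was issued with a different CN than the CSO name "alice".
SAMPLE_CLIENT_CNS = ["Alice Cert", "bob", "carol", "erin", "frank"]

TUNNEL_NET = ipaddress.ip_network("192.168.80.0/24")


def parse_ifconfig_push(text: str):
    """Return the IPv4 address from the first ifconfig-push line, or None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ifconfig-push":
            return ipaddress.ip_address(parts[1])
    return None


def audit_cso(ccd: Dict[str, str], client_cns: List[str], tunnel_net) -> Dict[str, List[str]]:
    """Cross-check CSO entries against presented CNs and the tunnel network.

    unmatched_cso: override exists but no client presents that exact CN (the
                   symptom in this thread: the client gets a pool address).
    no_override:   presented CN without a CSO file, so it gets a pool address.
    outside_tunnel: pushed address is not inside the instance tunnel network.
    duplicate_ip:  two overrides push the same address.
    """
    report = {"unmatched_cso": [], "no_override": [], "outside_tunnel": [], "duplicate_ip": []}
    cns = set(client_cns)
    seen = {}
    for name, body in ccd.items():
        if name not in cns:  # file-name lookup: exact, case-sensitive match
            report["unmatched_cso"].append(name)
        ip = parse_ifconfig_push(body)
        if ip is None:
            continue
        if ip not in tunnel_net:
            report["outside_tunnel"].append(f"{name}:{ip}")
        if ip in seen:
            report["duplicate_ip"].append(f"{name}:{ip} (also {seen[ip]})")
        seen[ip] = name
    report["no_override"] = sorted(cns - set(ccd))
    return report
```

Run against the sample data, the report lists "alice" as an unmatched override and "Alice Cert" as a CN without one, which is exactly the CN mismatch a certificate created outside the Users page can produce.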