OpenVPN CSO what happened to custom_options

Started by giversen, August 01, 2023, 07:02:49 PM


Quote from: PIv0 on August 21, 2023, 04:41:06 PM
Quote from: franco on August 10, 2023, 02:45:12 PM
Yes, but you need to put the correct subnet size.


Cheers,
Franco

If on version 23.1.11 we used the line

ifconfig-push 192.168.yyy.xxx 255.255.255.0

Now in the IPv4 Tunnel Network field, you need to set the value

192.168.yyyy.xxx/24?

Did I understand correctly?

I did various tries with IPv4 Tunnel Network settings, but none of them were satisfactory:
- VPN server subnet is set to 10.0.8.0/24
- Client Specific override Tunnel IPv4 set to 10.0.8.10/32 -> resulting client IP is 10.0.8.12
- Client Specific override Tunnel IPv4 set to 10.0.8.10/24 -> resulting client IP is 10.0.8.2

Don't know what I am doing wrong



This is exactly what I have experienced and it was solved after checking "Topology" of the Server configuration. See my post https://forum.opnsense.org/index.php?topic=35447.0

Quote from: gdur on August 23, 2023, 09:22:50 AM
This is exactly what I have experienced and it was solved after checking "Topology" of the Server configuration. See my post https://forum.opnsense.org/index.php?topic=35447.0
Thanks, that did it!!


Hi All,
I'm Mario and this is my first post on this forum. Pleased to meet You.

I've upgraded OPNsense to version 23.7.6 and tried to reconfigure static IP assignment for my OpenVPN clients, but this does not work.

My OpenVPN server creates the following subnet 192.168.20.0/24. I want a certain user to login and get always IP 192.168.20.8, so I configured in CSO "IPv4 Tunnel network" to "192.168.20.8/32". It does not work.  :-[

It seems that CSOs are completely ignored when a client with the specific username logs in. Confirmed also by trying to check the option "Connection blocking"; the user can still log in normally.

It seems that common name and username never match. I also checked "Force CSO Login Matching", but it does not work.

Where am I wrong?
Thanks in advance.
Mario.

You have likely missed my previous post in this thread. Follow my solution at https://forum.opnsense.org/index.php?topic=35447.0

Quote from: gdur on October 20, 2023, 06:49:48 PM
You have likely missed my previous post in this thread. Follow my solution at https://forum.opnsense.org/index.php?topic=35447.0

If you mean the "Topology" check in the server configuration, it has always been checked and has never been disabled.

In my case "Topology" was disabled after the update, but I only discovered that after redefining the CSOs, which had disappeared as well.
I noticed that although the CSOs were gone in the GUI, they luckily still existed in the config.xml file. I used that to reconstruct the CSOs, but it still didn't work until I found out that "Topology" in the server setting was disabled as well. So after enabling the "Topology" setting it worked as before. What I didn't try out anymore is what would have happened if I had checked the "Topology" setting prior to redefining the CSOs, but it wouldn't surprise me if that would have been the case, because I don't understand otherwise why these entries were still present in the config.xml.
In your case in the example you gave the IP address in the CSO should be defined as 192.168.20.8/24 as the network is defined as 192.168.20.0/24.
So if in your case "Topology" in the server setting has been enabled and your CSOs are correctly defined, it should work.
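To make the two failure modes discussed above concrete (a CSO prefix that does not match the server tunnel network, and the server "Topology" setting being off), here is an added example that is not part of this thread or of OPNsense's own code. It assumes that a CSO is ultimately rendered into an OpenVPN client-config-dir (ccd) entry carrying an `ifconfig-push` line, and that the "Topology" checkbox corresponds to OpenVPN's `topology subnet`; the common names, addresses and pushed options are constructed sample values.

```python
"""Sanity-check an OpenVPN client-specific override (CSO) against the server
tunnel network and render the ccd lines it corresponds to.

Assumption (not taken from the thread): OPNsense turns a CSO into an OpenVPN
client-config-dir file containing an 'ifconfig-push' line plus any 'push'
directives, and the server's "Topology" checkbox enables 'topology subnet'.
"""
import ipaddress
from typing import List, Tuple


def check_cso(server_tunnel: str, cso_tunnel: str, topology_subnet: bool) -> Tuple[bool, str]:
    """Return (ok, reason) for a CSO 'IPv4 Tunnel Network' value.

    server_tunnel   server 'IPv4 Tunnel Network', e.g. '192.168.20.0/24'
    cso_tunnel      CSO 'IPv4 Tunnel Network', e.g. '192.168.20.5/24'
    topology_subnet whether the server runs with 'topology subnet'
    """
    server = ipaddress.ip_network(server_tunnel, strict=False)
    try:
        client = ipaddress.ip_interface(cso_tunnel)
    except ValueError as exc:
        return False, f"invalid CSO tunnel network {cso_tunnel!r}: {exc}"

    # Without 'topology subnet' the second ifconfig-push argument is a peer
    # endpoint, not a netmask, so a fixed address/netmask pair cannot be pushed.
    if not topology_subnet:
        return False, "server Topology is not 'subnet'; enable it before assigning fixed addresses"

    if client.ip not in server:
        return False, f"{client.ip} lies outside the server tunnel network {server}"

    # The thread's /32 case: prefix must equal the server tunnel prefix.
    if client.network.prefixlen != server.prefixlen:
        return False, (f"prefix /{client.network.prefixlen} does not match the server's "
                       f"/{server.prefixlen}; use {client.ip}/{server.prefixlen}")

    # .0 and the broadcast address are unusable; OpenVPN gives the first host
    # address of the pool to the server itself.
    if client.ip in (server.network_address, server.broadcast_address):
        return False, f"{client.ip} is the network or broadcast address of {server}"
    if client.ip == server.network_address + 1:
        return False, f"{client.ip} is the server's own tunnel address"

    return True, f"ifconfig-push {client.ip} {server.netmask}"


def render_ccd(common_name: str, server_tunnel: str, cso_tunnel: str,
               push_options: List[str], topology_subnet: bool = True) -> List[str]:
    """Render the ccd lines for one client; raise ValueError if the CSO cannot work."""
    ok, detail = check_cso(server_tunnel, cso_tunnel, topology_subnet)
    if not ok:
        raise ValueError(f"CSO for {common_name!r}: {detail}")
    lines = [detail]  # the ifconfig-push line
    # Per-client 'push' directives are permitted in ccd files, e.g. routes or
    # the 'inactive' timeout mentioned later in the thread.
    lines.extend(f'push "{opt}"' for opt in push_options)
    return lines


if __name__ == "__main__":
    # Constructed samples mirroring the attempts reported in the thread.
    for cso in ("10.0.8.10/32", "10.0.8.10/24"):
        print(cso, "->", check_cso("10.0.8.0/24", cso, topology_subnet=True))
    print("\n".join(render_ccd("mario", "192.168.20.0/24", "192.168.20.8/24",
                               ["route 10.10.0.0 255.255.255.0", "inactive 900 750000"])))
```

The first call reproduces the "/32 inside a /24 server network" attempt and explains why it cannot produce the intended address; the second shows the only prefix that lines up with the server network. `render_ccd` is the place to hang additional per-client `push` lines if a future CSO form exposes them.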

So sad, not resolved.

Tried to check and uncheck "Topology", "Dynamic IP" and "Force CSO Login Matching" in several tests using 2 clients, 1 Windows and 1 Android.
In all cases the IP addresses associated with the clients are always the first available (192.168.20.2, 192.168.20.3 ...) even though I use the common name in the CSO configuration.

Do I need to modify any configuration file? XML or so on? Is there a patch that could be installed?
Version is 23.7.6.

Thanks in advance.
Mario.

How did you define IPv4 Tunnel Network?
You wrote
Quote: despite I use common name in CSO configuration
but Common name has nothing to do with your problem.
You may send me your config off-line to better understand what may be wrong...

Hi.
I try to explain more deeply.

VPN Server "IPv4 Tunnel Network" is set to "192.168.20.0/24"
"Topology" flag is checked.
"Force CSO Login Matching" flag is checked.
No other options specified.

User I want to login has following CSO configuration:
"Common Name" is identical to username
"IPV4 Tunnel Network" is set to "192.168.20.5/24"
No other options specified.

When the user connects to the VPN server it always gets the 192.168.20.2 IP address, not 192.168.20.5.

In a previous version of OPNsense (don't remember which one) I was obliged to set "Force CSO Login Matching", because otherwise the user's CSO was ignored, as there was no match between username and common name.


If "Common Name" is identical to the username, then there should be no need to enable "Force CSO Login Matching".
At least I have not enabled it in my working config, as my username is the same as the common name.
I have no experience with using a different username than the common name.
Does your client log in using the common name or its username?

Hello. Can I ask you to add a "push route..." block to the CSO? We provide the default gateway through the VPN, but on some clients, certain subnets need to be routed through their gateway. And of course, I hope that it will be possible to add any possible parameters to the CSO for those who are confident in what they are doing.

January 05, 2024, 11:53:38 AM #44 Last Edit: January 05, 2024, 12:11:09 PM by jbe
Hello
In the older version I was using this custom option:
push "inactive 900 750000"

It was used to force a disconnect when the client was inactive for some time. I've had different settings depending on the client (different amounts of bytes defined depending on the client's activity type).

How can I realize that in the current version?

Greetings, Jakub