OPBSense lost client specific overrides after upgrade to OPNsense 23.7.1_3-amd64

[gdur]

SInce the upgrade I lost the fixed assigned IP addresses for my clients and now they are getting IP addresses assigned by the system. Also the Client Specific Overrides tab is empty now but I still can see the custom_options>ifconfig-push correctly defined in the config. A reboot doesn't help and it looks like the client specific overrides are ignored. This is very inconvenient as a lot of my firewall rules depend on fixed assigned IP addresses.
I should have looked better as there are some posts about this subject and will continue in the existing thread.

[franco]

ifconfg-push always translated to "IPv4 Tunnel Network" and this is still available. You just need to use it.


Cheers,
Franco

[gdur]

Last night I figured that besides all entrees under "Client Specific Overrides" disappeared after the upgrade to 23.7.1_3 also "Topology" was unchecked of the Server configuration. That seems to be the reason why redefining "IPv4 Tunnel Network" didn't work for me. After checking "Topology" and restoring all "CSO's" as before everything worked as should and everyone is getting the same IP address as before. Next step is to study the newly introduced "Instances" option as it appears that that's where this functionality should be moved to prior to the disappearance of CSO in future versions.

[franco]

> prior to the disappearance of CSO in future versions

Source? Not to my knowledge. It would have made the move to MVC/API pretty pointless.


Cheers,
Franco

[smema79]

Hello

I waited for version 23.7.2 before running the test.

I kept the legacy version of openvpn and then configured a new instance using the same certificates and settings, such as "Strict User/CN Matching" and "Username as CN" but changing the "Server (IPv4)" subnet network so that it would not overlap with the legacy.

I then cloned the previous "Common Name" line present into "Client Specific Override," associating it with the new OpenVPN instance server. Of course, I updated the "IPv4 Tunnel Network" with the correct octect.

Moving the incoming WAN NAT to the new OpenVPN instance, I noticed that it does not retrieve the overrides, let alone show any kind of error in the log. The user, with the correct "Common Name" is active in the status page.

If I move the WAN NAT back to the legacy instance, everything works and the override are working again.

Am I doing something wrong?
Thanks for the reply

[pfoo]

Hi,

I'm hitting the same issue, CSO is not working with new openvpn instance despite having the instance checked in the CSO 'Servers' field

According to the instance config file CSO directory is /var/etc/openvpn-csc/3/ but it stays empty

Log from legacy 'server' show mentions to OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/1/ but log from instance has no mention of this import

OPNsense 23.7.2-amd64

[newsense]

Hi,

I'm hitting the same issue, CSO is not working with new openvpn instance despite having the instance checked in the CSO 'Servers' field

According to the instance config file CSO directory is /var/etc/openvpn-csc/3/ but it stays empty

Log from legacy 'server' show mentions to OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/1/ but log from instance has no mention of this import

OPNsense 23.7.2-amd64

Do you have the d3af50a patch applied ?

https://forum.opnsense.org/index.php?topic=35568.0

[pfoo]

After applying d3af50a logs mention :

Code: [Select]

user 'pfoo' authenticated using 'Local Database' CSO [CN]:/var/etc/openvpn-csc/961988-0461-4-8933-779744/pfoo
However directory /var/etc/openvpn-csc/961988-0461-4-8933-779744/ does not exist.
If I create the directory, the file /var/etc/openvpn-csc/961988-0461-4-8933-779744/pfoo is created, but not used by openvpn.

instance config file (even after modifying the port to trigger a config regeneration) still mention

Code: [Select]

client-config-dir /var/etc/openvpn-csc/3

[newsense]

Ah just a sec, this patch is to be applied on 23.7.2, else you may be missing some other patches required for this to work.

If you get on 23.7.2 with this patch reapplied (will not be retained during the upgrade afaik) then please open an issue on Github mentioning this thread

[pfoo]

Yup was already on OPNsense 23.7.2-amd64 when I tried the patch

[newsense]

Then Github should be the fastest way to have this fixed

[pfoo]

Yep going to create an issue.

On 23.7.2 + patch d3af50a file /usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php :

Code: [Select]

                    // server only setttings
                    if (!empty((string)$node->server) || !empty((string)$node->server_ipv6)) {
                        $options['client-config-dir'] = "/var/etc/openvpn-csc/{$node->vpnid}";

$node->vpnid where it probably should now be $node_uuid

[newsense]

If reading this thread before 23.7.3 and have already applied patch d3af50a then
 

Code: [Select]

opnsense-patch 78d49d8


Otherwise if on vanilla 23.7.2 both patches are required

Code: [Select]

opnsense-patch d3af50a 78d49d8

https://github.com/opnsense/core/issues/6784

[cs1]

Do you guys happen to know what the status of "matching CSO to username" is in OPNsense 23.7.8_1-amd64 when using "Instances [new]"? I have enabled "Username as CN" in the advanced options and despite seeing the correct username in logs and API calls to get OpenVPN users, CSOs never seem to match. Any help would be appreciated.

[cs1]

Quick info:

Ad and Franco have located the cause for the issue with CSOs for "Instances [new]" type OpenVPN servers, see https://github.com/opnsense/core/issues/6915.