OpenVPN: Client Specific Overrides - Ifconfig-push problem

Started by myksto, August 24, 2023, 10:23:46 AM

Hi.
Just upgraded to the latest version, 23.7.2.
I read in this topic https://forum.opnsense.org/index.php?topic=35149.0 that to push a static IP to clients in the tunnel we just have to use the "IPv4 Tunnel Network" field.
Well, I just copied the command "ifconfig-push 10.160.71.2 255.255.255.255" and received the error "please specify a valid network segment or address (IPv4/IPv6)" (see screenshot).

What am I doing wrong?

Thanks a lot,
Michele.


Sorry @franco,
how can I verify that CSOs are correctly read if I configure a new Instance using the new method?

As indicated here, https://forum.opnsense.org/index.php?topic=35447.msg172767#msg172767, I tried and it does not retrieve the CSO using the common name.

Thanks

Check the log for "client config created" under NOTICE log level.


Cheers,
Franco

Quote from: franco on August 24, 2023, 10:56:52 AM
10.160.71.2/32

The command "ifconfig-push" indeed has to be removed.

Setting the field to 10.160.71.2/32 only works like a charm.

Thanks a lot.

Cheers,
Michele.
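An added example (not OPNsense's own code) showing the two representations the thread is about: the legacy "ifconfig-push ADDR NETMASK" directive and the CIDR form the "IPv4 Tunnel Network" CSO field accepts. It converts one into the other, applies the same kind of check the field performs (which is why the pasted directive was rejected), and renders an assumed shape of the per-client file OpenVPN reads from its client-config-dir; the rendering is an assumption, not OPNsense's generator.

```python
import ipaddress
import re

# Constructed sample values taken from the thread (not real configuration).
LEGACY_DIRECTIVE = "ifconfig-push 10.160.71.2 255.255.255.255"
NEW_FIELD_VALUE = "10.160.71.2/32"


def legacy_to_tunnel_network(directive: str) -> str:
    """Convert a legacy 'ifconfig-push ADDR NETMASK' line into the CIDR
    form the 'IPv4 Tunnel Network' CSO field expects (e.g. 10.160.71.2/32)."""
    m = re.fullmatch(r"\s*ifconfig-push\s+(\S+)\s+(\S+)\s*", directive)
    if not m:
        raise ValueError("not an ifconfig-push directive")
    # IPv4Interface accepts a dotted netmask and normalises it to a prefix length.
    return str(ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}"))


def is_valid_tunnel_network(value: str) -> bool:
    """Mimic the field check: only a bare IPv4/IPv6 address or CIDR segment is
    accepted; directive keywords such as 'ifconfig-push' fail, as in the thread."""
    try:
        ipaddress.ip_interface(value.strip())
    except ValueError:
        return False
    return True


def render_client_config(tunnel_network: str, remote_networks=()) -> str:
    """Assumed shape of the per-client file (topology subnet): ifconfig-push for
    the static tunnel address plus one iroute per remote network behind the client."""
    iface = ipaddress.ip_interface(tunnel_network)
    lines = []
    if iface.version == 4:
        lines.append(f"ifconfig-push {iface.ip} {iface.netmask}")
    else:
        lines.append(f"ifconfig-ipv6-push {iface.with_prefixlen}")
    for net in remote_networks:
        n = ipaddress.ip_network(net, strict=False)
        if n.version == 4:
            lines.append(f"iroute {n.network_address} {n.netmask}")
        else:
            lines.append(f"iroute-ipv6 {n.with_prefixlen}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(legacy_to_tunnel_network(LEGACY_DIRECTIVE))      # 10.160.71.2/32
    print(is_valid_tunnel_network(LEGACY_DIRECTIVE))       # False
    print(render_client_config(NEW_FIELD_VALUE, ["192.168.50.0/24"]))
```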

Quote from: franco on August 24, 2023, 11:12:58 AM
Check the log for "client config created" under NOTICE log level.
Cheers,
Franco

There is no trace. It seems it does not read the line set in the CSO page.

Possibly yes. It's difficult for me to troubleshoot a condition I cannot reproduce.


Cheers,
Franco

With Legacy, I see this:
user 'xxxxxxx' authenticated using 'Local Database' CSO [CN]:/var/etc/openvpn-csc/1/xxxxxxx

With Instance, this line does not exist, and in the CSO page I correctly selected the new Instance as server.
user 'xxxxxxx' authenticated using 'Local Database'

Ok, you have another mode there so you can't find that log line anyway.

Hmm, and does "user 'xxxxxxx' authenticated" at least show up in the log? The user is able to connect I suppose?


Cheers,
Franco

Yes, it connects and gets the first IP of the subnet declared at the instance server level, but it does not take the settings declared in the CSO, that is, the remote subnets it is to connect to and the expected static IP it is to get.

As mentioned in the previous post, to do the test, I configured a new openvpn instance, leaving the legacy server configuration unchanged, assigning it a different listening port but using the same configurations (except the IPv4 Subnet).

Can you verify if this patch fixes your issue?

opnsense-patch d3af50a

When posting opnsense-patch commands please also provide the GitHub commit link for reference:

https://github.com/opnsense/core/commit/d3af50a

It helps to assess what could be happening and prevents posting malicious patches (like reverting a security patch for example).


Cheers,
Franco

Sure thing, apologies, I forgot to add the URL this time (found the commit on the phone and then copy-pasted only the patch command here).


root@OPNsense:~ # opnsense-patch d3af50a
Fetched d3af50a via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From d3af50ad9021ba586af5efdb39899a696794c8af Mon Sep 17 00:00:00 2001
|From: Ad Schellevis <ad@opnsense.org>
|Date: Fri, 25 Aug 2023 16:53:56 +0200
|Subject: [PATCH] VPN: OpenVPN: Client Specific Overrides - fix mismatch issue
| when pinning a CSO to a specific instance. As new CSO's are stored by uuid,
| we should make sure to send events using them as well. cc @fichtner
|
|---
| src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php | 8 ++++----
| src/opnsense/scripts/openvpn/user_pass_verify.php        | 3 +--
| 2 files changed, 5 insertions(+), 6 deletions(-)
|
|diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
|index 55fffa5f39..b8ee06cc70 100644
|--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
|+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
--------------------------
Patching file opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php using Plan A...
Hunk #1 succeeded at 432 (offset -10 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/opnsense/scripts/openvpn/user_pass_verify.php b/src/opnsense/scripts/openvpn/user_pass_verify.php
|index 518d637ebd..2963302b7c 100755
|--- a/src/opnsense/scripts/openvpn/user_pass_verify.php
|+++ b/src/opnsense/scripts/openvpn/user_pass_verify.php
--------------------------
Patching file opnsense/scripts/openvpn/user_pass_verify.php using Plan A...
Hunk #1 succeeded at 119.
done
All patches have been applied successfully.  Have a nice day.

Hello

I applied the patch and tested again, but the use of the CSO does not appear in the "Notice" log:


2023-08-28T13:01:28 Notice openvpn_server2 127.0.0.1:1959 PUSH: Received control message: 'PUSH_REQUEST'
2023-08-28T13:01:28 Notice openvpn user 'XXXXXXX' authenticated using 'Local Database'
2023-08-28T13:01:27 Notice openvpn_server2 127.0.0.1:1959 PUSH: Received control message: 'PUSH_REQUEST'


Regards