Fixed IPs using "topology subnet" and ccd files failing with iOS

[jofre]

I need to assign fixed IPs to all users.
To achieve this I'm using topology subnet and ccd files. It works fine for all clients except for the iOS using the OpenVPN Connection application version 303(2104) where I get the following error:

Code: Select all

Client exception in transport_recv: addr_pair_mask_parse_error: AddrMaskPair parse error 'ifconfig': 10.50.0.12/10.50.0.1 : ipv4_exception: malformed netmask

the ccd files looks like as follows:

Code: Select all

ifconfig-push 10.50.0.8 10.50.0.1

and I have the same error if I push the "topology subnet" using the ccd file:

Code: Select all

ifconfig-push 10.50.0.8 10.50.0.1
push "topology subnet" 

the only way to solve the problem is to use the net30 format sending the netmask instead of the gateway IP in the ccd file:

Code: Select all

ifconfig-push 10.50.0.8 255.255.0.0

Is this the right workarround? Or I'm mixing network topologies with unexpected results?
If not, which other solution could I use to assign fixed IPs to all clients (including iOS)?


Server Configuration:

Code: Select all

port PORT
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh.pem
topology subnet
server 10.50.0.0 255.255.0.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
push "redirect-gateway def1"
push "dhcp-option DNS 10.50.0.1" 
#client-to-client
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
mute 20

[TinCanTech]

You have it all backwards ..

Code: Select all

--topology net30 --ifconfig 10.8.0.6 10.8.0.5

Code: Select all

--topology subnet --ifconfig 10.8.0.6 255.255.255.0

It is all clearly documented in the manual.

[dw07-02]

Hi,

I have a similar issue.

In the guide ‘configure client-specific rules and access policies’ it clearly advises to create 3 separate broadcast domains, x3 /24 subnets.

It then advises you to declare ONE OF THESE SUBNETS in the server-config as ‘Server 10.8.0.0 255.255.255.0 (a /24 class C).

It the advises your to declare the other two subnets as routes. ‘route 10.8.1.0 255.255.255.0’ & ‘route 10.8.2.0 255.255.255.0’

So far:
server 10.8.0.0 255.255.255.0
route 10.8.1.0 255.255.255.0
route 10.8.1.0 255.255.255.0

It then advises to create ccd files and use ‘ifconfig-push’ with particular client server ips from a list that throws ips in the bin 5 at a time. Lowest ip DECLARED FIRST.

Ok wonderful, I configured that and I have a ‘ipv_4 exception malformed mask’? I am trying to connect from an iPhone.

Look online is just confusing. You say this guys confit is back to front, but the official guide is back to front then.

Also I have seen others telling people their stupid for configuring a /24 under ‘server’ because it doesn’t include the other two /24 sudnets.

Can you confirm if the official guide it’s back to front upside down toppsyturnny. Because your advice is the opposite to the guide.

Tegards

[dw07-02]

Hi,

How do I post on this please. I read all the guides and instructions but I can’t post anything, and I can not see any way of contacting any admins. Please advise as I have an issue with restructuring traffic through an openvpn server hosted on windows. I have followed the setting up client restrictions guides, but receive an error that the ip addresses assigned through ifconfig push from the ccd folder are invalid. Tested on iphone, ipad, android phone they all fail. Windows 10 connects with errors.

Regards

[dw07-02]

Hi,

How do I post on this please. I read all the guides and instructions but I can’t post anything, and I can not see any way of contacting any admins. Please advise as I have an issue with restricting traffic through an openvpn server hosted on windows. I have followed the setting up client restrictions guides, but receive an error that the ip addresses assigned through ifconfig push from the ccd folder are invalid. Tested on iphone, ipad, android phone they all fail. Windows 10 connects with errors. If I exclude the ccd files (append letter x to the file name) all clients connect to the main client pool.with no issues.

I wish to apply policy to client traffic on a client/group basis. Do I configure this in windows firewall, or do I need iptables?

Regards