"OpenVPN Connected With Errors" -> Configuring Client-Specific Rules and Access Policies

virtualizer
OpenVpn Newbie
Posts: 1
Joined: Thu Mar 09, 2023 3:59 pm

Post by virtualizer » Thu Mar 09, 2023 5:06 pm

Howdy mates,

I'm relatively new to OpenVPN having only set up a couple of OpenVPN server/client configs in the past. I decided to get fancy this time and try something new, but it's not working.

I was using this tutorial (https://openvpn.net/community-resources ... s-policies) to configure client-specific rules and access policies based on the virtual IP address assigned to the client.

I've got a Linux box for my server with the latest version of OpenVPN; this is my server.conf file:
=====================================

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
topology subnet
server 10.109.0.0 255.255.0.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
route 10.111.109.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
=====================================

My client .ovpn file:
=====================================

client
dev tun
proto udp
remote [DNS_NAME/STATIC_IP] 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-GCM
auth SHA256
verb 9
mute 20

[CERTS & KEYS -> REMOVED]
=====================================
My ccd folder is in the /etc/openvpn/server directory and doesn't error out. I've placed a file inside the ccd directory with the client's common name (e.g., "Batman") and the directive: "ifconfig-push 10.111.109.1 10.111.109.2" as the linked instructions direct.

I took down the iptables rules I had configured, just because everything was royally screwed up. I slowly removed pieces and found the problem to be the following two lines from server.conf:

client-config-dir ccd
route 10.111.109.0 255.255.255.0

When I remove these lines, the client gets the IP of 10.109.0.2 and connects just fine, but I need to have it on a different subnet so I can configure access policies.

============

When I try to connect from the client, everything looks good initially, then I get a notification that "Batman has connected with errors", along with the IP of 10.111.109.1 that I wanted (note, this IP does not show with Batman in the "/var/log/openvpn/ipp.txt" file).

I checked the client log file and found the following messages of interest: "Warning: route gateway is not reachable on any active network adapters: 10.109.0.1"

This tells me that the OpenVPN server is pulling the first address from the given address pool, as it should. As such, I'm rather certain that the issue is that the client can't resolve its default gateway since the given one is not on its 10.111.109.0/24 subnet. However, I don't know what to do to resolve this.

I followed the instructions provided in the link very closely, so I'm not sure if something's outdated, or if something just wasn't written correctly.

I'd appreciate any help/thoughts on this!
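Added check, not code from the post or from the OpenVPN project: a small lint that reads the posted server.conf and a ccd entry and reports the two ifconfig-push pitfalls that the quoted client warning points at. Under `topology subnet`, `ifconfig-push` takes an address and a netmask (the net30 tutorial form `ifconfig-push a b` gives a peer address instead), and the `--server` helper pushes `route-gateway` as the first address of the pool, which a client pinned to a different subnet has no on-link route to. The config text below is constructed from the post; the "fixed" ccd line is a hypothetical example of pinning the client to a fixed address inside the pool so that firewall rules can be keyed on it.

```python
"""Lint an OpenVPN server.conf against a ccd file for ifconfig-push pitfalls.
Added example, not code from the forum post or the OpenVPN project; the
config snippets below are constructed from the post."""
import ipaddress


def parse_directives(text):
    """Return [(directive, [args]), ...], skipping blank lines and '#'/';' comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def server_pool(server_conf):
    """Return (topology, pool network) from the 'topology' and 'server' directives.
    OpenVPN defaults to net30 when no topology directive is present."""
    topology, pool = "net30", None
    for directive, args in parse_directives(server_conf):
        if directive == "topology" and args:
            topology = args[0]
        elif directive == "server" and len(args) >= 2:
            pool = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return topology, pool


def check_ccd(server_conf, ccd_text):
    """Return a list of findings, one per problem, for the ifconfig-push lines in a ccd file."""
    topology, pool = server_pool(server_conf)
    findings = []
    for directive, args in parse_directives(ccd_text):
        if directive != "ifconfig-push" or len(args) < 2:
            continue
        addr = ipaddress.ip_address(args[0])
        if topology == "subnet":
            # In topology subnet the second argument is a netmask (man openvpn,
            # --ifconfig-push), not a peer address as in the net30 tutorial form.
            try:
                ipaddress.ip_network(f"{addr}/{args[1]}", strict=False)
            except ValueError:
                findings.append(
                    f"ifconfig-push {addr} {args[1]}: under 'topology subnet' the second "
                    f"argument is a netmask, and {args[1]} is not a valid one"
                )
            # The --server helper pushes route-gateway = first pool address; a client
            # placed on another subnet has no on-link route to it.
            if pool is not None and addr not in pool:
                gw = pool.network_address + 1
                findings.append(
                    f"ifconfig-push {addr}: address is outside the server pool {pool}, so "
                    f"the pushed route-gateway {gw} is not on-link for this client"
                )
        else:
            # net30: the two addresses must be the usable pair of one /30.
            peer = ipaddress.ip_address(args[1])
            if (ipaddress.ip_network(f"{addr}/30", strict=False)
                    != ipaddress.ip_network(f"{peer}/30", strict=False)):
                findings.append(
                    f"ifconfig-push {addr} {peer}: under net30 both addresses must lie "
                    f"in the same /30"
                )
    return findings


# Constructed from the server.conf in the post (only the directives that matter here).
SERVER_CONF_POSTED = """
topology subnet
server 10.109.0.0 255.255.0.0
client-config-dir ccd
route 10.111.109.0 255.255.255.0
"""
CCD_POSTED = "ifconfig-push 10.111.109.1 10.111.109.2\n"

# Hypothetical corrected ccd entry (an assumption, not from the post): pin the
# client to a fixed address inside the pool with the pool's netmask, then key
# the per-client firewall rules on that address.
CCD_FIXED = "ifconfig-push 10.109.1.1 255.255.0.0\n"

if __name__ == "__main__":
    for name, ccd in (("posted", CCD_POSTED), ("fixed", CCD_FIXED)):
        print(f"{name}: {check_ccd(SERVER_CONF_POSTED, ccd) or ['no findings']}")
```

Run against the posted configuration, the lint reports both problems (a non-netmask second argument and an address outside 10.109.0.0/16 whose gateway 10.109.0.1 is not on-link), which is the same gateway the quoted client log complains about; the hypothetical in-pool entry produces no findings. The net30 branch exists so the same script can check ccd files written in the tutorial's `ifconfig-push a b` form on servers that do not set `topology subnet`.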
