mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00

VPN: OpenVPN: Client Specific Overrides - add small troubleshooting section

This commit is contained in:
Ad Schellevis 2024-02-04 19:46:02 +01:00
parent 4b3e99efcd
commit 157797f2f2

@ -579,9 +579,11 @@ It is possible to specify the contents of these configurations in the gui under
Apart from that, an authentication server (:menuselection:`System -> Access -> Servers`) can also provide client details in special cases when returning Apart from that, an authentication server (:menuselection:`System -> Access -> Servers`) can also provide client details in special cases when returning
:code:`Framed-IP-Address`, :code:`Framed-IP-Netmask` and :code:`Framed-Route` properties. :code:`Framed-IP-Address`, :code:`Framed-IP-Netmask` and :code:`Framed-Route` properties.
.. Tip:: .. Note::
Client specific overwrites will be written **after** authentication or client connect (depending on the type of setup).
This in order for authentication services like RADIUS to be able to provision additional properties, such as tunnel and local networks.
Radius can be used to provisioning tunnel and local networks.
A selection of the most relevant settings can be found in the table below. A selection of the most relevant settings can be found in the table below.
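Review bot: The new note (the two lines starting "Client specific overwrites will be written **after** authentication") says when the overwrite file is written, but not which value wins when an authentication server returns :code:`Framed-IP-Address` or :code:`Framed-Route` and a client specific overwrite sets the same property. State the precedence explicitly, since it decides which address and routes a client ends up with. The second sentence is also a fragment ("This in order for ..."); consider "This allows authentication services like RADIUS to provision additional properties, such as tunnel and local networks." The commit title says "Overrides" while the added text says "overwrites"; pick one term and use it throughout.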
@ -610,6 +612,24 @@ A selection of the most relevant settings can be found in the table below.
When using topology "subnet" the netmask usually equals the one defined in the instance itself as the gateway When using topology "subnet" the netmask usually equals the one defined in the instance itself as the gateway
being pushed to the client is the first adress in the network and otherwise unreachable. being pushed to the client is the first adress in the network and otherwise unreachable.
**Troubleshooting common issues**
The most common causes for non functional overwrites are caused by mismatches, in order to debug these, make sure to check the logs
for messages like the following:
* :code:`Locate overwrite for 'XXX' using server 'XXX' (vpnid: XXX)` << trying to find an overwrite (user authentication))
* Usually followed by :code:`user 'XXX' authenticated using 'XXX' XXX` showing username, authenticator used and optionally
the overwrite type and filename.
* :code:`client config created @ XXX` << file written on client connect (without user authentication)
* :code:`unable to write client config for XXX, missing target filename` << no matching overwrite found (without user authentication)
By default overwrites are matched by certificate common name, when :code:`Force CSO Login Matching` (legacy) or
:code:`Username as CN` (instances) are set the username will be used instead.
-------------------------- --------------------------
Wireguard Wireguard
-------------------------- --------------------------
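Review bot: The opening sentence of the troubleshooting block ("The most common causes for non functional overwrites are caused by mismatches") does not say what is mismatched; the reader only learns in the last paragraph that matching is by certificate common name, or by username when :code:`Force CSO Login Matching` or :code:`Username as CN` is set. Move that paragraph to the top of the block and reword the first sentence, for example "Overwrites usually fail to apply because the name they are matched on differs from the one the client presents." In the message list every field is shown as XXX, so it is unclear which one is the common name, the server or the file path; named placeholders would make the lines easier to compare with a real log. The first bullet ends with a doubled parenthesis ("(user authentication))"), and the text does not say which log these messages appear in.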