Hello,
We are experiencing an issue with the OpenVPN server configuration on a RUTXR1 router.
Device model: RUTXR1
Firmware version: RUTX_R_00.07.22.3
OpenVPN role: Server
Tunnel type: TUN
Topology: NET30
VPN network: 192.168.253.0
Netmask: 255.255.255.0
Authentication: TLS
In the OpenVPN server configuration, we configured a static client assignment under TLS Clients.
The client certificate Common Name is configured correctly. For this client, the TLS Clients entry contains the following values:
Common Name (CN): <client_CN>
Virtual local endpoint: 192.168.253.102
Virtual remote endpoint: 192.168.253.101
The client certificate CN has been verified with OpenSSL and it matches the CN configured in the TLS Clients entry (also checked in the log).
However, when the client connects, the OpenVPN server does not assign the configured static NET30 endpoint pair. Instead, it assigns the first available address from the dynamic pool.
The relevant log entry is:
MULTI_sva: pool returned IPv4=192.168.253.6, IPv6=(Not enabled)
The client receives the following dynamic NET30 pair instead of the configured one:
Client VPN IP: 192.168.253.6
Peer endpoint: 192.168.253.5
Based on the TLS Clients configuration, we expected the client to receive the configured static NET30 pair, i.e. the address pair.
We also tried changing the endpoint order, but the server still assigns an address from the dynamic pool.
What could cause the OpenVPN server to ignore the TLS Clients static endpoint assignment and allocate the client address from the dynamic pool instead?
Is this a known issue or limitation in firmware version RUTX_R_00.07.22.3?
What is the recommended way to assign fixed OpenVPN client IP addresses or fixed NET30 endpoint pairs to clients based on their certificate CN on a RUTXR1?
Thank you in advance!