One OpenVPN server instance, more than one client.
-
I have set up an OpenVPN server per:
link text
And am attempting to set up a server with several PEER-PEER client/server connections. It works just fine one client at a time.
But if the second client connects I lose connectivity from the first client.
I must be doing something really stupid.
I also don't FULLY understand the point-to-point tunnel.
The first client connection gets assigned a .2 address for the tunnel
And then the second client gets assigned the same remote tunnel address (.2)
And this appears to be the problem.
I would expect it would get a different address from the "pool" like .3 and then it would work. Here is my route table with both clients connected.
And of course I only have working connectivity between the server and one of the remote clients. I see the real problem is that both remote sites are getting the same destination tunnel address.
One actually works at a time.
And I'm not sure how to get it to work correctly.
Each remote end of each tunnel should have a different address from the tunnel network.
Also, update: at the far end client I actually am assigned 10.3.3.3
and it is pingable.
But the route table is showing that subnet as being reachable from 10.3.3.2
I am going around in circles.
The remote clients actually ARE getting assigned successive numbers.
.2 and .3. I can even set the client override to give them .20 or .50 and they are setting.
And they can ping 10.3.3.1 (the VPN server) through the VPN!
But the route table at the server shows the subnet route for each client as .2
Being the route to that client subnet.
Banging my head against the wall.

[2.7.0-DEVELOPMENT][admin@pfsense.localdomain]/root: netstat -r
Routing tables

Internet:
Destination        Gateway             Flags  Netif   Expire
default            gw.michiganbroadba  UGS    hn0
10.3.3.0/24        link#10             U      ovpns3
10.3.3.1           link#2              UHS    lo0
10.73.73.0/24      link#6              U      hn1
pfsense            link#2              UHS    lo0
localhost          link#2              UH     lo0
172.16.127.0/24    10.3.3.2            UGS    ovpns3
172.16.128.0/24    10.3.3.2            UGS    ovpns3
-
"IPv4 Tunnel Network
This is the IPv4 virtual network or network type alias with a single entry used for private communications between this server and client hosts expressed using CIDR notation (e.g. 10.0.8.0/24). The first usable address in the network will be assigned to the server virtual interface. The remaining usable addresses will be assigned to connecting clients."
10.3.3.0/24
Yes the server is getting assigned .1
The first client to connect gets .2
Then the next client gets .3
However the route table (netstat -t) shows each client netblock
as reachable by gateway .2:
172.16.127.0/24 10.3.3.2 UGS ovpns3
172.16.128.0/24 10.3.3.2 UGS ovpns3
And it needs to be:
172.16.127.0/24 10.3.3.2 UGS ovpns3
172.16.128.0/24 10.3.3.3 UGS ovpns3
For it to work.
and this does not work.
Client override sets the address at the client as I instruct it.
But the route table at the server shows .2 for each client no matter what I do so far.
-
Well it's working now.
It had been assigning .3 to the second client (the client had .3)
But the server's route table was showing its subnet routed to .2
Not sure why.
And not sure how it got fixed.
The IPsec internal routing is a bit confusing as well.
I'm not used to that yet.
Seems like it has its own routes and not what you see out at the routing table.
Are there tools to see much better what's going on with it?
To make matters even more fun, in packet capture you can choose the IPsec "interface".
But capture does not work when you click start. (1.7dev)
Anyhow I have a working single server instance and two site-site remote clients.
I have a lot more to learn.. and not a super pro yet here :)
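Editor's note on the route table that the first two posts puzzle over (both remote LANs shown via 10.3.3.2, whichever client holds that address) and that the last post reports working without knowing why: OpenVPN keeps two separate tables. With `topology subnet` on a tun device, the `server` helper sets the server-side default route gateway to the second address of the tunnel network, so every server-side `route` lands in the kernel table with gateway 10.3.3.2 regardless of which client is connected. The kernel only uses that gateway to hand the packet to ovpns3; OpenVPN's own client table, built from each client's `iroute`, decides which connected client gets it. The gateway column therefore never needed to change to .3; what has to be right is one `route` on the server and one matching `iroute` per client (pfSense writes these from the server's and each Client Specific Override's Remote Networks fields). The script below is an added example, not the poster's configuration or anything pfSense generates: it writes a minimal server config and two ccd files for a setup like the one in the thread, then checks that every remote LAN appears as both a `route` and an `iroute`. The tunnel network and the two remote LANs are taken from the thread; the client CNs `siteA`/`siteB`, the fixed tunnel addresses and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's pfSense setup or pfSense's generated files:
# a plain OpenVPN server config for one server instance serving several
# site-to-site clients, written to a scratch directory, plus a check that every
# remote LAN has both a server-side "route" and a client-side "iroute".
# Tunnel network 10.3.3.0/24 and remote LANs 172.16.127.0/24, 172.16.128.0/24
# are from the thread; the CNs "siteA"/"siteB", the fixed tunnel addresses and
# the directory layout are assumptions made for this example.

set -eu

# Where the files go (assumed; override with CFG=/some/dir).
CFG="${CFG:-$(mktemp -d)}"

write_configs() {
    mkdir -p "$CFG/ccd"
    cat > "$CFG/server.conf" <<'EOF'
dev tun
topology subnet
# "server" expands to ifconfig 10.3.3.1/24, a client pool starting at 10.3.3.2
# and, for a tun device in subnet topology, a server-side default route gateway
# of 10.3.3.2 (second address of the tunnel network).  That is why every
# "route" below shows gateway 10.3.3.2 in netstat no matter which client
# currently holds that address.
server 10.3.3.0 255.255.255.0
# Kernel routes: each remote LAN must be listed so the kernel hands those
# packets to the tun interface at all.
route 172.16.127.0 255.255.255.0
route 172.16.128.0 255.255.255.0
# Per-client files named after the certificate CN carry the iroute that tells
# OpenVPN's internal client table which connected client owns which LAN.
client-config-dir ccd
# Refuse clients that have no ccd file (no LAN claim, no connection).
ccd-exclusive
EOF
    # Each site keeps a fixed tunnel address and claims its own LAN.
    cat > "$CFG/ccd/siteA" <<'EOF'
ifconfig-push 10.3.3.2 255.255.255.0
iroute 172.16.127.0 255.255.255.0
EOF
    cat > "$CFG/ccd/siteB" <<'EOF'
ifconfig-push 10.3.3.3 255.255.255.0
iroute 172.16.128.0 255.255.255.0
EOF
}

# nets <directive> <file...>: print "network/netmask" for every line whose
# first word is the directive (comments and other directives are skipped).
nets() {
    d="$1"; shift
    cat "$@" 2>/dev/null | awk -v d="$d" '$1 == d { print $2 "/" $3 }'
}

# check_consistency <server.conf> <ccd-dir>
# Exit 0 when every "route" has an "iroute" in some ccd file and vice versa,
# otherwise report each mismatch and exit 1.  A route without an iroute means
# the kernel pushes packets into the tunnel but OpenVPN has no client to give
# them to; an iroute without a route means the packets never enter the tunnel.
check_consistency() {
    srv="$1"; ccd="$2"; rc=0
    routes=$(nets route "$srv")
    iroutes=$(nets iroute "$ccd"/*)
    for net in $routes; do
        printf '%s\n' "$iroutes" | grep -qxF "$net" ||
            { echo "route $net has no iroute in $ccd" >&2; rc=1; }
    done
    for net in $iroutes; do
        printf '%s\n' "$routes" | grep -qxF "$net" ||
            { echo "iroute $net has no route in $srv" >&2; rc=1; }
    done
    return $rc
}

# Stand-alone run: write the files and report.
write_configs
check_consistency "$CFG/server.conf" "$CFG/ccd" &&
    echo "routes and iroutes agree in $CFG"
```

To see which client currently owns each LAN on a running server, look at the ROUTING TABLE section of OpenVPN's status output (the pfSense OpenVPN status page shows the same data) rather than at netstat, which will keep listing 10.3.3.2 for every tunnelled network.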