VPN Same IP Addresses
-
After upgrading pfSense 1.2 >> pfSense 1.2.1, OpenVPN assigns all clients the same IP (192.168.190.6), and, obviously, clients keep connecting and disconnecting… Certificates are different...
OpenVPN config:
Protocol: UDP
Dynamic IP:checked
Local Port: 27835
Address Pool: 192.168.190.0/24
Use static ip: unchecked
Local network: 192.168.115.0/24
Remote network: blank
Client-to-client VPN: checked
Cryptography: BF-CBC 128-bit
Authentication: PKI
LZO compression: checked???
-
Are these all individual PCs that are connecting? Or are they different networks?
Maybe try to disable "Client-to-client VPN"
Cheers
-
PCs are connecting from different locations and IPs. I've tried to disable "Client-to-client VPN", but it doesn't work…
I'm going to format and reinstall pfSense, because "reset to default" solved nothing.
-
Did you double-check that the connecting clients really have different keys/certificates?
Re-setting up pfSense doesn't help much.
I'd rather re-set up the CA and rebuild the clients.
-
OK, I'll try to rebuild the CA and certificates…
-
Nothing… Also, I used certificates from another OpenVPN that certainly works, but I have the same problem... :-\
-
Can you show the 3 log outputs when connecting to the pfSense server?
1: server
2: client1
3: client2
It would also help if you could provide the raw config files of all 3, in /var/etc on the pf.
-
Server:
Jan 6 19:08:40 openvpn[12109]: omniservicesrl.it/151.***.***.***:59418 [***] Inactivity timeout (--ping-restart), restarting
Jan 6 19:07:57 openvpn[12109]: 88.***.***.***:59266 [***] Peer Connection Initiated with 88.***.***.***:59266
Jan 6 19:07:56 openvpn[12109]: 88.***.***.***:59266 LZO compression initialized
Jan 6 19:07:56 openvpn[12109]: 88.***.***.***:59266 Re-using SSL/TLS context
Jan 6 19:06:29 openvpn[12109]: 151.***.***.***:59418 [***] Peer Connection Initiated with 151.***.***.***:59418
Jan 6 19:06:28 openvpn[12109]: 151.***.***.***:59418 LZO compression initialized
Jan 6 19:06:28 openvpn[12109]: 151.***.***.***:59418 Re-using SSL/TLS context
Client 1 & Client 2 are identical:
Tue Jan 06 19:06:21 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Jan 06 19:06:21 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Jan 06 19:06:21 2009 LZO compression initialized
Tue Jan 06 19:06:21 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jan 06 19:06:21 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 06 19:06:21 2009 Local Options hash (VER=V4): '41690919'
Tue Jan 06 19:06:21 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Jan 06 19:06:21 2009 UDPv4 link local: [undef]
Tue Jan 06 19:06:21 2009 UDPv4 link remote: 88.***.***.***:1194
Tue Jan 06 19:06:21 2009 TLS: Initial packet from 88.***.***.***:1194, sid=93c9ddcc 542da9de
Tue Jan 06 19:06:22 2009 VERIFY OK: depth=1, /C=IT/ST=Italy/L=Nerviano__MI/O=****/CN=****/emailAddress=info@****.it
Tue Jan 06 19:06:22 2009 VERIFY OK: nsCertType=SERVER
Tue Jan 06 19:06:22 2009 VERIFY OK: depth=0, /C=IT/ST=Italy/O=****/CN=****/emailAddress=info@****.it
Tue Jan 06 19:06:22 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 06 19:06:22 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 06 19:06:22 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 06 19:06:22 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 06 19:06:22 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jan 06 19:06:22 2009 [***] Peer Connection Initiated with 88.***.***.***:1194
Tue Jan 06 19:06:24 2009 SENT CONTROL [***]: 'PUSH_REQUEST' (status=1)
Tue Jan 06 19:06:24 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.115.0 255.255.255.0,dhcp-option DNS 192.168.115.1,dhcp-option WINS 192.168.115.3,dhcp-option NTP 192.168.115.1,dhcp-option DISABLE-NBT,route 192.168.200.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.200.6 192.168.200.5'
Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: route options modified
Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jan 06 19:06:24 2009 TAP-WIN32 device [OpenVPN Omni] opened: \\.\Global\{633C2C01-88D5-4F6F-9413-F34D5E4F0FC6}.tap
Tue Jan 06 19:06:24 2009 TAP-Win32 Driver Version 8.4
Tue Jan 06 19:06:24 2009 TAP-Win32 MTU=1500
Tue Jan 06 19:06:24 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {633C2C01-88D5-4F6F-9413-F34D5E4F0FC6} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
Tue Jan 06 19:06:24 2009 Successful ARP Flush on interface [11] {633C2C01-88D5-4F6F-9413-F34D5E4F0FC6}
Tue Jan 06 19:06:26 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue Jan 06 19:06:26 2009 route ADD 192.168.115.0 MASK 255.255.255.0 192.168.200.5 OK
Tue Jan 06 19:06:26 2009 route ADD 192.168.200.0 MASK 255.255.255.0 192.168.200.5 OK
Tue Jan 06 19:06:26 2009 Initialization Sequence Completed
Server config:
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 192.168.200.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.115.0 255.255.255.0"
lport 1194
push "dhcp-option DNS 192.168.115.1"
push "dhcp-option WINS 192.168.115.3"
push "dhcp-option NTP 192.168.115.1"
push "dhcp-option DISABLE-NBT"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
Client config (obviously certificates are different):
####
client
dev tun
proto udp
remote 88.***.***.*** 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-omni.crt
cert fede-omni.crt
key fede-omni.key
ns-cert-type server
comp-lzo
pull
verb 3
#### FOR WINDOWS VISTA:
route-method exe
route-delay 2
#
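An added example, not from this thread, pfSense or OpenVPN, in Python: it reads the server config as posted, works out the net30 /30 slots that the 2.0-era `server` directive hands out (first client .6 with endpoint .5, exactly what the client log's `ifconfig` line shows), records whether `duplicate-cn` and `client-config-dir` are present, and scans server-log virtual-IP assignments for one tunnel address issued to different peers, separating the same-CN case (the check the earlier reply asks for) from a genuine pool clash. The config text is the one above; the log lines, the CNs clientA/clientB and the TEST-NET peer addresses are constructed, and the `MULTI: primary virtual IP` line shape is assumed to match what OpenVPN prints at a higher verbosity than the thread's capture.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the server config posted above, one directive per line.
SERVER_CONF = """
daemon
keepalive 10 60
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
client-to-client
server 192.168.200.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.115.0 255.255.255.0"
lport 1194
comp-lzo
"""

# Constructed sample server log. CNs clientA/clientB and the TEST-NET peer
# addresses are placeholders; the 'MULTI: primary virtual IP' lines are assumed
# to follow the shape OpenVPN logs at a higher verbosity than the thread shows.
SERVER_LOG = """
Jan  6 19:06:29 openvpn[12109]: 203.0.113.10:59418 [clientA] Peer Connection Initiated with 203.0.113.10:59418
Jan  6 19:06:29 openvpn[12109]: clientA/203.0.113.10:59418 MULTI: primary virtual IP for clientA/203.0.113.10:59418: 192.168.200.6
Jan  6 19:07:57 openvpn[12109]: 198.51.100.20:59266 [clientA] Peer Connection Initiated with 198.51.100.20:59266
Jan  6 19:07:57 openvpn[12109]: clientA/198.51.100.20:59266 MULTI: primary virtual IP for clientA/198.51.100.20:59266: 192.168.200.6
Jan  6 19:08:03 openvpn[12109]: clientB/198.51.100.30:40000 MULTI: primary virtual IP for clientB/198.51.100.30:40000: 192.168.200.10
"""

VIP_RE = re.compile(
    r"MULTI: primary virtual IP for (?P<cn>[^/\s]+)/(?P<peer>[\d.]+:\d+): (?P<ip>[\d.]+)"
)


def parse_directives(text):
    """Split an OpenVPN config into (name, args) pairs, dropping comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            out.append((name, args.strip()))
    return out


def net30_pool(network, netmask):
    """Client slots the 2.0-era 'server' directive creates in its default net30
    topology: the first /30 is the server's own, then each client gets one /30
    whose +2 address is the client and +1 the server-side endpoint."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    base = int(net.network_address)
    pool = []
    for off in range(4, net.num_addresses - 3, 4):
        pool.append((str(ipaddress.ip_address(base + off + 2)),
                     str(ipaddress.ip_address(base + off + 1))))
    return pool


def check_server_config(text):
    """Facts about address assignment a reviewer wants from the server config."""
    directives = parse_directives(text)
    names = {n for n, _ in directives}
    server = next((a for n, a in directives if n == "server"), None)
    result = {"duplicate_cn": "duplicate-cn" in names,
              "client_config_dir": next((a for n, a in directives
                                         if n == "client-config-dir"), None)}
    if server:
        pool = net30_pool(*server.split())
        result.update(pool_size=len(pool), first_client=pool[0][0],
                      first_endpoint=pool[0][1])
    return result


def assignments(log_text):
    """(cn, peer, virtual_ip) for every virtual-IP assignment, in log order."""
    return [(m["cn"], m["peer"], m["ip"]) for m in VIP_RE.finditer(log_text)]


def find_collisions(assigns):
    """Virtual IPs handed to more than one distinct peer. same_cn=True means the
    server saw one certificate CN behind both peers; without duplicate-cn it
    drops the earlier session and reissues that CN's address to the new one."""
    by_ip = defaultdict(list)
    for cn, peer, ip in assigns:
        by_ip[ip].append((cn, peer))
    report = {}
    for ip, entries in by_ip.items():
        peers = sorted({p for _, p in entries})
        if len(peers) > 1:
            report[ip] = {"peers": peers,
                          "same_cn": len({c for c, _ in entries}) == 1}
    return report


if __name__ == "__main__":
    print(check_server_config(SERVER_CONF))
    for ip, info in find_collisions(assignments(SERVER_LOG)).items():
        kind = "same" if info["same_cn"] else "different"
        print(f"{ip} issued to {len(info['peers'])} peers ({kind} CN): {info['peers']}")
```

Run it against a real server log at verb 4 or higher and the `same_cn` flag tells the two stories apart: a same-CN collision points at the client certificates, while a different-CN collision points at the pool or at `ifconfig-push` files under `client-config-dir`.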