PfSense OpenVPN clients getting same IP address
-
Simple.
You need one server CA - That's all.
You need one user cert per client that's connecting.
I like using TUN not TAP
Assign a subnet not in use anywhere else to openvpn - like 10.12.47.0/24
Don't allow multiple concurrent connections from same user.
I'm not putting any entries at all in DHCP server for the VPN interface or subnet.
It just works if you keep it simple.
-
Thanks for the reply.
Sorry, yes I'm using TUN. Don't want any extra problems with using TAP.
I've done all as you suggest, and just don't seem to be getting it right both times. The first one is fine, and I have a site to site VPN that works fine, but I just can't seem to add a second remote user and have it work right. Is there a particular order I need to be doing it in? These things can be finicky sometimes, I guess.
I was using the wizard to do the whole lot, but that seemed not to work at all. Now I'm creating the CA, then the user cert, then the user themselves, followed by going through the wizard to tie it all together, and then adding the user cert to the user profile.
I'm starting again with the whole lot, and will post back how I get on.
Thanks.
-
Okay, so I've recreated the whole shebang, and everything is working again except both connections are still getting the same IP address!
It turns out that if I assign 10.10.7.0/29 and 10.10.8.0/29 as the local networks then both connections will work fine. The reason that it wasn't working in my original is because of the 10.10.7.1/29 and 10.10.7.10/29 subnets.
It would seem that both connections have to be on a x.x.x.0 subnet or the TLS handshake will fail.
Is there any way that I can get this to work, or is it just a peculiarity of the system?
Thanks.
-
Which of these servers are you trying to create?
How about you post screenshots or your /var/etc/openvpn/serverx.conf
-
Local Network/s should just have the LAN(s) that you want to be reached by the clients across the OpenVPN link. Do not put the tunnel network in there.
Have a single server, single CA, single server certificate. Make the Tunnel Network bigger, like 10.10.7.0/24
Create a client certificate for each user.
OpenVPN will give each connection a separate /30 part of the tunnel - e.g.
10.10.7.4/30 (server end .5 client end .6)
10.10.7.8/30 (server end .9 client end .10)
…
-
Hint hint. Twice you have been recommended to move to a /24…
Just saying.
-
Which of these servers are you trying to create?
How about you post screenshots or your /var/etc/openvpn/serverx.conf
Yes, it's a User Auth with TLS authentication. Nothing wrong with both, right?
Please let me know if you need any other config info (even just for curiosity). I haven't the time to extract and redact the entire config file.
Local Network/s should just have the LAN(s) that you want to be reached by the clients across the OpenVPN link. Do not put the tunnel network in there.
Have a single server, single CA, single server certificate. Make the Tunnel Network bigger, like 10.10.7.0/24
Create a client certificate for each user.
OpenVPN will give each connection a separate /30 part of the tunnel - e.g.
10.10.7.4/30 (server end .5 client end .6)
10.10.7.8/30 (server end .9 client end .10)
…
Thanks for the confirmation. When you're this close to the trees, it's hard to see the forest. I've kept the same CA for all remote certificates, it seems to be working alright, but otherwise both configs have their own certs and users. The local networks are 10.10.0.0/16 - this includes the tunnel subnets, but I have four subnets so far, and I'm looking to add more, so I'd rather not add them all individually if possible.
The kicker is, even if I assign 10.10.7.0/24 to both openvpn configs as the tunnel network, they both get 10.10.7.6 as the IP address. This is the part I'm struggling with. Assigning a different /24 subnet to each is the only way I've managed to get it to work.
Hint hint. Twice you have been recommended to move to a /24…
Just saying.
See above - this didn't fix the issue, oddly.
-
Maybe I read wrong…
On the server side are you configuring the same 10.10.7.0/24 on two different openvpn configs running on a single pfsense?
"This is the part I'm struggling with. Assigning a different /24 subnet to each is the only way I've managed to get it to work" - Yeah - Because that's the only way you should do it.
-
You have to use a different tunnel network in every OpenVPN server instance.
Why are you making 2 OpenVPN servers?
You can have many clients connecting to the 1 server with no problem.
For security you should really give every client its own client certificate, created off the same CA as the server certificate. Then if needed you can use Client Specific Overrides to allocate a particular /30 of the tunnel network to particular clients, and then make firewall rules specific to particular client addresses…
-
phil.davis is correct on all counts.
The only time I run more than 1 openvpn instance on a single pfsense is when I need to provide separate services to people with different needs, or to firewall different types of users from each other or the LAN etc.
If I just had a whole bunch of people who needed openvpn access and I could treat them all the same I'd use just 1 instance of pfsense.
No matter if you decide to use a single or multiple instance of openvpn, make sure the subnet you use for each tunnel doesn't overlap with any other subnet in use on the pfsense and be careful with using /16s because it's real easy to have those overlap with all your /24s.
-
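The /30-per-client allocation phil.davis describes (10.10.7.4/30 with server end .5 and client end .6, then 10.10.7.8/30, and so on) and the overlap warning in the reply just above can both be checked with a small script before the settings go into the pfSense GUI. The following is an added example, not code from this thread or from the pfSense project; the tunnel and local networks in it are constructed sample values, and it assumes OpenVPN's default net30 topology, in which the first /30 of the tunnel network is taken by the server itself and each client receives one of the following /30s.

```python
import ipaddress

# Constructed sample configuration (not the thread author's real config):
# two OpenVPN server instances, each with its own tunnel network, plus the
# LAN-side networks that belong in the "Local Network/s" field.
TUNNEL_NETWORKS = {
    "server1": "10.10.7.0/24",
    "server2": "10.10.8.0/24",
}
LOCAL_NETWORKS = {
    "lan": "10.10.1.0/24",
    "dmz": "10.10.2.0/24",
}


def parse_network(cidr):
    """Parse a CIDR strictly as a network address.

    10.10.7.10/29 is rejected: it is a host inside 10.10.7.8/29, not a
    network, which is the kind of entry the thread found would not work.
    """
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr} is not a network address: {exc}") from exc


def net30_client_slots(tunnel_cidr):
    """List the /30 slots a net30-topology server hands to clients.

    Returns (slot, server_end, client_end) string tuples. The first /30 of
    the tunnel belongs to the server, so client slots start at the second.
    """
    tunnel = parse_network(tunnel_cidr)
    if tunnel.prefixlen > 30:
        raise ValueError(f"{tunnel_cidr} is smaller than a single /30")
    slots = []
    for sub in list(tunnel.subnets(new_prefix=30))[1:]:
        server_end, client_end = sub.hosts()  # the two usable hosts of a /30
        slots.append((str(sub), str(server_end), str(client_end)))
    return slots


def find_overlaps(tunnels, locals_):
    """Return (name, name) pairs of networks that overlap.

    Checks tunnel vs tunnel (two server instances must not share a tunnel
    network) and tunnel vs local (a /16 in Local Networks that swallows the
    tunnel networks is the trap the thread warns about). Local networks are
    not compared with each other, since a summary route may legitimately
    contain the individual LANs.
    """
    named = [(f"tunnel:{n}", parse_network(c)) for n, c in tunnels.items()]
    named += [(f"local:{n}", parse_network(c)) for n, c in locals_.items()]
    problems = []
    for i, (name_a, net_a) in enumerate(named):
        for name_b, net_b in named[i + 1:]:
            if name_a.startswith("local:") and name_b.startswith("local:"):
                continue
            if net_a.overlaps(net_b):
                problems.append((name_a, name_b))
    return problems


if __name__ == "__main__":
    for name, cidr in TUNNEL_NETWORKS.items():
        slots = net30_client_slots(cidr)
        print(f"{name}: {cidr} gives {len(slots)} client slots, first {slots[0]}")
    for name_a, name_b in find_overlaps(TUNNEL_NETWORKS, LOCAL_NETWORKS):
        print(f"OVERLAP: {name_a} and {name_b}")
```

Running it against the thread's own numbers shows what happened: a 10.10.7.0/29 tunnel has exactly one client slot, 10.10.7.4/30 with client end .6, and a /24 on the same base address hands its first client the same .6 address; two instances configured with the same tunnel network therefore both report a client at 10.10.7.6, and the /16 the author put in Local Networks is flagged as overlapping both tunnels.
-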
Okay, okay, so this seems to have highlighted that my setup is a bit backwards regardless.
I was under the impression that I need to set up a separate server for each client who wants to connect. Why would I need to do that, you ask? No idea, just thought I did. Hence, the allocation of a /24 address range when only one client was connecting seemed wasteful. This is why I was trying to assign a /29 subnet to each server, to keep them all on the same range.
Maybe I read wrong…
On the server side are you configuring the same 10.10.7.0/24 on two different openvpn configs running on a single pfsense?
"This is the part I'm struggling with. Assigning a different /24 subnet to each is the only way I've managed to get it to work" - Yeah - Because that's the only way you should do it.
Originally, yes. One server would get 10.10.7.0/29 and the next would get 10.10.7.10/29 - Thus allowing for up to ~eight addresses, but the /29 would only use 6. This should allow for reconnection if the connection drops out and the server keeps the connection open, not being aware it has been closed.
Apparently, my fundamental misunderstanding on how this is supposed to work has been the problem from the beginning.
You have to use a different tunnel network in every OpenVPN server instance.
Why are you making 2 OpenVPN servers?
You can have many clients connecting to the 1 server with no problem.
For security you should really give every client its own client certificate, created off the same CA as the server certificate. Then if needed you can use Client Specific Overrides to allocate a particular /30 of the tunnel network to particular clients, and then make firewall rules specific to particular client addresses…
After Googling exactly what you mentioned, I stumbled across this article (https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server) which appears to explain what you're referring to in detail. So, it's setting it up in a similar way, but correctly (which I wasn't). This should allow me to allocate only a small address space to each client, which makes much more sense than how I was doing it. Thank you.
phil.davis is correct on all counts.
The only time I run more than 1 openvpn instance on a single pfsense is when I need to provide separate services to people with different needs, or to firewall different types of users from each other or the LAN etc.
If I just had a whole bunch of people who needed openvpn access and I could treat them all the same I'd use just 1 instance of pfsense.
No matter if you decide to use a single or multiple instance of openvpn, make sure the subnet you use for each tunnel doesn't overlap with any other subnet in use on the pfsense and be careful with using /16s because it's real easy to have those overlap with all your /24s.
Yes, having extensive networking qualifications through the network+ course I completed some years ago (tongue-in-cheek) I'm trying to be as careful as possible with my subnetting. I think I'm over-allocating in the beginning, but I can always reduce as time goes on.
Thanks again for the help, guys. I think I've got my head around it now.