Netgate Discussion Forum

    FreeRADIUS simultaneous connection not working for OpenVPN

      NogBadTheBad

      I spent a few hours trying to get it to work and couldn't. In the FreeRADIUS documentation ippool is mentioned; it might help?

      https://wiki.freeradius.org/modules/Rlm_ippool

      https://wiki.freeradius.org/guide/Ippool-and-radius-client

      I was just trying to split my /24 into 2 x /25, the first /25 having access to everything and the last /25 access to the internet only.

      It's a bit of a PITA having to define a unique ip address for each user.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        MacUsers

        Can anyone from the pfSense team confirm if the format of the continuous IP address format (e.g. 10.0.51.5+), as suggested, is correct or not? It's still hard for me to believe that it's flawed and has been overlooked for such a long time, version after version. Anyone?

        -San

          Pippin

          You need to take into account how OpenVPN works.
          It assigns an IP based on common name.
          Maybe the following diagrams can shed some light on this:
          https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts
          https://community.openvpn.net/openvpn/wiki/HowPacketsFlow

          Also look at --duplicate-cn in the manual:
          https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

            jimp Rebel Alliance Developer Netgate

            This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.

            In the OpenVPN server settings, check the box to allow duplicate connections.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              MacUsers @jimp

              @jimp said in FreeRADIUS simultaneous connection not working for OpenVPN:

              This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.

              In the OpenVPN server settings, check the box to allow duplicate connections.

              If you mean this: [image]
              then it's already there. And you probably missed in my 1st post that OVPN connection-wise it's absolutely fine if I keep the IP address field empty. But both of the sessions get the same IP, which is a problem on the client-side network.

              As I also said, if I follow what is suggested in-line for the simultaneous connection settings, freeRADIUS fails to start. Don't think it's fair to say that it's nothing to do with [pfSense implementation of] RADIUS, IMO.

              -San

                MacUsers @Pippin

                @Pippin said in FreeRADIUS simultaneous connection not working for OpenVPN:

                Also look at --duplicate-cn in the manual:
                https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

                I think --duplicate-cn is the same thing that @jimp suggested above? I already have that checked and hence I can make two connections, I believe??

                -San

                  NogBadTheBad @jimp

                  @jimp said in FreeRADIUS simultaneous connection not working for OpenVPN:

                  This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.

                  In the OpenVPN server settings, check the box to allow duplicate connections.

                  How about IPsec?

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    stephenw10 Netgate Administrator

                    Hmm, almost impossible to find any reference to that notation in Radius. The only thing I can see is from the GNU Radius manual:

                     If this attribute is present in the RHS and has the value of Yes, then the value of NAS-Port-Id attribute from the authentication request will be added to the value of Framed-IP-Address attribute from the RHS, and resulting value will be returned in Framed-IP-Address attribute to the NAS.
                    
                    This provides the simplest form of organizing IP address pools.
                    
                    This attribute is implicitly added to the RHS when the value of a Framed-IP-Address attribute ends with `+' sign. For example the following:
                    
                                Framed-IP-Address = 10.10.0.1+
                    
                    is equivalent to
                    
                                Framed-IP-Address = 10.10.0.1,
                                Add-Port-To-IP-Address = Yes
                    

                    I'm guessing that is no longer supported. Hard to see how it would ever have been in the context of that comment.
                    It might also not be relevant to the OpenVPN plugin, PPPoE may work with that for example. I have not tried. And by the looks of it hardly anyone has since, as you say, that comment has been there for a long while.

                    Steve

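
The arithmetic described in the GNU Radius manual text quoted above, as an added example that is not part of the original post and is not pfSense, FreeRADIUS or GNU Radius code. It models only the "base address plus NAS port" rule for one user with two simultaneous sessions; the pool bound, the function names and the sample port numbers are assumptions made for the illustration.

```python
import ipaddress


def parse_framed_ip(value):
    """Split a Framed-IP-Address value into (base address, add_port flag).

    A trailing '+' is the shorthand the quoted manual gives for
    Add-Port-To-IP-Address = Yes.
    """
    value = value.strip()
    add_port = value.endswith("+")
    base = ipaddress.IPv4Address(value[:-1] if add_port else value)
    return base, add_port


def assign_address(framed_value, nas_port, pool):
    """Return the address sent back to the NAS for one session.

    `pool` is an assumption of this example: the manual text sets no upper
    bound, so the check below keeps base + port inside one network.
    """
    base, add_port = parse_framed_ip(framed_value)
    if not add_port:
        return base  # fixed address: every session gets the same one
    if nas_port < 0:
        raise ValueError("NAS port must be non-negative")
    net = ipaddress.ip_network(pool)
    candidate = int(base) + nas_port
    # Reject results that land on or outside the network/broadcast addresses.
    if not int(net.network_address) < candidate < int(net.broadcast_address):
        raise ValueError(f"{framed_value} + port {nas_port} leaves {pool}")
    return ipaddress.IPv4Address(candidate)


def sessions_distinct(framed_value, nas_ports, pool):
    """Assign an address per session and report whether all are distinct."""
    addrs = [str(assign_address(framed_value, p, pool)) for p in nas_ports]
    return addrs, len(set(addrs)) == len(addrs)


if __name__ == "__main__":
    # Constructed sample: one user, two simultaneous sessions on NAS ports 1 and 2.
    for value in ("10.0.51.5", "10.0.51.5+"):
        print(value, sessions_distinct(value, [1, 2], "10.0.51.0/24"))
```

With a fixed value both sessions receive the same address; with the `+` form the result depends entirely on the NAS sending a different port number per session.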
                      MacUsers @stephenw10

                      @stephenw10
                      I think I also tried the same thing a yr. or so ago and failed, but that time I carried on with some other important things. Now, this time I really need to do something about it. Anything else you can think of to supply two different IPs (dedicated or otherwise) for two simultaneous sessions from the same user, other than creating two a/c for the same user, as @NogBadTheBad suggested?
                      Can anyone think of any other trick(s)?

                      -San

                        Pippin

                        Set up another server instance for those two users, check duplicate-cn and do not use CSO for that server.

                        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                        Halton Arp

                          NogBadTheBad @Pippin

                          @Pippin said in FreeRADIUS simultaneous connection not working for OpenVPN:

                          Set up another server instance for those two users, check duplicate-cn and do not use CSO for that server.

                          You can't have two instances of an IPsec VPN, can you?

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                            stephenw10 Netgate Administrator

                            You can't have two mobile IPSec servers, no. But this is OpenVPN, you can have as many instances as you have ports/resources.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.