FreeRADIUS simultaneous connection not working for OpenVPN
-
You need to take into account how OpenVPN works.
It assigns an IP based on common name.
Maybe the following diagrams can shed some light on this:
https://community.openvpn.net/openvpn/wiki/AvoidRoutingConflicts
https://community.openvpn.net/openvpn/wiki/HowPacketsFlow
Also look at --duplicate-cn in the manual:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-
This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.
In the OpenVPN server settings, check the box to allow duplicate connections.
-
@jimp said in FreeRADIUS simultaneous connection not working for OpenVPN:
This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.
In the OpenVPN server settings, check the box to allow duplicate connections.
if you mean this:
then it's already there. And you probably missed in my 1st post that OVPN connection-wise it's absolutely fine, if I keep the IP address field empty. But both of the sessions get the same IP, which is a problem on the client side network.
As I also said, if I follow what is suggested in-line for the simultaneous connection settings, freeRADIUS fails to start. Don't think it's fair to say that it has nothing to do with [pfSense implementation of] RADIUS, IMO.
-San
-
@Pippin said in FreeRADIUS simultaneous connection not working for OpenVPN:
Also look at --duplicate-cn in the manual:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
I think --duplicate-cn is the same thing that @jimp suggested above? I already have that checked and hence I can make two connections, I believe??
-San
-
@jimp said in FreeRADIUS simultaneous connection not working for OpenVPN:
This has nothing to do with RADIUS and everything to do with OpenVPN not wanting you to connect with the same user+cert multiple times.
In the OpenVPN server settings, check the box to allow duplicate connections.
How about IPsec?
-
Hmm, almost impossible to find any reference to that notation in Radius. The only thing I can see is from the GNU Radius manual:
If this attribute is present in the RHS and has the value of Yes, then the value of NAS-Port-Id attribute from the authentication request will be added to the value of Framed-IP-Address attribute from the RHS, and resulting value will be returned in Framed-IP-Address attribute to the NAS. This provides the simplest form of organizing IP address pools. This attribute is implicitly added to the RHS when the value of a Framed-IP-Address attribute ends with `+' sign. For example the following: Framed-IP-Address = 10.10.0.1+ is equivalent to Framed-IP-Address = 10.10.0.1, Add-Port-To-IP-Address = Yes
I'm guessing that is no longer supported. Hard to see how it would ever have been in the context of that comment.
It might also not be relevant to the OpenVPN plugin, PPPoE may work with that for example. I have not tried. And by the looks of it hardly anyone has since, as you say, that comment has been there for a long while.
Steve
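The address arithmetic that the GNU Radius manual excerpt above describes, as an added example that is not part of the original thread and not code from GNU Radius, FreeRADIUS or pfSense. The function names are hypothetical, and a numeric NAS-Port-Id is an assumption; it models only the manual's wording, not what any current server or the OpenVPN plugin actually does.

```python
import ipaddress

def parse_reply_items(rhs):
    """Split a users-file RHS such as 'A = x, B = y' into a dict."""
    items = {}
    for pair in rhs.split(","):
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed reply item: {pair!r}")
        items[name.strip()] = value.strip()
    return items

def framed_ip(rhs, nas_port_id):
    """Return the Framed-IP-Address handed back to the NAS for one session."""
    items = parse_reply_items(rhs)
    base = items["Framed-IP-Address"]
    add_port = items.get("Add-Port-To-IP-Address", "No").lower() == "yes"
    # A trailing '+' implicitly sets Add-Port-To-IP-Address = Yes.
    if base.endswith("+"):
        base, add_port = base[:-1], True
    addr = ipaddress.IPv4Address(base)
    if add_port:
        # Assumption: NAS-Port-Id is numeric. Running past 255.255.255.255
        # raises AddressValueError (a ValueError) instead of wrapping around.
        addr = addr + int(nas_port_id)
    return str(addr)

# The two equivalent forms quoted from the manual.
SHORT = "Framed-IP-Address = 10.10.0.1+"
LONG = "Framed-IP-Address = 10.10.0.1, Add-Port-To-IP-Address = Yes"

if __name__ == "__main__":
    # Constructed input: two sessions of one user arriving on ports 1 and 2.
    for port in (1, 2):
        print(port, framed_ip(SHORT, port), framed_ip(LONG, port))
```

Under this scheme two sessions only receive distinct addresses when the NAS reports a different port for each; a NAS that sends the same port value for both would still produce the same address.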
-
@stephenw10
I think I also tried the same thing a yr. or so ago and filed but that time I carried on with some other important things. Now, this time I really need to do something about it. Anything else you can think of to supply two different IPs (dedicated or otherwise) for two simultaneous sessions from the same user, other than creating two a/c for the same user, as @NogBadTheBad suggested?
Can anyone think of any other trick(s)?
-San
-
Setup another server instance for those two users, check duplicate-cn and do not use CSO for that server.
-
@Pippin said in FreeRADIUS simultaneous connection not working for OpenVPN:
Setup another server instance for those two users, check duplicate-cn and do not use CSO for that server.
You can't have two instances of an IPsec VPN, can you?
-
You can't have two mobile IPSec servers, no. But this is OpenVPN, you can have as many instances as you have ports/resources.