VPN Same IP Addresses



  • After upgrading pfSense 1.2 >> pfSense 1.2.1, OpenVPN assigns all clients the same IP (192.168.190.6), and, obviously, clients continue to connect and disconnect… Certificates are different...

    OpenVPN config:

    Protocol: UDP
    Dynamic IP: checked
    Local Port: 27835
    Address Pool: 192.168.190.0/24
    Use static ip: unchecked
    Local network: 192.168.115.0/24
    Remote network: blank
    Client-to-client VPN: checked
    Cryptography: BF-CBC 128-bit
    Authentication: PKI
    LZO compression: checked

    ???



  • Are these all individual PCs that are connecting?  Or are they different networks?

    Maybe try to disable "Client-to-client VPN"

    Cheers



  • PCs are connecting from different locations and IPs. I've tried to disable "Client-to-client VPN", but it doesn't work…

    I'm going to format and reinstall pfSense, because "reset to default" solved nothing.



  • Did you double-check that the connecting clients really have different keys/certificates?
    Re-setting up pfSense doesn't help much.
    I'd rather re-set up the CA and rebuild the clients.



  • OK, I'll try to rebuild the CA and certificates…



  • Nothing… Also, I used certificates from another OpenVPN that certainly works, but I have the same problem...  :-\



  • Can you show the 3 log outputs when connecting to the pfSense server?

    1: server
    2: client1
    3: client2

    It would also help if you could provide the raw config files of all 3, in /var/etc on the pf.



  • Server:

    
    Jan 6 19:08:40 	openvpn[12109]: omniservicesrl.it/151.***.***.***:59418 [***] Inactivity timeout (--ping-restart), restarting
    Jan 6 19:07:57 	openvpn[12109]: 88.***.***.***:59266 [***] Peer Connection Initiated with 88.***.***.***:59266
    Jan 6 19:07:56 	openvpn[12109]: 88.***.***.***:59266 LZO compression initialized
    Jan 6 19:07:56 	openvpn[12109]: 88.***.***.***:59266 Re-using SSL/TLS context
    Jan 6 19:06:29 	openvpn[12109]: 151.***.***.***:59418 [***] Peer Connection Initiated with 151.***.***.***:59418
    Jan 6 19:06:28 	openvpn[12109]: 151.***.***.***:59418 LZO compression initialized
    Jan 6 19:06:28 	openvpn[12109]: 151.***.***.***:59418 Re-using SSL/TLS context
    
    

    Client 1 & Client 2 are identical:

    Tue Jan 06 19:06:21 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Tue Jan 06 19:06:21 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Tue Jan 06 19:06:21 2009 LZO compression initialized
    Tue Jan 06 19:06:21 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue Jan 06 19:06:21 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Jan 06 19:06:21 2009 Local Options hash (VER=V4): '41690919'
    Tue Jan 06 19:06:21 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Tue Jan 06 19:06:21 2009 UDPv4 link local: [undef]
    Tue Jan 06 19:06:21 2009 UDPv4 link remote: 88.***.***.***:1194
    Tue Jan 06 19:06:21 2009 TLS: Initial packet from 88.***.***.***:1194, sid=93c9ddcc 542da9de
    Tue Jan 06 19:06:22 2009 VERIFY OK: depth=1, /C=IT/ST=Italy/L=Nerviano__MI/O=****/CN=****/emailAddress=info@****.it
    Tue Jan 06 19:06:22 2009 VERIFY OK: nsCertType=SERVER
    Tue Jan 06 19:06:22 2009 VERIFY OK: depth=0, /C=IT/ST=Italy/O=****/CN=****/emailAddress=info@****.it
    Tue Jan 06 19:06:22 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Jan 06 19:06:22 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jan 06 19:06:22 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Jan 06 19:06:22 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jan 06 19:06:22 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Tue Jan 06 19:06:22 2009 [***] Peer Connection Initiated with 88.***.***.***:1194
    Tue Jan 06 19:06:24 2009 SENT CONTROL [***]: 'PUSH_REQUEST' (status=1)
    Tue Jan 06 19:06:24 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.115.0 255.255.255.0,dhcp-option DNS 192.168.115.1,dhcp-option WINS 192.168.115.3,dhcp-option NTP 192.168.115.1,dhcp-option DISABLE-NBT,route 192.168.200.0 255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.200.6 192.168.200.5'
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: route options modified
    Tue Jan 06 19:06:24 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue Jan 06 19:06:24 2009 TAP-WIN32 device [OpenVPN Omni] opened: \\.\Global\{633C2C01-88D5-4F6F-9413-F34D5E4F0FC6}.tap
    Tue Jan 06 19:06:24 2009 TAP-Win32 Driver Version 8.4 
    Tue Jan 06 19:06:24 2009 TAP-Win32 MTU=1500
    Tue Jan 06 19:06:24 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {633C2C01-88D5-4F6F-9413-F34D5E4F0FC6} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
    Tue Jan 06 19:06:24 2009 Successful ARP Flush on interface [11] {633C2C01-88D5-4F6F-9413-F34D5E4F0FC6}
    Tue Jan 06 19:06:26 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Tue Jan 06 19:06:26 2009 route ADD 192.168.115.0 MASK 255.255.255.0 192.168.200.5
     OK
    Tue Jan 06 19:06:26 2009 route ADD 192.168.200.0 MASK 255.255.255.0 192.168.200.5
     OK
    Tue Jan 06 19:06:26 2009 Initialization Sequence Completed
    
    

    Server config:

    
    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-to-client
    server 192.168.200.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 192.168.115.0 255.255.255.0"
    lport 1194
    push "dhcp-option DNS 192.168.115.1"
    push "dhcp-option WINS 192.168.115.3"
    push "dhcp-option NTP 192.168.115.1"
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    
    

    Client config (obviously the certificates are different):

    
    ####
    client
    dev tun
    proto udp
    remote 88.***.***.*** 1194
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca-omni.crt
    cert fede-omni.crt
    key fede-omni.key
    ns-cert-type server
    comp-lzo
    pull
    verb 3
    
    #### FOR WINDOWS VISTA:
    route-method exe
    route-delay 2 
    #
    
    

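The symptom in the logs above (every client told `ifconfig 192.168.200.6 192.168.200.5`, sessions restarting on `--ping-restart`) is exactly what OpenVPN produces when two clients present certificates with the same CN: without `duplicate-cn` in the server config, the server treats the second connection as the first client reconnecting, tears the old session down, and hands the freed first pool slot (.6/.5) to the new one. The following Python model of the net30 `ifconfig-pool` is an added example, not code from this thread or from OpenVPN; it assumes no `ifconfig-pool-persist` and no per-client file in `client-config-dir`, and the CNs are constructed names.

```python
import ipaddress


class Net30Pool:
    """Hands out /30 blocks the way OpenVPN's 'server' directive does in net30
    topology: 'server 192.168.200.0 255.255.255.0' keeps the first /30 for the
    server itself and offers clients the blocks from .4/30 up to .248/30, so the
    first client is told 'ifconfig 192.168.200.6 192.168.200.5', the next .10/.9.
    Active sessions are tracked by the CN of the client certificate."""

    def __init__(self, network, duplicate_cn=False):
        net = ipaddress.ip_network(network)
        self.blocks = list(net.subnets(new_prefix=30))[1:-1]  # .4/30 .. .248/30
        self.duplicate_cn = duplicate_cn
        self.active = {}  # CN -> list of pool block indexes in use by that CN

    def connect(self, cn):
        """Return (client_ip, server_endpoint, dropped) for a new session of cn.
        dropped is True when an existing session with the same CN was torn down
        first, which is OpenVPN's behaviour unless 'duplicate-cn' is set."""
        dropped = False
        if not self.duplicate_cn and cn in self.active:
            self.active.pop(cn)  # same CN => treated as the old client reconnecting
            dropped = True
        used = {i for idxs in self.active.values() for i in idxs}
        idx = next(i for i in range(len(self.blocks)) if i not in used)  # first free slot
        self.active.setdefault(cn, []).append(idx)
        server_side, client = self.blocks[idx].hosts()  # usable hosts of the /30: .5, .6
        return str(client), str(server_side), dropped


def simulate(cns, duplicate_cn=False):
    """Connect the given CNs in order against the 192.168.200.0/24 pool from the thread."""
    pool = Net30Pool("192.168.200.0/24", duplicate_cn=duplicate_cn)
    return [pool.connect(cn) for cn in cns]


if __name__ == "__main__":
    # Two certificates with distinct CNs (constructed names): .6 then .10, nobody dropped.
    print(simulate(["client-a", "client-b"]))
    # Two certificates sharing one CN: both get .6 and the first session is kicked,
    # the connect/disconnect loop described in the thread.
    print(simulate(["fede-omni", "fede-omni"]))
    # With 'duplicate-cn' both sessions stay, each in its own /30 block.
    print(simulate(["fede-omni", "fede-omni"], duplicate_cn=True))
```

Comparing the CN of each issued client certificate (for example with `openssl x509 -noout -subject -in fede-omni.crt`) against this model is the quickest way to confirm or rule out the duplicate-CN explanation before rebuilding the CA.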
Locked