Netgate Discussion Forum

OpenVPN - only 1 user can connect per public IP?
jrichards555

Running Netgate SG-8860, ver 4.2.2-release-p2, and I'm finding a problem that seems to have started just recently. User_1 connects via VPN and has no problems accessing what they need to access. User_2 connects from the same remote network (i.e. same public IP) and User_1 all of a sudden can't see anything across the VPN, as if the tunnel is dead; however, the VPN client is still showing it as connected. When I look at the status of each, they're both being assigned the same virtual IP. When I look at my server config, I saw the client settings -> topology is set to "net30 - Isolated" and I've got clients limited to what they can access via IP blocks specified within the client specific override rules (i.e. User_1 is using 192.168.150.112/28, just as User_2 is). From what I understand, the net30 option uses 4 addresses, but shouldn't it be assigning User_1 say .113 and User_2 say .116?

If I switch the topology over to Subnet and assign each one a static IP, I can get each client to get their own IP (say .113 and .114); however, then I can't seem to access anything, i.e. the firewall rules restricting the blocks don't seem to work BUT nothing shows in the firewall logs as being blocked.

      Server config: Remote Access(SSL/TLS +User Auth)
      Local DB backend auth
      UDP on IPv4 only
      tun - Layer 3
      local port 1194
      use TLS key
      TLS Authentication
      2048bit DH
      Default ECDH Curve
      AES-256-CBC
      NCP enabled
      SHA1
      Single cert depth
      192.168.150.0/24 tunnel network
      IPv4 local networks 172.16.0.0/13
      Adaptive LZO Compression
      Dynamic IP enabled
      net30 topology
      enable NetBIOS over TCP
      custom option: push "route 172.16.0.0 255.248.0.0";mute 10;comp-lzo;
      gateway creation: both

      I'm really scratching my head on this one especially since nothing has changed on my end in several months and this problem just seemed to crop up in the last week or two...

Rico

        Do your Users share the same Cert?

        -Rico

jrichards555

          Nope - all users have their own unique cert.

viragomann

With your custom options, you're stating the same options twice, partly with different values.
"route 172.16.0.0 255.248.0.0" is not needed, since that is already given by "IPv4 Local Network/s".
The compression is set by the "compression" option in the GUI, and "comp-lzo" is a different setting from "Adaptive LZO Compression".

Apart from that, try setting a number at "Concurrent connections".

dragoangel

There is logic in OpenVPN that each client from the same IP needs to use its own source port for the connection. By default this is "not true", and this configuration is done in the client config only. In the Client Export tab:
enable "Use Random Local Port: Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently." and don't forget to push the "Save as Default" button.

              Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
              Unifi AP-AC-LR with EAP RADIUS, US-24

jrichards555

I've tried all 3 suggestions (removing custom options, adding concurrent connections (used 100 to start), and using a random local port and re-exporting the clients) - still the same problem.

dragoangel @jrichards555

@jrichards555 Can you give server and client logs from where the errors occurred? Did you check that the client config has the lport option in it?

jrichards555

                    I can see the lport 0 option in the config but just to make sure, I set each to a static port, verified they were using that static port and re-tested. No change.

                    Here are the logs from user_1:
                    Jun 24 12:13:06 PM: State changed to Creating...
                    Jun 24 12:13:10 PM: State changed to Disconnected
                    Jun 24 12:13:21 PM: State changed to Connecting
                    Jun 24 12:13:21 PM: Viscosity Windows 1.7.16 (1616)
                    Jun 24 12:13:21 PM: Running on Microsoft Windows 7 Professional
                    Jun 24 12:13:21 PM: Running on .NET Framework Version 4.7.03062.461814
                    Jun 24 12:13:21 PM: Bringing up interface...
                    Jun 24 12:13:22 PM: OpenVPN 2.4.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on May 29 2019
                    Jun 24 12:13:22 PM: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.09
                    Jun 24 12:13:29 PM: Checking remote host "gw.itsgi.biz" is reachable...
                    Jun 24 12:13:30 PM: Server reachable. Connecting to 65.182.173.204.
                    Jun 24 12:13:30 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]65.182.173.204:1194
                    Jun 24 12:13:30 PM: UDP link local (bound): [AF_INET][undef]:0
                    Jun 24 12:13:30 PM: UDP link remote: [AF_INET]65.182.173.204:1194
                    Jun 24 12:13:30 PM: State changed to Authenticating
                    Jun 24 12:13:30 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                    Jun 24 12:13:32 PM: [gw.itsgi.biz] Peer Connection Initiated with [AF_INET]65.182.173.204:1194
                    Jun 24 12:13:33 PM: State changed to Connecting
                    Jun 24 12:13:39 PM: open_tun
                    Jun 24 12:13:39 PM: TAP-WIN32 device [Mobile Client] opened: \.\Global{EF3EC380-79E2-40C5-9FF7-5988BC9FF19A}.tap
                    Jun 24 12:13:39 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.150.114/255.255.255.252 on interface {EF3EC380-79E2-40C5-9FF7-5988BC9FF19A} [DHCP-serv: 192.168.150.113, lease-time: 31536000]
                    Jun 24 12:13:39 PM: Successful ARP Flush on interface [71] {EF3EC380-79E2-40C5-9FF7-5988BC9FF19A}
                    Jun 24 12:13:44 PM: Initialization Sequence Completed
                    Jun 24 12:13:45 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
                    Server - 192.168.1.254:53; Lookup Type - Any; Domains - localdomain.

                    Jun 24 12:13:45 PM: State changed to Connected

                    User_2:
                    Jun 24 12:16:06 PM: State changed to Creating...
                    Jun 24 12:16:09 PM: State changed to Disconnected
                    Jun 24 12:16:10 PM: State changed to Connecting
                    Jun 24 12:16:10 PM: Viscosity Windows 1.7.16 (1616)
                    Jun 24 12:16:10 PM: Running on Microsoft Windows 10 Pro
                    Jun 24 12:16:10 PM: Running on .NET Framework Version 4.7.03190.461814
                    Jun 24 12:16:10 PM: Bringing up interface...
                    Jun 24 12:16:11 PM: OpenVPN 2.4.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on May 29 2019
                    Jun 24 12:16:11 PM: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.09
                    Jun 24 12:16:23 PM: Checking remote host "gw.itsgi.biz" is reachable...
                    Jun 24 12:16:24 PM: Server reachable. Connecting to 65.182.173.204.
                    Jun 24 12:16:24 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]65.182.173.204:1194
                    Jun 24 12:16:24 PM: UDP link local (bound): [AF_INET][undef]:0
                    Jun 24 12:16:24 PM: UDP link remote: [AF_INET]65.182.173.204:1194
                    Jun 24 12:16:24 PM: State changed to Authenticating
                    Jun 24 12:16:24 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                    Jun 24 12:16:24 PM: [gw.itsgi.biz] Peer Connection Initiated with [AF_INET]65.182.173.204:1194
                    Jun 24 12:16:25 PM: State changed to Connecting
                    Jun 24 12:16:25 PM: open_tun
                    Jun 24 12:16:26 PM: TAP-WIN32 device [Mobile Client] opened: \.\Global{412E1144-0EB8-46D2-B1FF-2C10F6454CD1}.tap
                    Jun 24 12:16:26 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.150.114/255.255.255.252 on interface {412E1144-0EB8-46D2-B1FF-2C10F6454CD1} [DHCP-serv: 192.168.150.113, lease-time: 31536000]
                    Jun 24 12:16:26 PM: Successful ARP Flush on interface [99] {412E1144-0EB8-46D2-B1FF-2C10F6454CD1}
                    Jun 24 12:16:30 PM: Initialization Sequence Completed
                    Jun 24 12:16:31 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
                    Server - 192.168.1.254:53; Lookup Type - Any; Domains - localdomain.

                    Jun 24 12:16:31 PM: State changed to Connected

                    Server:
                    Jun 24 12:12:39 openvpn user 'elc_varya' authenticated
                    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
                    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: CMD 'status 2'
                    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: CMD 'quit'
                    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: Client disconnected
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 TLS: Initial packet from [AF_INET]76.29.116.9:40380, sid=c6835101 c4c06ef6
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY SCRIPT OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY SCRIPT OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_VER=2.4.7
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_PLAT=win
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_PROTO=2
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_NCP=2
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZ4=1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZ4v2=1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZO=1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_COMP_STUB=1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_COMP_STUBv2=1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_TCPNL=1
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_GUI_VER=Viscosity_1.7.16_1616
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
                    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 TLS: Username/Password authentication deferred for username 'imenu_1' [CN SET]
                    Jun 24 12:13:33 openvpn user 'imenu_1' authenticated
                    Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
                    Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 [imenu_1] Peer Connection Initiated with [AF_INET]76.29.116.9:40380
                    Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 PUSH: Received control message: 'PUSH_REQUEST'
                    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server1/imenu_1
                    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_70912bca0ac5629b303a162db9042d6.tmp
                    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
                    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: primary virtual IP for imenu_1/76.29.116.9:40380: 192.168.150.114
                    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 PUSH: Received control message: 'PUSH_REQUEST'
                    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 SENT CONTROL [imenu_1]: 'PUSH_REPLY,route 192.168.122.0 255.255.255.0,route 192.168.123.0 255.255.255.0,route 192.168.130.0 255.255.255.0,route 172.16.0.0 255.248.0.0,route 192.168.150.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.150.114 192.168.150.113,peer-id 1,cipher AES-128-GCM' (status=1)
                    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Data Channel: using negotiated cipher 'AES-128-GCM'
                    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
                    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
                    Jun 24 12:14:11 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
                    Jun 24 12:14:12 openvpn 46486 MANAGEMENT: CMD 'status 2'
                    Jun 24 12:14:12 openvpn 46486 MANAGEMENT: CMD 'quit'
                    Jun 24 12:14:12 openvpn 46486 MANAGEMENT: Client disconnected
                    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
                    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: CMD 'status 2'
                    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: CMD 'quit'
                    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: Client disconnected
                    Jun 24 12:16:16 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
                    Jun 24 12:16:16 openvpn 46486 MANAGEMENT: CMD 'status 2'
                    Jun 24 12:16:17 openvpn 46486 MANAGEMENT: CMD 'quit'
                    Jun 24 12:16:17 openvpn 46486 MANAGEMENT: Client disconnected
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 TLS: Initial packet from [AF_INET]76.29.116.9:50526, sid=7e7ec38e d08dad30
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY SCRIPT OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY SCRIPT OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_2
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_2
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_VER=2.4.7
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_PLAT=win
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_PROTO=2
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_NCP=2
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZ4=1
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZ4v2=1
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZO=1
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_COMP_STUB=1
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_COMP_STUBv2=1
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_TCPNL=1
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_GUI_VER=Viscosity_1.7.16_1616
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 TLS: Username/Password authentication deferred for username 'imenu_2' [CN SET]
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
                    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 [imenu_2] Peer Connection Initiated with [AF_INET]76.29.116.9:50526
                    Jun 24 12:16:24 openvpn user 'imenu_2' authenticated
                    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server1/imenu_2
                    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4c9a1ab793b66d862fb8a0198c7fae6.tmp
                    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: Learn: 192.168.150.114 -> imenu_2/76.29.116.9:50526
                    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: primary virtual IP for imenu_2/76.29.116.9:50526: 192.168.150.114
                    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 PUSH: Received control message: 'PUSH_REQUEST'
                    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 SENT CONTROL [imenu_2]: 'PUSH_REPLY,route 192.168.122.0 255.255.255.0,route 192.168.123.0 255.255.255.0,route 192.168.130.0 255.255.255.0,route 172.16.0.0 255.248.0.0,route 192.168.150.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.150.114 192.168.150.113,peer-id 3,cipher AES-128-GCM' (status=1)
                    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Data Channel: using negotiated cipher 'AES-128-GCM'
                    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
                    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
                    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
                    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: CMD 'status 2'
                    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: CMD 'quit'
                    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: Client disconnected

jrichards555 @jrichards555

                      Note that these logs were taken after both were connected, i.e. user_1 connected, user_2 connected, then I took logs from everything...

dragoangel @jrichards555

@jrichards555 I'll try to look tomorrow, I'm at home now.

dragoangel

Did you try using the OpenVPN community version https://openvpn.net/community-downloads/ ? I don't have Viscosity, so maybe it is a client-specific case. We need to remove this from the possible causes.

jrichards555

                            My clients that found this issue do use OpenVPN. I just happen to use Viscosity...

dragoangel

I don't see when user 1 lost connection to the VPN; it would be good to see the time and the error displayed. Could you recheck your post with the logs provided?

dragoangel

From the server logs and client logs, the timestamps of initialize, auth and connect for user_2 and the disconnect of (some users: login not provided in logs) do not match to the minute. It's strange, check yourself, maybe I'm missing something.

Pippin

                                  If you can switch to topology subnet, do it.
                                  It simplifies configuration.

                                  Anyway:
                                  Server log

                                  Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
                                  Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: Learn: 192.168.150.114 -> imenu_2/76.29.116.9:50526
                                  

                                  They get assigned the same tunnel ip.

                                  This is after the server reads:

                                  OPTIONS IMPORT: reading client specific options from:
                                  

So you need to check your client specific overrides.

                                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                                  Halton Arp

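Pippin's observation above, as an added example that is not from the thread or from pfSense: a small Python checker that reads OpenVPN server log lines in the format quoted here and flags a tunnel address that was learned for two different common names, plus the net30 slot arithmetic behind the original question about .113 and .116. The sample log lines are constructed from the thread's format; the elc_varya source address 203.0.113.7 is invented.

```python
"""Flag OpenVPN clients that were handed the same tunnel address.

Constructed example: parses the 'MULTI: Learn:' lines the pfSense OpenVPN
server writes to its log and reports any virtual IP mapped to more than one
distinct client common name.  It also lists the /30 slots a net30
client-specific override block can actually hand out, so the expected
per-client addresses can be compared with what the server learned.
"""
import ipaddress
import re
from collections import defaultdict

# Pattern for the lines of interest, e.g.
#   ... imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
LEARN_RE = re.compile(
    r"MULTI: Learn: (?P<vip>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<cn>[^/\s]+)/(?P<src>\S+)"
)


def learned_addresses(log_lines):
    """Map each learned virtual IP to the set of (common name, source) pairs."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LEARN_RE.search(line)
        if m:
            seen[m.group("vip")].add((m.group("cn"), m.group("src")))
    return seen


def duplicate_assignments(log_lines):
    """Return {vip: sorted common names} for every vip shared by two or more CNs.

    One CN reconnecting from a new source port is not a conflict.  Two
    different certificates on one tunnel address is: the server's internal
    routing table can point the address at only one of them, so the earlier
    client silently stops receiving traffic while its client still shows
    "connected", exactly the symptom described in the thread.
    """
    dups = {}
    for vip, peers in learned_addresses(log_lines).items():
        cns = sorted({cn for cn, _src in peers})
        if len(cns) > 1:
            dups[vip] = cns
    return dups


def net30_slots(block):
    """List the (server_endpoint, client_ip) pairs a net30 pool block offers.

    In topology net30 each client consumes a whole /30: network address,
    server endpoint, client address, broadcast.  A /28 override block thus
    holds four distinct clients, not sixteen, and the first usable client
    address is .114 with .113 as its peer (matching the pushed
    'ifconfig 192.168.150.114 192.168.150.113' in the server log).
    """
    net = ipaddress.ip_network(block, strict=False)
    slots = []
    for sub in net.subnets(new_prefix=30):
        hosts = list(sub.hosts())  # [server endpoint, client address]
        slots.append((str(hosts[0]), str(hosts[1])))
    return slots


# Constructed sample, modelled on the server log posted in the thread.
SAMPLE_LOG = """\
Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: primary virtual IP for imenu_1/76.29.116.9:40380: 192.168.150.114
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: Learn: 192.168.150.114 -> imenu_2/76.29.116.9:50526
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: primary virtual IP for imenu_2/76.29.116.9:50526: 192.168.150.114
Jun 24 12:20:02 openvpn 46486 elc_varya/203.0.113.7:51000 MULTI: Learn: 192.168.150.6 -> elc_varya/203.0.113.7:51000
""".splitlines()

if __name__ == "__main__":
    for vip, cns in duplicate_assignments(SAMPLE_LOG).items():
        print(f"CONFLICT: {vip} learned for {', '.join(cns)}")
    for server_ep, client_ip in net30_slots("192.168.150.112/28"):
        print(f"net30 slot: server {server_ep} <-> client {client_ip}")
```

Run against a real server log, the conflict list is empty when each client-specific override hands out its own /30; a non-empty list points at the override (or pool) that assigned the same slot twice.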
jrichards555 @dragoangel

                                    @dragoangel Times might vary a tad. As far as your keen eye seeing that User 1 loses connection, you are correct - it never does lose connection. It just suddenly can't reach the network. So if I'm pinging say 172.16.0.1 constantly and I suddenly connect with User 2, User 2 will connect and I can ping 172.16.0.1. When I go back to User 1, the client is still connected, but my pings time out...

jrichards555 @Pippin

@Pippin As I said, I've tried switching to topology subnet; however, then my firewall rules don't seem to work and there is nothing being logged telling me why.

As far as my client specific overrides, my original configuration only has the IP subnet override - in the case of these users, 192.168.150.112/28. Both these users have this override and this has never been an issue. In my attempt to find this issue, I even tried it with 2 new users (in a different subnet - 150.2/29) and get the same thing. In the case of the different subnet, both users get assigned the .2 address.

jrichards555

                                        Thoughts anyone?

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.