OpenVPN - only 1 user can connect per public IP?



  • Running Netgate SG-8860, ver 4.2.2-release-p2 and I'm finding a problem that seems to have started just recently. User_1 connects via VPN and has no problems accessing what they need to access. User_2 connects from the same remote network (i.e. same public IP) and User_1 all of a sudden can't see anything across the VPN, like the tunnel is dead; however, the VPN client is still showing it as connected. When I look at the status of each, they're both being assigned the same virtual IP. When I look at my server config, I saw the client settings -> topology is set to "net30 - Isolated" and I've got clients limited to what they can access via IP blocks specified within the client specific override rules (i.e. User_1 is using 192.168.150.112/28, just as User_2 is using). From what I understand, the net30 option uses 4 addresses, but shouldn't it be assigning User_1 say .113 and User_2 say .116?

    If I switch the topology over to Subnet and assign each one a static IP, I can get each client to get their own IP (say .113 and .114); however, then I can't seem to access anything, i.e. the firewall rules restricting the blocks don't seem to work, BUT nothing shows in the firewall logs as being blocked.

    Server config: Remote Access(SSL/TLS +User Auth)
    Local DB backend auth
    UDP on IPv4 only
    tun - Layer 3
    local port 1194
    use TLS key
    TLS Authentication
    2048bit DH
    Default ECDH Curve
    AES-256-CBC
    NCP enabled
    SHA1
    Single cert depth
    192.168.150.0/24 tunnel network
    IPv4 local networks 172.16.0.0/13
    Adaptive LZO Compression
    Dynamic IP enabled
    net30 topology
    enable NetBIOS over TCP
    custom option: push "route 172.16.0.0 255.248.0.0";mute 10;comp-lzo;
    gateway creation: both

    I'm really scratching my head on this one especially since nothing has changed on my end in several months and this problem just seemed to crop up in the last week or two...


  • Do your Users share the same Cert?

    -Rico



  • Nope - all users have their own unique cert.



  • With your custom options, you're stating the same options twice, partly with different values.
    "route 172.16.0.0 255.248.0.0" is not needed, since that is already given by "IPv4 Local Network/s".
    The compression is set by the "compression" option in the GUI and "comp-lzo" is another setting than "Adaptive LZO Compression".

    Despite that, try to state a number at "Concurrent connections".



  • There is logic in OpenVPN that requires each client from the same IP to use its own source port for the connection. By default this is not the case, and this configuration is done in the client config only. In the Client Export tab:
    Enable "Use Random Local Port: Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently." and don't forget to push the "Save as Default" button.



  • I've tried all 3 suggestions (removing custom options, adding concurrent connections (used 100 to start), and using random local port and re-exporting clients) - still the same problem.



  • @jrichards555 can you give the server and client logs where the errors occurred? Did you check that the client config has the lport option in it?



  • I can see the lport 0 option in the config but just to make sure, I set each to a static port, verified they were using that static port and re-tested. No change.

    Here are the logs from user_1:
    Jun 24 12:13:06 PM: State changed to Creating...
    Jun 24 12:13:10 PM: State changed to Disconnected
    Jun 24 12:13:21 PM: State changed to Connecting
    Jun 24 12:13:21 PM: Viscosity Windows 1.7.16 (1616)
    Jun 24 12:13:21 PM: Running on Microsoft Windows 7 Professional
    Jun 24 12:13:21 PM: Running on .NET Framework Version 4.7.03062.461814
    Jun 24 12:13:21 PM: Bringing up interface...
    Jun 24 12:13:22 PM: OpenVPN 2.4.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on May 29 2019
    Jun 24 12:13:22 PM: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.09
    Jun 24 12:13:29 PM: Checking remote host "gw.itsgi.biz" is reachable...
    Jun 24 12:13:30 PM: Server reachable. Connecting to 65.182.173.204.
    Jun 24 12:13:30 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]65.182.173.204:1194
    Jun 24 12:13:30 PM: UDP link local (bound): [AF_INET][undef]:0
    Jun 24 12:13:30 PM: UDP link remote: [AF_INET]65.182.173.204:1194
    Jun 24 12:13:30 PM: State changed to Authenticating
    Jun 24 12:13:30 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jun 24 12:13:32 PM: [gw.itsgi.biz] Peer Connection Initiated with [AF_INET]65.182.173.204:1194
    Jun 24 12:13:33 PM: State changed to Connecting
    Jun 24 12:13:39 PM: open_tun
    Jun 24 12:13:39 PM: TAP-WIN32 device [Mobile Client] opened: \.\Global{EF3EC380-79E2-40C5-9FF7-5988BC9FF19A}.tap
    Jun 24 12:13:39 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.150.114/255.255.255.252 on interface {EF3EC380-79E2-40C5-9FF7-5988BC9FF19A} [DHCP-serv: 192.168.150.113, lease-time: 31536000]
    Jun 24 12:13:39 PM: Successful ARP Flush on interface [71] {EF3EC380-79E2-40C5-9FF7-5988BC9FF19A}
    Jun 24 12:13:44 PM: Initialization Sequence Completed
    Jun 24 12:13:45 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
    Server - 192.168.1.254:53; Lookup Type - Any; Domains - localdomain.

    Jun 24 12:13:45 PM: State changed to Connected

    User_2:
    Jun 24 12:16:06 PM: State changed to Creating...
    Jun 24 12:16:09 PM: State changed to Disconnected
    Jun 24 12:16:10 PM: State changed to Connecting
    Jun 24 12:16:10 PM: Viscosity Windows 1.7.16 (1616)
    Jun 24 12:16:10 PM: Running on Microsoft Windows 10 Pro
    Jun 24 12:16:10 PM: Running on .NET Framework Version 4.7.03190.461814
    Jun 24 12:16:10 PM: Bringing up interface...
    Jun 24 12:16:11 PM: OpenVPN 2.4.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on May 29 2019
    Jun 24 12:16:11 PM: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.09
    Jun 24 12:16:23 PM: Checking remote host "gw.itsgi.biz" is reachable...
    Jun 24 12:16:24 PM: Server reachable. Connecting to 65.182.173.204.
    Jun 24 12:16:24 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]65.182.173.204:1194
    Jun 24 12:16:24 PM: UDP link local (bound): [AF_INET][undef]:0
    Jun 24 12:16:24 PM: UDP link remote: [AF_INET]65.182.173.204:1194
    Jun 24 12:16:24 PM: State changed to Authenticating
    Jun 24 12:16:24 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jun 24 12:16:24 PM: [gw.itsgi.biz] Peer Connection Initiated with [AF_INET]65.182.173.204:1194
    Jun 24 12:16:25 PM: State changed to Connecting
    Jun 24 12:16:25 PM: open_tun
    Jun 24 12:16:26 PM: TAP-WIN32 device [Mobile Client] opened: \.\Global{412E1144-0EB8-46D2-B1FF-2C10F6454CD1}.tap
    Jun 24 12:16:26 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.150.114/255.255.255.252 on interface {412E1144-0EB8-46D2-B1FF-2C10F6454CD1} [DHCP-serv: 192.168.150.113, lease-time: 31536000]
    Jun 24 12:16:26 PM: Successful ARP Flush on interface [99] {412E1144-0EB8-46D2-B1FF-2C10F6454CD1}
    Jun 24 12:16:30 PM: Initialization Sequence Completed
    Jun 24 12:16:31 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
    Server - 192.168.1.254:53; Lookup Type - Any; Domains - localdomain.

    Jun 24 12:16:31 PM: State changed to Connected

    Server:
    Jun 24 12:12:39 openvpn user 'elc_varya' authenticated
    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: CMD 'status 2'
    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: CMD 'quit'
    Jun 24 12:13:09 openvpn 46486 MANAGEMENT: Client disconnected
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 TLS: Initial packet from [AF_INET]76.29.116.9:40380, sid=c6835101 c4c06ef6
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY SCRIPT OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY SCRIPT OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_VER=2.4.7
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_PLAT=win
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_PROTO=2
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_NCP=2
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZ4=1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZ4v2=1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZO=1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_COMP_STUB=1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_COMP_STUBv2=1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_TCPNL=1
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_GUI_VER=Viscosity_1.7.16_1616
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 TLS: Username/Password authentication deferred for username 'imenu_1' [CN SET]
    Jun 24 12:13:33 openvpn user 'imenu_1' authenticated
    Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 [imenu_1] Peer Connection Initiated with [AF_INET]76.29.116.9:40380
    Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 PUSH: Received control message: 'PUSH_REQUEST'
    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server1/imenu_1
    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_70912bca0ac5629b303a162db9042d6.tmp
    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: primary virtual IP for imenu_1/76.29.116.9:40380: 192.168.150.114
    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 PUSH: Received control message: 'PUSH_REQUEST'
    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 SENT CONTROL [imenu_1]: 'PUSH_REPLY,route 192.168.122.0 255.255.255.0,route 192.168.123.0 255.255.255.0,route 192.168.130.0 255.255.255.0,route 172.16.0.0 255.248.0.0,route 192.168.150.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.150.114 192.168.150.113,peer-id 1,cipher AES-128-GCM' (status=1)
    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Data Channel: using negotiated cipher 'AES-128-GCM'
    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
    Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
    Jun 24 12:14:11 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 24 12:14:12 openvpn 46486 MANAGEMENT: CMD 'status 2'
    Jun 24 12:14:12 openvpn 46486 MANAGEMENT: CMD 'quit'
    Jun 24 12:14:12 openvpn 46486 MANAGEMENT: Client disconnected
    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: CMD 'status 2'
    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: CMD 'quit'
    Jun 24 12:15:14 openvpn 46486 MANAGEMENT: Client disconnected
    Jun 24 12:16:16 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 24 12:16:16 openvpn 46486 MANAGEMENT: CMD 'status 2'
    Jun 24 12:16:17 openvpn 46486 MANAGEMENT: CMD 'quit'
    Jun 24 12:16:17 openvpn 46486 MANAGEMENT: Client disconnected
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 TLS: Initial packet from [AF_INET]76.29.116.9:50526, sid=7e7ec38e d08dad30
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY SCRIPT OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY SCRIPT OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_2
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_2
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_VER=2.4.7
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_PLAT=win
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_PROTO=2
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_NCP=2
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZ4=1
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZ4v2=1
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZO=1
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_COMP_STUB=1
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_COMP_STUBv2=1
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_TCPNL=1
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_GUI_VER=Viscosity_1.7.16_1616
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 TLS: Username/Password authentication deferred for username 'imenu_2' [CN SET]
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 [imenu_2] Peer Connection Initiated with [AF_INET]76.29.116.9:50526
    Jun 24 12:16:24 openvpn user 'imenu_2' authenticated
    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server1/imenu_2
    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4c9a1ab793b66d862fb8a0198c7fae6.tmp
    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: Learn: 192.168.150.114 -> imenu_2/76.29.116.9:50526
    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: primary virtual IP for imenu_2/76.29.116.9:50526: 192.168.150.114
    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 PUSH: Received control message: 'PUSH_REQUEST'
    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 SENT CONTROL [imenu_2]: 'PUSH_REPLY,route 192.168.122.0 255.255.255.0,route 192.168.123.0 255.255.255.0,route 192.168.130.0 255.255.255.0,route 172.16.0.0 255.248.0.0,route 192.168.150.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.150.114 192.168.150.113,peer-id 3,cipher AES-128-GCM' (status=1)
    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Data Channel: using negotiated cipher 'AES-128-GCM'
    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
    Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: CMD 'status 2'
    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: CMD 'quit'
    Jun 24 12:17:19 openvpn 46486 MANAGEMENT: Client disconnected



  • Note that these logs were taken after both were connected, i.e. user_1 connected, user_2 connected, then I took logs from everything...



  • @jrichards555 I'll try to look tomorrow; I'm at home now.



  • Did you try using the OpenVPN community version https://openvpn.net/community-downloads/ ? I don't have Viscosity, so maybe it is a client-specific case. We need to remove this from the possible causes.



  • My clients that found this issue do use OpenVPN. I just happen to use Viscosity...



  • I don't see when user 1 lost the connection to the VPN; it would be good to see the time and the error displayed. Could you recheck your post with the logs provided?



  • From the server logs and client logs, the timestamps of the initialize, auth and connect of user_2 and the disconnect of (some user: login not provided in the logs) do not match to the minute. It's strange; check yourself, maybe I missed something.



  • If you can switch to topology subnet, do it.
    It simplifies configuration.

    Anyway:
    Server log

    Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
    Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: Learn: 192.168.150.114 -> imenu_2/76.29.116.9:50526
    They get assigned the same tunnel ip.

    This is after the server reads:

    OPTIONS IMPORT: reading client specific options from:

    So you need to check your client specific overrides.



  • @dragoangel Times might vary a tad. As far as your keen eye seeing that User 1 loses connection, you are correct - it never does lose connection. It just suddenly can't reach the network. So if I'm pinging say 172.16.0.1 constantly and I suddenly connect with User 2, User 2 will connect and I can ping 172.16.0.1. When I go back to User 1, the client is still connected, but my pings time out...



  • @Pippin As I said, I've tried switching to topology subnet; however, then my firewall rules don't seem to work and there is nothing being logged telling me why.

    As far as my client specific overrides, my original configuration only has the IP subnet override - in the case of these users, 192.168.150.112/28. Both these users have this override and this has never been an issue. In my attempt to find this issue, I even tried it with 2 new users (in a different subnet - 150.2/29) and get the same thing. In the case of the different subnet, both users get assigned the .2 address.
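A check for the collision Pippin reads out of the server log, plus the net30 arithmetic behind a /28 override; this is an added example, not code from the thread, from pfSense or from OpenVPN. The log sample is constructed from the MULTI and PUSH_REPLY lines quoted above (same CNs, peers and addresses, other fields trimmed), and the ifconfig-push lines it produces are an illustration of what distinct per-client overrides would push, which the thread itself does not confirm as the fix.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the server log lines quoted in this thread.
SERVER_LOG = """\
Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: primary virtual IP for imenu_1/76.29.116.9:40380: 192.168.150.114
Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 SENT CONTROL [imenu_1]: 'PUSH_REPLY,topology net30,ifconfig 192.168.150.114 192.168.150.113,peer-id 1' (status=1)
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: primary virtual IP for imenu_2/76.29.116.9:50526: 192.168.150.114
Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 SENT CONTROL [imenu_2]: 'PUSH_REPLY,topology net30,ifconfig 192.168.150.114 192.168.150.113,peer-id 3' (status=1)
"""

VIP_RE = re.compile(
    r"MULTI: primary virtual IP for (?P<cn>[^/]+)/(?P<peer>\S+): (?P<vip>\d+(?:\.\d+){3})"
)


def find_shared_virtual_ips(log_text):
    """Return {virtual_ip: [CN, ...]} for every tunnel address the server handed
    to more than one distinct client CN. That is the symptom in this thread: the
    server maps each virtual IP to a single session, so after the second
    'MULTI: Learn' the first client's return traffic goes to the other session."""
    owners = defaultdict(set)
    for line in log_text.splitlines():
        m = VIP_RE.search(line)
        if m:
            owners[m.group("vip")].add(m.group("cn"))
    return {vip: sorted(cns) for vip, cns in owners.items() if len(cns) > 1}


def net30_pairs(tunnel_network):
    """List the (client, server) endpoint pairs that topology net30 carves out
    of a tunnel network: each client consumes a whole /30, whose first usable
    address is the server-side endpoint and second usable address the client."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen > 30:
        raise ValueError(f"{tunnel_network} is too small for one net30 client")
    pairs = []
    for block in net.subnets(new_prefix=30):
        server_end, client_end = list(block.hosts())
        pairs.append((str(client_end), str(server_end)))
    return pairs


def ifconfig_push_lines(client_cns, tunnel_network):
    """Give each CN its own /30 from the tunnel network and return the
    ifconfig-push line for its client-specific override (hypothetical
    assignment), so no two overrides resolve to the same endpoint pair."""
    pairs = net30_pairs(tunnel_network)
    if len(client_cns) > len(pairs):
        raise ValueError(f"{tunnel_network} holds only {len(pairs)} net30 clients")
    return {cn: f"ifconfig-push {client} {server}"
            for cn, (client, server) in zip(client_cns, pairs)}


if __name__ == "__main__":
    for vip, cns in find_shared_virtual_ips(SERVER_LOG).items():
        print(f"{vip} handed to more than one client: {', '.join(cns)}")
    for cn, line in ifconfig_push_lines(["imenu_1", "imenu_2"], "192.168.150.112/28").items():
        print(f"{cn}: {line}")
```

Within 192.168.150.112/28, net30 leaves room for four clients; the second block's endpoints are .117/.118, since .116 is that /30's network address.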



  • Thoughts anyone?

