OpenVPN - only 1 user can connect per public IP?

jrichards555

Running Netgate SG-8860, ver 4.2.2-release-p2 and I'm finding a problem that seems to have started just recently. User_1 connects via VPN and has no problems accessing what they need to access. User_2 connects from the same remote network (i.e. same public IP) and User_1 all of a sudden can't see anything across the VPN like the tunnel is dead however, the VPN client is still showing it as connected. When I look at the status of each, they're both being assigned the same virtual IP. When I look at my server config, I saw the client settings -> topology is set to "net30 - Isolated" and I've got clients limited to what they can access via IP blocks specified within the client specific override rules (i.e. User_1 is using 192.168.150.112/28, just as User_2 is using). From what I understand, the net30 option uses 4 addresses, but shouldn't it be assigning User_1 say .113 and User_2 say .116?

If I switch the topology over to Subnet and assign each one a static IP, I can get each client to get their own IP (say .113 and .114) however, then I can't seem to access anything i.e. the firewall rules restricting the blocks don't seem to work BUT nothing shows in the firewall logs as being blocked.

Server config: Remote Access(SSL/TLS +User Auth)
Local DB backend auth
UDP on IPv4 only
tun - Layer 3
local port 1194
use TLS key
TLS Authentication
2048bit DH
Default ECDH Curve
AES-256-CBC
NCP enabled
SHA1
Single cert depth
192.168.150.0/24 tunnel network
IPv4 local networks 172.16.0.0/13
Adaptive LZO Compression
Dynamic IP enabled
net30 topology
enable NetBIOS over TCP
custom option: push "route 172.16.0.0 255.248.0.0";mute 10;comp-lzo;
gateway creation: both

I'm really scratching my head on this one especially since nothing has changed on my end in several months and this problem just seemed to crop up in the last week or two...

Rico

Do your Users share the same Cert?

-Rico

jrichards555

Nope - all users have their own unique cert.

viragomann

With your custom options, you're stating the same options twice, partly with different values.
"route 172.16.0.0 255.248.0.0" is not needed, since that is already given by "IPv4 Local Network/s".
The compression is set by the "compression" option in the GUI and "comp-lzo" is another setting than "Adaptive LZO Compression".

Despite of that, try to state a number at "Concurrent connections".

dragoangel

There is an logic in OpenVPN that each client from same IPs need to use own source port for connection. By default this "not true" and this configuration done on client config only. In Client Export TAB:
Enable "Use Random Local Port: Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently." and not forget to push "Safe as Default buttom"

jrichards555

I've tried all 3 suggestions (removing custom options, adding concurrent connections (used 100 to start) and use random local port and re-exported clients - still the same problem.

dragoangel

@jrichards555 can you give server and client logs? where errors occurred. Did you check that client config have lport option in it?

jrichards555

I can see the lport 0 option in the config but just to make sure, I set each to a static port, verified they were using that static port and re-tested. No change.

Here are the logs from user_1:
Jun 24 12:13:06 PM: State changed to Creating...
Jun 24 12:13:10 PM: State changed to Disconnected
Jun 24 12:13:21 PM: State changed to Connecting
Jun 24 12:13:21 PM: Viscosity Windows 1.7.16 (1616)
Jun 24 12:13:21 PM: Running on Microsoft Windows 7 Professional
Jun 24 12:13:21 PM: Running on .NET Framework Version 4.7.03062.461814
Jun 24 12:13:21 PM: Bringing up interface...
Jun 24 12:13:22 PM: OpenVPN 2.4.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on May 29 2019
Jun 24 12:13:22 PM: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.09
Jun 24 12:13:29 PM: Checking remote host "gw.itsgi.biz" is reachable...
Jun 24 12:13:30 PM: Server reachable. Connecting to 65.182.173.204.
Jun 24 12:13:30 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]65.182.173.204:1194
Jun 24 12:13:30 PM: UDP link local (bound): [AF_INET][undef]:0
Jun 24 12:13:30 PM: UDP link remote: [AF_INET]65.182.173.204:1194
Jun 24 12:13:30 PM: State changed to Authenticating
Jun 24 12:13:30 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 24 12:13:32 PM: [gw.itsgi.biz] Peer Connection Initiated with [AF_INET]65.182.173.204:1194
Jun 24 12:13:33 PM: State changed to Connecting
Jun 24 12:13:39 PM: open_tun
Jun 24 12:13:39 PM: TAP-WIN32 device [Mobile Client] opened: \.\Global{EF3EC380-79E2-40C5-9FF7-5988BC9FF19A}.tap
Jun 24 12:13:39 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.150.114/255.255.255.252 on interface {EF3EC380-79E2-40C5-9FF7-5988BC9FF19A} [DHCP-serv: 192.168.150.113, lease-time: 31536000]
Jun 24 12:13:39 PM: Successful ARP Flush on interface [71] {EF3EC380-79E2-40C5-9FF7-5988BC9FF19A}
Jun 24 12:13:44 PM: Initialization Sequence Completed
Jun 24 12:13:45 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
Server - 192.168.1.254:53; Lookup Type - Any; Domains - localdomain.

Jun 24 12:13:45 PM: State changed to Connected

User_2:
Jun 24 12:16:06 PM: State changed to Creating...
Jun 24 12:16:09 PM: State changed to Disconnected
Jun 24 12:16:10 PM: State changed to Connecting
Jun 24 12:16:10 PM: Viscosity Windows 1.7.16 (1616)
Jun 24 12:16:10 PM: Running on Microsoft Windows 10 Pro
Jun 24 12:16:10 PM: Running on .NET Framework Version 4.7.03190.461814
Jun 24 12:16:10 PM: Bringing up interface...
Jun 24 12:16:11 PM: OpenVPN 2.4.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] built on May 29 2019
Jun 24 12:16:11 PM: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.09
Jun 24 12:16:23 PM: Checking remote host "gw.itsgi.biz" is reachable...
Jun 24 12:16:24 PM: Server reachable. Connecting to 65.182.173.204.
Jun 24 12:16:24 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]65.182.173.204:1194
Jun 24 12:16:24 PM: UDP link local (bound): [AF_INET][undef]:0
Jun 24 12:16:24 PM: UDP link remote: [AF_INET]65.182.173.204:1194
Jun 24 12:16:24 PM: State changed to Authenticating
Jun 24 12:16:24 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 24 12:16:24 PM: [gw.itsgi.biz] Peer Connection Initiated with [AF_INET]65.182.173.204:1194
Jun 24 12:16:25 PM: State changed to Connecting
Jun 24 12:16:25 PM: open_tun
Jun 24 12:16:26 PM: TAP-WIN32 device [Mobile Client] opened: \.\Global{412E1144-0EB8-46D2-B1FF-2C10F6454CD1}.tap
Jun 24 12:16:26 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.150.114/255.255.255.252 on interface {412E1144-0EB8-46D2-B1FF-2C10F6454CD1} [DHCP-serv: 192.168.150.113, lease-time: 31536000]
Jun 24 12:16:26 PM: Successful ARP Flush on interface [99] {412E1144-0EB8-46D2-B1FF-2C10F6454CD1}
Jun 24 12:16:30 PM: Initialization Sequence Completed
Jun 24 12:16:31 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
Server - 192.168.1.254:53; Lookup Type - Any; Domains - localdomain.

Jun 24 12:16:31 PM: State changed to Connected

Server:
Jun 24 12:12:39 openvpn user 'elc_varya' authenticated
Jun 24 12:13:09 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jun 24 12:13:09 openvpn 46486 MANAGEMENT: CMD 'status 2'
Jun 24 12:13:09 openvpn 46486 MANAGEMENT: CMD 'quit'
Jun 24 12:13:09 openvpn 46486 MANAGEMENT: Client disconnected
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 TLS: Initial packet from [AF_INET]76.29.116.9:40380, sid=c6835101 c4c06ef6
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY SCRIPT OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY SCRIPT OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 VERIFY OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_VER=2.4.7
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_PLAT=win
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_PROTO=2
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_NCP=2
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZ4=1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZ4v2=1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_LZO=1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_COMP_STUB=1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_COMP_STUBv2=1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_TCPNL=1
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 peer info: IV_GUI_VER=Viscosity_1.7.16_1616
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Jun 24 12:13:33 openvpn 46486 76.29.116.9:40380 TLS: Username/Password authentication deferred for username 'imenu_1' [CN SET]
Jun 24 12:13:33 openvpn user 'imenu_1' authenticated
Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 [imenu_1] Peer Connection Initiated with [AF_INET]76.29.116.9:40380
Jun 24 12:13:36 openvpn 46486 76.29.116.9:40380 PUSH: Received control message: 'PUSH_REQUEST'
Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server1/imenu_1
Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_70912bca0ac5629b303a162db9042d6.tmp
Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: primary virtual IP for imenu_1/76.29.116.9:40380: 192.168.150.114
Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 PUSH: Received control message: 'PUSH_REQUEST'
Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 SENT CONTROL [imenu_1]: 'PUSH_REPLY,route 192.168.122.0 255.255.255.0,route 192.168.123.0 255.255.255.0,route 192.168.130.0 255.255.255.0,route 172.16.0.0 255.248.0.0,route 192.168.150.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.150.114 192.168.150.113,peer-id 1,cipher AES-128-GCM' (status=1)
Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Data Channel: using negotiated cipher 'AES-128-GCM'
Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jun 24 12:13:41 openvpn 46486 imenu_1/76.29.116.9:40380 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jun 24 12:14:11 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jun 24 12:14:12 openvpn 46486 MANAGEMENT: CMD 'status 2'
Jun 24 12:14:12 openvpn 46486 MANAGEMENT: CMD 'quit'
Jun 24 12:14:12 openvpn 46486 MANAGEMENT: Client disconnected
Jun 24 12:15:14 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jun 24 12:15:14 openvpn 46486 MANAGEMENT: CMD 'status 2'
Jun 24 12:15:14 openvpn 46486 MANAGEMENT: CMD 'quit'
Jun 24 12:15:14 openvpn 46486 MANAGEMENT: Client disconnected
Jun 24 12:16:16 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jun 24 12:16:16 openvpn 46486 MANAGEMENT: CMD 'status 2'
Jun 24 12:16:17 openvpn 46486 MANAGEMENT: CMD 'quit'
Jun 24 12:16:17 openvpn 46486 MANAGEMENT: Client disconnected
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 TLS: Initial packet from [AF_INET]76.29.116.9:50526, sid=7e7ec38e d08dad30
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY SCRIPT OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY OK: depth=1, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=ITSGI-InternalCA
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY SCRIPT OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_2
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 VERIFY OK: depth=0, C=US, ST=Illinois, L=Joliet, O=IT Services Group Inc, emailAddress=domain@itsgi.com, CN=imenu_2
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_VER=2.4.7
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_PLAT=win
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_PROTO=2
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_NCP=2
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZ4=1
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZ4v2=1
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_LZO=1
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_COMP_STUB=1
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_COMP_STUBv2=1
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_TCPNL=1
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 peer info: IV_GUI_VER=Viscosity_1.7.16_1616
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 TLS: Username/Password authentication deferred for username 'imenu_2' [CN SET]
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 24 12:16:24 openvpn 46486 76.29.116.9:50526 [imenu_2] Peer Connection Initiated with [AF_INET]76.29.116.9:50526
Jun 24 12:16:24 openvpn user 'imenu_2' authenticated
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/server1/imenu_2
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4c9a1ab793b66d862fb8a0198c7fae6.tmp
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: Learn: 192.168.150.114 -> imenu_2/76.29.116.9:50526
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: primary virtual IP for imenu_2/76.29.116.9:50526: 192.168.150.114
Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 PUSH: Received control message: 'PUSH_REQUEST'
Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 SENT CONTROL [imenu_2]: 'PUSH_REPLY,route 192.168.122.0 255.255.255.0,route 192.168.123.0 255.255.255.0,route 192.168.130.0 255.255.255.0,route 172.16.0.0 255.248.0.0,route 192.168.150.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.150.114 192.168.150.113,peer-id 3,cipher AES-128-GCM' (status=1)
Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Data Channel: using negotiated cipher 'AES-128-GCM'
Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jun 24 12:16:26 openvpn 46486 imenu_2/76.29.116.9:50526 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jun 24 12:17:19 openvpn 46486 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Jun 24 12:17:19 openvpn 46486 MANAGEMENT: CMD 'status 2'
Jun 24 12:17:19 openvpn 46486 MANAGEMENT: CMD 'quit'
Jun 24 12:17:19 openvpn 46486 MANAGEMENT: Client disconnected

jrichards555

Note that these logs were taken after both were connected, i.e. user_1 connected, user_2 connected, then I took logs from everything...

dragoangel

@jrichards555 try look tomorrow, now at home

dragoangel

Did you tried use OpenVPN community version https://openvpn.net/community-downloads/ ? I'm not have viscosity, so maybe it client specific related case. We need remove this from possible case.

jrichards555

My clients that found this issue do use OpenVPN. I just happen to use Viscosity...

dragoangel

I doesn't see when user 1 was loss connection to VPN it good to see it time and error displayed. Could you recheck your post with logs provided.

dragoangel

From server logs and client logs timestamp of initialize, auth and connect user_2 and disconnect of (some users: login not provide in logs) are not matching in minute. It strange, check yourself, maybe I lose something

Pippin

If you can switch to topology subnet, do it.
It simplifies configuration.

Anyway:
Server log

Jun 24 12:13:36 openvpn 46486 imenu_1/76.29.116.9:40380 MULTI: Learn: 192.168.150.114 -> imenu_1/76.29.116.9:40380
Jun 24 12:16:25 openvpn 46486 imenu_2/76.29.116.9:50526 MULTI: Learn: 192.168.150.114 -> imenu_2/76.29.116.9:50526

They get assigned the same tunnel ip.

This is after the server reads:

OPTIONS IMPORT: reading client specific options from:

So you need to check you client specific overides.

jrichards555

@dragoangel Times might vary a tad. As far as your keen eye seeing that User 1 loses connection, you are correct - it never does lose connection. It just suddenly can't reach the network. So if I'm pinging say 172.16.0.1 constantly and I suddenly connect with User 2, User 2 will connect and I can ping 172.16.0.1. When I go back to User 1, the client is still connected, but my pings time out...

jrichards555

@Pippin As I said, I've tried switching to topology subnet however, then my firewall rules don't seem to work and there is nothing being logged telling me why.

As far as my client specific overrides, my original configuration only has the IP subnet override - in the case of these users, 192.168.150.112/28. Both these users have this override and this has never been an issue. In my attempt to find this issue, I even tried it with 2 new users (in a different subnet - 150.2/29) and get the same thing. In the cased of the different subnet, both users get assigned the .2 address.

jrichards555

Thoughts anyone?