Unable to work over multiple concurrent connections for the same client account



  • Greetings,

    I have the following setup: Active/Standby pfSense cluster on KVM virtualization. Remote access OpenVPN is configured in SSL/TLS Server mode and each client obtains /30 subnet according to net30 topology configured. Then I grant ACL access to each individual user based on obtained source IP. In OpenVPN server configuration I also have Duplicate Connection Allow option enabled (multiple concurrent connections from clients using the same Common Name).

    When user connects from his individual (CN based) account everything works fine. But when the second VPN session is established (from the other device), the first VPN tunnel stuck: it's in "UP" state both on the client and server side, but traffic doesn't pass anymore. The latest established tunnel still works fine though.

    Please advice how it can be fixed. Thank you.



  • UP!



  • So you've configured a CSO for each of your VPN users.
    Now, as you have a net30 topology you have to set at least a /29 tunnel network in the CSO for two connections. If you want more than two you have to set a respectively larger subnet.
    Is that given?

    In the firewall rules for your vpn clients you have to use the whole subnet of the CSO.



  • @viragomann

    Hi man, thank you for your reply. Whatever CIDR length I have in my CSO configuration I get the same IP on multiple VPN connections, just a different source port, but the problem remains. Is it possible to have multiple connections for the same user in net30 topology at all?



  • Yes multiple connections with the same user credentials are possible in a net30 topology, however, I don't know if it's possible in conjunction with CSO.
    I'm running multiple servers with TLS and user auth in net30 to have the possibility to assign different firewall rules to specific VPN user groups and some clients connect multiple times from different devices. Maybe that's an option for you.



  • @viragomann

    But to restrict a VPN user access in a firewall you have to explicitly assign the IP address to its connection, so the IP remains the same each time the user connects to VPN. And to do this you have to specify subnet per user in CSO. This is what I'm trying to do. But you tell me that it works for you, I mean the multiple connections from the same user account. And for me it doesn't: I am able to connect with the same account multiple times (from different devices), but traffic pass only for the latest VPN connection initialized for such user. What's the problem? Can we compare configuration files? Cause I think we are talking about the same thing, but it doesn't work for me.



  • @shshs said in Unable to work over multiple concurrent connections for the same client account:

    But to restrict a VPN user access in a firewall you have to explicitly assign the IP address to its connection, so the IP remains the same each time the user connects to VPN. And to do this you have to specify subnet per user in CSO.

    Not a single IP, but a subnet, since you have a net30 topology. As mentioned above you may set here at least a /29 subnet to realize two client connections from the same user, a /28 for four and so on.
    And you have to use exactly the same subnet in your filter rules source networks.
    It would be more clear if you post some screenshots of your OpenVPN server config and the CSOs and filter rules.

    Since I have separate VPN servers (not CSO!) for achieving different permissions to multiple user groups, I use the tunnel subnets in my filter rules.
    And I asked you if multiple OpenVPN servers may be an option for you.
    I've never run multiple connections with the client for which I've assigned a CSO.


Log in to reply