OpenVPN Server: 2 clients obtaining same tunnel IP address

  • Kind of like the subject says...

    pfSense is the server (obviously) running the latest DEVEL version. My 2 OpenVPN clients are a Windows 10 PC, and 1 Android Pie mobile phone using OpenVPN Connect 3.0.7

    If I connect just 1 device, everything works as I want it to. ..

    As soon as I connect the 2nd device, things go totally wrong. Looking on the GUI and on the clients, I discovered that both devices are obtaining the same IP address on the tunnelled network.

    Both devices are given IP

    What would possibly be causing this? In the GUI, the only settings I can see that relate to the topology are:

    IPv4 Tunnel Network: (my LAN is on 14.0/24)
    Topology: Subnet -- One IP address per client in a common subnet

    For clarity I have attached file /var/etc/openvpn/server1.conf (with sensitive info removed)server1(edited).txt

    Apologies if I'm being stupid, but I just can't see why OpenVPN would even attempt to dish out the same IP address twice

    Server mode is set to Remote Access (SSL/TLS + User Auth) and each device has a unique user certificate in the certificate manager. I checked that I'd sent the different configurations (from OpenVPN Client Export) to each device and not done something stupid like used the same one on both devices.

    Thoughts appreciated :)

  • LAYER 8 Rebel Alliance

    So you have two unique Usernames and both get the same IP?


  • Sorry for the delayed reply - just got out of hospital so now I'm back at home where the actual pfSense install is.

    I haven't got 2 unique usernames, I'm authenticating against FreeRADIUS, as I use this to log in to the Wi-Fi, but didn't think this would be an issue.

    I will try setting up a 2nd unique username and testing against it, but I believed it would be sufficient to use 2 unique certificates. (Under System / Certificate Manager / Certificates, I have 2 different User Certificates) which means when I go to "VPN / OpenVPN / Client Export" I am given 2 unique configurations and I am copying each one to their respective devices.

  • @LandRocket hi. Did you specify any client override option? If so there could be unique override settings for each user cn. Or just skip overriding options.

  • openvpn-client.txt @Renat [0_1567660333168_client1.ovpn](Uploading 100%)

    AFAIK it's all pretty OOB, nothing intentionally modified.

  • LAYER 8 Moderator

    If you get the same IP on both devices I would bet on:

    • you're using the same username
    • you have something like username-certificate-CN matching
    • either a CSO (client specific override) with a static IP configured OR
    • setup a static in FreeRadius that is pushed to the client
    • setup the OVPN server that multiple concurrent connections from the same user aren't allowed
    • setup the user in Freeradius with concurrent connections =1

    Something along those lines almost always is the culprit. :)

  • Testing with new FreeRADIUS user gave me unique IPs. It became a bit obvious when I read the logs too....

    Sep 6 06:13:26 openvpn 90065 (username)/(externalip):37496 MULTI_sva: pool returned IPv4=(vpntunnelip).2, IPv6=(Not enabled)

    So, I know for future that even with Server mode in OpenVPN set to Remote Access (SSL/TLS + User Auth) - you still need unique usernames..

    OSI Model Layer 8 issue in progress... 😀

  • LAYER 8 Moderator

    @LandRocket said in OpenVPN Server: 2 clients obtaining same tunnel IP address:

    So, I know for future that even with Server mode in OpenVPN set to Remote Access (SSL/TLS + User Auth) - you still need unique usernames..
    OSI Model Layer 8 issue in progress...

    Nah, not right. I'm running a FreeRadius Setup with OpenVPN users + certs. I can use my User with the same cert etc. on my phone and laptop simultaneously without problems. That's why I was betting on the points above. It is working with the same user, just not if some of the things I mentioned are configured the wrong way.

Log in to reply