Multiple clients - VPN provider is sometimes assigning same subnet to different clients
-
Hi,
On pfSense 2.7.0, I have set up three OpenVPN clients, connected to servers in three different countries. The VPN provider is NordVPN.
I have assigned an interface to each OpenVPN client and set those interfaces up as gateways, using firewall rules to re-assign the correct gateway based on source and/or destination, and to block the traffic from leaving via WAN using tagging and floating rules. They are, of course, added to outbound NAT, using hybrid outbound mode.
All that is working fine. Traffic goes where it is supposed to.
The OpenVPN clients are usually assigned internal IPv4 addresses and subnets by NordVPN in the range 10.8.[0-3].0/24. At least, those are the subnets I have observed so far.
However, sometimes NordVPN assigns the same internal IPv4 subnet to multiple clients. This can happen dynamically, probably when OpenVPN reconnects a client, or it can happen at initialization, e.g. at boot.
When this happens, the relevant gateway stops working as well.
Here is an example, where all 3 clients got an address in the same IP subnet, 10.8.0.0/24.
The routing table:
In this case, only VPN traffic routed over ovpnc4 works, the other two interfaces do not allow any traffic.
And the gateways:
The normal situation should look like this:
Routing table:
Gateways:
My first thought was to write a script to check for duplicate subnets assigned to the Ovpn-clients, find the one(s) without a valid route entry and then keep sending SIGUSR1 or SIGHUP to the PIDs, until all 3 clients would have a unique subnet.
However, as this only fixes the problem after it has occurred, and traffic has stopped for the clients being routed over the now non-working interface, I would like to be able to avoid the problem altogether.
Is there anything else I can do to avoid the issue?
The OpenVPN interface does not support virtual IPs. Setting a specific subnet, like 10.8.3.0/24, in the client options does not have any effect, nor does selecting the option of a separate /30 subnet in the client options.
I have also tried to create a bridge with a fixed IP address, using the DE client as a test, with just the OpenVPN client interface as a member, and then set up that bridge as a gateway, etc., but that didn't work either. Or at least I couldn't get it to work. The bridge would have an IP of 10.9.1.1/32, and the OpenVPN interface would then get its usual 10.8.x.y/24 from NordVPN.
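The detection script sketched above (find the OpenVPN client tunnels that share a subnet, work out which one does not own the kernel route, and signal its openvpn process), as an added example that is not the poster's own script and not part of pfSense. It parses the text output of FreeBSD `ifconfig` and `netstat -rn -f inet`; the `ovpncN` interface names, the `Opened by PID` line that FreeBSD prints for tun devices, and the sample outputs embedded below are constructed for the example, modelled on the post (three clients in 10.8.0.0/24, only ovpnc4 holding the route), not captured from the poster's box.

```python
#!/usr/local/bin/python3.11
"""Find ovpncN tunnels whose subnet collides with another client's and whose
subnet route is owned by a different interface; send SIGUSR1 to that tunnel's
openvpn process so it reconnects (and hopefully gets a different subnet).
Added example: parses FreeBSD ifconfig / netstat text, dry-runs on embedded
samples unless started with --live."""
import ipaddress
import os
import re
import signal
import subprocess
import sys

IFACE_RE = re.compile(r"^(?P<name>ovpnc\d+):")                    # tunnel block header
INET_RE = re.compile(r"^\s+inet (?P<ip>\d+\.\d+\.\d+\.\d+).*?netmask (?P<mask>0x[0-9a-fA-F]+)")
PID_RE = re.compile(r"^\s+Opened by PID (?P<pid>\d+)")             # FreeBSD prints this for tun/tap
ROUTE_RE = re.compile(r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+\S+\s+\S+\s+(?P<netif>\S+)")


def parse_ifconfig(text):
    """Return {iface: {"subnet": IPv4Network, "pid": int|None}} for ovpnc* tunnels."""
    result, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group("name")
            result[cur] = {"subnet": None, "pid": None}
            continue
        if cur is None:
            continue
        if line and not line[0].isspace():   # header of some non-ovpnc interface
            cur = None
            continue
        m = INET_RE.match(line)              # handles both "inet a --> b netmask" and "inet a netmask"
        if m:
            prefix = bin(int(m.group("mask"), 16)).count("1")
            result[cur]["subnet"] = ipaddress.ip_network(f"{m.group('ip')}/{prefix}", strict=False)
            continue
        m = PID_RE.match(line)
        if m:
            result[cur]["pid"] = int(m.group("pid"))
    return {k: v for k, v in result.items() if v["subnet"] is not None}


def parse_routes(text):
    """Return {IPv4Network: netif} for the network (prefix) routes in `netstat -rn -f inet`."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[ipaddress.ip_network(m.group("dest"))] = m.group("netif")
    return routes


def plan_restarts(ifaces, routes):
    """[(iface, pid)] for tunnels that share a subnet with another tunnel but do not own its route.
    The interface the kernel route points at keeps working, so it is left alone."""
    by_subnet = {}
    for name, info in ifaces.items():
        by_subnet.setdefault(info["subnet"], []).append(name)
    stale = []
    for subnet, names in by_subnet.items():
        if len(names) < 2:
            continue
        owner = routes.get(subnet)
        stale.extend((n, ifaces[n]["pid"]) for n in sorted(names) if n != owner)
    return stale


# Constructed samples: three clients all in 10.8.0.0/24, route owned by ovpnc4 (as in the post).
SAMPLE_IFCONFIG = """\
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.8.0.5 --> 10.8.0.5 netmask 0xffffff00
\tgroups: tun openvpn
\tOpened by PID 1111
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.8.0.9 --> 10.8.0.9 netmask 0xffffff00
\tgroups: tun openvpn
\tOpened by PID 2222
ovpnc4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.8.0.12 --> 10.8.0.12 netmask 0xffffff00
\tgroups: tun openvpn
\tOpened by PID 4444
"""
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.8.0.0/24        link#12            U        ovpnc4
10.8.0.12          link#12            UHS         lo0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U           em0
"""


def main(live=False):
    if live:
        ifc = subprocess.run(["ifconfig"], capture_output=True, text=True, check=True).stdout
        rt = subprocess.run(["netstat", "-rn", "-f", "inet"], capture_output=True, text=True, check=True).stdout
    else:
        ifc, rt = SAMPLE_IFCONFIG, SAMPLE_NETSTAT
    stale = plan_restarts(parse_ifconfig(ifc), parse_routes(rt))
    for name, pid in stale:
        print(f"{name}: shares its subnet but does not own the route; SIGUSR1 -> openvpn pid {pid}")
        if live and pid:
            os.kill(pid, signal.SIGUSR1)     # SIGUSR1 = OpenVPN soft restart (reconnect)
    return stale


if __name__ == "__main__":
    main(live="--live" in sys.argv)
```

One pass only signals the tunnels that are currently broken; since the provider may hand the reconnecting client the same subnet again, run it from cron every minute or so and it will keep signalling until every tunnel either has a unique subnet or owns its route. It does not prevent the outage the poster wants to avoid, it only shortens it.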
-
@MikkelBalle said in Multiple clients - VPN provider is sometimes assigning same subnet to different clients:
Is there anything else I can do to avoid the issue?
I don't think so. But in my experience the problem only occurs if gateways have the same IP address; the same subnets don't matter. So maybe you should look into this weird behavior of your setup.