RoadWarrior OpenVPN



  • I have configured OpenVPN on pfSense 1.2RC2:

    Protocol: UDP
    Dynamic IP: on
    Local Port: 1194
    Address pool: 172.16.100.0/24
    Use static IPs: off
    Local network: 172.16.4.0/16
    Remote network: -
    Client-to-client VPN: on
    Cryptography: BF-CBC (128-bit)
    Authentication method: PKI
    DHCP-Opt.: DNS-Domainname: xxx.co.id
    DHCP-Opt.: DNS-Server: 172.16.4.16;172.16.4.52
    DHCP-Opt.: WINS-Server: 172.16.4.5;172.16.4.6
    DHCP-Opt.: NTP-Server: 172.16.4.52;172.16.4.16
    DHCP-Opt.: NetBIOS node type: b-node
    LZO Compression: on

    on windows client:
    float
    port 1194
    dev tun
    dev-node OpenVPN
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    ping 30
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert client-mbs.crt
    key client-mbs.key
    ns-cert-type server
    comp-lzo
    pull
    verb 4

    on linux client:
    float
    port 1194
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    ping 30
    persist-tun
    persist-key
    tls-client
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client-mbs.crt
    key /etc/openvpn/client-mbs.key
    ns-cert-type server
    comp-lzo
    pull
    verb 4

    The question is:
    When the Linux client is connected, its IP address is 172.16.100.6. But when the Windows client is connected as well, its IP address is the same as the Linux client's. I'm only testing with two clients.
    Why is the dynamic IP not working on the clients?



  • I'm not sure if this is related but your address pool and your local subnet are overlapping.
    You need to use different subnets.



  • Typo  ;D
    The right local network is 172.16.4.0/24.



  • Just to be sure: Do your two clients use a different key and certificate?



  • I'm using the same key and certificate.



  • Well then this is your problem :)

    Every client needs to have its own key and certificate.

    Otherwise the server won't be able to tell the clients apart.
    Also, you have the "float" option active in your config.
    This means that a client can change its IP/port, reconnect immediately and still be recognised as the same client.

    If two clients now have the same key, the server thinks the whole time that a single client is changing its IP.

    -> Use two different keys/certificates and all will be OK.

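The symptom this reply describes (one key/certificate on two machines, with "float" letting the server treat each takeover as the same client roaming) can be spotted from the server side. This is an added example, not code from this thread, pfSense or OpenVPN: a Python script that parses successive snapshots of the OpenVPN v1 status file and flags a common name whose real address keeps flipping; the snapshots, the endpoints and the client names are constructed sample data.

```python
from collections import defaultdict
# v1 status file as written by the server's --status option. Sample data is constructed.
STATUS_TEMPLATE = """OpenVPN CLIENT LIST
Updated,{updated}
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
{rows}
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
def constructed_status(updated, clients):
    """Build one constructed snapshot from (common_name, real_address) pairs."""
    rows = "\n".join(f"{cn},{addr},1024,2048,{updated}" for cn, addr in clients)
    return STATUS_TEMPLATE.format(updated=updated, rows=rows)
def parse_client_list(status_text):
    """Return {common_name: real_address} from the CLIENT LIST section."""
    clients, in_list = {}, False
    for line in status_text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_list = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_list and line.strip():
            cn, real_addr = line.split(",")[:2]
            clients[cn] = real_addr
    return clients
def find_flapping_clients(snapshots, min_flips=2):
    """Common names whose real address changed >= min_flips times between snapshots.
    A roaming client does this rarely; two machines on one certificate (with 'float'
    passing each takeover off as a roam) do it on every reconnect."""
    last, flips, seen = {}, defaultdict(int), defaultdict(set)
    for snap in snapshots:
        for cn, addr in parse_client_list(snap).items():
            seen[cn].add(addr)
            if cn in last and last[cn] != addr:
                flips[cn] += 1
            last[cn] = addr
    return {cn: (n, sorted(seen[cn])) for cn, n in flips.items() if n >= min_flips}
# Constructed snapshots: client-hq stays put; client-mbs alternates between two
# endpoints because two machines are using the same key and certificate.
HQ = ("client-hq", "203.0.113.20:1194")
SNAPSHOTS = [
    constructed_status("Sun Jan  6 10:00:00 2008", [("client-mbs", "198.51.100.7:1194"), HQ]),
    constructed_status("Sun Jan  6 10:01:00 2008", [("client-mbs", "192.0.2.33:41007"), HQ]),
    constructed_status("Sun Jan  6 10:02:00 2008", [("client-mbs", "198.51.100.7:1194"), HQ]),
]
```

Run against periodic copies of the real status file, `find_flapping_clients` returns only `client-mbs` for the data above; `client-hq`, whose address never changes, is not reported.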


  • Oh, I see… I missed that one.  :-[
    Thanks for your info.

