PfSense OpenVPN clients getting same IP address



  • Hi All,

    I am trying to set up a second remote user connection to my pfsense box. The first one is set up and working correctly, but currently I can only have one device connected to it, and I have a second (and more in future) that I want to add.

    Infuriatingly, the only way I can get both devices to connect assigns them both the same IP address. (Let's say it's 10.10.4.6)

    Here's the skinny so far:

    I have set up a CA, server cert, port, and user entry. Client export works, and the device can connect. <- this is the working device.
    I have tried this setup in my second device (not at the same time), and it works from there, so I know the problem is not either device.

    Using the same CA, server cert and user entry but with a different port provides the same IP. Turns out using the same cert is not a good idea, so I changed it.

    Using the same CA and user entry, but a different certificate and port doesn't work.

    Using a different CA, a different certificate, different port and different user now fails with TLS Error: TLS key negotiation failed to occur within 60 seconds.

    But the original setup works, so I'm not sure what I'm doing wrong. The wizard is setting it all up, and creating the firewall entries, I am not touching them so they should be fine. nc can access both ports, so I know they're open.

    I've googled until I'm blue in the face, but can't seem to find anything that will solve my issue. All TLS timeout entries that I can find are designed when nothing works, but I have one that works already so it's just the new setup.

    I have deleted and recreated both entries from scratch a number of times. Maybe there's something I'm missing.

    I am under the impression that I can use the same CA for all remote user certificates, and would like to if possible to keep this whole thing as tidy as possible. I will need this to work for 20 staff all told.

    Each remote user setup has an IP address of 10.10.7.1/29 or 10.10.7.10/29 etc etc. So they should all be under the same subnet, but individually administered by each connection.

    Please let me know if any of this doesn't make sense. Any help is appreciated.



  • Simple.

You need one server CA - That's all.

You need one user cert per client that's connecting.

    I like using TUN not TAP

    Assign a subnet not in use anywhere else to openvpn - like 10.12.47.0/24

    Don't allow multiple concurrent connections from same user.

    I'm not putting any entries at all in DHCP server for the VPN interface or subnet.

    It just works if you keep it simple.



  • Thanks for the reply.

    Sorry, yes I'm using TUN. Don't want any extra problems with using TAP.

    I've done all as you suggest, and just don't seem to be getting it right both times. The first one is fine, and I have a site to site VPN that works fine, but I just can't seem to add a second remote user and have it work right. Is there a particular order I need to be doing it in? These things can be finicky sometimes, I guess.

    I was using the wizard to do the whole lot, but that seemed not to work at all. Now I'm creating the CA, then the user cert, then the user themselves, followed by going through the wizard to tie it all together, and then adding the user cert to the user profile.

    I'm starting again with the whole lot, and will post back how I get on.

    Thanks.



  • Okay, so I've recreated the whole shebang, and everything is working again except both connections are still getting the same IP address!

It turns out that if I assign 10.10.7.0/29 and 10.10.8.0/29 as the local networks then both connections will work fine. The reason that it wasn't working in my original is because of the 10.10.7.1/29 and 10.10.7.10/29 subnets.

    It would seem that both connections have to be on a x.x.x.0 subnet or the TLS handshake will fail.

    Is there any way that I can get this to work, or is it just a peculiarity of the system?

    Thanks.


  • Netgate

    Which of these servers are you trying to create?

    How about you post screenshots or your /var/etc/openvpn/serverx.conf

    ![Screen Shot 2015-02-21 at 10.22.55 PM.png](/public/imported_attachments/1/Screen Shot 2015-02-21 at 10.22.55 PM.png)



  • Local Network/s should just have the LAN(s) that you want to be reached by the clients across the OpenVPN link. Do not put the tunnel network in there.

    Have a single server, single CA, single server certificate. Make the Tunnel Network bigger, like 10.10.7.0/24

    Create a client certificate for each user.

    OpenVPN will give each connection a separate /30 part of the tunnel - e.g.
    10.10.7.4/30 (server end .5 client end .6)
    10.10.7.8/30 (server end .9 client end .10)



  • Hint hint.  Twice you have been recommended to move to a /24…

    Just saying.



  • @Derelict:

    Which of these servers are you trying to create?

    How about you post screenshots or your /var/etc/openvpn/serverx.conf

    Yes, it's a User Auth with TLS authentication. Nothing wrong with both, right?
Please let me know if you need any other config info (even just for curiosity); I haven't the time to extract and redact the entire config file.

    @phil.davis:

    Local Network/s should just have the LAN(s) that you want to be reached by the clients across the OpenVPN link. Do not put the tunnel network in there.

    Have a single server, single CA, single server certificate. Make the Tunnel Network bigger, like 10.10.7.0/24

    Create a client certificate for each user.

    OpenVPN will give each connection a separate /30 part of the tunnel - e.g.
    10.10.7.4/30 (server end .5 client end .6)
    10.10.7.8/30 (server end .9 client end .10)

    Thanks for the confirmation. When you're this close to the trees, it's hard to see the forest. I've kept the same CA for all remote certificates, it seems to be working alright, but otherwise both configs have their own certs and users. The local networks are 10.10.0.0/16 - this includes the tunnel subnets, but I have four subnets so far, and I'm looking to add more, so I'd rather not add them all individually if possible.

    The kicker is, even if I assign 10.10.7.0/24 to both openvpn configs as the tunnel network, they both get 10.10.7.6 as the IP address. This is the part I'm struggling with. Assigning a different /24 subnet to each is the only way I've managed to get it to work.

    @kejianshi:

    Hint hint.  Twice you have been recommended to move to a /24…

    Just saying.

    See above - this didn't fix the issue, oddly.



  • Maybe I read wrong…

    On the server side are you configuring the same 10.10.7.0/24 on two different openvpn configs running on a single pfsense?

"This is the part I'm struggling with. Assigning a different /24 subnet to each is the only way I've managed to get it to work" - Yeah - Because that's the only way you should do it.



  • You have to use a different tunnel network in every OpenVPN server instance.
    Why are you making 2 OpenVPN servers?
    You can have many clients connecting to the 1 server with no problem.
For security you should really give every client its own client certificate, created off the same CA as the server certificate. Then if needing you can use Client Specific Overrides to allocate particular /30 of the tunnel network to particular clients, and then make firewall rules specific to particular client addresses…
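The two replies above describe how OpenVPN's net30 topology carves the tunnel network into per-client /30s (server end .5, client end .6, and so on) and how a Client Specific Override can pin a client to one of them. The following is an added example, not code from the thread, from pfSense or from OpenVPN: it reproduces the net30 carving with Python's standard `ipaddress` module and emits the `ifconfig-push` directive an override would contain. Client names and the tunnel network are constructed sample input; the /30 skipped at the start of the range is the one the server's own tun interface uses.

```python
import ipaddress

# Added example, not from the forum thread or pfSense: shows how OpenVPN's
# net30 topology carves a tunnel network into per-client /30s, and how a
# Client Specific Override would pin a client to one of them.


def allocate_net30(tunnel_network, client_names):
    """Map each client name to (client_ip, server_endpoint) in net30 topology.

    The first /30 (.0-.3) belongs to the server's own tun interface
    (.1 local, .2 remote), so clients start at the second /30: .4/30 gives
    the server-side endpoint .5 and the client .6, .8/30 gives .9/.10, etc.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen > 30:
        raise ValueError("tunnel network must be /30 or larger")
    blocks = list(net.subnets(new_prefix=30))[1:]  # skip the server's own /30
    if len(client_names) > len(blocks):
        raise ValueError(f"{tunnel_network} only fits {len(blocks)} net30 clients")
    allocation = {}
    for name, block in zip(client_names, blocks):
        server_endpoint, client_ip = list(block.hosts())  # a /30 has exactly two hosts
        allocation[name] = (str(client_ip), str(server_endpoint))
    return allocation


def ifconfig_push_line(allocation, name):
    """Directive a Client Specific Override uses to pin a client's tunnel address.

    In net30 topology ifconfig-push takes the client's tunnel IP followed by
    the server-side endpoint of its /30 (ifconfig-push <local> <remote>).
    """
    client_ip, server_endpoint = allocation[name]
    return f"ifconfig-push {client_ip} {server_endpoint}"


def first_client_address(tunnel_network):
    """Address the first client to connect receives from one server instance."""
    return allocate_net30(tunnel_network, ["first"])["first"][0]


if __name__ == "__main__":
    # Constructed sample input: a /24 tunnel network and three hypothetical users.
    alloc = allocate_net30("10.10.7.0/24", ["alice", "bob", "carol"])
    for name in alloc:
        print(name, alloc[name], "->", ifconfig_push_line(alloc, name))
    # Two server instances configured with the same tunnel network allocate
    # independently, so each hands its first client the same address.
    print(first_client_address("10.10.7.0/24"), first_client_address("10.10.7.0/24"))
```

Running it prints `alice ('10.10.7.6', '10.10.7.5')`, `bob ('10.10.7.10', '10.10.7.9')` and so on; the last line prints `10.10.7.6 10.10.7.6`, which is exactly the symptom of giving two instances the same tunnel network, since each instance starts its own pool at the second /30. A /24 holds 64 /30s, one of which the server keeps, so one instance serves 63 net30 clients; a /29 holds only one.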



  • phil.davis is correct on all counts.

The only time I run more than 1 openvpn instance on a single pfsense is when I need to provide separate services to people with different needs, or to firewall different types of users from each other or the LAN etc.

    If I just had a whole bunch of people who needed openvpn access and I could treat them all the same I'd use just 1 instance of pfsense.

No matter if you decide to use a single or multiple instance of openvpn, make sure the subnet you use for each tunnel doesn't overlap with any other subnet in use on the pfsense and be careful with using /16s because it's real easy to have those overlap with all your /24s.
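The advice above (a distinct tunnel network per instance, no overlap with any other subnet on the box, and caution with a /16 local network) is easy to check mechanically before touching the OpenVPN pages. The following is an added example, not code from the thread or from pfSense: it validates each instance's tunnel network, flags entries with host bits set (the thread's 10.10.7.10/29 is not a network address; the /29 containing it is 10.10.7.8/29), reports tunnel networks that overlap each other, and reports tunnels that fall inside a Local Network pushed to clients. The instance names, tunnel networks and local network in the sample run are constructed to mirror the configurations discussed in the thread.

```python
import ipaddress

# Added example, not from the thread or pfSense: sanity checks for the tunnel
# networks of several OpenVPN server instances against each other and against
# the Local Network(s) pushed to clients.


def validate_tunnel_network(text):
    """Return an error string, or None if `text` is a usable tunnel network.

    Rejects entries with host bits set (10.10.7.10/29 is not a network; the
    /29 containing it is 10.10.7.8/29) and prefixes too small for a net30 client.
    """
    try:
        net = ipaddress.ip_network(text, strict=True)
    except ValueError:
        try:
            fixed = ipaddress.ip_network(text, strict=False)
        except ValueError:
            return f"{text}: not a valid CIDR network"
        return f"{text}: host bits set, did you mean {fixed}?"
    if net.prefixlen > 30:
        return f"{text}: a /{net.prefixlen} has no room for a client /30"
    return None


def find_conflicts(tunnels, local_networks):
    """Report overlapping tunnel networks and tunnels inside local networks.

    `tunnels` maps instance name -> tunnel network string; `local_networks` is
    the list of networks pushed to clients as routes. Returns a list of
    human-readable problems (empty when the layout is clean).
    """
    problems = []
    parsed = {}
    for name, text in tunnels.items():
        err = validate_tunnel_network(text)
        if err:
            problems.append(f"{name}: {err}")
        else:
            parsed[name] = ipaddress.ip_network(text)
    names = sorted(parsed)
    # Every instance needs its own pool, so any overlap between two tunnels is a problem.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} and {b} share tunnel space: {parsed[a]} overlaps {parsed[b]}")
    # A tunnel inside a pushed local network (e.g. a /16 covering everything) is a routing conflict.
    for name, net in parsed.items():
        for local in local_networks:
            if net.overlaps(ipaddress.ip_network(local)):
                problems.append(f"{name}: tunnel {net} overlaps local network {local}")
    return problems


if __name__ == "__main__":
    # Constructed to mirror the thread: two instances on the same /24, a /16
    # local network that swallows the tunnel, and a /29 with host bits set.
    tunnels = {
        "server1": "10.10.7.0/24",
        "server2": "10.10.7.0/24",
        "server3": "10.10.7.10/29",
    }
    for problem in find_conflicts(tunnels, ["10.10.0.0/16"]):
        print("PROBLEM:", problem)
    # A tunnel network outside every other range on the box passes cleanly.
    print(find_conflicts({"server1": "10.12.47.0/24"}, ["10.10.0.0/16"]))
```

The sample run prints four problems (the host-bits entry, the server1/server2 overlap, and each of those two tunnels overlapping the /16) and then `[]` for the clean layout, where the single tunnel network sits outside the local network entirely.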



Okay, okay, so this seems to have highlighted that my setup is a bit backwards regardless.

    I was under the impression that I need to set up a separate server for each client who wants to connect. Why would I need to do that, you ask? No idea, just thought I did. Hence, the allocation of a /24 address range when only one client was connecting seemed wasteful. This is why I was trying to assign a /29 subnet to each server, to keep them all on the same range.

    @kejianshi:

    Maybe I read wrong…

    On the server side are you configuring the same 10.10.7.0/24 on two different openvpn configs running on a single pfsense?

"This is the part I'm struggling with. Assigning a different /24 subnet to each is the only way I've managed to get it to work" - Yeah - Because that's the only way you should do it.

    Originally, yes. One server would get 10.10.7.0/29 and the next would get 10.10.7.10/29 - Thus allowing for up to ~eight addresses, but the /29 would only use 6. This should allow for reconnection if the connection drops out and the server keeps the connection open, not being aware it has been closed.

    Apparently, my fundamental misunderstanding on how this is supposed to work has been the problem from the beginning.

    @phil.davis:

    You have to use a different tunnel network in every OpenVPN server instance.
    Why are you making 2 OpenVPN servers?
    You can have many clients connecting to the 1 server with no problem.
    For security you should really give every client its own client certificate, create off the same CA as the server certificate. Then if needing you can use Client Specific Overrides to allocate particular /30 of the tunnel network to particular clients, and then make firewall rules specific to particular client addresses…

    After Googling exactly what you mentioned, I stumbled across this article (https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server) which appears to explain what you're referring to in detail. So, it's setting it up in a similar way, but correctly (which I wasn't). This should allow me to allocate only a small address space to each client, which makes much more sense than how I was doing it. Thank you.

    @kejianshi:

    phil.davis is correct on all counts.

The only time I run more than 1 openvpn instance on a single pfsense is when I need to provide separate services to people with different needs, or to firewall different types of users from each other or the LAN etc.

    If I just had a whole bunch of people who needed openvpn access and I could treat them all the same I'd use just 1 instance of pfsense.

No matter if you decide to use a single or multiple instance of openvpn, make sure the subnet you use for each tunnel doesn't overlap with any other subnet in use on the pfsense and be careful with using /16s because it's real easy to have those overlap with all your /24s.

    Yes, having extensive networking qualifications through the network+ course I completed some years ago (tongue-in-cheek) I'm trying to be as careful as possible with my subnetting. I think I'm over-allocating in the beginning, but I can always reduce as time goes on.

    Thanks again for the help, guys. I think I've got my head around it now.