Duplicate IP assigned by Remote Access server
-
Hello
I've set up a Remote Access (SSL/TLS) VPN server.
The remote clients are using an exported archive config. Setup is on the command line at /etc/openvpn. The issue I have is that 2 clients I'm working on have the same IP.
These are checked in pfSense for the server:
- Allow connected clients to retain their connections if their IP address changes.
- Provide a virtual adapter IP address to clients (see Tunnel Network)
- Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30).
Is there something else that needs to be done in order to ensure unique IP addresses at client?
-
Are they getting the same IP when connected at the same time or getting the same IP when connecting in general?
-
They had same address at the same time.
Both are on Amazon EC2. I'm new at using EC2, so there could be something wrong with my setup.
Both systems have different WAN addresses.
Here is 'ifconfig' on both:
bkup9-ec2 ~ # date;ifconfig tun0
Fri Feb 27 18:29:35 EST 2015
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.110.0.2  P-t-P:10.110.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4792 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3967504 (3.7 MiB)  TX bytes:637982 (623.0 KiB)

debian-ec2-lxc ~ # date;ifconfig tun0
Fri Feb 27 23:29:37 UTC 2015
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.110.0.2  P-t-P:10.110.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:168 (168.0 B)  TX bytes:168 (168.0 B)
They both use the same OpenVPN files:
debian-ec2-lxc /etc/openvpn # ll
total 16
lrwxrwxrwx 1 root root   23 Feb 27 15:25 client.conf -> fbc2-udp-1194-bsdp.ovpn
-rw-r--r-- 1 root root  280 Feb 25 12:13 fbc2-udp-1194-bsdp.ovpn
-rw-r--r-- 1 root root 3989 Feb 25 12:13 fbc2-udp-1194-bsdp.p12
-rw-r--r-- 1 root root  657 Feb 25 12:13 fbc2-udp-1194-bsdp-tls.key
-rwxr-xr-x 1 root root 1301 Dec  2 13:14 update-resolv-conf*

bkup9-ec2 /etc/openvpn # ll
total 16
lrwxrwxrwx 1 root root   23 Feb 25 12:15 client.conf -> fbc2-udp-1194-bsdp.ovpn
-rw-r--r-- 1 root root  280 Feb 25 07:13 fbc2-udp-1194-bsdp.ovpn
-rw-r--r-- 1 root root 3989 Feb 25 07:13 fbc2-udp-1194-bsdp.p12
-rw-r--r-- 1 root root  657 Feb 25 07:13 fbc2-udp-1194-bsdp-tls.key
-rwxr-xr-x 1 root root 1301 Dec  2 08:14 update-resolv-conf*
-
Hmm. What does the server show at the time? Anything in the server logs that stands out? What's the network you're using for topology subnet?
-
Sounds like you're using the same cert on both. You'll want a unique cert on each one. The cert should be specific to an individual machine in that case.
-
That still seems like odd behavior that shouldn't happen even in that circumstance. Seems like the second attempt should either fail, supplant the first login, or, if multiple logins are permitted, get a different IP address assigned. Unless there's a client-specific ifconfig, then you should get what you set and if it's broken, it's broken.
-
@cmb:
Sounds like you're using the same cert on both. You'll want a unique cert on each one. The cert should be specific to an individual machine in that case.
Yep that is the reason.
Prior to now I'd require a name and password to use this connection. However, I could not figure out how to do so using the OpenVPN CLI setup. These are not GUI systems with Network Manager… dealing with certs to
I eliminated that, using Remote Access (SSL/TLS) instead of Remote Access (SSL/TLS + User Auth).
Now a question - can you point me in the direction of setting up multiple certs for Remote Access (SSL/TLS)?
Or do I need to use one VPN Remote Access (SSL/TLS) setup per connection?
-
All you should need are other certs signed by the server's Peer Certificate Authority.
I just looked in the book and I don't see where it's explained just what OpenVPN uses to differentiate clients in Remote Access (SSL/TLS) mode. CN? Fingerprint?
-
CN. The whole client specific overrides thing works based on this.
-
Using per-host [user] certs for the archive file solved the issue, and of course it is a lot easier to manage cert security.
Thank you for the help.
-
Using per-host [user] certs for the archive file solved the issue, and of course it is a lot easier to manage cert security.
Don't forget to tick this:
-
Thought that would only matter in SSL/TLS + User Auth mode.
-
At this screen: vpn_openvpn_server.php
That option is not available when Server Mode is Remote Access (SSL/TLS).
I do see it when using Server Mode = Remote Access (SSL/TLS + User Auth).
-
If it is the same cert, try using the "duplicate-cn" option on the server. It is not recommended though; better to use different certs for each client.
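The fix the thread converges on (one certificate per client, distinguished by CN, with client-specific overrides keyed on that CN, and duplicate-cn only as a last resort) as an added, runnable example. This is not code from the thread, from pfSense or from OpenVPN; it assumes openssl is in PATH, and the CA name, the client names, the ccd addresses and the 10.110.0.0/24 tunnel network are illustrative. It also reproduces the original mistake (one cert copied to a second host) so the duplicate-CN check has something to catch.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or OpenVPN): issue one cert per
# client with its own CN, signed by the CA the server trusts as its Peer
# Certificate Authority, and pin each CN's tunnel address via client-config-dir.
# Assumptions: openssl in PATH; names, addresses and tunnel network are illustrative.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/ca"
CCD_DIR="$WORK/ccd"

# make_ca: self-signed CA; the server trusts it as the Peer Certificate Authority
make_ca() {
    mkdir -p "$CA_DIR" "$CCD_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=example-vpn-ca" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# issue_client NAME IP: key, CSR and CA-signed cert with CN=NAME, plus ccd/NAME.
# OpenVPN looks up ccd/<CN> when the client connects, so the CN is what makes
# each client unique; a copied cert means a copied CN and a copied ccd entry.
issue_client() {
    name="$1"; ip="$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$CA_DIR/$name.key" -out "$CA_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$CA_DIR/$name.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -out "$CA_DIR/$name.crt" 2>/dev/null
    # topology subnet: push a host address plus the subnet mask
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$name"
}

# cert_cn FILE: print the CN the server keys the session (and the ccd lookup) on
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *CN=//'
}

# duplicate_cns FILE...: print every CN shared by two or more of the given certs;
# prints nothing when every client has its own CN
duplicate_cns() {
    for f in "$@"; do cert_cn "$f"; done | sort | uniq -d
}

# server_conf: server-side lines that go with the per-CN layout
server_conf() {
    cat <<EOF
topology subnet
server 10.110.0.0 255.255.255.0
client-config-dir $CCD_DIR
# duplicate-cn would let several clients share one CN; prefer one cert per client
EOF
}

main() {
    make_ca
    issue_client bkup9-ec2 10.110.0.10
    issue_client debian-ec2-lxc 10.110.0.11
    echo "CNs issued:"
    for c in bkup9-ec2 debian-ec2-lxc; do
        printf '  %s -> %s\n' "$(cert_cn "$CA_DIR/$c.crt")" "$(cat "$CCD_DIR/$c")"
    done
    # reproduce the original mistake: the same cert installed on a second host
    cp "$CA_DIR/bkup9-ec2.crt" "$WORK/second-host.crt"
    echo "duplicate CN across hosts: $(duplicate_cns "$CA_DIR/bkup9-ec2.crt" "$WORK/second-host.crt")"
    server_conf
}

main
```

On pfSense the same thing is done from the GUI: create one User or Server certificate per client under the server's CA, export a separate archive per certificate, and add a Client Specific Override for each CN if you want a fixed address. The duplicate_cns check is a quick way to audit a pile of exported client certs before handing them out.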