Netgate Discussion Forum

    Duplicate IP assigned by Remote Access server

    OpenVPN

    robfantini
      Hello
      I have a Remote Access (SSL/TLS) VPN server.
      The remote clients are using an exported archive config. Setup is on the command line at /etc/openvpn.

      The issue I have is that 2 clients I'm working on have the same IP.

      These are checked in pfSense for the server:

      • Allow connected clients to retain their connections if their IP address changes.
      • Provide a virtual adapter IP address to clients (see Tunnel Network)
      • Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30).

      Is there something else that needs to be done in order to ensure unique IP addresses at the clients?

      Derelict (Netgate)

        Are they getting the same IP when connected at the same time or getting the same IP when connecting in general?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          robfantini

          They had the same address at the same time.

          Both are on Amazon EC2. I'm new at using EC2, so there could be something wrong with my set up.

          Both systems have different WAN addresses.

          Here is 'ifconfig tun0' on both:

          
          bkup9-ec2  ~ # date;ifconfig tun0
          Fri Feb 27 18:29:35 EST 2015
          tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
                    inet addr:10.110.0.2  P-t-P:10.110.0.2  Mask:255.255.255.0
                    UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
                    RX packets:7208 errors:0 dropped:0 overruns:0 frame:0
                    TX packets:4792 errors:0 dropped:0 overruns:0 carrier:0
                    collisions:0 txqueuelen:100 
                    RX bytes:3967504 (3.7 MiB)  TX bytes:637982 (623.0 KiB)
          
          debian-ec2-lxc  ~ # date;ifconfig tun0
          Fri Feb 27 23:29:37 UTC 2015
          tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
                    inet addr:10.110.0.2  P-t-P:10.110.0.2  Mask:255.255.255.0
                    UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
                    RX packets:2 errors:0 dropped:0 overruns:0 frame:0
                    TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
                    collisions:0 txqueuelen:100 
                    RX bytes:168 (168.0 B)  TX bytes:168 (168.0 B)
          
          

          They both use the same OpenVPN files:

          
          debian-ec2-lxc  /etc/openvpn # ll
          total 16
          lrwxrwxrwx 1 root root   23 Feb 27 15:25 client.conf -> fbc2-udp-1194-bsdp.ovpn
          -rw-r--r-- 1 root root  280 Feb 25 12:13 fbc2-udp-1194-bsdp.ovpn
          -rw-r--r-- 1 root root 3989 Feb 25 12:13 fbc2-udp-1194-bsdp.p12
          -rw-r--r-- 1 root root  657 Feb 25 12:13 fbc2-udp-1194-bsdp-tls.key
          -rwxr-xr-x 1 root root 1301 Dec  2 13:14 update-resolv-conf*
          
          bkup9-ec2  /etc/openvpn # ll
          total 16
          lrwxrwxrwx 1 root root   23 Feb 25 12:15 client.conf -> fbc2-udp-1194-bsdp.ovpn
          -rw-r--r-- 1 root root  280 Feb 25 07:13 fbc2-udp-1194-bsdp.ovpn
          -rw-r--r-- 1 root root 3989 Feb 25 07:13 fbc2-udp-1194-bsdp.p12
          -rw-r--r-- 1 root root  657 Feb 25 07:13 fbc2-udp-1194-bsdp-tls.key
          -rwxr-xr-x 1 root root 1301 Dec  2 08:14 update-resolv-conf*
          
          
            Derelict (Netgate)

            Hmm. What does the server show at the time? Anything in the server logs that stands out? What's the network you're using for topology subnet?

              cmb

              Sounds like you're using the same cert on both. You'll want a unique cert on each one. The cert should be specific to an individual machine in that case.

                Derelict (Netgate)

                That still seems like odd behavior that shouldn't happen even in that circumstance. Seems like the second attempt should either fail, supplant the first login, or, if multiple logins are permitted, get a different IP address assigned. Unless there's a client-specific ifconfig, then you should get what you set and if it's broken, it's broken.

                  robfantini

                  @cmb:

                  Sounds like you're using the same cert on both. You'll want a unique cert on each one. The cert should be specific to an individual machine in that case.

                  Yep, that is the reason.

                  Prior to now I'd require a name and password to use this connection. However, I could not figure out how to do so using the OpenVPN CLI setup. These are not GUI systems with Network Manager… dealing with certs to

                  I eliminated that, using Remote Access (SSL/TLS) instead of Remote Access (SSL/TLS + User Auth).

                  Now a question: can you point me in the direction of setting up multiple certs for Remote Access (SSL/TLS)?

                  Or do I need to use one VPN Remote Access (SSL/TLS) setup per connection?

                    Derelict (Netgate)

                    All you should need are other certs signed by the server's Peer Certificate Authority.

                    I just looked in the book and I don't see where it's explained just what OpenVPN uses to differentiate clients in Remote Access (SSL/TLS) mode. CN? Fingerprint?

                      doktornotor

                      CN. The whole client specific overrides thing works based on this.

                        robfantini

                        Using per-host [user] certs for the archive file solved the issue, and of course it is a lot easier to manage cert security.

                        Thank you for the help.

                          doktornotor

                          @robfantini:

                          Using per-host [user] certs for the archive file solved the issue, and of course it is a lot easier to manage cert security.

                          Don't forget to tick this:

                            Derelict (Netgate)

                            Thought that would only matter in SSL/TLS + User Auth mode.

                              robfantini

                              @doktornotor:

                              At this screen: vpn_openvpn_server.php

                              That option is not available when Server Mode is Remote Access (SSL/TLS).

                              I do see it when using Server Mode = Remote Access (SSL/TLS + User Auth).

                                BoMbY

                                If it is the same cert, try using the "duplicate-cn" option on the server. It is not recommended though; better use different certs for each client.

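The thread settles on two facts: OpenVPN tells clients apart by the certificate CN, and a certificate shared by several machines (or the duplicate-cn workaround) is what produces the collision. The following is an added example, not code from the thread or from pfSense, that answers Derelict's earlier question ("what does the server show at the time?") from the defender's side: it parses an OpenVPN status dump and flags any CN connected from more than one real address, and any virtual address mapped to more than one real address. The sample status text is constructed for this example and assumes the version-1 status file layout (CLIENT LIST / ROUTING TABLE sections); the common name and 10.110.0.2 address are taken from the thread, the peer addresses are documentation ranges.

```python
"""Flag shared client certificates in an OpenVPN status dump.

Added example (not from the thread or pfSense). Input is assumed to be
OpenVPN's version-1 status file: a CLIENT LIST section keyed by Common
Name and a ROUTING TABLE section keyed by Virtual Address.
"""
from collections import defaultdict

# Constructed sample, not captured from the poster's server. Two peers
# present the same CN (shared certificate) and land on the same tunnel IP.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Fri Feb 27 18:29:35 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
fbc2-udp-1194-bsdp,203.0.113.10:49152,3967504,637982,Fri Feb 27 18:00:01 2015
fbc2-udp-1194-bsdp,198.51.100.7:51000,168,168,Fri Feb 27 18:29:20 2015
laptop-alice,192.0.2.44:1194,10240,20480,Fri Feb 27 17:55:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.110.0.2,fbc2-udp-1194-bsdp,203.0.113.10:49152,Fri Feb 27 18:29:30 2015
10.110.0.2,fbc2-udp-1194-bsdp,198.51.100.7:51000,Fri Feb 27 18:29:35 2015
10.110.0.3,laptop-alice,192.0.2.44:1194,Fri Feb 27 18:29:33 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Return (clients, routes) from a version-1 status dump.

    clients: list of (common_name, real_address)
    routes:  list of (virtual_address, common_name, real_address)
    """
    clients, routes = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END") or not line:
            section = None
            continue
        fields = line.split(",")
        if section == "clients":
            # Skip the "Updated,<time>" stamp and the column header row.
            if fields[0] in ("Updated", "Common Name"):
                continue
            clients.append((fields[0], fields[1]))
        elif section == "routes":
            if fields[0] == "Virtual Address":
                continue
            routes.append((fields[0], fields[1], fields[2]))
    return clients, routes


def shared_certs(clients):
    """CNs connected from more than one real address at once.

    With per-host certificates this should be empty; a hit means one
    certificate (or duplicate-cn) is being used by several machines.
    """
    by_cn = defaultdict(set)
    for cn, real in clients:
        by_cn[cn].add(real)
    return {cn: sorted(reals) for cn, reals in by_cn.items() if len(reals) > 1}


def colliding_virtual_ips(routes):
    """Tunnel addresses claimed by more than one real address."""
    by_vip = defaultdict(set)
    for vip, _cn, real in routes:
        by_vip[vip].add(real)
    return {vip: sorted(reals) for vip, reals in by_vip.items() if len(reals) > 1}


def audit(text):
    """Run both checks over a status dump and return the findings."""
    clients, routes = parse_status(text)
    return {
        "shared_certs": shared_certs(clients),
        "colliding_virtual_ips": colliding_virtual_ips(routes),
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_STATUS).items():
        for key, reals in hits.items():
            print(f"{kind}: {key} <- {', '.join(reals)}")
```

Run against a real status file (the path pfSense writes it to depends on the server instance, so pass the file contents in rather than hard-coding a path), an empty result for both checks is what a correctly deployed per-client-certificate setup looks like.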
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.