OpenVPN gateways will get the same IP address and interfere with each other.



  • Hi,

    I use a VPN account from a provider similar to CyberGhost or HideMyAss. The provider runs different servers in different countries. Nothing special.

    Now I want to set up multiple OpenVPN clients in my pfSense (2.2.1) and create firewall rules to route different local IPs over the OpenVPN clients. This was my inspiration: http://www.retropixels.org/blog/use-pfsense-to-selectively-route-through-a-vpn

    In my example I want to set up this:
    10.0.1.96/29 -> vpn client 1
    10.0.1.112/29 -> vpn client 2

    I configure the first OpenVPN client, create the interface, gateways, rules, NAT, etc. So far, so good. If I change the IP of my notebook to 10.0.1.98, all my traffic goes over the first OpenVPN client. Yeah.

    But now the problem: After this I configure the next OpenVPN client, create the interface as well, etc. If I disable the first VPN client, the second client works fine for the range 10.0.1.112/29.

    Now I have enabled the first client and see that both clients receive the same IP address and thus interfere with each other.

    Can you solve the problem so that I can run multiple openvpn clients from one provider?

    I attacked two screenshots. The firewall rules are reduced to the essentials. If you need other information, please ask me.

    PS: Sorry for my bad English.
    ![Rules stripped.png](/public/imported_attachments/1/Rules stripped.png)



  • Don't attack the screenshots…  They are innocent (-;

    Actually, you may be screwed.  How the servers assign IPs is up to them, not you.

    Also they have the same gateway address I bet, so that too may be an issue for you.



  • @kejianshi:

    Don't attack the screenshots…  They are innocent (-;

    Ups ;D

    @kejianshi:

    Actually, you may be screwed.  How the servers assign IPs is up to them, not you.

    Also they have the same gateway address I bet, so that too may be an issue for you.

    Hmmm, if I understand correctly, I cannot influence the assignment. I think I will contact the provider and ask him.

    Someone told me that I could maybe solve this with "Virtual IP Addresses". But I do not know enough about it to check his tip.



  • I'd advise using 2 separate OpenVPN services that don't assign the same subnet ranges and don't use the same gateway IPs.

    I assume you are trying to set up some sort of gateway failover by using 2 separate VPN tunnels?

    Not a terrible idea actually.


  • LAYER 8 Netgate

    You'd think they'd be smarter than to use 10.anything. Especially 10.0.1.x. I mean, why?



  • I agree, but private ranges are limited, so you would hope that they would at least make the subnets they use random to the point that conflicts would be unlikely.

    Obviously not the case here.



  • @kejianshi:

    I assume you are trying to set up some sort of gateway failover by using 2 separate VPN tunnels?

    Not really. I want a VPN solution without modifying the local network clients (install OpenVPN, update, configure, …). We live in Germany and my girlfriend wants to use Netflix US (with her desktop and/or notebook). She cannot configure OpenVPN and I think she doesn't need that ;)

    My idea is: If she wants to watch Netflix, she only has to change her IP address. That is no problem for her.

    And I need an exit point in the Netherlands and Switzerland. I can use OpenVPN directly, but then I must protect every PC against DNS leaks and so on.

    That is the reason why I want to manage the VPN clients at pfSense and "select the route" on the clients only with the IP address.

    @kejianshi:

    I'd advise using 2 separate OpenVPN services that don't assign the same subnet ranges and don't use the same gateway IPs.

    This is possible but then I have to pay for two accounts. And this sucks a little bit.
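
One way to confirm from the OpenVPN client logs whether two tunnels were handed the same tunnel IP, gateway or subnet, as the replies above suspect. This is an added example, not part of the thread: the log lines are constructed, the client names are hypothetical, and a missing `topology` option is assumed to mean `net30`.

```python
import ipaddress
import re
from itertools import combinations

# Constructed OpenVPN client log lines; the client names are hypothetical.
PREFIX = "PUSH: Received control message: 'PUSH_REPLY,"
SAMPLE_LOGS = {
    "vpn_client_1": PREFIX + "route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.6 255.255.255.0'",
    "vpn_client_2": PREFIX + "route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.6 255.255.255.0'",
    "vpn_client_3": PREFIX + "route-gateway 10.9.0.1,topology subnet,ifconfig 10.9.0.10 255.255.255.0'",
}

def parse_push_reply(line):
    """Return the tunnel IP, gateway and network a server pushed, or None."""
    match = re.search(r"PUSH_REPLY,([^']*)", line)
    if not match:
        return None
    opts = {p[0]: p[1:] for p in (o.split() for o in match.group(1).split(",")) if p}
    if len(opts.get("ifconfig", [])) != 2:
        return None
    local, second = opts["ifconfig"]
    if opts.get("topology", ["net30"])[0] == "subnet":
        # topology subnet: the second ifconfig field is the netmask
        network = ipaddress.ip_network(f"{local}/{second}", strict=False)
        gateway = opts.get("route-gateway", [None])[0]
    else:
        network = ipaddress.ip_network(f"{local}/30", strict=False)  # net30: /30 per client
        gateway = second  # net30: the second ifconfig field is the peer address
    return {"local": local, "gateway": gateway, "network": network}

def find_conflicts(logs):
    """Compare every pair of clients and list what the two tunnels share."""
    parsed = {n: p for n, l in logs.items() if (p := parse_push_reply(l))}
    conflicts = []
    for (a, pa), (b, pb) in combinations(parsed.items(), 2):
        checks = [
            ("same tunnel IP", pa["local"] == pb["local"]),
            ("same gateway", pa["gateway"] is not None and pa["gateway"] == pb["gateway"]),
            ("overlapping subnet", pa["network"].overlaps(pb["network"])),
        ]
        reasons = [label for label, hit in checks if hit]
        if reasons:
            conflicts.append((a, b, reasons))
    return conflicts

if __name__ == "__main__":
    for a, b, reasons in find_conflicts(SAMPLE_LOGS):
        print(f"{a} vs {b}: {', '.join(reasons)}")
```
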

