same IP for different certificates (one is in ccd)

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
ginga
OpenVpn Newbie
Posts: 5
Joined: Sat May 25, 2013 2:36 pm

same IP for different certificates (one is in ccd)

Post by ginga » Thu Aug 15, 2013 9:56 pm

Hello,

Could you please help me? This problem has been bugging me for the whole day now.
I have two certificates. One is "specific_cert" and the other is "generic_cert". I want specific cert to have ip 10.8.0.6 and generic_cert may be any other. However, when both machines connect to the VPN, both get assigned the same 10.8.0.6 IP.

Could you provide me with any clue what may be wrong?

Much appreciated!


ccd/specific_cert

Code:

ifconfig-push 10.8.0.6 10.8.0.7
Server conf.:

Code:

port 1194
proto tcp
dev tun

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0

client-config-dir ccd
client-to-client
duplicate-cn

keepalive 10 120
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 9

Both clients have a copy-paste identical cfg, with the only difference being the certificate: either generic_cert or specific_cert:

Code:

client
dev tun
proto tcp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/specific_cert.crt
key keys/specific_cert.key
ns-cert-type server
comp-lzo
verb 3

JoshC
OpenVPN User
Posts: 37
Joined: Sun Jun 23, 2013 3:42 pm

Re: same IP for different certificates (one is in ccd)

Post by JoshC » Thu Aug 15, 2013 10:33 pm

I have two certificates. One is "specific_cert" and the other is "generic_cert". I want specific cert to have ip 10.8.0.6 and generic_cert may be any other. However, when both machines connect to the VPN, both get assigned the same 10.8.0.6 IP.
Your issue is that you didn't exclude the range of static IPs you are handing out from your pool range. The server directive is a helper-directive (see --server in the manpage) that automatically uses the entire remainder of the subnet for dynamic IP assignment. This creates a race-condition when the dynamic IP is assigned to the first client, then the 2nd one connects and is given a static IP that is identical to the one handed out earlier.

When using any form of static addressing, it is required to expand this helper-directive yourself and use a range that excludes any static IPs you wish to hand out; it may be wise to leave some growing room if you see the possibility to assign more IPs statically down the road.

[edited to add]

A quick follow-up point: if you are using the default net30 topology, the IP peering you have pushed is invalid for Windows clients, as they require peering in the center two IPs in a /30 subnet (which would be .6 and .5 for the 2nd usable subnet in the /24). Non-Windows clients will happily work with any 2 IPs as they configure their interfaces as PtP anyway, but Windows will exit with an error if the /30 addressing is incorrect.

Your other option is to use the subnet topology where you configure each peer with an IP and a netmask, similar to a traditional subnet layout. This is supported on every platform since version 2.1, and is the recommended topology today. See --topology in the manpage for more details.
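As an added illustration (not from this thread or from OpenVPN itself), a small Python helper that does what JoshC describes: it hand-expands the `server` helper for dev tun with the default net30 topology, following the `--server` section of the manpage, but starts the dynamic ifconfig-pool above every /30 reserved by a ccd `ifconfig-push`, and it checks a pushed pair the way Windows net30 clients require. The ccd entries and subnet are constructed to mirror the thread; the expansion assumes a modern manpage, so your version may differ in detail.

```python
import ipaddress

def check_net30_pair(local, remote):
    """Windows net30 rule: local and remote must be the two usable hosts of
    one /30, client on base+2 and its peer on base+1
    (e.g. 10.8.0.6 10.8.0.5 for the block 10.8.0.4/30)."""
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    block = ipaddress.ip_network(f"{l}/30", strict=False)
    hosts = list(block.hosts())            # [base+1, base+2]
    return r in block and {l, r} == set(hosts) and l == hosts[1]

def expand_server(subnet, static_pushes, client_to_client=True):
    """Hand-expand `server <net> <mask>` (dev tun, net30) as the manpage's
    --server section describes, but start the dynamic ifconfig-pool above
    every /30 reserved by a ccd ifconfig-push so the two can never overlap.
    static_pushes: {common_name: (local, remote)} taken from the ccd files."""
    net = ipaddress.ip_network(subnet)
    server_block = ipaddress.ip_network(f"{net[1]}/30", strict=False)
    # --server's own defaults: server on .1/.2, pool from .4 to broadcast-4
    pool_start = int(net.network_address) + 4
    pool_end = int(net.broadcast_address) - 4
    for cn, (local, remote) in static_pushes.items():
        if not check_net30_pair(local, remote):
            raise ValueError(f"{cn}: {local} {remote} is not a valid net30 pair")
        blk = ipaddress.ip_network(f"{local}/30", strict=False)
        if blk == server_block or not blk.subnet_of(net):
            raise ValueError(f"{cn}: {blk} collides with the server or leaves the subnet")
        pool_start = max(pool_start, int(blk.broadcast_address) + 1)
    if pool_start > pool_end:
        raise ValueError("static /30s leave no room for a dynamic pool")
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    lines = ["mode server", "tls-server",
             f"ifconfig {net[1]} {net[2]}",
             f"ifconfig-pool {start} {end}",
             f"route {net.network_address} {net.netmask}"]
    # with client-to-client --server pushes the whole subnet, else only .1
    if client_to_client:
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    else:
        lines.append(f'push "route {net[1]}"')
    return lines

if __name__ == "__main__":
    # constructed ccd data: the thread's "10.8.0.6 10.8.0.7" fails the Windows
    # check, so the corrected pair .6/.5 is used; the pool then starts at .8
    print(check_net30_pair("10.8.0.6", "10.8.0.7"))   # False
    for line in expand_server("10.8.0.0/24", {"specific_cert": ("10.8.0.6", "10.8.0.5")}):
        print(line)
```

The returned lines replace the single `server 10.8.0.0 255.255.255.0` directive in the server config, while the ccd file keeps `ifconfig-push 10.8.0.6 10.8.0.5`.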

ginga
OpenVpn Newbie
Posts: 5
Joined: Sat May 25, 2013 2:36 pm

Re: same IP for different certificates (one is in ccd)

Post by ginga » Sat Aug 17, 2013 12:02 am

Thank you very much, Josh! That made things very clear now.
Seems that my "clone" network works just by a miracle. I copy-pasted the whole system: one works, and this one doesn't.

However, I played around a bit and ended up with this error in the logs:

Code:

Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly
Use --help for more information.
Seems that --server does ifconfig-pool internally:

Code:

--server network netmask
and only the following takes desired parameters (but I don't need bridging):

Code:

 --server-bridge [IP netmask pool-start-IP pool-end-IP]
Help is identical to openvpn --help:
http://openvpn.net/index.php/open-sourc ... npage.html

Any ideas how to force -ifconfig-pool start-IP end-IP [netmask] ?

JoshC
OpenVPN User
Posts: 37
Joined: Sun Jun 23, 2013 3:42 pm

Re: same IP for different certificates (one is in ccd)

Post by JoshC » Sat Aug 17, 2013 12:50 am

Seems that --server does ifconfig-pool internally
Yes, this is why I said before you must expand the directive yourself. Don't use --server, but use the values --server "does for you" without it doing it for you.

To put it another way, don't let the "automagic" helper directive configure your setup since your needs don't work with the defaults this provides you.

ginga
OpenVpn Newbie
Posts: 5
Joined: Sat May 25, 2013 2:36 pm

Re: same IP for different certificates (one is in ccd)

Post by ginga » Sat Aug 17, 2013 1:57 am

Fantastic! Works perfectly!
My previous understanding of directives was wrong.

Thanks a ton, Josh.
