How to preserve client’s IP when --duplicate-cn enabled

vbokashov
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 15, 2010 3:34 pm

How to preserve client’s IP when --duplicate-cn enabled

Post by vbokashov » Mon Nov 15, 2010 3:54 pm

Is there any way to preserve a client’s IP when I have the “--duplicate-cn” option enabled and use only one cert/key pair to authenticate multiple clients?
Example:
One Windows-based OpenVPN server, 3 Windows OpenVPN clients.
The “--duplicate-cn” option is enabled on the server, and only one cert/key pair is used by all clients.
Each client receives the same IP from the server after a regular reboot, but sometimes when the reboot is very fast a client may get another IP (“keepalive” is the default: 10 120).
But if we reboot all 3 clients at the same time they all may change IPs, and in the worst-case scenario they may use each other’s IPs.
What may be a way to avoid it, on the condition that we still use the “--duplicate-cn” option on the server?

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: How to preserve client’s IP when --duplicate-cn enabled

Post by krzee » Tue Nov 16, 2010 9:59 am

post the server config, with no comments

vbokashov
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 15, 2010 3:34 pm

Re: How to preserve client’s IP when --duplicate-cn enabled

Post by vbokashov » Tue Nov 16, 2010 4:39 pm

port 1194
proto udp
dev tun
ca ca.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option WINS 10.8.0.1"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
cert *****.crt
key *****.key

krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: How to preserve client’s IP when --duplicate-cn enabled

Post by krzee » Wed Nov 17, 2010 10:37 am

remove

ifconfig-pool-persist ipp.txt
no, there is no way to use static IPs for multiple machines while using only certificate auth with every client having the same certificate.
your setup thinks every client is the same client!

you SHOULD go make more certificates, and set up your VPN correctly.
the only time a production VPN should use duplicate-cn is when you also use password auth.
if you choose to add login/password auth to your setup, then use --username-as-common-name to set the common name to be the username, instead of the one from the certificate.
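
As an added example (not a config from this thread), here is the posted server config rewritten along the lines of the advice above: one common name per client, so ifconfig-pool-persist has a distinct key for each machine. The file names, the PAM plugin path and the client-config-dir/ifconfig-push lines are assumptions of mine, not something the thread states.

```conf
# Added example server.conf, built on the advice in this thread.
# What broke IP persistence in the original config was the pair
#   duplicate-cn
#   ifconfig-pool-persist ipp.txt
# ipp.txt is keyed by common name, so with one shared certificate
# all three clients share a single entry and fight over one address.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt        # placeholder file names
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option WINS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

# Option A: a separate certificate per client and no duplicate-cn.
# Each client now has its own CN, and ipp.txt records one address per CN,
# so a client gets the same address back after a reboot.
ifconfig-pool-persist ipp.txt

# Option B: if the shared certificate has to stay, add password auth and
# make the username the CN, as suggested above. The plugin path is an
# assumed Linux path; on Windows an auth-user-pass-verify script does the job.
# duplicate-cn
# plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
# username-as-common-name

# Optional, with either option: pin a fixed address per CN instead of
# relying on the pool file. Assumed directory "ccd"; each file in it is
# named after a CN and holds, for example:
#   ifconfig-push 10.8.0.5 10.8.0.6
client-config-dir ccd
```

With either option the server's status log lists one distinct common name per connected client, which is the quickest way to confirm that the pool file can now tell the machines apart.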

vbokashov
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 15, 2010 3:34 pm

Re: How to preserve client’s IP when --duplicate-cn enabled

Post by vbokashov » Thu Nov 18, 2010 7:33 pm

thank you, krzee.
I use “duplicate-cn” for simplicity only; when you have at most 2 or 3 clients connected to each VPN server it’s almost like the same certificate …
One more thing: we seem to be able to keep the same IP if we use "bind" to some random port on the client's side, as long as the server is up, of course.

Thanks again.
