[resolved] How to implement same key can only one client ...

suheng
OpenVpn Newbie
Posts: 3
Joined: Thu Dec 29, 2011 1:54 am

Post by suheng » Mon Jan 02, 2012 6:10 am

Hi All,

I am a newbie to OpenVPN. I just followed the "howto" document to create the PKI keys, server config and client config.
I created a key named common.crt and common.key. I can connect to the server properly and the tunnel works perfectly. However, if I copy these key files and the client configuration to another PC, then both of the two PCs can connect properly.

My question is: how can I make a key usable by only one PC at a time? I.e., if client A uses key common and is online, then at the same time client B using key common cannot connect, or client A is just forced offline and then client B comes online.
Thanks.

My Server Config

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.108 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
comp-lzo
status openvpn-status.log
verb 4


My Client Config

client
dev tun
proto udp
#remote 58.182.197.226 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert common.crt
key common.key
ns-cert-type server
comp-lzo
verb 3
Last edited by suheng on Mon Jan 02, 2012 2:42 pm, edited 1 time in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How to implement same key can only one client is online?

Post by maikcat » Mon Jan 02, 2012 7:42 am

hi there,
Quote:
If client A use key common and it is online then at the same time client B use key common can not be connected or just force client A offline then client B online.

this is the default when duplicate-cn is NOT used...

are you sure that both clients gets connected and vpn is working?


also

Quote:
push "route 192.168.1.108 255.255.255.0"

this is wrong, use

push "route 192.168.1.108 255.255.255.255"

or

push "route 192.168.1.0 255.255.255.0"


Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

Post by suheng » Mon Jan 02, 2012 1:49 pm

Hi maikcat,

Thanks, you are right.

I have created a key 'common' and server key 'ca', and have two clients: one is 'Fedora', the other is 'Windows XP'.

My Windows XP client connects to the server first, and the GUI tells me the connection was successful.
Then I switch to the Fedora client; it also gives me the success message "Initialization Sequence Completed".

And the Windows XP client gives me no hint that the connection has been disconnected. Only when I try to connect to the internet does it give me a message that it cannot connect.

:D Thanks.


BTW,
also

Quote:
push "route 192.168.1.108 255.255.255.0"


this is wrong,use

push "route 192.168.1.108 255.255.255.255"

or

push "route 192.168.1.0 255.255.255.0"


My server has an internal IP 192.168.1.108 with mask 255.255.255.0. I want clients to be able to access the LAN of the server; why is my config not correct?


Fedora client:






Thanks

Post by maikcat » Mon Jan 02, 2012 2:15 pm

you must decide if you want to push a route to host (/32 bit mask)
or a route to network (/24 bit mask)

if you are familiar with routing you will understand...;)

the most common is to push entire lan (/24).

cheers,

Michael.

Post by suheng » Mon Jan 02, 2012 2:36 pm

maikcat wrote: you must decide if you want to push a route to host (/32 bit mask)
or a route to network (/24 bit mask)

if you are familiar with routing you will understand...;)

the most common is to push entire lan (/24).

cheers,

Michael.

Thanks Michael,

I will enhance related knowledge. :D

Regards,
Su Heng
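
Added example, not part of the original thread and not OpenVPN code: a small Python check for the two points discussed above, namely a pushed route whose address has host bits set under its netmask, and whether duplicate-cn is enabled. The function names and the sample config are constructed for illustration; the sample reuses lines from the server config posted in this thread.

```python
import ipaddress
import shlex

# Constructed sample: relevant lines of the server config posted in this thread.
SAMPLE_CONFIG = '''\
port 1194
server 10.8.0.0 255.255.255.0
push "route 192.168.1.108 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
'''

def check_route(network, netmask="255.255.255.255"):
    """Return a message if the route address has host bits set under netmask."""
    try:
        iface = ipaddress.ip_interface(f"{network}/{netmask}")
    except ValueError:
        return None  # hostname or keyword such as vpn_gateway: not checked here
    net = iface.network.network_address
    if iface.ip == net:
        return None
    return (f"route {network} {netmask} has host bits set: use "
            f"{network} 255.255.255.255 (host) or {net} {netmask} (network)")

def lint_server_config(text):
    """Return (line_number, message) findings for a server config."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops '#' comments
        except ValueError:
            findings.append((line_no, "unbalanced quotes"))
            continue
        if not tokens or tokens[0].startswith(";"):   # ';' also starts a comment
            continue
        if tokens[0] == "duplicate-cn":
            findings.append((line_no, "duplicate-cn is set: the same certificate "
                                      "can be connected from several clients at once"))
        elif tokens[0] == "push" and len(tokens) == 2:
            args = tokens[1].split()
            if len(args) >= 2 and args[0] == "route":
                msg = check_route(*args[1:3])
                if msg:
                    findings.append((line_no, msg))
    return findings

if __name__ == "__main__":
    for line_no, msg in lint_server_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {msg}")
```

Run against the sample, it reports only the push route line and offers both corrections given in the thread, the /32 host route and the /24 network route.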
