How to preserve client’s IP when --duplicate-cn enabled

[vbokashov]

Is there any way to preserve client’s IP when I have “--duplicate-cn” option enabled and I use one only cert/key pair to authenticate multiple clients?
Example:
One Windows-based OpenVPN server, 3 Windows OpenVPN clients.
Enabled “--duplicate-cn” option on server, one only cert/key pair used by all clients.
Each client receives the same IP from the server after a regular reboot, but sometimes when reboot is very fast client may get another IP (“keepalive“ is default : 10 120).
But if we reboot all 3 clients at the same time they all may change IPs, and and the worse case scenario they may use each other’s IPs.
What may be a way to avoid it with the condition we still use “--duplicate-cn” option on the server?

[krzee]

post the server config, with no comments

[vbokashov]

port 1194
proto udp
dev tun
ca ca.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option WINS 10.8.0.1"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
cert *****.crt
key *****.key

[krzee]

remove

Code: Select all

ifconfig-pool-persist ipp.txt

no, there is no way to use static ips for multiple machines while using only certificate auth, and every client having the same certificates.
your setup thinks every client is the same client!

you SHOULD go make more certificates, and setup your VPN correctly.
the only time production vpn should use duplicate-cn is when you also use password auth.
if you choose to add login/password auth to your setup, then use --username-as-common-name to set the common-name to be the username, instead of the one from the certificate.

[vbokashov]

thank you, krzee.
I use “duplicate-cn” for simplicity only, when you have max 2 or 3 client connected to each VPN server it’s almost as the same certificate …
One more, we seem to able keep the same IP if we use "bind" to some random port on client's side, sure as long as server is up.

Thanks again.