Is there any way to preserve clients' IPs when I have the "--duplicate-cn" option enabled and use only one cert/key pair to authenticate multiple clients?
Example:
One Windows-based OpenVPN server, 3 Windows OpenVPN clients.
The "--duplicate-cn" option is enabled on the server, and only one cert/key pair is used by all clients.
Each client receives the same IP from the server after a regular reboot, but sometimes when the reboot is very fast a client may get another IP ("keepalive" is at the default: 10 120).
But if we reboot all 3 clients at the same time, they all may change IPs, and in the worst-case scenario they may use each other's IPs.
What may be a way to avoid this, on the condition that we still use the "--duplicate-cn" option on the server?
How to preserve client’s IP when --duplicate-cn enabled
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Nov 15, 2010 3:34 pm
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: How to preserve client’s IP when --duplicate-cn enabled
post the server config, with no comments
- OpenVpn Newbie
Re: How to preserve client’s IP when --duplicate-cn enabled
port 1194
proto udp
dev tun
ca ca.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option WINS 10.8.0.1"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
cert *****.crt
key *****.key
- krzee
- Forum Team
Re: How to preserve client’s IP when --duplicate-cn enabled
remove

Code:
ifconfig-pool-persist ipp.txt

no, there is no way to use static ips for multiple machines while using only certificate auth, and every client having the same certificates.
your setup thinks every client is the same client!
you SHOULD go make more certificates, and set up your VPN correctly.
the only time a production vpn should use duplicate-cn is when you also use password auth.
if you choose to add login/password auth to your setup, then use --username-as-common-name to set the common-name to be the username, instead of the one from the certificate.
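As an added illustration of the two routes krzee describes (this is example configuration written for this edit, not from the original posts or from the OpenVPN project; the file names, client names, usernames and addresses in it are assumptions), here is the posted server config reworked both ways. The security-relevant point is that OpenVPN identifies a client by its Common Name: with one shared certificate every client has the same CN, so neither ipp.txt nor a client-config-dir file can tell them apart and any pinned address would be handed to all of them at once. Route A keeps certificate-only auth but gives every client its own certificate and pins each client's address in a client-config-dir file named after that certificate's CN. Route B keeps duplicate-cn but adds login/password auth and --username-as-common-name, so the username rather than the shared certificate becomes the CN that the ccd lookup and the status log key on.

```conf
# --- Route A: one certificate per client, fixed address per client ---------
# server.conf (changes relative to the posted config)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt          # assumed file name
key server.key           # assumed file name
dh dh1024.pem
# "topology subnet" gives each client a single address in the /24 instead of
# a /30 pair, so ifconfig-push below takes "address netmask".
topology subnet
server 10.8.0.0 255.255.255.0
# No duplicate-cn and no ifconfig-pool-persist: every client presents its own
# CN, and the address is pinned in the matching ccd file, not learned from ipp.txt.
client-config-dir ccd
push "dhcp-option WINS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

# ccd/client1   (file name must equal the CN of client1's certificate; assumed CN)
ifconfig-push 10.8.0.11 255.255.255.0

# ccd/client2
ifconfig-push 10.8.0.12 255.255.255.0

# ccd/client3
ifconfig-push 10.8.0.13 255.255.255.0

# --- Route B: shared certificate kept, the username identifies the client ----
# server.conf additions (on top of topology subnet / server / client-config-dir
# as in Route A)
duplicate-cn
# Hand the login/password to an external checker. "via-file" passes the
# credentials in a temporary file, which needs script-security 2.
# check-user.bat is a placeholder for whatever verifier runs on the server.
script-security 2
auth-user-pass-verify check-user.bat via-file
# Use the authenticated username as the CN, so ccd/<username> and the status
# log distinguish the clients even though they all present the same certificate.
username-as-common-name
client-config-dir ccd

# ccd/alice   (file name must equal the username the client logs in with; assumed name)
ifconfig-push 10.8.0.21 255.255.255.0

# client.ovpn addition for Route B: prompt for (or read) the login/password
auth-user-pass
```

In either route, keep the pinned addresses out of the range the dynamic pool hands to unpinned clients (pin every client, or narrow the pool with `ifconfig-pool`), otherwise a pinned client and a pooled client can still end up on the same address. Route B only helps if the password check is real: with duplicate-cn, the shared certificate no longer proves who a client is, so the verifier script is the only thing standing between a copied cert/key pair and a VPN address.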
- OpenVpn Newbie
Re: How to preserve client’s IP when --duplicate-cn enabled
thank you, krzee.
I use "duplicate-cn" for simplicity only; when you have at most 2 or 3 clients connected to each VPN server, it's almost as if it were the same certificate …
One more thing: we seem to be able to keep the same IP if we use "bind" to some random port on the client's side, as long as the server is up, of course.
Thanks again.