
all openvpn clients receive the same virtual ip

Posted: Thu Jan 31, 2013 9:19 pm
by p3tter
I have followed the instructions from this site http://geeksandtweaks.com/wp/how-to-cre ... mment-6119,
and the OpenVPN web site, but all my clients receive the same IP, 10.8.0.6, so when client1 is connected it has internet, but when client2 connects while client1 is online, client1 loses the internet connection. How do I fix this simply? I need a maximum of 5 clients total.
Thank you.

Re: all openvpn clients receive the same virtual ip

Posted: Fri Feb 01, 2013 6:47 am
by maikcat
Please post the configs used, ccd files, etc.

Michael.

Re: all openvpn clients receive the same virtual ip

Posted: Fri Feb 01, 2013 11:56 am
by p3tter
openvpn.conf:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

client-config-dir /etc/openvpn/ccd

max-clients 10
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
#ifconfig-pool-persist ipp.txt
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client


ifconfig-pool-linear 10.8.0.4/30 10.0.12.252 #ipp.txt

push "redirect-gateway def1 bypass-dhcp"

#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo



ccd/client1

#ifconfig-push clientIP Netmask
ifconfig-push 10.8.0.8 255.255.255.0
#--ifconfig-push local remote-netmask


I have also tried with ipp.txt (not enabled at the moment):
client1 client1,10.8.0.9



All got the same IP 10.8.0.4...
Server: Ubuntu 12.04,
clients: Mac OS X and Android

Re: all openvpn clients receive the same virtual ip

Posted: Fri Feb 01, 2013 1:12 pm
by maikcat
Hi there,

First remove this from your server config:


ifconfig-pool-linear 10.8.0.4/30 10.0.12.252 #ipp.txt
The ifconfig-push statement inside your ccd is used when mode subnet is used...

Does each client use its own cert?
If yes, try to use ccd files for all your certs -or-
try to allocate them IPs from the end of the scope used...

Michael.

Re: all openvpn clients receive the same virtual ip

Posted: Fri Feb 01, 2013 3:49 pm
by p3tter
I have created 3 ccd files, named client1, client2, client3, with:


client1
ifconfig-push 10.8.0.8 255.255.255.0

client2
ifconfig-push 10.8.0.12 255.255.255.0

client3
ifconfig-push 10.8.0.16 255.255.255.0
All clients get the same IP 10.8.0.6,
and I removed the ifconfig-pool-linear line.

The OpenVPN server is a virtual guest OS; do I need another configuration for this?

Re: all openvpn clients receive the same virtual ip

Posted: Sat Feb 02, 2013 9:32 am
by maikcat
Please post server & client logs...

Michael.

Re: all openvpn clients receive the same virtual ip

Posted: Sat Feb 02, 2013 10:07 am
by p3tter
Server log for the last connection from the Mac OS X client:


Sat Feb  2 10:51:00 2013 MULTI: multi_create_instance called
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Re-using SSL/TLS context
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 LZO compression initialized
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Local Options hash (VER=V4): '530fdded'
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Expected Remote Options hash (VER=V4): '41690919'
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 TLS: Initial packet from [AF_INET]128.39.112.9:60033, sid=36dbfb1f ee78663d
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 VERIFY OK: depth=1, /C=NO/ST=VF/L=horten/O=Fort-Funston/OU=changeme/CN=192.168.1.148/name=changeme/emailAddress=mail@host.domain
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 VERIFY OK: depth=0, /C=NO/ST=VF/L=horteen/O=Fort-Funston/OU=changeme/CN=192.168.1.148/name=mac/emailAddress=mail@host.domain
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 [192.168.1.148] Peer Connection Initiated with [AF_INET]128.39.112.9:60033
Sat Feb  2 10:51:00 2013 MULTI: new connection by client '192.168.1.148' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sat Feb  2 10:51:00 2013 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=581b:3802:a47f::
Sat Feb  2 10:51:00 2013 MULTI: Learn: 10.8.0.6 -> 192.168.1.148/128.39.112.9:60033
Sat Feb  2 10:51:00 2013 MULTI: primary virtual IP for 192.168.1.148/128.39.112.9:60033: 10.8.0.6
Sat Feb  2 10:51:02 2013 192.168.1.148/128.39.112.9:60033 PUSH: Received control message: 'PUSH_REQUEST'
Sat Feb  2 10:51:02 2013 192.168.1.148/128.39.112.9:60033 send_push_reply(): safe_cap=960
Sat Feb  2 10:51:02 2013 192.168.1.148/128.39.112.9:60033 SENT CONTROL [192.168.1.148]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Mac OS X client log:


2013-02-02 10:50:52 *Tunnelblick: OS X 10.7.5; Tunnelblick 3.2.8 (build 2891.3099)
2013-02-02 10:50:52 *Tunnelblick: Attempting connection with open-vpn; Set nameserver = 1; monitoring connection
2013-02-02 10:50:52 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start open-vpn.tblk 1337 1 0 3 0 49 -atDASNGWrdasngw 
2013-02-02 10:50:52 *Tunnelblick: openvpnstart message: Loading tun.kext
2013-02-02 10:50:52 *Tunnelblick: Established communication with OpenVPN
2013-02-02 10:50:52 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 10 2012
2013-02-02 10:50:52 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2013-02-02 10:50:52 Need hold release from management interface, waiting...
2013-02-02 10:50:52 MANAGEMENT: Client connected from 127.0.0.1:1337
2013-02-02 10:50:52 MANAGEMENT: CMD 'pid'
2013-02-02 10:50:52 MANAGEMENT: CMD 'state on'
2013-02-02 10:50:52 MANAGEMENT: CMD 'state'
2013-02-02 10:50:52 MANAGEMENT: CMD 'hold release'
2013-02-02 10:50:52 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2013-02-02 10:50:52 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2013-02-02 10:50:52 WARNING: file 'client1.key' is group or others accessible
2013-02-02 10:50:52 LZO compression initialized
2013-02-02 10:50:52 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2013-02-02 10:50:52 Socket Buffers: R=[42080->65536] S=[9216->65536]
2013-02-02 10:50:52 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2013-02-02 10:50:52 Local Options hash (VER=V4): '41690919'
2013-02-02 10:50:52 Expected Remote Options hash (VER=V4): '530fdded'
2013-02-02 10:50:52 UDPv4 link local: [undef]
2013-02-02 10:50:52 UDPv4 link remote: 128.39.165.152:1194
2013-02-02 10:50:52 MANAGEMENT: >STATE:1359798652,WAIT,,,
2013-02-02 10:50:52 write UDPv4: No route to host (code=65)
2013-02-02 10:50:52 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Shared/open-vpn.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Shared/open-vpn.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sopen--vpn.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2013-02-02 10:50:54 MANAGEMENT: >STATE:1359798654,AUTH,,,
2013-02-02 10:50:54 TLS: Initial packet from 128.39.165.152:1194, sid=ef4754a4 b22cd65f
2013-02-02 10:50:54 VERIFY OK: depth=1, /C=NO/ST=VF/L=horten/O=Fort-Funston/OU=changeme/CN=192.168.1.148/name=changeme/emailAddress=mail@host.domain
2013-02-02 10:50:54 VERIFY OK: depth=0, /C=NO/ST=VF/L=horten/O=Fort-Funston/OU=changeme/CN=192.168.1.148/name=changeme/emailAddress=mail@host.domain
2013-02-02 10:50:54 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2013-02-02 10:50:54 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-02-02 10:50:54 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2013-02-02 10:50:54 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-02-02 10:50:54 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2013-02-02 10:50:54 [192.168.1.148] Peer Connection Initiated with 128.39.165.152:1194
2013-02-02 10:50:56 MANAGEMENT: >STATE:1359798656,GET_CONFIG,,,
2013-02-02 10:50:57 SENT CONTROL [192.168.1.148]: 'PUSH_REQUEST' (status=1)
2013-02-02 10:50:57 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5'
2013-02-02 10:50:57 OPTIONS IMPORT: --ifconfig/up options modified
2013-02-02 10:50:57 OPTIONS IMPORT: route options modified
2013-02-02 10:50:57 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2013-02-02 10:50:57 ROUTE default_gateway=172.19.0.4
2013-02-02 10:50:57 TUN/TAP device /dev/tun0 opened
2013-02-02 10:50:57 MANAGEMENT: >STATE:1359798657,ASSIGN_IP,,10.8.0.6,
2013-02-02 10:50:57 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2013-02-02 10:50:57 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2013-02-02 10:50:57 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2013-02-02 10:50:57 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1542 10.8.0.6 10.8.0.5 init
                                          No such key
2013-02-02 10:50:59 *Tunnelblick: Flushed the DNS cache
2013-02-02 10:50:59 /sbin/route add -net 128.39.165.152 172.19.0.4 255.255.255.255
                                        add net 128.39.165.152: gateway 172.19.0.4
2013-02-02 10:50:59 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        add net 0.0.0.0: gateway 10.8.0.5
2013-02-02 10:50:59 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
                                        add net 128.0.0.0: gateway 10.8.0.5
2013-02-02 10:50:59 MANAGEMENT: >STATE:1359798659,ADD_ROUTES,,,
2013-02-02 10:50:59 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
                                        add net 10.8.0.0: gateway 10.8.0.5
2013-02-02 10:50:59 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
                                        route: writing to routing socket: File exists
                                        add net 10.8.0.0: gateway 10.8.0.5: File exists
2013-02-02 10:50:59 Initialization Sequence Completed
2013-02-02 10:50:59 MANAGEMENT: >STATE:1359798659,CONNECTED,SUCCESS,10.8.0.6,128.39.165.152
2013-02-02 10:50:59 *Tunnelblick client.up.tunnelblick.sh: Retrieved name server(s) [ 8.8.8.8 8.8.4.4 ] and WINS server(s) [ ] and using default domain name [ openvpn ]
2013-02-02 10:50:59 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored
2013-02-02 10:50:59 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use
2013-02-02 10:50:59 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor system configuration with process-network-changes
2013-02-02 10:51:04 *Tunnelblick process-network-changes: A system configuration change was ignored because it was not relevant
2013-02-02 10:51:25 *Tunnelblick process-network-changes: A system configuration change was ignored because it was not relevant


Re: all openvpn clients receive the same virtual ip

Posted: Sat Feb 02, 2013 11:32 am
by maikcat
Hi there,
CN=192.168.1.148
Did you set the CN (canonical name) certificate field to 192.168.1.148
on ALL the certificates you created?

Michael.

Re: all openvpn clients receive the same virtual ip

Posted: Sat Feb 02, 2013 12:14 pm
by p3tter
Yes, in common name, in all certificates. I have built all the certs twice, but it did not help.

Re: all openvpn clients receive the same virtual ip

Posted: Sat Feb 02, 2013 12:28 pm
by maikcat
ccd files are using the common name from the certs, that's why your setup isn't working...

Recreate all certs and use the cert name as the common name for each cert.

Michael.
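As an added example (not from this thread or from OpenVPN itself), the following Python script reads server log lines of the kind posted above and flags the condition maikcat describes: several peers presenting certificates with the same CN, which makes the client-config-dir lookup collide and causes each new connection to evict the previous one. The log sample is constructed and shortened, and `ccd_names` stands for the filenames in the poster's ccd directory.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the server log posted in this thread:
# two different devices (the "name" field differs) both present a certificate
# whose CN is 192.168.1.148, and each new connection evicts the previous one.
SERVER_LOG = """\
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 VERIFY OK: depth=1, /C=NO/O=Fort-Funston/CN=192.168.1.148/name=changeme
Sat Feb  2 10:51:00 2013 128.39.112.9:60033 VERIFY OK: depth=0, /C=NO/O=Fort-Funston/CN=192.168.1.148/name=mac
Sat Feb  2 10:51:00 2013 MULTI: new connection by client '192.168.1.148' will cause previous active sessions by this client to be dropped.
Sat Feb  2 10:51:00 2013 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=581b:3802:a47f::
Sat Feb  2 10:53:10 2013 10.0.0.7:51122 VERIFY OK: depth=0, /C=NO/O=Fort-Funston/CN=192.168.1.148/name=android
Sat Feb  2 10:53:10 2013 MULTI: new connection by client '192.168.1.148' will cause previous active sessions by this client to be dropped.
Sat Feb  2 10:53:10 2013 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=581b:3802:a47f::
"""

# Only depth=0 lines carry the client's own (leaf) certificate; depth=1 is the CA.
VERIFY_RE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (?P<peer>\S+) VERIFY OK: depth=0, (?P<subject>/\S*)$"
)


def leaf_certs(log):
    """Map each leaf-certificate CN to the set of (peer, name-field) pairs that presented it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = VERIFY_RE.match(line)
        if not m:
            continue
        fields = dict(f.split("=", 1) for f in m.group("subject").strip("/").split("/"))
        seen[fields.get("CN", "")].add((m.group("peer"), fields.get("name", "")))
    return seen


def shared_cns(log):
    """CNs presented by more than one distinct peer: the collision that makes
    every client hit the same ccd entry and the same pool address."""
    return sorted(cn for cn, peers in leaf_certs(log).items() if len({p for p, _ in peers}) > 1)


def evictions(log):
    """Count sessions dropped because another client connected with the same CN."""
    return sum("will cause previous active sessions" in line for line in log.splitlines())


def cns_without_ccd(log, ccd_names):
    """CNs seen in the log that have no ccd file (ccd files are matched by CN, not by key filename)."""
    return sorted(cn for cn in leaf_certs(log) if cn not in set(ccd_names))
```

With the poster's ccd directory (client1, client2, client3) the only CN in the log, 192.168.1.148, has no ccd file at all, which is why the ifconfig-push entries were never applied.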

Re: all openvpn clients receive the same virtual ip

Posted: Sat Feb 02, 2013 12:58 pm
by p3tter
OK, I'll try that. Thx!