Do I have to have a client file for every pc?

[KyferEz]

I have a successful openvpn implementation, with one issue I'd like to resolve. Machines get the same ip address from the server, which causes problems.

I only want to have to create a security file per-location, not per computer, as each of my "Locations" may have 20-50 computers, and I don't want to have to customize every computer, so I used the same cert and key file for each client PC at the location.

Now I can connect successfully with multiple computers using the same security file, except they interfere with each other because they all get the same IP address from the vpn server, and all of them end up loosing the connection.

How can I keep them from getting the same IP but use the same client cert and key files? Preferably this will be a server-side fix, because I have over 300 PCs out there that will have to be modified if it's on the client side...

Here is my config files:
Server:

Code: Select all

local 192.168.1.61
port 1194
proto udp
mssfix 1400
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
dev tap
ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"  
cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 192.168.10.0 255.255.255.128
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 1

Client:

Code: Select all

client
dev tap
#dev-node MyTAP
proto udp
remote blah.dyndns.org 1194
route 192.168.0.2 255.255.255.0 vpn_gateway 3
resolv-retry infinite
nobind
persist-key
persist-tun
ca "<path_to_client_ca>"
cert "<path_to_client_cert>"
key "<path_to_client_key>"
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 1

[krzee]

you only need 1 vpn node per LAN. you need different certs for each vpn node.
viewtopic.php?f=8&t=98

also, you have no reason to use tap, switch to dev tun

[KyferEz]

Ok, my setup is a little different than your graph here: http://www.secure-computing.net/wiki/index.php/Graph If you swap the client and the server, that's more like my setup. 1 server and multiple client networks connecting to the server.

I have a lan where the server is running, but I only care that remote networks can connect to the server; they don't need to connect to the rest of the lan the server is on, so as long as the remote PCs can see the virtural IP of the server (192.168.10.1 in my case), it's good enough.

That said, all of the computers on the remote lan need to be able to access the server. If I connect one client, that one client can connect, but none of the other pcs on the network can connect through that client. I assume because of the sort of situation you demonstrate on the above graph page? That said, my router does not have the ability to define a static route. What do I do now? Is there a software option?

[krzee]

Ok, my setup is a little different than your graph here: http://www.secure-computing.net/wiki/index.php/Graph If you swap the client and the server, that's more like my setup. 1 server and multiple client networks connecting to the server.

http://www.secure-computing.net/wiki/index.php/Graph is not meant to match your setup... you need to take it in context and see that it is about a single concept (the route you need outside of openvpn when sharing a lan with the vpn). It is all about having a route to return traffic to the vpn subnet. If you will have multiple LANs each talking to eachother, you will need multiple routes added to each gateway (1 for each foreign subnet that will reach local lan, including vpn subnet)
Still read my document, it still teaches you everything you need to know about a lan behind your clients. It wasnt meant to EXACTLY match your setup, it was meant for you to learn from.

That said, all of the computers on the remote lan need to be able to access the server. If I connect one client, that one client can connect, but none of the other pcs on the network can connect through that client. I assume because of the sort of situation you demonstrate on the above graph page?

maybe, maybe not. an easy way to test this is to ping the LAN ip of the client with the lan behind it. If you can ping the client's LAN ip but not another IP in the lan which has no firewall stopping you, this (or ipforwarding) can be the problem. Otherwise, it could be that you forgot one of the other client specific things from my routing doc (ie: will need a route / push route / iroute for each client)

That said, my router does not have the ability to define a static route. What do I do now? Is there a software option?

My document tells you the alternative to this as well (add a route to every lan machine)... I highly doubt a "router" does not allow for adding routes... but if it really does not, get a new one.

[KyferEz]

I realize it wasn't meant to exactly match what I'm doing. I was letting you know what was primarily different so you knew while attempting to help me.

I've read the document in it's entirety at least 3 times. I don't understand all of it. The details about how the routing works is confusing me, but I did the best I could, see my new server file below.

From the client network, (192.168.2.0) PCs, local PCs can ping each other no problem, until the vpn is connected, then they cannot ping the PC running the vpn client (192.168.2.245) and that pc cannot ping the local network. I think this is the first problem to solve... That said, when the vpn client is connected, that one computer can access the remote server just fine.

Also the pcs on the client network cannot ping the IP that gets assigned to the client when connected to the VPN (192.168.10.2), nor can they ping the VPN Server's virtual IP (192.168.10.1) or the server's real IP (192.168.0.2).

Here's the new server config I setup:

Code: Select all

local 192.168.0.2
port 1194
proto udp
mssfix 1400

;new stuff is below here
dev tun
client-config-dir "C:\\Program Files\\OpenVPN\\ccd\\"
route 192.168.2.0 255.255.255.0 #remote lan subnet
push "route 192.168.2.0 255.255.255.0" #remote lan subnet
push "route 192.168.10.0 255.255.255.0" #vpn server virtual ip subnet
client-to-client
;end new stuff

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"  
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 1

and the ccd file contains: iroute 192.168.2.0 255.255.255.0
Nothing on the page said exactly what to name the ccd file, so I named it client1.txt. Is that ok?

And the client file remained the same from before except that I changed dev tap to dev tun

There is a firewall setup page that looks like it's for setting up forwarding rules, but every time I try to set one up it logs me out of the router. The router is a dsl modem + router provided by isp. It's a real piece of crap, but it's a 8hr drive to replace it...

I also saw your other option for adding a route to each pc... Was looking for a 3rd option that didn't require changing settings on 50 pcs at a location; maybe one that allowed the PC with the VPN client to act as the internet gateway which would hand off the traffic to the internet router...

This is super complicated. No wonder so many people say to just use Hamachi... But I'd rather figure this out...

[KyferEz]

this quote, has no context:

maybe, maybe not. an easy way to test this is to ping the LAN ip of the client with the lan behind it. If you can ping the client's LAN ip but not another IP in the lan which has no firewall stopping you, this (or ipforwarding) can be the problem. Otherwise, it could be that you forgot one of the other client specific things from my routing doc (ie: will need a route / push route / iroute for each client)

Ping the client's lan ip from what machine? the client? The server? One of the pc's in the client lan?

I'm stuck here, don't even know why I can't ping local PCs from the vpn client pc when it connects to the vpn...

Here's an ascii graphic representing my network. Note that the VPNClients are just another PC on the network. Please read my prior post to see my new server config and for a few questions I need answered in that post, one important about the ccd file. The very 1st post has the client config.

Code: Select all

RealIP Server=192.168.1.2
VirturalIP Server=192.168.10.1
Server----internet---GatewayRouter----VPNClient1(192.168.2.0)
             |                     |---client1 lan
             |
             |---gatewayrouter------VPNClient2(192.168.3.0)
                                 |----client2 lan

Problem details:
VPN NOT CONNECTED: All clients in a lan can ping their local computers; of course cannot ping server
VPN CONNECTED: VPNClient can Ping server; VPNClient cannot ping local computers; local computers cannot ping VPNClient; local computers cannot ping Server

[krzee]

can the server ping the LAN ip (not vpn ip) of the vpn client, but not any machines in that LAN?
if so, your problem is the one illustrated in that graph you asked about above.