AX88U Merlin 384.19 OpenVPN new sessions dropped if one already connected "--duplicate-cn option" ?


JohnDeere

Regular Contributor
Hi,

I'm experiencing new OpenVPN connections dropped if one is already connected to my AX88U.

Error log:

new connection by client 'client' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

It worked well with my old AC68U with the same server settings, but it gives me this error since I migrated to AX88U. I have about 9 different user logins defined in the access list. Connections are not made with the same login details, of course. Previously all my 9 clients could connect without problem. Now if there is 1 connected, connections are not dropped. If another client connects, all connections start dropping and reconnecting, making the remote work impossible.

Please help me with a solution.
Thank you in advance.
 

RMerlin

Asuswrt-Merlin dev
If you use certificate-based authentication, then each user needs to have a different canonical name in their certificate as the error message states. If however you do password-based authentication, you just need to have different usernames.
 

JohnDeere

Regular Contributor
I use different user names with different passwords. So there are no identical credentials in any way. This is why it is weird. It used to work perfectly with the same method on my AC68U, but since I moved to AX88U this error prevents using openvpn.
The error points to something I'm not using: same user name.
Is there anything I can do?
Thank you for your help.
 

elorimer

Very Senior Member
> If however you do password based authentication, you just need to have different usernames.
I thought that if you did certificate + user/password authentication, the generated server config included the duplicate cn option and that multiple clients could connect with the same client configuration file (including the same user name/password combo and the same certs). It seems to work.
 

JohnDeere

Regular Contributor
I still can't figure out what I'm missing. I've played around with different settings. These are my actual settings:

[Screenshots: 1607014372717.png, 1607014565572.png]

So there is no duplicated user name, nor password.
Each client only connects once with only one PC.
I set the OpenVPN server up from scratch when I bought my AX88U out of the box, right after flashing 384.19.
 

elorimer

Very Senior Member
What is going on with the client-specific options?
 

octopus

Very Senior Member
> new connection by client will cause previous active sessions by this client to be dropped.
> Remember to use the --duplicate-cn option if you want multiple clients using the same
> certificate or username to concurrently connect.

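Try to make a file in /jffs/scripts/openvpnserver1.postconf

#!/bin/sh
# Append "duplicate-cn" to the generated server config passed as $1
CONFIG=$1
source /usr/sbin/helper.sh

pc_append "duplicate-cn" "$CONFIG"

chmod 0755 /jffs/scripts/openvpnserver1.postconf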


Restart server and try again
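
Added example, not part of the thread or of Asuswrt-Merlin: a POSIX shell check of which identity an OpenVPN server config uses to decide that a new session replaces an older one (the certificate CN versus username distinction in RMerlin's post, and the duplicate-cn override suggested above), plus a count of the names the log reports as duplicates. The function names, sample config and sample log lines are constructed; `duplicate-cn` and `username-as-common-name` are standard OpenVPN directives.

```shell
#!/bin/sh
# Added example, not from the thread. Sample config and log lines are constructed.

# has_directive FILE NAME: true if NAME is an active (uncommented) directive.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# eviction_policy FILE: which identity makes a new session drop an older one.
eviction_policy() {
    if has_directive "$1" duplicate-cn; then
        echo none          # same name may connect concurrently; sessions share one identity
    elif has_directive "$1" username-as-common-name; then
        echo by-username   # distinct usernames are enough
    else
        echo by-cert-cn    # clients sharing one certificate CN evict each other
    fi
}

# evicted_names LOG: "count name" for every name OpenVPN reported as a duplicate.
evicted_names() {
    sed -n "s/.*new connection by client '\([^']*\)' will cause previous active sessions.*/\1/p" "$1" |
        sort | uniq -c | awk '{print $1, $2}'
}

# Constructed samples: a config with duplicate-cn commented out, and a short log.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/server.conf" <<'EOF'
port 1194
# duplicate-cn
auth-user-pass-verify /constructed/verify.sh via-file
EOF
cat > "$SAMPLE_DIR/vpn.log" <<'EOF'
ovpn-server1[1234]: MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.
ovpn-server1[1234]: Initialization Sequence Completed
ovpn-server1[1234]: MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.
EOF

echo "policy: $(eviction_policy "$SAMPLE_DIR/server.conf")"
evicted_names "$SAMPLE_DIR/vpn.log"
```

On the router, point the functions at the generated server config (the path handed to the postconf script as `$1`) and at the system log instead of the samples.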
 

elorimer

Very Senior Member
> Remember to use the --duplicate-cn option if you want multiple clients using the same
> certificate or username to concurrently connect.
I think the default configuration already includes it.
 

JohnDeere

Regular Contributor
> What is going on with the client-specific options?
I don't use any extra options on client side. I just import the config file I export from openvpn server config page. I don't even use the auth-nocache option on client config file.
 

JohnDeere

Regular Contributor
> new connection by client will cause previous active sessions by this client to be dropped.
> Remember to use the --duplicate-cn option if you want multiple clients using the same
> certificate or username to concurrently connect.
>
> Try to make a file in /jffs/scripts/openvpnserver1.postconf
>
> #!/bin/sh
> CONFIG=$1
> source /usr/sbin/helper.sh
>
> pc_append "duplicate-cn" "$CONFIG"
>
> chmod 0755 /jffs/scripts/openvpnserver1.postconf
>
> Restart server and try again
Thank you, I will try this.
Just to make things clear: I really don't use the same client username/password. I have different clients and a client only connects once, not more.
 

JohnDeere

Regular Contributor
> I think the default configuration already includes it.
I have never had such a problem with any other Asus router with Merlin. And I always used the same number of clients connecting the same way as now. I did not modify any "behind the scenes" option.
 

elorimer

Very Senior Member
> I don't use any extra options on client side. I just import the config file I export from openvpn server config page. I don't even use the auth-nocache option on client config file.
I suspect this is your problem. You have that option selected, and for what you are doing I don't think you need it. When I select that option, I get a table sorting clients by CN into subnets. Try it without.
 

JohnDeere

Regular Contributor
> I suspect this is your problem. You have that option selected, and for what you are doing I don't think you need it. When I select that option, I get a table sorting clients by CN into subnets. Try it without.
Which option do you mean? Username/Password Auth only? Now I set it to Yes.
 

elorimer

Very Senior Member
ACK! No. Sorry, I meant the client-specific options we were talking about in post #9: you have "Manage client-specific options" as "yes" in your screenshot in post #5 and I think you mean "no".

User/Password only means the client certs are not used in the authentication, and you don't want that.
 

JohnDeere

Regular Contributor
> ACK! No. Sorry, I meant the client-specific options we were talking about in post #9: you have "Manage client-specific options" as "yes" in your screenshot in post #5 and I think you mean "no".
>
> User/Password only means the client certs are not used in the authentication, and you don't want that.
Oh, okay, I am sorry, I have misunderstood it. Thanks for clarifying this for me. Now I have set client options to NO. Let's see what happens. Thank you.
 
