
AX88U Merlin 384.19 OpenVPN new sessions dropped if one already connected "--duplicate-cn option" ?


JohnDeere

Regular Contributor
Hi,

I'm experiencing new OpenVPN connections being dropped if one is already connected to my AX88U.

Error log:

new connection by client 'client' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

It worked well with my old AC68U with the same server settings, but it gives me this error since I migrated to AX88U. I have about 9 different user logins defined in the access list. Connections are not made with the same login details, of course. Previously all my 9 clients could connect without problem. Now if there is 1 connected, connections are not dropped. If another client connects, all connections start dropping and reconnecting, making the remote work impossible.

Please help me with a solution.
Thank you in advance.
 
If you use certificate-based authentication, then each user needs to have a different canonical name in their certificate as the error message states. If however you do password based authentication, you just need to have different usernames.
 
I use different user names with different passwords. So there are no identical credentials in any way. This is why it is weird. It used to work perfectly with the same method on my AC68U, but since I moved to AX88U this error prevents using openvpn.
The error points to something I'm not using: same user name.
Is there anything I can do?
Thank you for your help.
 
If however you do password based authentication, you just need to have different usernames.
I thought that if you did certificate + user/password authentication, the generated server config included the duplicate cn option and that multiple clients could connect with the same client configuration file (including the same user name/password combo and the same certs). It seems to work.
 
I still can't figure out what I'm missing. I've played around with different settings. These are my actual settings:

[Two screenshots: 1607014372717.png, 1607014565572.png]

So there is no duplicated user name, nor password.
Each client only connects once with only one PC.
I set the OpenVPN server up from scratch when I bought my AX88U out of the box, right after flashing 384.19.
 
What is going on with the client-specific options?
 
new connection by client will cause previous active sessions by this client to be dropped.
Remember to use the --duplicate-cn option if you want multiple clients using the same
certificate or username to concurrently connect.

Try to make a file in /jffs/scripts/openvpnserver1.postconf

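#!/bin/sh
# The firmware passes the path of the generated server config as $1
CONFIG=$1
source /usr/sbin/helper.sh

# Append the duplicate-cn directive to that config
pc_append "duplicate-cn" "$CONFIG"

# Run separately from the shell: make the script executable
chmod 0755 /jffs/scripts/openvpnserver1.postconf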


Restart server and try again
 
Remember to use the --duplicate-cn option if you want multiple clients using the same
certificate or username to concurrently connect.
I think the default configuration already includes it.
 
What is going on with the client-specific options?
I don't use any extra options on client side. I just import the config file I export from openvpn server config page. I don't even use the auth-nocache option on client config file.
 
new connection by client will cause previous active sessions by this client to be dropped.
Remember to use the --duplicate-cn option if you want multiple clients using the same
certificate or username to concurrently connect.

Try to make a file in /jffs/scripts/openvpnserver1.postconf

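#!/bin/sh
# The firmware passes the path of the generated server config as $1
CONFIG=$1
source /usr/sbin/helper.sh

# Append the duplicate-cn directive to that config
pc_append "duplicate-cn" "$CONFIG"

# Run separately from the shell: make the script executable
chmod 0755 /jffs/scripts/openvpnserver1.postconf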


Restart server and try again
Thank you, I will try this.
Just to make things clear: I really don't use the same client username/password. I have different clients and a client only connects once, not more.
 
I think the default configuration already includes it.
I have never had such a problem with any other Asus router with Merlin. And I always used the same number of clients connecting the same way as now. I did not modify any "behind the scenes" option.
 
I don't use any extra options on client side. I just import the config file I export from openvpn server config page. I don't even use the auth-nocache option on client config file.
I suspect this is your problem. You have that option selected, and for what you are doing I don't think you need it. When I select that option, I get a table sorting clients by CN into subnets. Try it without.
 
I suspect this is your problem. You have that option selected, and for what you are doing I don't think you need it. When I select that option, I get a table sorting clients by CN into subnets. Try it without.
Which option do you mean? Username/Password Auth only? Now I set it to Yes.
 
ACK! No. Sorry, I meant the client-specific options we were talking about in post #9: you have "Manage client-specific options" as "yes" in your screenshot in post #5 and I think you mean "no".

User/Password only means the client certs are not used in the authentication, and you don't want that.
 
ACK! No. Sorry, I meant the client-specific options we were talking about in post #9: you have "Manage client-specific options" as "yes" in your screenshot in post #5 and I think you mean "no".

User/Password only means the client certs are not used in the authentication, and you don't want that.
Oh, okay, I am sorry, I have misunderstood it. Thanks for clarifying this for me. Now I have set client options to NO. Let's see what happens. Thank you.
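
An added example, not part of the original thread: the shell functions below classify an OpenVPN server config by the name its duplicate-session check is keyed on (the certificate CN, or the username when username-as-common-name is set) and by whether duplicate-cn is present. The function names, verdict strings and sample config are constructed for illustration; only the directive names are OpenVPN's own.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and verdict strings are
# illustrative; the directives are standard OpenVPN server options.

# has_directive FILE NAME: succeed if NAME is an active (uncommented) directive.
has_directive() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        { d = $1; sub(/^--/, "", d); if (d == want) found = 1 }
        END { exit !found }' "$1"
}

# session_identity FILE: which name the duplicate-session check is keyed on.
session_identity() {
    if has_directive "$1" username-as-common-name; then
        echo username
    else
        echo certificate-cn
    fi
}

# audit_config FILE: what happens when a second client presents the same name.
audit_config() {
    if has_directive "$1" duplicate-cn; then
        echo concurrent-allowed        # the same name may hold several sessions
    elif [ "$(session_identity "$1")" = certificate-cn ]; then
        echo shared-cert-collides      # clients sharing one cert drop each other
    else
        echo unique-username-required  # sessions coexist only with distinct usernames
    fi
}

# Constructed sample: certificate required, client-specific options on,
# no duplicate-cn and no username-as-common-name.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real router config
port 1194
proto udp
verify-client-cert require
client-config-dir ccd
EOF
echo "identity=$(session_identity "$SAMPLE") verdict=$(audit_config "$SAMPLE")"
rm -f "$SAMPLE"
```

With duplicate-cn enabled and one shared client certificate, sessions can only be told apart by username, so per-user accounts remain the unit for logging and for cutting off a single client.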
 
