Only one simultaneus connection to OpenVPN server?

[JohnBull]

I was running an RT-n66u with Merlin fw for years and could connect multiple simultaneous devices/users.
After swapping to an RT-AX86U, immediately flashed to Merlin fw. The new router can only handle one connected device at a time!
(Right now I'm on version 386.5_2, but when I started 3 versions back it was the same)

I have tried setup one TAP and one TUN server and if I connect a PC to the TAP server and then connect an Android to the TUN, the TAP stops working.
I have tried with different VPN user accounts, but it does not help.

Used to have one PC off-site connected and connect on my phone when needed, but now the PC goes down if I connect with the phone, or the phone doesn't work when PC is connected.

Anyone has some ideas?

cheers

 

[L&LD]

I don't believe I've seen this issue before.

How did you set up the RT-AX86U? Did you flash the latest firmware, then perform a full reset to factory defaults, and without using a saved backup config file to secure and configure the router?

[Wireless] ASUS router Hard Factory Reset | Official Support | ASUS Global

Fully Reset / Best Practice Setup / More


Have you studied the changelogs in the three firmware versions you've used? Specifically about VPN Director?

Can you share any screenshots with your OpenVPN setup? What changes have you made past defaults?

What other features/options and additional scripts are you running on the router?


The following links may also be possibly useful too, and help you get your router back to a good/known state.

About L&LD

Almost all L&LD Links

 

[JohnBull]

I don't believe I've seen this issue before.

How did you set up the RT-AX86U? Did you flash the latest firmware, then perform a full reset to factory defaults, and without using a saved backup config file to secure and configure the router?

[Wireless] ASUS router Hard Factory Reset | Official Support | ASUS Global

Fully Reset / Best Practice Setup / More


Have you studied the changelogs in the three firmware versions you've used? Specifically about VPN Director?

Can you share any screenshots with your OpenVPN setup? What changes have you made past defaults?

What other features/options and additional scripts are you running on the router?


The following links may also be possibly useful too, and help you get your router back to a good/known state.

About L&LD

Almost all L&LD Links

Installation:
Factory reset
Clean installation
Factory reset
Configured everything

Tried a bit more now.
When I connect first client, it takes IP 192.168.1.2 and then when I connect 2nd client it takes the same IP!!!
IP conflict looks to be the problem. But how to solve it?

 

[L&LD]

Use unique IP ranges within your OpenVPN configurations.

 

[JohnBull]

Installation:
Factory reset
Clean installation
Factory reset
Configured everything

Tried a bit more now.
When I connect first client, it takes IP 192.168.1.2 and then when I connect 2nd client it takes the same IP!!!
IP conflict looks to be the problem. But how to solve it?

Router is 192.168.0.1
TUN server setup as 192.168.1.1 / 255.255.255.0
Edit: TAP server is not same IP range....ofcause...it's supposed to go with the router normal DHCP scope

 

[octopus]

I was running an RT-n66u with Merlin fw for years and could connect multiple simultaneous devices/users.
After swapping to an RT-AX86U, immediately flashed to Merlin fw. The new router can only handle one connected device at a time!
(Right now I'm on version 386.5_2, but when I started 3 versions back it was the same)

I have tried setup one TAP and one TUN server and if I connect a PC to the TAP server and then connect an Android to the TUN, the TAP stops working.
I have tried with different VPN user accounts, but it does not help.

Used to have one PC off-site connected and connect on my phone when needed, but now the PC goes down if I connect with the phone, or the phone doesn't work when PC is connected.

Anyone has some ideas?

cheers

If you use same config in multiple device then only one can connect at same time. But you can add "duplicate-cn" in your "openvpnclient1.postconf" file.

Best is to genarate different config file for various clients.

 

[ColinTaylor]

TAP is a bridged connection and so should be getting a 192.168.0.x address. Make sure "Allocate from DHCP" is set to yes.

 

[JohnBull]

If you use same config in multiple device then only one can connect at same time. But you can add "duplicate-cn" in your "openvpnclient1.postconf" file.

Best is to genarate different config file for various clients.

Ehhh....I was so sure it worked on the old router...but maybe not then...or something has changed...

So, if I export a new config file from the router admin page, isn't that one identical with previous exported config file!?

Think I have more to learn...

 

[JohnBull]

TAP is a bridged connection and so should be getting a 192.168.0.x address. Make sure "Allocate from DHCP" is set to yes.

it is set to "allocate from DHCP" and it has worked...but today after trying to connect multiple clients it didn't get an IP....not sure why

trying to create a separate config file for my phone now and connect that to the TUN while this PC is connected

 

[JohnBull]

Tried exporting a new config file for my phone, imported and connected.
First phone started to work via openvpn but then PC stopped working (both connected on separate accounts as well). After about a minute PC started working again and phone stopped working.
Router admin page says phone account is disconnected.

 

[JohnBull]

phone still takes same IP (192.168.1.2) as PC...so still IP conflict

 

[ColinTaylor]

Same IP for all clients over TUN

I have Merlin 386.4 on my RT-AC68U router. I configured TUN OpenVPN, but all my VPN clients are getting same IP 10.8.0.2. Because of this, obviously, the clients are getting disconnected each other.

www.snbforums.com

 

[JohnBull]

compared the old client.ovpn file with the new one and they are idendical

What should I do to create unique ones so I can connect several devices?

 

[JohnBull]

Same IP for all clients over TUN

I have Merlin 386.4 on my RT-AC68U router. I configured TUN OpenVPN, but all my VPN clients are getting same IP 10.8.0.2. Because of this, obviously, the clients are getting disconnected each other.

www.snbforums.com

don't fully understand
I have "manage client specific options" set to yes. I don't understand what it is and I don't know if it has always been set to yes.
Will it solve the problem of connecting multiple devices if I set it to No?

I don't understand how to create client specific config files.
When I tried to export a new config file, it got named client1.ovpn and I renamed the file to keep tack of them and imported the new one to my phone, but it didn't worked and when I compared the config files they were identical

Edit: If I set "manage client specific options" to no, I can't set Allow Client <-> Client to Yes
I want to be able to connect to other clients within the network via RDP

Edit2: I tried setting "manage client specific optons" to no and connected phone and now I got IP 192.168.1.3 and I can still connect another PC via rdp from the TUN connected PC at 192.168.1.2!!!!

Thanks all for help!

But I'm still interested to learn and understand more - I would be grateful if someone could explain a bit more
What does "allow client <-> client" do?
Can I create unique config files for every clinent? How?

Edit3: with "manage client specific options"=No I can access my router config web page (192.168.0.1), connect RDP to another client on LAN and connect to my Synology NAS on another fixed IP outside router DHCP scope (but within router IP range). But I can't access my other two access points (192.168.0.2 and -3)...but I can access my two configurable switches at -5 and -6...
Not sure if I could access the APs via TUN before. Maybe not. But why?

 

[eibgrad]

Here's what happened.

When you enabled Manage Client-Specific Options, that *removed* the duplicate-cn directive from the underlying config file of the OpenVPN server. Since the default certs and keys of the GUI only creates *one* client cert (specifically w/ the CN (Common Name) of 'client1') to be shared by *all* OpenVPN clients of that particular server, if you want multiple clients to have access at the same time, the duplicate-cn directive must be specified.

So why did enabling Manage Client-Specific Options cause the removal? Because the purpose of that option is to configure the client side routing of individual OpenVPN clients based on their CN (Common Name), typically for site-to-site purposes. But you can't do that if all of the OpenVPN clients are using the same cert!!! You can't distinguish one from the other. So the GUI removes the duplicate-cn directive to enforce one-at-a-time semantics.

Now as it happens, there is a way around it. If you add the following directives to the custom config field ...

duplicate-cn
username-as-common-name

... NOW the individual OpenVPN clients can be disambiguated based on their usernames rather than the CN on the shared cert!

But all of this moot if you don't need what Manage Client-Specific Options is offering. That option is what allows the server to know how to initiate/route connections to the IP networks behind the respective OpenVPN clients (i.e., site-to-site). And if you want to allow the OpenVPN clients to access each other via the OpenVPN server (i.e., configure it as a gateway), then you enable the Client to Client option as well (otherwise they are isolated from one another).

 

[JohnBull]

Here's what happened.

When you enabled Manage Client-Specific Options, that *removed* the duplicate-cn directive from the underlying config file of the OpenVPN server. Since the defaults certs and keys of the GUI only creates *one* client cert (specifically w/ the CN (Common Name) of 'client1') to be shared by *all* OpenVPN clients of that particular server, if you want multiple clients to have access at the same time, the duplicate-cn directive must be specified.

So why did enabling Manage Client-Specific Options cause the removal? Because the purpose of that option is to configure the client side routing of individual OpenVPN clients based on their CN (Common Name), typically for site-to-site purposes. But you can't do that if all of the OpenVPN clients are using the same cert!!! You can't distinguish one from the other. So the GUI removes the duplicate-cn directive to enforce one-at-a-time semantics.

Now as it happens, there is a way around it. If you add the following directives to the custom config field ...

duplicate-cn
username-as-common-name

... NOW the individual OpenVPN clients can be disambiguated based on their usernames rather than the CN on the shared cert!

But all of this moot if you don't need what Manage Client-Specific Options is offering. That option is what allows the server to know how to initiate/route connections to the IP networks behind the respective OpenVPN clients (i.e., site-to-site). And if you want to allow the OpenVPN clients to access each other via the OpenVPN server (i.e., configure it as a gateway), then you enable the Client to Client option as well (otherwise they are isolated from one another).

aha - that made it much more clear!
I had completely missed the "custom config field"...it was so empty at the bottom of the config page...
I have to try to get some time to test and see if I can enable and reach client-client and still connect multiple users. Just have to set up enough user IDs then...

Thanks for a very good lesson!