Only one simultaneous connection to OpenVPN server?

JohnBull

Occasional Visitor
I was running an RT-N66U with Merlin fw for years and could connect multiple simultaneous devices/users.
After swapping to an RT-AX86U, I immediately flashed it to Merlin fw. The new router can only handle one connected device at a time!
(Right now I'm on version 386.5_2, but when I started 3 versions back it was the same)

I have tried setting up one TAP and one TUN server, and if I connect a PC to the TAP server and then connect an Android to the TUN, the TAP stops working.
I have tried with different VPN user accounts, but it does not help.

I used to have one PC off-site connected and connect on my phone when needed, but now the PC goes down if I connect with the phone, or the phone doesn't work when the PC is connected.

Does anyone have some ideas?

cheers
 

L&LD

Part of the Furniture
I don't believe I've seen this issue before.

How did you set up the RT-AX86U? Did you flash the latest firmware, then perform a full reset to factory defaults, and without using a saved backup config file to secure and configure the router?

[Wireless] ASUS router Hard Factory Reset | Official Support | ASUS Global

Fully Reset / Best Practice Setup / More


Have you studied the changelogs in the three firmware versions you've used? Specifically about VPN Director?

Can you share any screenshots with your OpenVPN setup? What changes have you made past defaults?

What other features/options and additional scripts are you running on the router?


The following links may also be possibly useful too, and help you get your router back to a good/known state.

About L&LD

Almost all L&LD Links
 

JohnBull

Occasional Visitor
> I don't believe I've seen this issue before.
>
> How did you set up the RT-AX86U? Did you flash the latest firmware, then perform a full reset to factory defaults, and without using a saved backup config file to secure and configure the router?
>
> [Wireless] ASUS router Hard Factory Reset | Official Support | ASUS Global
>
> Fully Reset / Best Practice Setup / More
>
>
> Have you studied the changelogs in the three firmware versions you've used? Specifically about VPN Director?
>
> Can you share any screenshots with your OpenVPN setup? What changes have you made past defaults?
>
> What other features/options and additional scripts are you running on the router?
>
>
> The following links may also be possibly useful too, and help you get your router back to a good/known state.
>
> About L&LD
>
> Almost all L&LD Links

Installation:
Factory reset
Clean installation
Factory reset
Configured everything

Tried a bit more now.
When I connect the first client, it takes IP 192.168.1.2, and then when I connect the 2nd client it takes the same IP!!!
An IP conflict looks to be the problem. But how do I solve it?
 

L&LD

Part of the Furniture
Use unique IP ranges within your OpenVPN configurations.
 

JohnBull

Occasional Visitor
> Installation:
> Factory reset
> Clean installation
> Factory reset
> Configured everything
>
> Tried a bit more now.
> When I connect the first client, it takes IP 192.168.1.2, and then when I connect the 2nd client it takes the same IP!!!
> An IP conflict looks to be the problem. But how do I solve it?

Router is 192.168.0.1
TUN server set up as 192.168.1.1 / 255.255.255.0
Edit: TAP server is not the same IP range....of course...it's supposed to go with the router's normal DHCP scope
 

octopus

Part of the Furniture
> I was running an RT-N66U with Merlin fw for years and could connect multiple simultaneous devices/users.
> After swapping to an RT-AX86U, I immediately flashed it to Merlin fw. The new router can only handle one connected device at a time!
> (Right now I'm on version 386.5_2, but when I started 3 versions back it was the same)
>
> I have tried setting up one TAP and one TUN server, and if I connect a PC to the TAP server and then connect an Android to the TUN, the TAP stops working.
> I have tried with different VPN user accounts, but it does not help.
>
> I used to have one PC off-site connected and connect on my phone when needed, but now the PC goes down if I connect with the phone, or the phone doesn't work when the PC is connected.
>
> Does anyone have some ideas?
>
> cheers

If you use the same config on multiple devices then only one can connect at the same time. But you can add "duplicate-cn" in your "openvpnclient1.postconf" file.

Best is to generate a different config file for the various clients.
 

ColinTaylor

Part of the Furniture
TAP is a bridged connection and so should be getting a 192.168.0.x address. Make sure "Allocate from DHCP" is set to yes.
 

JohnBull

Occasional Visitor
> If you use the same config on multiple devices then only one can connect at the same time. But you can add "duplicate-cn" in your "openvpnclient1.postconf" file.
>
> Best is to generate a different config file for the various clients.

Ehhh....I was so sure it worked on the old router...but maybe not then...or something has changed...

So, if I export a new config file from the router admin page, isn't that one identical to the previously exported config file!?

I think I have more to learn... :)
 

JohnBull

Occasional Visitor
> TAP is a bridged connection and so should be getting a 192.168.0.x address. Make sure "Allocate from DHCP" is set to yes.

It is set to "allocate from DHCP" and it has worked...but today after trying to connect multiple clients it didn't get an IP....not sure why

Trying to create a separate config file for my phone now and connect that to the TUN while this PC is connected
 

JohnBull

Occasional Visitor
Tried exporting a new config file for my phone, imported and connected.
First the phone started to work via OpenVPN but then the PC stopped working (both connected on separate accounts as well). After about a minute the PC started working again and the phone stopped working.
The router admin page says the phone account is disconnected.
 

ColinTaylor

Part of the Furniture
 

JohnBull

Occasional Visitor
I compared the old client.ovpn file with the new one and they are identical.

What should I do to create unique ones so I can connect several devices?
 

JohnBull

Occasional Visitor
I don't fully understand.
I have "manage client specific options" set to yes. I don't understand what it is and I don't know if it has always been set to yes.
Will it solve the problem of connecting multiple devices if I set it to No?

I don't understand how to create client specific config files.
When I tried to export a new config file, it got named client1.ovpn and I renamed the file to keep track of them and imported the new one to my phone, but it didn't work, and when I compared the config files they were identical.

Edit: If I set "manage client specific options" to no, I can't set Allow Client <-> Client to Yes
I want to be able to connect to other clients within the network via RDP

Edit2: I tried setting "manage client specific options" to no and connected the phone, and now I got IP 192.168.1.3 and I can still connect to another PC via RDP from the TUN-connected PC at 192.168.1.2!!!!

Thanks all for the help!

But I'm still interested to learn and understand more - I would be grateful if someone could explain a bit more
What does "allow client <-> client" do?
Can I create unique config files for every client? How?

Edit3: with "manage client specific options"=No I can access my router config web page (192.168.0.1), connect via RDP to another client on the LAN and connect to my Synology NAS on another fixed IP outside the router DHCP scope (but within the router IP range). But I can't access my other two access points (192.168.0.2 and -3)...but I can access my two configurable switches at -5 and -6...
Not sure if I could access the APs via TUN before. Maybe not. But why?
 

eibgrad

Part of the Furniture
Here's what happened.

When you enabled Manage Client-Specific Options, that *removed* the duplicate-cn directive from the underlying config file of the OpenVPN server. Since the default certs and keys of the GUI only create *one* client cert (specifically w/ the CN (Common Name) of 'client1') to be shared by *all* OpenVPN clients of that particular server, if you want multiple clients to have access at the same time, the duplicate-cn directive must be specified.

So why did enabling Manage Client-Specific Options cause the removal? Because the purpose of that option is to configure the client side routing of individual OpenVPN clients based on their CN (Common Name), typically for site-to-site purposes. But you can't do that if all of the OpenVPN clients are using the same cert!!! You can't distinguish one from the other. So the GUI removes the duplicate-cn directive to enforce one-at-a-time semantics.

Now as it happens, there is a way around it. If you add the following directives to the custom config field ...

Code:
duplicate-cn
username-as-common-name

... NOW the individual OpenVPN clients can be disambiguated based on their usernames rather than the CN on the shared cert!

But all of this is moot if you don't need what Manage Client-Specific Options is offering. That option is what allows the server to know how to initiate/route connections to the IP networks behind the respective OpenVPN clients (i.e., site-to-site). And if you want to allow the OpenVPN clients to access each other via the OpenVPN server (i.e., configure it as a gateway), then you enable the Client to Client option as well (otherwise they are isolated from one another).
 
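The two mechanisms discussed in this thread (the VPN pool colliding with the LAN range, and a shared 'client1' certificate letting only one client stay connected unless duplicate-cn / username-as-common-name are set) can be checked and reproduced offline. The following is an added example, not code from the thread, from Asuswrt-Merlin, or from OpenVPN itself: a small Python model that parses a constructed server config, flags the two misconfigurations, and simulates how the server keys sessions on the client identity. The server config, LAN range, device names and user names are all constructed for illustration, and the session model is a deliberate simplification of OpenVPN's behaviour (it only reproduces the "new connection with the same identity replaces the old one" rule).

```python
"""Model of how an OpenVPN server disambiguates concurrent clients.

Constructed example: parses a handful of server directives, reports the
two problems from the thread, and simulates client connections.
"""
import ipaddress
from dataclasses import dataclass

# Constructed server config mirroring the GUI-generated TUN server in the
# thread: pool 192.168.1.0/24, per-client options (client-config-dir) on,
# client-to-client on, and one shared 'client1' cert for every device.
SERVER_CONF = """\
dev tun
server 192.168.1.0 255.255.255.0
client-config-dir ccd
client-to-client
"""

LAN_CIDR = "192.168.0.0/24"  # the router is 192.168.0.1 in the thread


def parse_directives(text):
    """Return {directive: [args]} for the non-comment lines of a config."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def vpn_overlaps_lan(conf, lan_cidr):
    """True when the 'server' pool collides with the LAN (L&LD's point)."""
    net, mask = conf["server"]
    return ipaddress.ip_network(f"{net}/{mask}").overlaps(ipaddress.ip_network(lan_cidr))


def diagnose(conf, lan_cidr, shared_client_cert=True):
    """List the findings a practitioner would want before going live."""
    findings = []
    if vpn_overlaps_lan(conf, lan_cidr):
        findings.append("vpn-pool-overlaps-lan")
    if shared_client_cert and "duplicate-cn" not in conf:
        findings.append("one-client-at-a-time")
    if "client-config-dir" in conf and shared_client_cert \
            and "username-as-common-name" not in conf:
        # Per-client options are keyed on the CN; one shared cert means
        # every device looks the same to the server.
        findings.append("ccd-cannot-distinguish-clients")
    return findings


@dataclass
class Session:
    identity: str
    device: str
    addr: str


class TunServer:
    """Tiny model of per-identity session tracking and pool allocation."""

    def __init__(self, conf):
        self.conf = conf
        self.sessions = []
        net, mask = conf["server"]
        hosts = list(ipaddress.ip_network(f"{net}/{mask}").hosts())
        self.free = [str(h) for h in hosts[1:]]  # hosts[0] is the server

    def identity(self, cert_cn, username):
        if "username-as-common-name" in self.conf:
            return username
        return cert_cn

    def connect(self, device, cert_cn, username):
        """Return (address, [evicted devices]) for a new client."""
        ident = self.identity(cert_cn, username)
        evicted = []
        if "duplicate-cn" not in self.conf:
            # Same identity already online: the new connection replaces it,
            # which is the "phone kicks the PC off" symptom in the thread.
            for s in [s for s in self.sessions if s.identity == ident]:
                self.sessions.remove(s)
                self.free.append(s.addr)
                self.free.sort(key=ipaddress.ip_address)
                evicted.append(s.device)
        addr = self.free.pop(0)
        self.sessions.append(Session(ident, device, addr))
        return addr, evicted

    def connected(self):
        return {s.device: s.addr for s in self.sessions}


def simulate(custom_config=""):
    """PC and phone both use the exported client1 cert, distinct users."""
    srv = TunServer(parse_directives(SERVER_CONF + custom_config))
    srv.connect("pc", "client1", "john")
    srv.connect("phone", "client1", "john2")
    return srv.connected()


if __name__ == "__main__":
    print(diagnose(parse_directives(SERVER_CONF), LAN_CIDR))
    print(simulate())
    print(simulate("duplicate-cn\nusername-as-common-name\n"))
```

Running it shows the base config keeping only the phone online at 192.168.1.2, while appending the two directives from the custom config field keeps both devices online at 192.168.1.2 and 192.168.1.3, matching what was observed in the thread.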

JohnBull

Occasional Visitor
> Here's what happened.
>
> When you enabled Manage Client-Specific Options, that *removed* the duplicate-cn directive from the underlying config file of the OpenVPN server. Since the default certs and keys of the GUI only create *one* client cert (specifically w/ the CN (Common Name) of 'client1') to be shared by *all* OpenVPN clients of that particular server, if you want multiple clients to have access at the same time, the duplicate-cn directive must be specified.
>
> So why did enabling Manage Client-Specific Options cause the removal? Because the purpose of that option is to configure the client side routing of individual OpenVPN clients based on their CN (Common Name), typically for site-to-site purposes. But you can't do that if all of the OpenVPN clients are using the same cert!!! You can't distinguish one from the other. So the GUI removes the duplicate-cn directive to enforce one-at-a-time semantics.
>
> Now as it happens, there is a way around it. If you add the following directives to the custom config field ...
>
> Code:
> duplicate-cn
> username-as-common-name
>
> ... NOW the individual OpenVPN clients can be disambiguated based on their usernames rather than the CN on the shared cert!
>
> But all of this is moot if you don't need what Manage Client-Specific Options is offering. That option is what allows the server to know how to initiate/route connections to the IP networks behind the respective OpenVPN clients (i.e., site-to-site). And if you want to allow the OpenVPN clients to access each other via the OpenVPN server (i.e., configure it as a gateway), then you enable the Client to Client option as well (otherwise they are isolated from one another).

Aha - that made it much clearer!
I had completely missed the "custom config field"...it was so empty at the bottom of the config page...
I have to try to get some time to test and see if I can enable and reach client-client and still connect multiple users. I just have to set up enough user IDs then...

Thanks for a very good lesson!
 
