
Same IP for all clients over TUN


alini76

Occasional Visitor
I have Merlin 386.4 on my RT-AC68U router. I configured TUN OpenVPN, but all my VPN clients are getting the same IP, 10.8.0.2. Because of this, obviously, the clients are disconnecting each other.
 

Attachments

  • TUNOpenVPN.png
It looks like if I change "Manage Client-Specific Options" to NO, then the IP is assigned differently.
 
Because of this, obviously, the clients are disconnecting each other.
This shouldn't be the cause of any disconnection. 10.8.0.2 is the first IP address in the pool which is assigned to the first client. If that client disconnects the IP address is freed up and it will be reassigned to the next client that connects. The only time you'll see IP addresses 10.8.0.3, 10.8.0.4, etc. is when you have multiple clients connected at the same time.
 
It is about having multiple clients. My concern is that I have 2 clients connected and both are taking the same IP. Obviously, I do not care if a client takes the IP of a client that disconnected of its own will.
 
It is about having multiple clients. My concern is that I have 2 clients connected and both are taking the same IP.
I can't imagine how that is possible. Look at the router's syslog when the second client connects to see why it is assigning the invalid address.

You said in your previous posts that you couldn't create VPN user accounts. Is that still a problem? Maybe it's connected to this problem.
 
I do not see a reason in syslog why this happens.
With the latest Merlin firmware, the problem with managing users and their passwords is gone.
 
As well, please notice that the problem of IP assignment is resolved if I set "Manage Client-Specific Options" to NO. [But I need this to be YES, so it is not a permanent solution.]
 
As well, please notice that the problem of IP assignment is resolved if I set "Manage Client-Specific Options" to NO. [But I need this to be YES, so it is not a permanent solution.]
What customisation are you doing to the default setup?
 
I have Merlin 386.4 on my RT-AC68U router. I configured TUN OpenVPN, but all my VPN clients are getting the same IP, 10.8.0.2. Because of this, obviously, the clients are disconnecting each other.
If you have multiple clients with the same client keys, one disconnects when another connects.
You have to set "--duplicate-cn" if you don't want clients disconnecting.
Or you can create individual certs for all VPN clients.
 
I did not set up duplicate-cn in older versions of the Merlin firmware. I kind of agree that the duplicate CN is the issue, even though I have been using it for many years without setting up anything. But I will try this.
 
Look at the router's syslog when the second client connects to see why it is assigning the invalid address.
I do not see a reason in syslog why this happens.
It's strange you don't get this rather obvious message in your syslog:
Code:
Feb 19 16:30:07 ovpn-server1[25148]: MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
 
Most likely it's because when you configured Manage Client-Specific Options, you probably specified the CN (Common Name) of the cert (typically 'client' if using the auto-generated files), which is then the only means to distinguish one client from another. But since ALL your OpenVPN clients are using the same client cert, it throws off the current user in favor of the next to resolve the ambiguity.

I would try adding the following directive to the custom config field and then specifying the username rather than the common name of the cert in Manage Client-Specific Options.

Code:
username-as-common-name

Of course, each concurrent OpenVPN client should then use a different username.

This isn't normally a problem when each client is provided w/ its own client cert (and unique CN) and keys. But since most users don't bother to do this (they probably should imo), but instead rely on *one* shared client cert, this becomes necessary.
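
An added example, not part of any post in this thread: a small shell function that scans syslog text for the duplicate-CN message quoted above and counts evictions per server instance and CN, which shows at a glance which certificate is being shared. The function names, the second CN and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count OpenVPN duplicate-CN evictions.
# Reads syslog text on stdin, prints "<server instance> <CN> <evictions>".

dup_cn_report() {
    awk -v q="'" '
    BEGIN {
        # Message text as quoted in the thread; q holds a single quote.
        cn_re = "by client " q "[^" q "]*" q
        ev_re = "MULTI: new connection " cn_re " will cause previous active sessions"
    }
    $0 ~ ev_re {
        # The syslog tag, e.g. "ovpn-server1[25148]:", names the server instance.
        inst = "unknown"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ovpn-server[0-9]+/) {
                inst = $i
                sub(/\[.*/, "", inst)
                sub(/:$/, "", inst)
                break
            }
        }
        # The CN is the text between the quotes after "by client".
        match($0, cn_re)
        cn = substr($0, RSTART + 11, RLENGTH - 12)
        count[inst " " cn]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample log: two evictions for the shared CN "client",
# one for a hypothetical CN "laptop" on a second server instance.
sample_log() {
    cat <<'EOF'
Feb 19 16:29:58 kernel: constructed unrelated line
Feb 19 16:30:07 ovpn-server1[25148]: MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.
Feb 19 16:31:12 ovpn-server1[25148]: MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.
Feb 19 16:40:00 ovpn-server2[25300]: MULTI: new connection by client 'laptop' will cause previous active sessions by this client to be dropped.
EOF
}

if [ "${1:-}" = "--demo" ]; then sample_log | dup_cn_report; fi
```

On the router it would be fed the live log, for example `dup_cn_report < /tmp/syslog.log`; that path is an assumption about where this firmware keeps its syslog.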
 
I did not set up duplicate-cn in older versions of the Merlin firmware.
That was changed a few releases ago, to follow the recommendation of the OpenVPN developers. When using "Manage Client Options", you are expected to create a separate configuration for each client, including a unique certificate. That option enables the use-client-dir option.
 
