Gentoo Forums
[SOLVED (wa)] OpenVPN: unable to connect multiple clients
hujuice
Guru


Joined: 16 Oct 2007
Posts: 350
Location: Nicosia, Cyprus

Posted: Fri Feb 21, 2025 5:37 pm    Post subject: [SOLVED (wa)] OpenVPN: unable to connect multiple clients

Hello everybody,
I am trying to connect a handful of hosts via OpenVPN over an untrusted local network.
I can't connect more than one client. Why?

The setup works with every client, but when a second client connects, the first loses the link.

More exactly, after the second connection the ping from the first one (192.168.178.16) fails and the log in the server shows:
Code:
TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.178.16:1194 (received key id: 0, known key ids:  [key#0 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 sid=506476f0 82b6b527] [key#1 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])

According to 'ip addr', the tun device and its ip address are still there.

The problem occurs with both PKI and fingerprint authentications.
Note that, since the network is simple, the vpn is configured in a static way.

Server:
Code:
# Local iface
local 192.168.178.2
# set protocol
proto udp
# set port
port 1194
# set interface
dev tun1
# set the topology
topology subnet
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.2 255.255.255.0
# persistent device
persist-tun

# Type
tls-server
# certificates and keys paths
ca server/ca.crt
cert server/home.crt
key server/home.key
dh server/dh.pem
# persistent keys
persist-key

# connection
keepalive 60 300
# notify clients on daemon restart to reconnect quickly
explicit-exit-notify 1
# run the server as system user/group nobody
user openvpn
group openvpn
# Log
status /tmp/openvpn-status.log
verb 4
mute 10


Client:
Code:
# Local iface
local 192.168.178.16
# set protocol
proto udp
# set port
port 1194
# set interface
dev tun1
# set the topology
topology subnet
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.16 255.255.255.0
# persistent device
persist-tun
# set the target IP of trusted server
remote 192.168.178.2

# Type
tls-client
# keys settings
ca client/ca.crt
cert client/media.crt
key client/media.key
# persistent keys
persist-key

# run the server as system user/group nobody
user openvpn
group openvpn
status /tmp/openvpn-status.log
verb 4
mute 10


Does anybody understand what is wrong?

Regards,
HUjuice
_________________
Who hasn't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.


Last edited by hujuice on Sat Feb 22, 2025 8:27 am; edited 1 time in total
Weezer
n00b


Joined: 19 Apr 2024
Posts: 25

Posted: Fri Feb 21, 2025 9:31 pm

Though I've NOT tried any of this myself (my background is networking however), it "smells" a lot like an ip conflict when the second machine connects. Are you using the same client config for each client? As you aren't using DHCP on the server side you would need each client to have a different local ip address within the VPN network, I'm thinking (obviously).

Specifically this:

Code:
# Local iface
local 192.168.178.16


or

Code:
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.16 255.255.255.0


It seems that the server is kicking the established connected client in favor of the newer client. You mentioned that they work one at a time, but not together, also sounds like an ip issue.

Just some thoughts after a cursory look at your configs here....
hujuice
Guru


Joined: 16 Oct 2007
Posts: 350
Location: Nicosia, Cyprus

Posted: Sat Feb 22, 2025 5:54 am

Weezer wrote:
Are you using the same client config for each client?

Yes, except ip addresses and certificates, clearly.

Consider also the TLS-related error message, which appears exactly when I ping from the second client.
I didn't try the "traditional" DHCP way.

Laptop:
Code:
# Local iface
local 192.168.178.11
# set protocol
proto udp
# set port
port 1194
# set interface
dev tun1
# set the topology
topology subnet
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.11 255.255.255.0
# persistent device
persist-tun
# set the target IP of trusted server
remote 192.168.178.2

# Type
tls-client
# keys settings
ca client/ca.crt
cert client/lap.crt
key client/lap.key
# persistent keys
persist-key

# run the server as system user/group nobody
user openvpn
group openvpn
status /tmp/openvpn-status.log
verb 4
mute 10

hujuice
Guru


Joined: 16 Oct 2007
Posts: 350
Location: Nicosia, Cyprus

Posted: Sat Feb 22, 2025 6:16 am

Weezer wrote:
it "smells" a lot like an ip conflict

You are right, anyway.
Thank you Weezer.

I tried the "DHCP" way and it works smoothly.
Server:
Code:
#ifconfig 192.168.100.2 255.255.255.0
server 192.168.155.0 255.255.255.0

Client:
Code:
#ifconfig 192.168.100.16 255.255.255.0
pull

(the 'pull' option didn't help in the ifconfig way).

Strange to have a TLS-related error with ifconfig.
So, the question is: which is the right syntax to configure them statically?

HUjuice
hujuice
Guru


Joined: 16 Oct 2007
Posts: 350
Location: Nicosia, Cyprus

Posted: Sat Feb 22, 2025 8:26 am

Solved, somehow.
I couldn't manage to achieve the goal in the 'ifconfig' way, but I could easily configure the 'dhcp' way with fixed addresses.

The relevant parts of the configurations are
Server:
Code:
# set the topology
topology subnet
# mode
mode server
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.2 255.255.255.0
# push topology
push "topology subnet"
# dhcp pool
ifconfig-pool 192.168.100.10 192.168.100.19
# fixed ip addresses
client-config-dir clients
# Allow different clients to "see" each other
client-to-client

ls clients/:
lap
media

cat clients/*:
ifconfig-push 192.168.100.11 255.255.255.0
ifconfig-push 192.168.100.16 255.255.255.0

The file names in 'clients' are their X509 common names.

Client:
Code:
# request topology and IP address
pull


Now all the three hosts have the wanted IP addresses and can ping each other.

Doc: https://openvpn.net/community-resources/how-to/#configuring-client-specific-rules-and-access-policies

I mark the post as [SOLVED (workaround)] because I am not conceptually happy. A VPN, for what I think, should create a system of connected virtual interfaces. I expected to configure the IP layer more freely.
I understand that the purpose of OpenVPN is to create a centralised management, but I couldn't do what I wanted.
My limit?

HUjuice
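Added example, not part of the thread and not the poster's configuration or an OpenVPN tool. The "TLS keys are out of sync" message in the first post is what a plain `tls-server` without `mode server` produces when a second peer reaches it: that point-to-point mode keeps a single TLS session, so the second client's handshake displaces the first. The working layout in this last post moves to `mode server` with `client-config-dir`, but the pushed addresses `.11` and `.16` lie inside the dynamic `ifconfig-pool` range `.10` to `.19`, so a third client without a CCD file could be handed one of the same addresses by the pool. The script below re-implements, in Python, the consistency checks an administrator would want over such a layout: every `ifconfig-push` address is inside the VPN subnet, uses the server's netmask, does not collide with the server address, is not duplicated across CCD files, and does not fall inside the dynamic pool. The server directives and CCD file contents are constructed inline from the values in this thread; the pool-overlap rule is a hygiene assumption of this example, not a claim about OpenVPN's allocator.

```python
"""Consistency checks for an OpenVPN static-address layout (mode server + client-config-dir).

Added example; the directives below are constructed from the thread, not read from disk.
"""
import ipaddress

# Constructed sample: the server-side directives from the final post.
SERVER_CONF = """\
topology subnet
mode server
ifconfig 192.168.100.2 255.255.255.0
push "topology subnet"
ifconfig-pool 192.168.100.10 192.168.100.19
client-config-dir clients
client-to-client
"""

# Constructed sample: CCD files keyed by certificate common name (file name == CN).
CCD_FILES = {
    "lap": "ifconfig-push 192.168.100.11 255.255.255.0\n",
    "media": "ifconfig-push 192.168.100.16 255.255.255.0\n",
}


def parse_server(conf):
    """Return (server_interface, (pool_start, pool_end) or None) from server directives."""
    server_iface = pool = None
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "ifconfig" and len(parts) >= 3:
            # static layout: 'ifconfig <server-ip> <netmask>' (topology subnet)
            server_iface = ipaddress.ip_interface(f"{parts[1]}/{parts[2]}")
        elif parts[0] == "server" and len(parts) >= 3:
            # 'server' macro: the server itself takes the first host address of the subnet
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            server_iface = ipaddress.ip_interface(f"{net[1]}/{net.prefixlen}")
        elif parts[0] == "ifconfig-pool" and len(parts) >= 3:
            pool = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
    return server_iface, pool


def parse_ccd(files):
    """Return {cn: ip_interface} from the 'ifconfig-push <ip> <netmask>' line of each CCD file."""
    pushed = {}
    for cn, text in files.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 3 and parts[0] == "ifconfig-push":
                pushed[cn] = ipaddress.ip_interface(f"{parts[1]}/{parts[2]}")
    return pushed


def check_layout(conf, files):
    """Return a sorted list of findings; an empty list means the layout passed every check."""
    server_iface, pool = parse_server(conf)
    if server_iface is None:
        return ["server config has neither an 'ifconfig' nor a 'server' directive"]
    net = server_iface.network
    findings = []
    seen = {}  # address -> first CN that received it
    for cn, iface in parse_ccd(files).items():
        ip = iface.ip
        if ip not in net:
            findings.append(f"{cn}: {ip} is outside VPN subnet {net}")
        if ip == server_iface.ip:
            findings.append(f"{cn}: {ip} collides with the server address")
        if iface.network.netmask != net.netmask:
            findings.append(f"{cn}: netmask {iface.network.netmask} differs from server netmask {net.netmask}")
        if pool is not None and pool[0] <= ip <= pool[1]:
            # a statically pushed address that also sits in the dynamic pool can be handed out twice
            findings.append(f"{cn}: {ip} lies inside dynamic pool {pool[0]}-{pool[1]}")
        if ip in seen:
            findings.append(f"{cn}: {ip} already pushed to {seen[ip]}")
        seen.setdefault(ip, cn)
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_layout(SERVER_CONF, CCD_FILES) or ["layout is clean"]:
        print(finding)
```

Run against the thread's values it reports both `lap` and `media` as lying inside the pool; moving the pool to an unused part of the subnet (for instance `.100` to `.199`) clears the findings while keeping the fixed addresses. Since a CCD file is selected by the client's certificate common name, adding `ccd-exclusive` to the server config is the natural complement: only clients that have a CCD entry, and therefore an explicitly assigned address, are admitted.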