Author: Drusselnahg (n00b, joined 16 Mar 2008, 12 posts)
Posted: Sun Jul 19, 2009 9:56 pm
Post subject: OpenVPN, cannot accept two clients
Hi all, I'm trying to get OpenVPN working with more than one client.
Here is my configuration:
internet-----> eth0[gentoo server box] eth1<-----> [ethernet switch] <---> LAN
And, in the server:
eth0 ---> NAT,DHCP <----> br0 (tap0,eth1) where tap0 is used by OpenVPN
I have two reasons for getting OpenVPN to act as a switch and not a router:
* PCs have the same IP whether they are connected from the LAN or the VPN
* port forwarding
I have to use tap, not tun, for non-IP-based protocols.
If one OpenVPN client is connected to the OpenVPN server, further clients cannot connect.
Here is my server.conf (I have hidden my public address and port for security purposes):
local XX.XX.XX.XX
port XX
proto tcp-server
dev tap0
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
log-append /var/log/openvpn.log
Here is the body of the clients' config:
client
dev tap
proto tcp
remote XX.XX.XX.XX XX
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert clientX.crt
key clientX.key
comp-lzo
client1 and client2 have the same config file (except that client1.crt is replaced by client2.crt, and client2 ...), the keys are NOT identical, and ca.crt is the same file on every computer.
The problem I have: if one client is already connected, the second one cannot connect.
Here is a log from a Windows client:
OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
WE_INIT maxevents=4 flags=0x00000002
WE_INIT maxevents=4 capacity=8
LZO compression initialized
MTU DYNAMIC mtu=0, flags=1, 0 -> 140
TLS: tls_session_init: entry
PID packet_id_init seq_backtrack=0 time_backtrack=0
PID packet_id_init seq_backtrack=0 time_backtrack=0
TLS: tls_session_init: new session object, sid=836de333 06d6dcc5
TLS: tls_session_init: entry
PID packet_id_init seq_backtrack=0 time_backtrack=0
PID packet_id_init seq_backtrack=0 time_backtrack=0
tls_session_init: new session object, sid=462fb63f bb4a9a80
Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
MTU DYNAMIC mtu=1450, flags=2, 1576 -> 1450
REMOTE_LIST len=1 current=0
[0] XX.XX.XX.XX:XX
RESOLVE_REMOTE flags=0x0001 phase=1 rrs=0 sig=-1 status=1
Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Local Options hash (VER=V4): '31fdf004'
Expected Remote Options hash (VER=V4): '3e6d1056'
STREAM: RESET
INIT maxlen=1576
Attempting to establish TCP connection with XX.XX.XX.XX:XX
TCP: connect to XX.XX.XX.XX:XX failed, will try again in 5 seconds
..
TCP: connect to XX.XX.XX.XX:XX failed, will try again in 5 seconds
..
TCP: connect to XX.XX.XX.XX:XX failed, will try again in 5 seconds
..
No special information can be read in the server log, neither in openvpn.log (even with verb 9) nor in syslog.
And when the first client disconnects, the second one can immediately connect.
If anyone could help me...
And sorry for my poor English.
Regards,
Drusselnahg.
Author: Mad Merlin (Veteran, joined 09 May 2005, 1155 posts)
Posted: Sun Jul 19, 2009 11:21 pm
What happens if you change tap0 in your server config to just tap?
(I ask because I don't think two clients can ultimately use the same tap interface, so with two clients connected you should have tap0 and tap1, and when you specify tap0 instead of just tap in the config file, it uses exactly that device rather than creating a new one.)
Author: Drusselnahg (n00b, joined 16 Mar 2008, 12 posts)
Posted: Mon Jul 20, 2009 7:15 am
It won't do it, because even if a new interface is created, how can I automatically add it to my bridge (br0) afterwards?
Author: Mike Hunt (Watchman, joined 19 Jul 2009, 5287 posts)
Posted: Mon Jul 20, 2009 4:49 pm
Isn't this more of a routing problem?
I use tun and ifconfig-pool-persist in the server conf, and I can connect many clients simultaneously.
I found this in the OpenVPN example configurations documentation.
On the server side I have this:
Code:
# cat /etc/openvpn/openvpn.conf
port 11194
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 192.168.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Code:
# cat /etc/openvpn/ipp.txt
tango,192.168.5.5
alpha,192.168.5.6
test,192.168.5.7
windows1,192.168.5.8
client2,192.168.5.9
client1,192.168.5.10
bambi,192.168.5.11
On the clients I have something like this:
Code:
client
dev tun
proto tcp
remote <servername> 11194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert bambi.crt
key bambi.key
comp-lzo
ns-cert-type server
cipher BF-CBC
status openvpn-status.log
verb 3
Author: Drusselnahg (n00b, joined 16 Mar 2008, 12 posts)
Posted: Tue Jul 21, 2009 6:19 am
As I said, I cannot use tun devices.
Tun tun...ells (bad play on words, I know) only IP packets.
By the way, what is your 192.168.5.0 host? A host generated by OpenVPN in your VPN?
Author: bbgermany (Veteran, joined 21 Feb 2005, 1844 posts, Oranienburg/Germany)
Posted: Tue Jul 21, 2009 6:29 am
Hi,
I use OpenVPN with a bridged interface as well. Tap is the correct answer in this case. Maybe you don't have enough IPs left for the clients. I will just show my config; maybe you can find some useful information in it:
Code:
port 1194
proto udp
dev tap0
dev-type tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1536.pem
server-bridge 192.168.23.20 255.255.255.0 192.168.23.250 192.168.23.251
ifconfig-pool-persist /etc/openvpn/ipp-ext.txt
keepalive 10 120
tls-server
tls-auth /etc/openvpn/tls.key 0
cipher AES-256-CBC
comp-lzo
verb 3
status /etc/openvpn/openvpn-status.log
client-config-dir /etc/openvpn/ccd
persist-key
persist-tun
reneg-sec 1200
keepalive 10 120
client-to-client
I can connect 2 clients because of the range from 250 to 251.
bb
Author: Drusselnahg (n00b, joined 16 Mar 2008, 12 posts)
Posted: Tue Jul 21, 2009 1:57 pm
I don't understand why the number of IPs should interfere.
I use OpenVPN for the Ethernet layer (OSI 2), not the IP one (OSI 3).
And I already have more than "one IP" over the VPN tunnel, as follows:
OpenVPN (server)------OpenVPN (client) tap0------bridge(tap0,eth0)
If I put a switch on eth0 connected to 3 computers, it works fine: all computers have access to the LAN behind the server (and vice versa).
Author: Drusselnahg (n00b, joined 16 Mar 2008, 12 posts)
Posted: Tue Jul 21, 2009 3:05 pm
Well, okay, found it.
Just put
mode server
client-to-client
and that's all.
Sorry for the loss of time.
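As an added example (not from this thread or from the OpenVPN project), a small POSIX sh linter that flags the two things the posts turn on: a tap server with "tls-server" but no "mode server"/"server"/"server-bridge", which stays in point-to-point mode and serves a single client, and a client config without "ns-cert-type server" or "remote-cert-tls server", which is what the "No server certificate verification method has been enabled" warning in the first log is about. The four configs it writes to a temp directory are constructed to mirror the thread; the directive names are standard OpenVPN 2.x ones.

```shell
#!/bin/sh
# Lint OpenVPN 2.x configs for the two problems visible in this thread.
# Sample configs are constructed to mirror the posts, not the posters' own files.
tmp=$(mktemp -d)
printf '%s\n' 'port 1194' 'proto tcp-server' 'dev tap0' 'tls-server' \
    'max-clients 10' 'comp-lzo' >"$tmp/server-before.conf"
printf '%s\n' 'port 1194' 'proto tcp-server' 'dev tap0' 'tls-server' \
    'mode server' 'client-to-client' 'tls-auth tls.key 0' >"$tmp/server-after.conf"
printf '%s\n' 'client' 'dev tap' 'proto tcp' 'remote 192.0.2.1 1194' \
    'ca ca.crt' 'cert client1.crt' 'key client1.key' >"$tmp/client-before.conf"
printf '%s\n' 'client' 'dev tap' 'proto tcp' 'remote 192.0.2.1 1194' \
    'ca ca.crt' 'cert client1.crt' 'key client1.key' \
    'ns-cert-type server' 'tls-auth tls.key 1' >"$tmp/client-after.conf"

# Directive lines only: comments (# or ;), leading blanks and empty lines dropped.
directives() { sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"; }
# True when some line's first word is exactly $2 ("client" != "client-to-client").
has_directive() { directives "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'; }

# server = multi-client; client; p2p = tls-server alone, which (the OP's bug)
# pairs with one peer only, so later clients cannot connect.
openvpn_mode() {
    if has_directive "$1" client || has_directive "$1" tls-client; then echo client
    elif directives "$1" | grep -Eq '^mode[[:space:]]+server' \
        || has_directive "$1" server || has_directive "$1" server-bridge; then echo server
    else echo p2p; fi
}

# One line per finding, nothing when the config is clean.
lint_conf() {
    f=$1
    case $(openvpn_mode "$f") in
    p2p) has_directive "$f" max-clients && echo "$f: max-clients but no" \
             "'mode server'/'server'/'server-bridge': only one client can connect" ;;
    client) has_directive "$f" ns-cert-type || has_directive "$f" remote-cert-tls \
             || has_directive "$f" verify-x509-name \
             || echo "$f: no server certificate check (ns-cert-type/remote-cert-tls):" \
                     "any certificate from the same CA could pose as the server" ;;
    esac
    has_directive "$f" tls-auth || has_directive "$f" tls-crypt \
        || echo "$f: no tls-auth/tls-crypt: anyone reaching the port can talk TLS to the daemon"
}

# Number of findings for a config (0 means clean).
finding_count() { lint_conf "$1" | grep -c .; }

for c in server-before server-after client-before client-after; do
    lint_conf "$tmp/$c.conf"
done
```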