OpenVPN Question
Does the Credential Re-Use: choice change anything in the downloadable client files or are these files the same regardless of any of the OpenVPN menu choices?
Re: OpenVPN Question
> Does the Credential Re-Use: choice change anything in the downloadable client files
my guess is yes
- alienheartbeat
- Posts: 22
- Joined: Fri Feb 15, 2013 6:59 am
- Location: Hong Kong
Re: OpenVPN Question
The ovpn files will be different as they will refer to different cert & key files.
Also the cert and key files
<client>.crt, <client>.crt, <client>.key
will be different:
I originally specified credential re-use as part of testing, then deleted most of the contents of /etc/openvpn and recreated it specifying "Credentials are specific to each client". So you can test and recover from it. Ensure you backup /etc/openvpn before messing with it though.
http://alien-heartbeat.com
Re: OpenVPN Question
Can someone please clarify if there is a way to setup one set of openvpn configuration files from the router that can be used 'as-is' on multiple clients?
I thought that 'credentials can be used by multiple clients' was exactly that, but when I tried the files on multiple clients they were both being given the same 10.8.0.x IP address, and so that doesn't seem right!?
- alienheartbeat
Re: OpenVPN Question
Just checked my credential files, and they don't include an ip address - so these must be assigned by dhcp.
It is hard to believe that the dhcp server would check credentials before allocating an ip address, but of course stranger things have happened.
Are you saying that two machines have the same vpn ip address at the same time?
or just that the vpn dhcp server reallocates the ip address?
Re: OpenVPN Question
I'm saying that they have the same VPN ip address at the same time. I had a connected unix client which was given 10.8.0.2 and then copied the config files from its directory into a new unix client and booted that up. I noticed that it ALSO was given 10.8.0.2.
> Are you saying that two machines have the same vpn ip address at the same time?
> or just that the vpn dhcp server reallocates the ip address?
I don't suspect reallocation as the initial client had a live connection to the gargoyle router on 10.8.0.2 so it should have given .3 to the next client.
- alienheartbeat
Re: OpenVPN Question
hmmm... I wonder if they are different subnets, in which case it is fine for them to have the same ip address?
Remember the option:
```
Client-To-Client Traffic:
Clients can only communicate with server
Allow Clients to communicate with each other
```
If this was set to
```
Clients can only communicate with server
```
then it may be they are considered separate address spaces, in which case they can both have 10.0.0.2.
Re: OpenVPN Question
Thanks for the reply,
Are you referring to the VPN's (10.8.0.x) subnet? I'm not sure how that would be different.
Client-to-Client traffic is set to 'Allow Clients to communicate with each other' so I don't see that being the issue.
Under the 'Connected OpenVPN Clients' gargoyle page I see both unix clients listed with their different 'Connected From' (WAN IP) addresses listed.
Both clients are named as 'client1' under the 'Client Name' column.
I just don't understand why they are both given 10.8.0.2. If I try and ping that address the last one to connect (I think) overrides the previous client which is unreachable since there's an ip clash.
Not sure how to start diagnosing this problem, any suggestions would be much appreciated.
Thanks
- alienheartbeat
Re: OpenVPN Question
Yes, I was referring to the VPN's subnet. If you wanted clients to communicate you would have to put them on the same subnet. But agree, this doesn't look like the problem.
If you haven't already you might check:
http://openvpn.net/index.php/open-sourc ... .html#lbAH
and
http://svn.openvpn.net/projects/openvpn ... erver.conf
which shows a different format for the server.conf file if multiple ip addresses are being assigned, e.g. the statements:
```
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
```
So if your server.conf does not have them, then it will use fixed ips I guess.
Also, I am guessing here, the /etc/config/openvpn_gargoyle will have a section:
```
config openvpn client1
option enable 1
option client 1
...
```
with no option ip '10.8.0.2'
instead of like mine, a section for each client:
```
config allowed_client 'gg2'
option id 'gg2'
option name 'gg2'
option ip '10.8.0.2'
...
```
In fact the ubuntu guide looks helpful:
https://help.ubuntu.com/lts/serverguide/openvpn.html
and includes a section on openwrt.
Re: OpenVPN Question
Thanks for sending me your config files and for the above info.
I see that your setup is using unique cert/key files whereas I intend to use the same cert/key files for multiple clients (which I now understand to be defined by 'duplicate_cn' in config files).
Also, by looking at your openvpn_gargoyle file it seems you have what we might call static IP address definitions by using option ip definitions(?).
Some observations from my files:
Unlike your server.conf file I can see that I have an ifconfig-pool declaration that specifies 10.8.0.2 to 10.8.0.254. I guess this is a good start for a DHCP setup.
However:
I also notice that I have got in openvpn_gargoyle
```
config allowed_client 1 'client1'
```
this has a listing for
```
option ip 10.8.0.2
```
which I am now thinking might be the reason for the same ip address being given out since I am using the same client1 key/cert and config files for all clients.
I also notice that there is a /etc/openvpn/ccd/client1 file which contains
```
ifconfig-push 10.8.0.2 255.255.255.0
```
Might this be what's making it stick to 10.8.0.2 for all?
Don't want to start messing with files as the gargoyle router is in a production environment at the moment so I don't want to make changes until I know what I'm doing.
I'm thinking of removing the option ip '10.8.0.2' from openvpn_gargoyle under the allowed_client definition or maybe removing the ifconfig-push definition from /etc/openvpn/ccd/client1 but would like someone to confirm if I am heading in the right direction by doing so?
Or if possible, would love to see the following 2 files from someone with an openvpn setup that hands out different DHCP addresses:
/etc/config/openvpn_gargoyle
/etc/openvpn/server.conf
Thanks
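The collision the last post suspects (one client1 certificate shared by several clients while /etc/openvpn/ccd/client1 pins 10.8.0.2 with ifconfig-push) can be checked mechanically before touching a production router. This is an added example, not code from the thread or from Gargoyle: the helper name check_ccd_conflict is hypothetical, the sample files are constructed, and the real OpenVPN directive for a shared CN is spelled duplicate-cn.

```shell
#!/bin/sh
# Added example (not from the thread or from Gargoyle): audit an OpenVPN server
# config and its client-config-dir for the collision discussed above, a CN that
# several clients share (duplicate-cn) whose ccd file pins one address with
# ifconfig-push, so every client presenting that CN is handed the same tunnel IP.
# Sharing one certificate also removes per-client revocation and accountability.

# check_ccd_conflict SERVER_CONF CCD_DIR   (hypothetical helper name)
# Prints one line per finding; returns 0 when no conflict is found, 1 otherwise.
check_ccd_conflict() {
    conf="$1"; ccd="$2"; rc=0
    # Anchor at line start so a commented-out directive does not match.
    if grep -Eq '^[[:space:]]*duplicate-cn[[:space:]]*$' "$conf"; then
        echo "info: duplicate-cn is set, one certificate may be used by many clients"
        for f in "$ccd"/*; do
            [ -f "$f" ] || continue
            if grep -Eq '^[[:space:]]*ifconfig-push[[:space:]]' "$f"; then
                echo "conflict: ccd/$(basename "$f") has a static ifconfig-push; all clients sharing this CN get the same address"
                rc=1
            fi
        done
    fi
    # Without a pool there is nothing to hand out dynamically in the first place.
    if ! grep -Eq '^[[:space:]]*(server|ifconfig-pool)[[:space:]]' "$conf"; then
        echo "warning: no server/ifconfig-pool directive, addresses cannot be assigned dynamically"
    fi
    return "$rc"
}

# Constructed sample files mirroring the thread's setup (not the poster's real files).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ccd"
cat > "$demo_dir/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
duplicate-cn
client-config-dir ccd
EOF
echo 'ifconfig-push 10.8.0.2 255.255.255.0' > "$demo_dir/ccd/client1"

if ! check_ccd_conflict "$demo_dir/server.conf" "$demo_dir/ccd"; then
    echo "fix: drop the ifconfig-push (and the matching option ip) or issue per-client certificates"
fi
rm -r "$demo_dir"
```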