From: Jan J. K. <ja...@ni...> - 2009-01-30 14:05:26
Hi Darren,

Darren Govoni wrote:
> Hi folks,
> Here's what I found out. I am running linux instances inside EC2. For
> some reason, every instance that I run with my client configuration,
> gets the same IP address back from openvpn server, even though they have
> different certificates (I regenerated them and did md5sum to ensure they
> were different).
>
> To prove this, I ran multiple clients in EC2 (all got same address). I
> ran an openvpn client outside of EC2, connecting to the same server, and
> it got a new address.
>
> I am using tun/tcp for this experiment.
>
please post the relevant part of the openvpn *server* log file

cheers,

JJK

> Here is the client config.
>
> dev tun
> client
> proto tcp
> remote VPNSERVER 1194
> resolv-retry infinite
> nobind
> user nobody
> group nogroup
>
> # Try to preserve some state across restarts.
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> comp-lzo
>
> # Set log file verbosity.
> verb 3
>
> -----
>
> I tried Jan's suggestion and also tried removing the persist-xxx
> statements from the client. No change.
>
> Thanks for your insights!!
>
> Darren
>
>
> On Thu, 2009-01-29 at 08:38 -0500, Darren Govoni wrote:
>
>> Hi Jan,
>> Let me try that and get back to you. Thanks for the suggestion.
>>
>> Darren
>>
>> On Thu, 2009-01-29 at 10:24 +0100, Jan Just Keijser wrote:
>>
>>> Hi Jonathan,
>>>
>>> sorry to correct you but this is not true... tun devices are perfectly
>>> fine for the setup that Darren is attempting and I would strongly
>>> recommend to get 'tun' devices working before attempting a tap (or even
>>> bridged) setup.
>>>
>>> Darren,
>>>
>>> can you
>>> - try it without the "ifconfig-pool-persist ipp.txt" statement
>>> - post a server log file snippet after the first client connects and
>>>   then after the second client connects
>>> - make sure that both clients are using *different* certificates.
>>>
>>> HTH,
>>>
>>> JJK
>>>
>>>
>>> Jonathan Petersson wrote:
>>>
>>>> tun devices is generally only for Point-to-Point tunnels. If you want
>>>> multiple people to connect and get individual IPs I would recommend to
>>>> use tap interfaces or:
>>>>
>>>> "subnet -- Use a subnet rather than a point-to-point topology by
>>>> configuring the tun interface with a local IP address and subnet mask,
>>>> similar to the topology used in --dev tap and ethernet bridging mode.
>>>> This mode allocates a single IP address per connecting client and
>>>> works on Windows as well. Only available when server and clients are
>>>> OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually
>>>> patched with the --topology directive code. When used on Windows,
>>>> requires version 8.2 or higher of the TAP-Win32 driver. When used on
>>>> *nix, requires that the tun driver supports an ifconfig(8) command
>>>> which sets a subnet instead of a remote endpoint IP address. "
>>>>
>>>> See http://openvpn.net/index.php/documentation/manuals/openvpn-21.html
>>>> under topology
>>>>
>>>> /Jonathan
>>>>
>>>> On Wed, Jan 28, 2009 at 11:22 AM, Darren Govoni <da...@on...> wrote:
>>>>
>>>>> Hi,
>>>>> Here it is. Essentially taken from the example. The clients use the
>>>>> same ca.cert and generate their own certs. This is in linux environment.
>>>>>
>>>>> ----
>>>>> ;local a.b.c.d
>>>>>
>>>>> port 1194
>>>>>
>>>>> ;proto tcp
>>>>> proto udp
>>>>>
>>>>> ;dev tap
>>>>> dev tun
>>>>>
>>>>> ;dev-node MyTap
>>>>>
>>>>> ca ca.crt
>>>>> cert server.crt
>>>>> key server.key  # This file should be kept secret
>>>>>
>>>>> dh dh1024.pem
>>>>>
>>>>> server 10.8.0.0 255.255.255.0
>>>>>
>>>>> ifconfig-pool-persist ipp.txt
>>>>>
>>>>> ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
>>>>>
>>>>> ;push "route 192.168.10.0 255.255.255.0"
>>>>> ;push "route 192.168.20.0 255.255.255.0"
>>>>>
>>>>> ;client-config-dir ccd
>>>>> ;route 192.168.40.128 255.255.255.248
>>>>>
>>>>> ;client-config-dir ccd
>>>>> ;route 10.9.0.0 255.255.255.252
>>>>>
>>>>> ;learn-address ./script
>>>>>
>>>>> ;push "redirect-gateway"
>>>>>
>>>>> ;push "dhcp-option DNS 10.8.0.1"
>>>>> ;push "dhcp-option WINS 10.8.0.1"
>>>>>
>>>>> ;client-to-client
>>>>>
>>>>> ;duplicate-cn
>>>>>
>>>>> keepalive 10 120
>>>>>
>>>>> ;tls-auth ta.key 0 # This file is secret
>>>>>
>>>>> ;cipher BF-CBC        # Blowfish (default)
>>>>> ;cipher AES-128-CBC   # AES
>>>>> ;cipher DES-EDE3-CBC  # Triple-DES
>>>>>
>>>>> comp-lzo
>>>>>
>>>>> ;max-clients 100
>>>>>
>>>>> ;user nobody
>>>>> ;group nobody
>>>>>
>>>>> persist-key
>>>>> persist-tun
>>>>>
>>>>> status openvpn-status.log
>>>>>
>>>>> ;log         openvpn.log
>>>>> ;log-append  openvpn.log
>>>>>
>>>>> verb 3
>>>>>
>>>>> ;mute 20
>>>>>
>>>>> ----
>>>>>
>>>>>
>>>>> On Wed, 2009-01-28 at 11:10 -0800, Jonathan Petersson wrote:
>>>>>
>>>>>> Please post your server-config.
>>>>>>
>>>>>> You might want to have a look at the topology options.
>>>>>>
>>>>>> /Jonathan
>>>>>>
>>>>>> On Wed, Jan 28, 2009 at 10:27 AM, Darren Govoni <da...@on...> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> Pardon me if this is well-documented. I read through the website
>>>>>>> looking for an answer.
>>>>>>>
>>>>>>> Basically, I have a server and routed network. The server correctly
>>>>>>> binds to 10.8.0.1 and the tun0 interface comes up.
>>>>>>>
>>>>>>> I run a client and it refers to the server fine and gets an address:
>>>>>>> 10.8.0.6. Works fine.
>>>>>>>
>>>>>>> I run another client on a different machine, and it also gets 10.8.0.6.
>>>>>>>
>>>>>>> There is no local DHCP server other than openvpn.
>>>>>>>
>>>>>>> The clients are using different certificates too.
>>>>>>>
>>>>>>> What could be causing this?
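The replies above ask for the server log and for proof that the two clients really present different certificates. The quoted server config also writes two files that answer that question directly: "status openvpn-status.log" (the live client list and routing table) and "ifconfig-pool-persist ipp.txt" (the common-name to address map the server reuses across restarts). The script below is an added example, not code from this thread or from the OpenVPN project. It parses a status log in the status-version 1 layout and an ipp.txt, both embedded here as constructed samples with made-up names and addresses, and reports any virtual address reached from more than one real address, any common name with more than one session, and any persisted pool entry that hands one address to several names. The check is worth running before comparing file digests: OpenVPN keys its pool on the certificate common name, so two certificate files with different md5sums can still carry the same CN, and the status log shows the CN the server actually saw.

```python
"""Look for shared virtual addresses and duplicate common names in an
OpenVPN server's status log and ifconfig-pool-persist file.

Added example, not from the mailing-list thread.  STATUS_LOG and IPP_TXT
are constructed samples in the formats written by 'status <file>'
(status-version 1) and 'ifconfig-pool-persist <file>'; names and
addresses are invented, and the sample deliberately contains two
anomalies so both checks have something to find.
"""
from collections import defaultdict

STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Thu Jan 29 10:00:00 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:34567,1530,2210,Thu Jan 29 09:50:12 2009
client1,203.0.113.11:41234,990,1405,Thu Jan 29 09:52:40 2009
laptop,198.51.100.7:51000,4210,9900,Thu Jan 29 09:40:01 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.10:34567,Thu Jan 29 09:59:58 2009
10.8.0.6,client1,203.0.113.11:41234,Thu Jan 29 09:59:59 2009
10.8.0.10,laptop,198.51.100.7:51000,Thu Jan 29 09:59:30 2009
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

IPP_TXT = """\
client1,10.8.0.6
laptop,10.8.0.10
"""


def parse_status(text):
    """Return (clients, routes) from a status-version 1 log.

    clients: list of (common_name, real_address) from the CLIENT LIST.
    routes:  list of (virtual_address, common_name, real_address) from
             the ROUTING TABLE.  Header rows and the 'Updated,' line
             are skipped by field count and first-field value.
    """
    clients, routes = [], []
    section = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            clients.append((fields[0], fields[1]))
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            routes.append((fields[0], fields[1], fields[2]))
    return clients, routes


def parse_ipp(text):
    """ipp.txt holds one 'common_name,virtual_address' line per client."""
    pool = {}
    for line in text.splitlines():
        if "," in line:
            cn, addr = line.split(",", 1)
            pool[cn.strip()] = addr.strip()
    return pool


def find_conflicts(clients, routes, pool):
    """Return a dict of findings keyed by kind; empty means nothing shared."""
    findings = {}
    # 1. One virtual address reached from several real (public) addresses.
    by_vaddr = defaultdict(set)
    for vaddr, _cn, real in routes:
        by_vaddr[vaddr].add(real)
    shared = {v: sorted(r) for v, r in by_vaddr.items() if len(r) > 1}
    if shared:
        findings["shared_virtual_address"] = shared
    # 2. One common name with more than one concurrent session.
    sessions = defaultdict(list)
    for cn, real in clients:
        sessions[cn].append(real)
    dup_cn = {cn: r for cn, r in sessions.items() if len(r) > 1}
    if dup_cn:
        findings["duplicate_common_name"] = dup_cn
    # 3. Persisted pool entries that map several names to one address.
    by_ip = defaultdict(list)
    for cn, addr in pool.items():
        by_ip[addr].append(cn)
    clash = {a: sorted(c) for a, c in by_ip.items() if len(c) > 1}
    if clash:
        findings["pool_address_reused"] = clash
    return findings


def report(findings):
    """One line per finding, or a short all-clear message."""
    if not findings:
        return "no shared addresses or duplicate common names"
    lines = []
    for kind, detail in sorted(findings.items()):
        for key, vals in sorted(detail.items()):
            lines.append(f"{kind}: {key} <- {', '.join(vals)}")
    return "\n".join(lines)


if __name__ == "__main__":
    c, r = parse_status(STATUS_LOG)
    print(report(find_conflicts(c, r, parse_ipp(IPP_TXT))))
```

Point parse_status and parse_ipp at the real files named by the server's "status" and "ifconfig-pool-persist" directives; a "duplicate_common_name" finding means the certificates the clients present share a CN regardless of whether the files differ byte for byte, and a "shared_virtual_address" finding is the address collision the thread describes, seen from the server's side.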