All times are UTC




 Post subject: Error - two clients connect to VPN server at the same time
PostPosted: 04.03.2010 02:30 
DES

Joined: 03.03.2010 11:08
Posts: 4
Dear All,

My current situation is that when two PCs use the same VPN account to log in, the OpenVPN GUI status alternates between yellow and green repeatedly. Both sides attempt to reconnect...

Is there any server configuration to drop the currently connected OpenVPN connection (I don't want the client to reconnect) when another PC uses the same CN to connect to the OpenVPN server?

It would be greatly appreciated if someone can provide me ideas.

Thanks and Regards,
Cowking


 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 04.03.2010 11:50 
openvpn.eu Admin

Joined: 23.01.2006 08:05
Posts: 3321
Location: near Vienna
Hello

It's not intended that two clients use the same certificate to connect to the server. The server will always remove the old connection because it thinks it's stalled.
If you want both clients to stay connected, you should create their own certificates for both clients or enable --duplicate-cn in your server config. duplicate-cn will allow more connections with the same certificate. However, if you are using UDP as the transport protocol, you should use keepalive or ping-restart on the server side so that disconnected clients will be removed.

_________________
regards,
note
Please take a look at our rules. Visit our wiki!


 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 04.03.2010 14:23 
Profi

Joined: 23.10.2007 12:10
Posts: 2191
and you should enable the "nobind" option...
F.


 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 05.03.2010 02:29 
DES

Joined: 03.03.2010 11:08
Posts: 4
Since I use ipp (meaning that the client will get a fixed IP after connecting) on the OpenVPN server, the duplicate-cn option will make the two clients encounter an IP collision.

In this situation, I only hope that when one client connects, it drops the other client's connection. Is there any config to achieve this @@?

Thanks in advance.


 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 05.03.2010 13:10 
openvpn.eu Admin

Joined: 23.01.2006 08:05
Posts: 3321
Location: near Vienna
OpenVPN drops the old client as long as you are not using duplicate-cn. However, the clients will try to reconnect if they lose the connection to the server.

If you use UDP, you may want to use ping-exit n instead of ping-restart on the client, so that the client will exit gracefully if the server doesn't respond for more than n seconds. This will prevent the client from doing a reconnect. Additionally, use explicit-exit-notify on the server side to send the clients an explicit exit message before connections are dropped.

_________________
regards,
note
Please take a look at our rules. Visit our wiki!


 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 10.03.2010 09:54 
DES

Joined: 03.03.2010 11:08
Posts: 4
My configuration is using TCP for the VPN connection. Both connected clients can reach the server for several seconds and then disconnect for several seconds, repeatedly. I have even tried adding ping-exit 3 to server.conf. The behaviour between clients and server remains the same... :(


 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 10.03.2010 12:26 
Profi

Joined: 23.10.2007 12:10
Posts: 2191
Are all clients using different (outgoing) ports?
The destination port is defined on the server side ...
The source port must be different if there is more than one client in the same (NAT) network.
For further information we would need the client (+ server?) config file(s).
F.


 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 11.03.2010 01:44 
DES

Joined: 03.03.2010 11:08
Posts: 4
Noted that the source and destination ports work in order. The problem only occurs when two users with the same CN log in simultaneously.

Following is the log:

Wed Mar 10 17:48:32 2010 Re-using SSL/TLS context
Wed Mar 10 17:48:32 2010 LZO compression initialized
Wed Mar 10 17:48:32 2010 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Mar 10 17:48:32 2010 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 10 17:48:32 2010 Local Options hash (VER=V4): '31fdf004'
Wed Mar 10 17:48:32 2010 Expected Remote Options hash (VER=V4): '3e6d1056'
Wed Mar 10 17:48:32 2010 Attempting to establish TCP connection with 172.22.1.97:1195
Wed Mar 10 17:48:32 2010 TCP connection established with 172.22.1.97:1195
Wed Mar 10 17:48:32 2010 TCPv4_CLIENT link local: [undef]
Wed Mar 10 17:48:32 2010 TCPv4_CLIENT link remote: 172.22.1.97:1195
Wed Mar 10 17:48:32 2010 TLS: Initial packet from 172.22.1.97:1195, sid=a3301c8b 6381bbfb
Wed Mar 10 17:48:32 2010 VERIFY OK: depth=1, /C=MA/ST=STCA/L=Macau/O=ABC/OU=ABC/CN=STCA/emailAddress=mois@ABC.com
Wed Mar 10 17:48:32 2010 VERIFY OK: depth=0, /C=MA/ST=STCA/L=Macau/O=ABC/OU=ABC/CN=BankServer/emailAddress=mois@ABC.com
Wed Mar 10 17:48:33 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 10 17:48:33 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 10 17:48:33 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 10 17:48:33 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 10 17:48:33 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Mar 10 17:48:33 2010 [BankServer] Peer Connection Initiated with 172.22.1.97:1195
Wed Mar 10 17:48:34 2010 SENT CONTROL [BankServer]: 'PUSH_REQUEST' (status=1)
Wed Mar 10 17:48:34 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.240.1,ifconfig 192.168.240.2 255.255.255.0'
Wed Mar 10 17:48:34 2010 OPTIONS IMPORT: --ifconfig/up options modified
Wed Mar 10 17:48:34 2010 OPTIONS IMPORT: route options modified
Wed Mar 10 17:48:34 2010 Preserving previous TUN/TAP instance: Local Area Connection 10
Wed Mar 10 17:48:34 2010 Initialization Sequence Completed
Wed Mar 10 17:48:37 2010 Connection reset, restarting [0]
Wed Mar 10 17:48:37 2010 TCP/UDP: Closing socket
Wed Mar 10 17:48:37 2010 SIGUSR1[soft,connection-reset] received, process restarting
Wed Mar 10 17:48:37 2010 Restart pause, 5 second(s)

Both clients show a similar log.

Besides, because I am using ipp (CN to tap IP mapping), using "duplicate-cn" will cause an IP collision.

Thanks in advance.


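A check for the reconnect loop visible in the client log above (tunnel up at 17:48:34, reset at 17:48:37), as an added example that is not part of the original thread: it flags sessions that finish initialization and are reset again within a few seconds, the pattern two clients sharing one certificate produce. The function names, the 10-second threshold and the second cycle in the sample are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the first cycle reuses lines from the client log above,
# the second cycle is invented to show the repeat.
SAMPLE_LOG = """\
Wed Mar 10 17:48:33 2010 [BankServer] Peer Connection Initiated with 172.22.1.97:1195
Wed Mar 10 17:48:34 2010 Initialization Sequence Completed
Wed Mar 10 17:48:37 2010 Connection reset, restarting [0]
Wed Mar 10 17:48:43 2010 [BankServer] Peer Connection Initiated with 172.22.1.97:1195
Wed Mar 10 17:48:44 2010 Initialization Sequence Completed
Wed Mar 10 17:48:47 2010 Connection reset, restarting [0]
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
PEER_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated with (?P<addr>\S+)")
UP = "Initialization Sequence Completed"
DOWN_RE = re.compile(r"^(Connection reset, restarting|SIGUSR1\[)")


def short_sessions(lines, max_seconds=10):
    """Return (peer_cn, peer_addr, up_time, seconds_up) per tunnel reset within max_seconds."""
    sessions, peer, up_at = [], (None, None), None
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # skip lines without the default timestamp prefix
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        p = PEER_RE.match(msg)
        if p:
            peer = (p.group("cn"), p.group("addr"))
        elif msg.startswith(UP):
            up_at = ts
        elif DOWN_RE.match(msg) and up_at is not None:
            alive = (ts - up_at).total_seconds()
            if alive <= max_seconds:
                sessions.append((peer[0], peer[1], up_at, alive))
            up_at = None  # count each session once, even if more teardown lines follow
    return sessions


def is_flapping(lines, max_seconds=10, min_cycles=2):
    """True when at least min_cycles short-lived sessions occur in the log."""
    return len(short_sessions(lines, max_seconds)) >= min_cycles


if __name__ == "__main__":
    print(short_sessions(SAMPLE_LOG.splitlines()), is_flapping(SAMPLE_LOG.splitlines()))
```

Run against the client log of each machine; a steady stream of short sessions on two hosts at the same time points to a shared certificate rather than a network fault.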
 Post subject: Re: Error - two clients connect to VPN server at the same time
PostPosted: 11.03.2010 07:04 
Profi

Joined: 23.10.2007 12:10
Posts: 2191
Let's call it an idea:
you take 2 clients with different (2) certificates
you set the nobind option, if both clients are in the same local network - needed on UDP
(TCP never tested here ... UDP is a bit faster)
and it works!
Even with more than 2 clients (in the same local network). The trick is: each client has its own source port, and so correct packets and packet answers will be sent.

Had (a long time ago) your problem too; the solution was: see above!

F.

