[SOLVED (wa)] OpenVPN: unable to connect multiple clients

Problems with emerge or ebuilds? Have a basic programming question about C, PHP, Perl, BASH or something else?
hujuice (Guru, 354 posts, joined Tue Oct 16, 2007 12:57 pm, Nicosia, Cyprus)

Post by hujuice » Fri Feb 21, 2025 5:37 pm

Hello everybody,
I am trying to connect a handful of hosts via OpenVPN over an untrusted local network.
I can't connect more than one client. Why?

The setup works with every client, but when a second client connects, the first loses the link.

More exactly, after the second connection the ping from the first one (192.168.178.16) fails and the log in the server shows:

Code:

TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.178.16:1194 (received key id: 0, known key ids:  [key#0 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 sid=506476f0 82b6b527] [key#1 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])
According to 'ip addr', the tun device and its ip address are still there.

The problem occurs with both PKI and fingerprint authentication.
Note that, since the network is simple, the vpn is configured in a static way.

Code:

# Local iface
local 192.168.178.2
# set protocol
proto udp
# set port
port 1194
# set interface
dev tun1
# set the topology
topology subnet
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.2 255.255.255.0
# persistent device
persist-tun

# Type
tls-server
# certificates and keys paths
ca server/ca.crt
cert server/home.crt
key server/home.key
dh server/dh.pem
# persistent keys
persist-key

# connection
keepalive 60 300
# notify clients on daemon restart to reconnect quickly
explicit-exit-notify 1
# run the server as system user/group openvpn
user openvpn
group openvpn
# Log
status /tmp/openvpn-status.log
verb 4
mute 10

Code:

# Local iface
local 192.168.178.16
# set protocol
proto udp
# set port
port 1194
# set interface
dev tun1
# set the topology
topology subnet
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.16 255.255.255.0
# persistent device
persist-tun
# set the target IP of trusted server
remote 192.168.178.2

# Type
tls-client
# keys settings
ca client/ca.crt
cert client/media.crt
key client/media.key
# persistent keys
persist-key

# run the client as system user/group openvpn
user openvpn
group openvpn
status /tmp/openvpn-status.log
verb 4
mute 10
Does anybody understand what is wrong?

Regards,
HUjuice
Last edited by hujuice on Sat Feb 22, 2025 8:27 am, edited 1 time in total.
Those who lack character must at least have a method.
Chi non ha carattere, deve pur avere un metodo.
Weezer (n00b, 32 posts, joined Fri Apr 19, 2024 9:43 am)

Post by Weezer » Fri Feb 21, 2025 9:31 pm

Though I've NOT tried any of this myself (my background is networking however), it "smells" a lot like an ip conflict when the second machine connects. Are you using the same client config for each client? As you aren't using DHCP on the server side you would need each client to have a different local ip address within the VPN network, I'm thinking (obviously).

Specifically this:

Code:

# Local iface
local 192.168.178.16
or

Code:

# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.16 255.255.255.0
It seems that the server is kicking the established connected client in favor of the newer client. You mentioned that they work one at a time but not together, which also sounds like an IP issue.

Just some thoughts after a cursory look at your configs here....
hujuice (Guru, 354 posts, joined Tue Oct 16, 2007 12:57 pm, Nicosia, Cyprus)

Post by hujuice » Sat Feb 22, 2025 5:54 am

Weezer wrote: Are you using the same client config for each client?
Yes, except ip addresses and certificates, clearly.

Consider also the TLS-related error message, which appears exactly when I ping from the second client.
I didn't try the "traditional" DHCP way.

Code:

# Local iface
local 192.168.178.11
# set protocol
proto udp
# set port
port 1194
# set interface
dev tun1
# set the topology
topology subnet
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.11 255.255.255.0
# persistent device
persist-tun
# set the target IP of trusted server
remote 192.168.178.2

# Type
tls-client
# keys settings
ca client/ca.crt
cert client/lap.crt
key client/lap.key
# persistent keys
persist-key

# run the client as system user/group openvpn
user openvpn
group openvpn
status /tmp/openvpn-status.log
verb 4
mute 10
Those who lack character must at least have a method.
Chi non ha carattere, deve pur avere un metodo.
hujuice (Guru, 354 posts, joined Tue Oct 16, 2007 12:57 pm, Nicosia, Cyprus)

Post by hujuice » Sat Feb 22, 2025 6:16 am

Weezer wrote: it "smells" a lot like an ip conflict
You are right, anyway.
Thank you Weezer.

I tried the "DHCP" way and it works smoothly.

Code:

#ifconfig 192.168.100.2 255.255.255.0
server 192.168.155.0 255.255.255.0

Code:

#ifconfig 192.168.100.16 255.255.255.0
pull
(the 'pull' option didn't help in the ifconfig way).

Strange to have a TLS-related error with ifconfig.
So, the question is: which is the right syntax to configure them statically?

HUjuice
Those who lack character must at least have a method.
Chi non ha carattere, deve pur avere un metodo.
hujuice (Guru, 354 posts, joined Tue Oct 16, 2007 12:57 pm, Nicosia, Cyprus)

Post by hujuice » Sat Feb 22, 2025 8:26 am

Solved, somehow.
I couldn't manage to achieve the goal in the 'ifconfig' way, but I could easily configure the 'dhcp' way with fixed addresses.

The relevant parts of the configurations are:

Code:

# set the topology
topology subnet
# mode
mode server
# Subnet with static IPs (no dhcp, no route, no dns)
ifconfig 192.168.100.2 255.255.255.0
# push topology
push "topology subnet"
# dhcp pool
ifconfig-pool 192.168.100.10 192.168.100.19
# fixed ip addresses
client-config-dir clients
# Allow different clients to "see" each other
client-to-client

Code:

lap
media

Code:

ifconfig-push 192.168.100.11 255.255.255.0
ifconfig-push 192.168.100.16 255.255.255.0
The file names in 'clients' are their X509 common names.

Code:

# request topology and IP address
pull
Now all three hosts have the wanted IP addresses and can ping each other.

Doc: https://openvpn.net/community-resources ... s-policies

I mark the post as [SOLVED (workaround)] because I am not conceptually happy. A VPN, for what I think, should create a system of connected virtual interfaces. I expected to configure the IP layer more freely.
I understand that the purpose of OpenVPN is to create a centralised management, but I couldn't do what I wanted.
My limit?

HUjuice
Those who lack character must at least have a method.
Chi non ha carattere, deve pur avere un metodo.
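An added check, not from the thread or from OpenVPN itself, that lints a server config together with its client-config-dir files for the two pitfalls this thread runs into: `tls-server` alone leaves OpenVPN in its default point-to-point mode, which serves one peer at a time (only `mode server`, or the `server` directive that implies it, enables the multi-client server), and static `ifconfig-push` addresses that collide with each other, with the server's own address, or with the `ifconfig-pool` range. The function name `check_server_config` and the sample configs (built from the thread's values, not the poster's files verbatim) are assumptions made here.

```python
import ipaddress

def _directives(text):
    """Yield (name, args) for each non-comment, non-empty config line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def check_server_config(server_conf, ccd):
    """Lint an OpenVPN server config plus its client-config-dir files.
    ccd maps X509 common name -> file content. Returns a list of findings."""
    opts = {}
    for name, args in _directives(server_conf):
        opts.setdefault(name, []).append(args)
    findings = []
    # 'tls-server' only sets the TLS role; without 'mode server' (which the
    # 'server' directive implies) OpenVPN runs point-to-point, one peer only.
    if "tls-server" in opts and "server" not in opts and ["server"] not in opts.get("mode", []):
        findings.append("point-to-point mode: add 'mode server' (or 'server') to serve several clients")
    local = pool = None
    if "ifconfig" in opts:
        local = ipaddress.ip_address(opts["ifconfig"][0][0])
    if "ifconfig-pool" in opts:
        pool = tuple(ipaddress.ip_address(a) for a in opts["ifconfig-pool"][0][:2])
    seen = {}  # static address -> common name that first claimed it
    for cn, content in ccd.items():
        for name, args in _directives(content):
            if name != "ifconfig-push":
                continue
            addr = ipaddress.ip_address(args[0])
            if addr in seen:
                findings.append(f"{addr} pushed to both '{seen[addr]}' and '{cn}'")
            seen.setdefault(addr, cn)
            if addr == local:
                findings.append(f"{addr} for '{cn}' is the server's own ifconfig address")
            if pool and pool[0] <= addr <= pool[1]:
                findings.append(f"{addr} for '{cn}' lies inside ifconfig-pool {pool[0]}-{pool[1]}; "
                                "a client without a ccd file may be handed the same address")
    return findings

# Constructed samples modelled on the thread's configs (not the poster's files verbatim).
SERVER_P2P = ("local 192.168.178.2\nproto udp\ndev tun1\ntopology subnet\n"
              "ifconfig 192.168.100.2 255.255.255.0\ntls-server\n")
SERVER_MULTI = SERVER_P2P + "mode server\nifconfig-pool 192.168.100.10 192.168.100.19\n"
CCD = {"lap": "ifconfig-push 192.168.100.11 255.255.255.0\n",
       "media": "ifconfig-push 192.168.100.16 255.255.255.0\n"}
```

`check_server_config(SERVER_P2P, CCD)` reports the point-to-point mode that caused the original "keys are out of sync" symptom, while `check_server_config(SERVER_MULTI, CCD)` passes the mode check but flags that both static addresses sit inside the dynamic pool.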