OpenVPN server assigns same IP address (10.8.0.6) to all connected clients

0

I followed How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04 to setup OpenVPN server. I noticed, when any clients connects to OpenVPN Server, each of them is getting same IP address: 10.8.0.6.

In /etc/openvpn/server/server.conf, I have these settings so that it can assigns IP addresses in 10.8.0.X.

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

In ubuntu client:

askar@ubuntu:~$ ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.11.23  netmask 255.255.255.0  broadcast 192.168.11.255
        inet6 240b:11:8a62:bc10:f64d:30ff:fe6c:7f6c  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::f64d:30ff:fe6c:7f6c  prefixlen 64  scopeid 0x20<link>
        ether f4:4d:30:6c:7f:6c  txqueuelen 1000  (Ethernet)
        RX packets 8323  bytes 1066513 (1.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6078  bytes 957451 (957.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xdf100000-df120000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 92  bytes 6838 (6.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 92  bytes 6838 (6.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::2fa0:961f:7ba8:c04c  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

On my Mac PC:

~  ifconfig                                                                                          ok  00:08:23 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
    ether ac:87:a3:3b:d2:32 
    inet6 fe80::1043:7119:8f77:8977%en0 prefixlen 64 secured scopeid 0x4 
    inet 192.168.11.2 netmask 0xffffff00 broadcast 192.168.11.255
    inet6 240b:11:8a62:bc10:1421:50dd:7a2:7e21 prefixlen 64 autoconf secured 
    inet6 240b:11:8a62:bc10:31ac:632d:c084:ae98 prefixlen 64 autoconf temporary 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect (1000baseT <full-duplex,flow-control>)
    status: active
en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether ac:29:3a:96:06:8d 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect (<unknown type>)
    status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:11:02:40:01:80 
    media: autoselect <full-duplex>
    status: inactive
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:11:02:40:01:81 
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether 82:11:02:40:01:80 
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x0
    member: en2 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 6 priority 0 path cost 0
    member: en3 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 7 priority 0 path cost 0
    nd6 options=201<PERFORMNUD,DAD>
    media: <unknown type>
    status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
    options=400<CHANNEL_IO>
    ether 0e:29:3a:96:06:8d 
    media: autoselect
    status: inactive
awdl0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    options=400<CHANNEL_IO>
    ether 26:a4:4e:7d:9d:c5 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: inactive
llw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether 26:a4:4e:7d:9d:c5 
    nd6 options=201<PERFORMNUD,DAD>
ham0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1404
    ether 7a:79:00:00:00:00 
    open (pid 93)
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::1c90:674b:fb2:43af%utun0 prefixlen 64 scopeid 0xd 
    nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::40a2:3ba4:1052:11a7%utun1 prefixlen 64 scopeid 0xe 
    nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::b950:55ea:84f4:8c39%utun2 prefixlen 64 scopeid 0xf 
    nd6 options=201<PERFORMNUD,DAD>
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::c30a:1bc7:4681:81ee%utun3 prefixlen 64 scopeid 0x10 
    nd6 options=201<PERFORMNUD,DAD>
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff 

enter image description here

106.73.138.98 is my IP address I checked with https://whatismyipaddress.com/

Ubuntu, Mac OS and iPhone are behind 106.73.138.98, which is assigned by local ISP.

/var/log/syslog of when 3 clients connected at the same time:

Feb 24 15:27:47 openvpn openvpn[590]: 106.73.138.98:35783 TLS: Initial packet from [AF_INET]106.73.138.98:35783, sid=0822333e 11f09c9c
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_VER=2.4.9
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_PLAT=mac
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_PROTO=2
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_NCP=2
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZ4=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZ4v2=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_LZO=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_COMP_STUB=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_COMP_STUBv2=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_TCPNL=1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5601_3.8.4a__build_5601)"
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:27:48 openvpn openvpn[590]: 106.73.138.98:35783 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:35783
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:27:48 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:35783
Feb 24 15:27:48 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:35783: 10.8.0.6
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:49 openvpn openvpn[590]: client1/106.73.138.98:35783 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 TLS: Initial packet from [AF_INET]106.73.138.98:39883, sid=b85cdfeb 0c4565bb
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 VERIFY OK: depth=0, CN=client1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_VER=2.4.7
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_PLAT=linux
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_PROTO=2
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_NCP=2
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZ4=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZ4v2=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_LZO=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_COMP_STUB=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_COMP_STUBv2=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 peer info: IV_TCPNL=1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:27:55 openvpn openvpn[590]: 106.73.138.98:39883 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:39883
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:27:55 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:39883
Feb 24 15:27:55 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:39883: 10.8.0.6
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:27:56 openvpn openvpn[590]: client1/106.73.138.98:39883 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 TLS: Initial packet from [AF_INET]106.73.138.98:43971, sid=41f8d815 33e079cb
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 VERIFY OK: depth=1, CN=Easy-RSA CA
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 VERIFY OK: depth=0, CN=client1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_VER=3.git::58b92569
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_PLAT=ios
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_NCP=2
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_TCPNL=1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_PROTO=2
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_AUTO_SESS=1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 peer info: IV_SSO=openurl
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Feb 24 15:28:06 openvpn openvpn[590]: 106.73.138.98:43971 [client1] Peer Connection Initiated with [AF_INET]106.73.138.98:43971
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 24 15:28:06 openvpn openvpn[590]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: Learn: 10.8.0.6 -> client1/106.73.138.98:43971
Feb 24 15:28:06 openvpn openvpn[590]: MULTI: primary virtual IP for client1/106.73.138.98:43971: 10.8.0.6
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 PUSH: Received control message: 'PUSH_REQUEST'
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:06 openvpn openvpn[590]: client1/106.73.138.98:43971 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 24 15:28:12 openvpn openvpn[590]: AEAD Decrypt error: cipher final failed
Feb 24 15:28:22 openvpn openvpn[590]: AEAD Decrypt error: cipher final failed
ubuntu
openvpn
ip-address
asked on Server Fault Feb 24, 2021 by Askar • edited Feb 24, 2021 by Askar

1 Answer

1

Your logs show that each client connected using the same client certificate, and when that happened OpenVPN dropped the other connection.

Feb 24 15:28:06 openvpn openvpn[590]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

As a general rule, different users should have different certificates, but if you want to allow the same user to use the same certificate on multiple devices, you can do what it says and start OpenVPN with the --duplicate-cn option. On Ubuntu you can do this by editing the /etc/default/openvpn file and adding the option to OPTARGS.

# Optional arguments to openvpn's command line
OPTARGS=""

would become:

# Optional arguments to openvpn's command line
OPTARGS="--duplicate-cn"

Then restart OpenVPN.

answered on Server Fault Feb 24, 2021 by Michael Hampton

User contributions licensed under CC BY-SA 3.0