OpenVPN: fixed Ip for Client, allow only one connection!

[Hummel]

Hey guys,

i build a Network with a OpenVPN Host-to-LAN Connection for Roadwarriors.
There are different groups of users, who want to connect. Each group has one User on the ZS and a fix IP via the ccd-directory.
Everything works fine an d every client can connect. This day i tried to connect with the same configuration from another Pc, while i was connected on my own PC. The connection was succsessful and i was able to ping the Network behind the Zeroshell from both (??) Pc´s…..

I don´t know how it works, because they both had the same (virtual) IP!!!

Is there any way to allow only one connection per client with a fixed iP?

I need this because every Client is for a group of users, and if e.g. two users (or more) of the group are connected with the same IP, i think it will cause Network errors.

[Hummel]

hello,

i tried to add the Option “–duplicate-cn no” to the Command line in zeroshell, but connection from both pc´s is still possible…

i there any way to remove the option “–duplicate-cn” from the server-config file on the zs?

[redfive]

You can copy the file vpn_start (which is in /root/kerbynet.cgi/scripts/) in /Database , then modify it, eg. by removing the interested lines , (I, personally, have modified also the keepalives) , and add a command in pre-boot which replaces the original script.
Regards

[Hummel]

Hey Redfive,
thank you for your comment!

Can you tell me what (and how 😉 ) i have to add in the pre-boot?
Never done this before….

Thanks a lot!

[redfive]

I’ve created a dir (patch) where I’ve placed all my modified scripts, something like to

mkdir /Database/patch

then I’ve copied some files , eg. with vpn_start

cd /root/kerbynet.cgi/scripts/

cp vpn_start  /Database/patch/

then edited this file, saved, and in pre-boot , this line

cp /Database/patch/vpn_start  /root/kerbynet.cgi/scripts/

Regards

[Hummel]

Ok, got it!
Thank you… easy way, if you know howto 🙂

It works, but i have the same problem as before… i can connect with the same account from both Pcs. the latest Connection is now the only one which is working. If I connect with Pc A and afterwards with Pc B with the same Client.conf, then I can ping the VPN-Network only with Pc B. On Pc A i get a “Destination Host Unreachable”-warning from the point, when Pc B connects but the VPN-Client on Pc A appears still connected! I think for the most of the client users this will appear as a connection error…

Is there any way to “kick” the duplicated clients or not to let same client connect if another connection is already established?

thanks in advance!

[Hummel]

extension:

If both Clients are still active, they are switching the connection between them. e.g. keepalive 5 60 = every 60s the other client connects again…

[Hummel]

I found a solution for my problem:

I deleted the keepalive command from the “vpn_start”-file and added in the command line:

–ping 10
–push ping-exit 25

If Client A connects and Client B afterwards, only Client B will receive the ping from the Server every 10s. Client A gets no more pings an disconnects himself.

Additionally i found out:
If you are in use of user-specified file in the ccd-directory and have an “inactive” command this will not be affected by these changes.

thank you redfive for the essential hint 😀

[Author]

Posts