# OpenVPN, cannot accept two clients

## Drusselnahg

Hi all, I'm trying to get OpenVPN working with more than one client.

Here is my config:

```
internet-----> eth0 [gentoo server box] eth1 <-----> [ethernet switch] <---> LAN
```

And, in the server:

```
eth0 ---> NAT,DHCP <----> br0 (tap0,eth1)    where tap0 is used by openvpn
```

I have two reasons for wanting OpenVPN to act as a switch and not a router:

* PCs have the same IP whether they are connected from the LAN or the VPN

* port forwarding

I have to use tap, not tun, for non-IP-based protocols.

If one OpenVPN client is connected to the OpenVPN server, further clients cannot connect.

Here is my server.conf (I hide my public address and port for security purposes):

```
local XX.XX.XX.XX
port XX
proto tcp-server
dev tap0
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
log-append /var/log/openvpn.log
```

Here is the body of the client configs:

```
client
dev tap
proto tcp
remote XX.XX.XX.XX XX
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert clientX.crt
key clientX.key
comp-lzo
```

client1 and client2 have the same config file (except that client1.crt is replaced by client2.crt, and client2 ...), the keys are NOT identical, and ca.crt is the same file on every computer.

The problem I have: if one client is already connected, the second one cannot connect.

Here is a log of a Windows client:

```
OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
WE_INIT maxevents=4 flags=0x00000002
WE_INIT maxevents=4 capacity=8
LZO compression initialized
MTU DYNAMIC mtu=0, flags=1, 0 -> 140
TLS: tls_session_init: entry
PID packet_id_init seq_backtrack=0 time_backtrack=0
PID packet_id_init seq_backtrack=0 time_backtrack=0
TLS: tls_session_init: new session object, sid=836de333 06d6dcc5
TLS: tls_session_init: entry
PID packet_id_init seq_backtrack=0 time_backtrack=0
PID packet_id_init seq_backtrack=0 time_backtrack=0
tls_session_init: new session object, sid=462fb63f bb4a9a80
Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
MTU DYNAMIC mtu=1450, flags=2, 1576 -> 1450
REMOTE_LIST len=1 current=0
[0] XX.XX.XX.XX:XX
RESOLVE_REMOTE flags=0x0001 phase=1 rrs=0 sig=-1 status=1
Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Local Options hash (VER=V4): '31fdf004'
Expected Remote Options hash (VER=V4): '3e6d1056'
STREAM: RESET
INIT maxlen=1576
Attempting to establish TCP connection with XX.XX.XX.XX:XX
TCP: connect to XX.XX.XX.XX:XX failed, will try again in 5 seconds
..
TCP: connect to XX.XX.XX.XX:XX failed, will try again in 5 seconds
..
TCP: connect to XX.XX.XX.XX:XX failed, will try again in 5 seconds
..
```

No special information can be found in the server log, neither in openvpn.log (even with verb 9) nor in syslog.

And, when the first client disconnects, the second one can immediately connect.

If anyone could help me...

And sorry for my poor English.

Regards,

Drusselnahg.

----------

## Mad Merlin

What happens if you change tap0 in your server config to just tap?

(I ask because I don't think two clients can ultimately use the same tap interface, so with two clients connected you should have tap0 and tap1, and when you specify tap0 instead of just tap in the config file, it uses exactly that device rather than creating a new one.)

----------

## Drusselnahg

It won't do it, because even if a new interface is created, how can I automatically add it to my bridge (br0) afterwards?

----------

## Mike Hunt

Isn't this more of a routing problem?

I use tun and ifconfig-pool-persist in the server conf, and I can connect many clients simultaneously.

I found this in the OpenVPN example configurations documentation.

On the server side I have this:

```
# cat /etc/openvpn/openvpn.conf
port 11194
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 192.168.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```

```
# cat /etc/openvpn/ipp.txt
tango,192.168.5.5
alpha,192.168.5.6
test,192.168.5.7
windows1,192.168.5.8
client2,192.168.5.9
client1,192.168.5.10
bambi,192.168.5.11
```

On the clients I have something like this:

```
client
dev tun
proto tcp
remote <servername> 11194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert bambi.crt
key bambi.key
comp-lzo
ns-cert-type server
cipher BF-CBC
status openvpn-status.log
verb 3
```

----------

## Drusselnahg

As I said, I cannot use tun devices.

Tun tun...els (bad play on words, I know :Mad: ) only IP packets.

By the way, what is your 192.168.5.0 host? A host generated by OpenVPN in your VPN?

----------

## bbgermany

Hi,

I use OpenVPN with a bridged interface as well. Tap is the correct answer in this case. Maybe you don't have enough IPs left for the clients. I will just show my config; maybe you can find some useful information in it:

```
port 1194
proto udp
dev tap0
dev-type tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1536.pem
server-bridge 192.168.23.20 255.255.255.0 192.168.23.250 192.168.23.251
ifconfig-pool-persist /etc/openvpn/ipp-ext.txt
keepalive 10 120
tls-server
tls-auth /etc/openvpn/tls.key 0
cipher AES-256-CBC
comp-lzo
verb 3
status /etc/openvpn/openvpn-status.log
client-config-dir /etc/openvpn/ccd
persist-key
persist-tun
reneg-sec 1200
keepalive 10 120
client-to-client
```

I can connect 2 clients, because of the range from 250 to 251.

bb

----------

## Drusselnahg

I don't understand why the number of IPs should interfere.

I use OpenVPN for the Ethernet layer (OSI 2), not the IP one (OSI 3).

And I already have more than "one IP" over the VPN tunnel, as follows:

```
OpenVPN (server)------OpenVPN (client) tap0------bridge(tap0,eth0)
```

If I put a switch on eth0 connected to 3 computers, it works fine: all computers have access to the LAN behind the server (and vice versa).

----------

## Drusselnahg

Well, okay, found it.

Just put

```
mode server
client-to-client
```

and that's all.

Sorry for the loss of time.

----------
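The thread never shows the failing and the fixed config side by side, so here is an added checker (not Drusselnahg's code nor anything shipped with OpenVPN) that reads a config written the way the files above are and flags the three things the thread turns on: the missing `mode server` that leaves the tcp-server in point-to-point mode, the missing `client-to-client` on a bridged tap server, and the unchecked server certificate the Windows log warns about. The sample configs, the 203.0.113.10 address and the `parse_config`/`check_config` names are constructed for this example.

```python
"""Added example, not from the thread: lint an OpenVPN 2.x config for the
problems discussed above. Assumes plain 'directive args' lines with '#' or
';' comments; inline <ca>...</ca> blocks are not parsed."""

SERVER_HELPERS = {"server", "server-bridge"}  # both expand to 'mode server'
CERT_CHECKS = {"ns-cert-type", "remote-cert-tls", "verify-x509-name"}


def parse_config(text):
    """Map each directive to its argument list (last occurrence wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            conf[name] = args
    return conf


def check_config(text):
    """Return a list of findings for a server or client config; [] is clean."""
    conf = parse_config(text)
    client = "client" in conf or "tls-client" in conf
    multi = conf.get("mode") == ["server"] or bool(SERVER_HELPERS & conf.keys())
    tap = conf.get("dev", [""])[0].startswith("tap")
    findings = []
    if not client and not multi:
        # Point-to-point mode serves one peer; the next client's TCP connect
        # fails until that peer leaves, which is the symptom in the log above.
        findings.append("no 'mode server' (or 'server'/'server-bridge' helper): "
                        "only one client can be connected at a time")
    if not client and tap and "client-to-client" not in conf:
        # Frames between two VPN clients are written to the tap device, and a
        # bridge never forwards a frame back out the port it arrived on.
        findings.append("bridged tap without 'client-to-client': VPN clients "
                        "cannot reach each other")
    if client and not CERT_CHECKS & conf.keys():
        # The 'No server certificate verification method' warning: any cert
        # signed by the same CA, another client's included, passes as server.
        findings.append("no server certificate check: add 'ns-cert-type server' "
                        "(2.0) or 'remote-cert-tls server' (2.1+)")
    return findings


# Constructed samples shaped like the thread's configs (addresses invented).
ORIGINAL_SERVER = ("local 203.0.113.10\nport 1194\nproto tcp-server\ndev tap0\n"
                   "tls-server\nca /etc/openvpn/ca.crt\nkeepalive 10 120\n")
FIXED_SERVER = ORIGINAL_SERVER + "mode server\nclient-to-client\n"
CLIENT = "client\ndev tap\nproto tcp\nremote 203.0.113.10 1194\nca ca.crt\n"
```

Running `check_config` over the two server samples shows the original flagged twice and the fixed one clean; the client sample is flagged until `ns-cert-type server` is added.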

