I've googled around for quite a while and I am wondering if this is a
problem specific to pfsense-1.2 and the built-in openvpn version.

Client A and Client B are both behind a NAT gateway whose public IP is
n.n.n.n (a linux firewall box with iptables masquerading).

VPN server v.v.v.v has a server, with a pool of IPs set to
10.10.10.40/29, using X509 certificates to authenticate - clients are
my-vpn-client1 and my-vpn-client2

Client A connects and gets a tunnel 10.10.10.45 -> 10.10.10.45, and
everything works exactly as expected. netmask is /32.

Oddly, VPN server thinks the tunnel is 10.10.10.41 -> 10.10.10.42, but
it seems OK. netmask is /32.

Client B connects but the tunnel isn't established; the tun device
appears but no IP address gets set, no traffic flows. If I disconnect A,
eventually B works. The natting on the gateway is working fine, A and B
end up being natted to different source ports.

If A is working, I can get B to work by manually setting up B's tunnel thus:
        ifconfig tun0 10.10.10.44 dstaddr 10.10.10.43
and then it all works very happily.


Meanwhile, the following message appears in the vpn server's logs:

Sep 13 22:23:13 localhost openvpn[55031]: v.v.v.v:9680 Re-using SSL/TLS
context
Sep 13 22:23:13 localhost openvpn[55031]: n.n.n.n:9680 LZO compression
initialized
Sep 13 22:23:14 localhost openvpn[55031]: n.n.n.n:9680 [my-vpn-client2]
Peer Connection Initiated with n.n.n.n:9680
Sep 13 22:23:14 localhost openvpn[55031]: my-vpn-client2/n.n.n.n:9680
MULTI: no free --ifconfig-pool addresses are available
Sep 13 22:23:14 localhost openvpn[55031]: my-vpn-client2/n.n.n.n:9680
MULTI: no dynamic or static remote --ifconfig address is available for
my-vpn-client2/n.n.n.n:9680
Sep 13 22:25:25 localhost openvpn[55031]: my-vpn-client2/n.n.n.n:9680
[my-vpn-client2] Inactivity timeout (--ping-restart), restarting



I am wondering whether it's my choice of /29 for the server pool? I have
a large number of openvpn listeners, all on their own port and all
subnetted off the 10.10.10.0/24, one server for each small group of
users, so that I can tightly lock down their network access.

thanks for any thoughts!

Paul
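The "no free --ifconfig-pool addresses" message above is what OpenVPN logs when the pool has been exhausted. As an added illustration (not part of Paul's post, and not pfSense's or OpenVPN's own code), the script below works out how many client slots a tunnel network yields. It assumes OpenVPN's default net30 topology, where every client consumes a whole /30 (network, server endpoint, client endpoint, broadcast) and the first /30 is reserved for the server's own endpoint pair; the comparison with `topology subnet` is included because it changes the arithmetic considerably. The 10.10.10.40/29 value is the one from the post; the /28 is a constructed comparison.

```python
import ipaddress


def net30_blocks(tunnel_net):
    """Split a tunnel network into the /30 blocks a net30-topology server hands out.

    Each /30 holds (network, server-side endpoint, client-side endpoint, broadcast),
    so a single client consumes four addresses. Returns (server_end, client_end)
    string pairs, one per /30.
    """
    net = ipaddress.ip_network(tunnel_net, strict=True)
    if net.prefixlen > 30:
        raise ValueError("net30 topology needs at least a /30 tunnel network")
    return [(str(sub[1]), str(sub[2])) for sub in net.subnets(new_prefix=30)]


def net30_client_slots(tunnel_net):
    """Client slots under net30: one /30 per client, minus the first /30, which
    (assumption about the --server helper's layout) is the server's own pair."""
    return max(len(net30_blocks(tunnel_net)) - 1, 0)


def subnet_client_slots(tunnel_net):
    """Client slots under --topology subnet: every host address except the network
    address, the server's own address and the broadcast address."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    return max(net.num_addresses - 3, 0)


def pool_fits(tunnel_net, clients, topology="net30"):
    """True when `clients` simultaneous connections fit into the pool; False means
    the server would log 'no free --ifconfig-pool addresses' for the extra ones."""
    if topology == "net30":
        slots = net30_client_slots(tunnel_net)
    elif topology == "subnet":
        slots = subnet_client_slots(tunnel_net)
    else:
        raise ValueError("topology must be 'net30' or 'subnet'")
    return clients <= slots


if __name__ == "__main__":
    # 10.10.10.40/29 is the pool from the post; 10.10.10.32/28 is a constructed comparison.
    for cidr in ("10.10.10.40/29", "10.10.10.32/28"):
        print(cidr, "net30 /30 pairs:", net30_blocks(cidr))
        print(cidr, "net30 client slots:", net30_client_slots(cidr),
              "| subnet client slots:", subnet_client_slots(cidr))
        print(cidr, "two clients at once under net30:", pool_fits(cidr, 2))
```

For the /29 from the post this yields two /30 blocks, the first of which is the server's own endpoint pair, leaving exactly one client slot; a second simultaneous client therefore triggers the pool-exhaustion message regardless of the NAT in front of it.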

