next »

[TLP]

Hello, my clients are getting the same ip from the same certificate, but i enabled Duplicate Connections on the server config

is anything else to do???

[GruensFroeschli]

You have to disable the "Duplicate Connections" checkbox.
Otherwise you get the behaviour you're observing.

Also: Dont assign multiple clients the same certificate.
Every client has to have his own key/certificate pair.

[TLP]

It says

"Allow multiple concurrent connections from clients using the same Common Name."
and that is what I need

I need to generate a certificate for each branch, and every branch has 2 or 3 computers

so i created a certificate and a Client Specific Override for each cert, setting the ip to 192.168.xxx.0/24
but they all get the ip 192.168.xxx.2

[TLP]

Also, the clients are getting mask 255.255.255.252
and i configured /24

I am doomed

[cmb]

The clients always get a /30 mask, the /24 just defines the range. If you are allowing concurrent connections (you need that checked), and clients are getting the same IP, then I suspect you have a client specific override that assigns a static IP which you can't have in such scenarios.

[TLP]

I have a custom for every certificate, so each branch gets an unique IP range

so Branch 1 i created an override with Tunnel Network = 192.168.101.0/24
Branch 2 Tunnel Network = 192.168.102.0/24

This cant be done???

[cmb]

You can't and don't want to do that. Only the iroute goes in the override in that case.

[TLP]

Why I dont wanna do this??

All the hosts are trusted managed computers, there is no workaround to this??

[cmb]

Every client on a single OpenVPN server must have an address within the server's tunnel network. One server isn't able to use multiple subnets there. If you're trying to route that network to that branch, then you need an iroute.

[TLP]

On the previous post u said "You [...] don't want to do that"

I did some research and found this can be done with tap, but tap generetes a lot of overhead, this isnt a real problem to me, can I do what I described before with tap???

I also found "topology subnet", is this possible??

[cmb]

you don't want tap either, that's only very, very rarely desirable, and pretty much never for site to site.

Take out the hard coded tunnel network, add iroute as needed, and you're set.