Question

Hello,

I apologize for any misunderstanding, as I am new to OpenVPN and have primarily worked with WireGuard before. However, WireGuard does not seem meet my requirements in this case.

I would like to connect three RUTX11 routers via VPN, where all routers and clients operate on the same network. I prefer not to create separate subnets for each router. Here is my planned setup:

The objective is to create a mobile network deployment solution. We already have a network with all the clients, dhcp and devices configured on the primary router. We want to take two routers and some of the clients and deploy them in different locations (Using LTE), allowing them to reconnect through the site-to-site VPN. The secondary routers woul'd only be turned on for such mobile deployments, and are not a usual part of the network.

I followed this Wiki-guide to set up the primary RUTX11 as the server and the other two as clients:

Connecting two same subnet office networks using OpenVPN bridge (TAP) on RUTX

The Open-VPN Server on the primary RUTX11 is reachable via a public ip thats constantly updated via dyndns.

Now, here's the issue:

The connection works, but only one device stays connected. After approximately 2 minutes (which matches the keepalive 10 120 value in the configuration), secondary 1 (246) disconnects, and secondary 2 (247) connects. This switching continues indefinitely in a loop.

Do I need to adjust any configurations to enable this scenario? Or should I approach it in a completely different way?

I attached the troubleshoot file for all three devices. Allthough i only see the disconnect by pinging the router IP-s from clients. In the UI it does not show. If i tail the openvpn logread output, all i see is the timeout and connection restart.

Thank you for your input :) and i hope my issue is understandable

Answer 1

Hello,

One of the possible causes for your issue is the use of pre-shared or static keys used for authentication, if configuration is performed following the aforementioned guide.

You need to use TLS authentication, and generate TLS certificates. The simplest way to generate certificates is by using certificate generator from the router itself System -> Administration -> Certificates page.

You will get a certificate and key pairs for client and server. In order to use the same certificates for multiple clients, you will need to enable Allow duplicate certificates, or create additional certificates for the clients, and, if necessary, Client to client (allows communication between OpenVPN clients) options in server's configuration. 

Best regards,

Comments

Thank you for the fast reply. I did apply the suggested changes and it's been running stable for around 15 Minutes now, with 0% package loss. No more disconnects.

Just for future reference and other users sake, I wan't to Document the steps i took here:

#1 Creating the Certs:
Going to System -> Administration -> Certificates . Unter "Certificate Generation" I left the File-Type Drop-Down on "Simple" and hit "Generate". 

After around 30 seconds i was able to download the descibed ca, server, client and dh cert/key files from the Tab "Certificates Manager". 

#2 Adjusting the Server Settings on my primary RUTX11
Navigating to Services -> VPN -> OpenVPN and hiting the "edit" button on my existing server configuration. Here i changed and added the files downloaded before as follows:

• Authentication = TLS
• Client to Client = on
• Allow duplicate certificates = on
• Certificate authority = ca.cert.pem
• Server certificate = server.cert.pem
• Server key = server.key.pem
• Diffie Hellman parameters = dh.pem

#2 Adjusting the Client Settings on my secondary RUTX11's

Navigating to Services -> VPN -> OpenVPN and hiting the "edit" button on my existing client configuration. Here i changed and added the files downloaded before as follows:

• Authentication = TLS
• Certificate authority = ca.cert.pem
• Client certificate = client.cert.pem
• Client key = client.key.pem

Thanks again