Configuring OpenVPN Server for Multiple Client Connections: IP Allocation and Routing Solutions

The existing configuration uses a secret key file (static key mode) which fundamentally limits you to a single tunnel endpoint pair. This explains why your second client fails to connect properly - both clients are trying to use identical IP addresses (192.168.2.1/192.168.2.2) and the same authentication credentials.

For multiple concurrent connections, we need to switch from static key to TLS mode:

# New server.conf
port 1194
proto udp
dev tun
# PKI material: the server certificate must be issued with the server role
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# 'server' expands to mode server, tls-server, an ifconfig for the server's own
# tun endpoint and a dynamic pool for clients (10.8.0.4-10.8.0.251 under the
# default net30 topology)
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 172.16.0.23"
keepalive 10 120
# comp-lzo is deprecated since OpenVPN 2.4, and tunnel compression exposes
# traffic to compression side-channel attacks (VORACLE); omit it unless required
comp-lzo
persist-key
persist-tun
# relative path: resolved against the directory OpenVPN runs in (see --cd)
status openvpn-status.log
verb 3

Each client needs its own certificate/key pair:

client
dev tun
proto udp
# replace with the server's public name or address
remote your.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# this client's own certificate and key: issue one pair per client and never
# copy one pair to several machines (without duplicate-cn the server drops the
# older session when the same common name reconnects)
cert client1.crt
key client1.key
# reject a peer whose certificate was not issued with the server role
remote-cert-tls server
comp-lzo
verb 3

The server directive automatically handles IP allocation from the specified pool (10.8.0.0/24 in this case). For more control, consider:

# Alternative IP management
# 'server' already expands to this pool; to set it by hand use
# 'server 10.8.0.0 255.255.255.0 nopool' together with these lines
ifconfig-pool 10.8.0.4 10.8.0.251 255.255.255.0
# remembers client -> address assignments across restarts
ifconfig-pool-persist ipp.txt

Update your iptables rules to match the new subnet:

*nat
:POSTROUTING ACCEPT [0:0]
# replace eth0 with the server's upstream interface; forwarding must also be
# enabled (sysctl net.ipv4.ip_forward=1) or this rule never sees client traffic
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

For advanced scenarios where clients need special routing:

# In server config
client-config-dir /etc/openvpn/ccd
# Then create per-client files named after the client certificate's common name:
# /etc/openvpn/ccd/client1
# First address is the client's, second is the server-side endpoint. Under the
# default net30 topology they must be the usable pair of one /30, i.e.
# [1,2] [5,6] [9,10] ... so 101/102 is valid while 100/101 is not
ifconfig-push 10.8.0.101 10.8.0.102

Check active connections with:

cat /etc/openvpn/openvpn-status.log

You should see multiple client entries with unique virtual IPs.

For handling numerous concurrent connections:

max-clients 100
mute 20
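A small lint for client-config-dir files, added here as an example and not taken from either answer. It checks the static-address rules the ccd passage above relies on: each ifconfig-push pair must be the two usable addresses of one /30 under the default net30 topology, must lie inside the server subnet, must not reuse the server's own /30, and no two clients may share a /30. The ccd file contents and the `lint_ccd`/`check_pair` helpers are constructed for this example; a real run would read the files from /etc/openvpn/ccd instead.

```python
# Added example, not part of the original answers.
# Assumes `server 10.8.0.0 255.255.255.0` with the default net30 topology.
import ipaddress
import re

SERVER_SUBNET = ipaddress.ip_network("10.8.0.0/24")  # from the 'server' directive

# Constructed sample ccd files: file name (client common name) -> file text.
SAMPLE_CCD = {
    "client1": "ifconfig-push 10.8.0.101 10.8.0.102\niroute 192.168.1.0 255.255.255.0\n",
    "client2": "ifconfig-push 10.8.0.100 10.8.0.101\n",   # not a /30 pair
    "client3": "ifconfig-push 10.8.0.105 10.8.0.106\n",
    "client4": "ifconfig-push 10.8.0.106 10.8.0.105\n",   # same /30 as client3
    "client5": "ifconfig-push 10.9.0.5 10.9.0.6\n",       # outside the server subnet
}


def parse_ifconfig_push(text):
    """Return (local, remote) from the file's ifconfig-push line, or None if absent."""
    m = re.search(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", text, re.M)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def net30_block(addr):
    """The /30 that an address belongs to under topology net30."""
    return ipaddress.ip_network(f"{addr}/30", strict=False)


def check_pair(local, remote):
    """Return a list of problems with one ifconfig-push pair (empty list means OK)."""
    problems = []
    if local not in SERVER_SUBNET or remote not in SERVER_SUBNET:
        problems.append("address outside the server subnet %s" % SERVER_SUBNET)
        return problems
    block = net30_block(local)
    # the usable addresses of a /30 are base+1 and base+2; base is the network
    # address and base+3 the broadcast, neither of which may be pushed
    usable = {block.network_address + 1, block.network_address + 2}
    if {local, remote} != usable:
        problems.append("not a net30 /30 pair (valid pairs are [1,2] [5,6] [9,10] ...)")
    if block == net30_block(SERVER_SUBNET.network_address):
        problems.append("uses the server's own /30 (10.8.0.1/10.8.0.2)")
    return problems


def lint_ccd(files):
    """Lint a dict of ccd file name -> contents; return name -> list of problems."""
    report = {}
    seen_blocks = {}  # /30 -> first client that claimed it
    for name, text in files.items():
        pair = parse_ifconfig_push(text)
        if pair is None:
            continue  # no static address: the client draws from the dynamic pool
        local, remote = pair
        problems = check_pair(local, remote)
        if local in SERVER_SUBNET:
            block = net30_block(local)
            if block in seen_blocks:
                problems.append("same /30 as %s" % seen_blocks[block])
            else:
                seen_blocks[block] = name
        report[name] = problems
    return report


if __name__ == "__main__":
    for client, problems in lint_ccd(SAMPLE_CCD).items():
        print(client, "OK" if not problems else "; ".join(problems))
```

Run it against your own directory by building the dict from `pathlib.Path("/etc/openvpn/ccd").iterdir()`; any non-empty problem list points at a client that will either fail to come up on a Windows TAP adapter or silently collide with another static assignment.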

The fundamental issue with your configuration lies in using a static-key (shared secret) method, which inherently supports only a single point-to-point connection. The ifconfig directive in both server and client configs creates an exclusive tunnel between two fixed IP addresses (192.168.2.1 ↔ 192.168.2.2).

To support multiple concurrent connections, we need to shift from static-key to TLS mode with client certificates and implement a dynamic IP allocation system:

# Revised server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# EasyRSA's gen-dh writes pki/dh.pem; copy or rename it to match this name
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 172.16.0.23"
keepalive 10 120
# deprecated since OpenVPN 2.4 and a compression side-channel risk (VORACLE);
# drop it unless a client genuinely needs it
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# relative path: resolved against the directory OpenVPN runs in (see --cd)
client-config-dir ccd
# every network announced with iroute in a ccd file also needs a server-side
# route, e.g. for the ccd/client1 example below:
route 192.168.1.0 255.255.255.0

Each client needs its own certificate/key pair. The client config becomes:

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# one certificate/key pair per client; never share a pair between machines
cert client1.crt
key client1.key
# reject a peer whose certificate was not issued with the server role
remote-cert-tls server
comp-lzo
verb 3

Create a ccd directory (as specified in server.conf) for client-specific overrides:

# Example ccd/client1 file (file name = the client certificate's common name)
# client address first, server-side endpoint second; a valid net30 /30 pair
ifconfig-push 10.8.0.101 10.8.0.102
# tells the server that 192.168.1.0/24 sits behind this client; it only takes
# effect together with 'route 192.168.1.0 255.255.255.0' in server.conf
iroute 192.168.1.0 255.255.255.0

Update your iptables rules to handle the new subnet:

*nat
:POSTROUTING ACCEPT [0:0]
# eth0 = the server's upstream interface; also enable net.ipv4.ip_forward=1
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Use EasyRSA to create the PKI infrastructure:

./easyrsa init-pki
# nopass leaves the CA private key unencrypted: keep the CA offline or drop nopass
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
# the 'server' type sets the server EKU that clients check with remote-cert-tls
./easyrsa sign-req server server
# writes pki/dh.pem; the server.conf above refers to it as dh2048.pem
./easyrsa gen-dh
./easyrsa gen-req client1 nopass
# repeat gen-req/sign-req once per client, each with its own name
./easyrsa sign-req client client1

Check connection status using:

cat /etc/openvpn/openvpn-status.log
# Should show multiple connected clients
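Both answers end by eyeballing openvpn-status.log. The parser below is an added example (not from either answer) that reads the status-version-1 format that the `status` directive writes by default, returns the client list and routing table as structured records, and flags the symptoms of the shared-credential problem the question started from: one common name connected more than once (which can only persist when duplicate-cn is set) and one virtual address handed to more than one client. The status text is constructed for the example; the function names are assumptions of this example.

```python
# Added example, not part of the original answers.
import sys
from collections import Counter

# Constructed status-version-1 file: client2's certificate is in use twice.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jan  4 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51234,1024,2048,Thu Jan  4 09:58:00 2024
client2,198.51.100.7:40001,512,768,Thu Jan  4 09:59:10 2024
client2,198.51.100.9:40002,128,256,Thu Jan  4 09:59:55 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.10:51234,Thu Jan  4 09:59:59 2024
10.8.0.10,client2,198.51.100.7:40001,Thu Jan  4 09:59:58 2024
10.8.0.14,client2,198.51.100.9:40002,Thu Jan  4 09:59:57 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Return (clients, routes) parsed from a status-version-1 file.

    clients: dicts with common_name, real_address, bytes_in, bytes_out, since
    routes:  dicts with virtual_address, common_name, real_address, last_ref
    """
    clients, routes = [], []
    section = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        # the 'Updated,...' line has 2 fields and the column header is skipped by name
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            clients.append({
                "common_name": fields[0],
                "real_address": fields[1],
                "bytes_in": int(fields[2]),
                "bytes_out": int(fields[3]),
                "since": fields[4],
            })
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            routes.append({
                "virtual_address": fields[0],
                "common_name": fields[1],
                "real_address": fields[2],
                "last_ref": fields[3],
            })
    return clients, routes


def find_anomalies(clients, routes):
    """Flag shared certificates and colliding virtual addresses."""
    cn_counts = Counter(c["common_name"] for c in clients)
    vip_counts = Counter(r["virtual_address"] for r in routes)
    routed_cns = {r["common_name"] for r in routes}
    return {
        "duplicate_common_names": sorted(cn for cn, n in cn_counts.items() if n > 1),
        "duplicate_virtual_addresses": sorted(v for v, n in vip_counts.items() if n > 1),
        # connected but with no virtual address yet (still negotiating, or a push failure)
        "clients_without_route": sorted(set(cn_counts) - routed_cns),
    }


if __name__ == "__main__":
    # usage: python status_check.py /etc/openvpn/openvpn-status.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    clients, routes = parse_status(text)
    for r in routes:
        print(f"{r['common_name']:<12} {r['virtual_address']:<12} {r['real_address']}")
    for key, value in find_anomalies(clients, routes).items():
        print(key, value or "none")
```

On a healthy server every entry in `duplicate_common_names` is a certificate that should be revoked and reissued per machine, since a shared key gives every holder the same identity in the routing table and in any per-client ccd override.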