On 04/04/17 11:50, Илья Шипицин wrote:
> hello,
> 
> you did not use "topology", so, I guess "net30" is used by default.
> if so, you spent 4 addresses per connection.

Yes, --topology net30 is the default.  Unfortunately, we cannot easily
change that without breaking many setups.

> if you are not using too old clients (I guess, released 10 years ago),
> you can switch to "topology subnet"

Any OpenVPN version as of 2.1 and newer supports --topology subnet.  And
if you are using anything older than v2.3, you should upgrade ASAP
regardless.


--
kind regards,

David Sommerseth


> 2017-04-04 14:39 GMT+05:00 <saato...@keemail.me>:
> 
>     I'm performing a number of tests with OpenVPN, where amongst other
>     things, I connect and disconnect with the same client certificate
>     and slightly different client config settings over and over (>75
>     times, within a short time).
> 
>     I realised that I exhaust my server's IP pool pretty quickly. Even
>     waiting for >10 minutes before exhausting the IP pool doesn't seem
>     to help.
> 
>     The goal is to find a way to prevent this from the client side. I do
>     not want to amend the server configuration if possible.
> 
>     The server configuration is pretty simple:
>     port 443
>     proto udp
>     dev tun
>     server 172.16.0.0 255.255.255.0
>     ca /etc/openvpn/server/ca.crt
>     cert /etc/openvpn/server/stretch-server.crt
>     key /etc/openvpn/server/stretch-server.key
>     dh /etc/openvpn/server/dh4096.pem
>     tls-crypt /etc/openvpn/server/static.key
>     tls-version-min 1.2
>     tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
>     cipher AES-256-CBC
>     auth SHA512
>     verb 3
>     log-append /etc/openvpn/server/log/stretch-server.log
>     comp-lzo
>     duplicate-cn
>     ncp-disable
> 
> 
>     ------
> 
>     For every new connection to the VPN the client makes, the server
>     hands out a new IP address. Is there some way to re-use IP addresses
>     on the client?
> 
>     I know that it would be possible to reserve an IP for the client on
>     the server, but that would make it highly static.
> 
> 
> 
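
The address cost of each topology for the pool in the quoted server configuration, as an added example that is not part of the thread or of OpenVPN's code. The pool bounds are an assumption taken from the `--server` expansion in the OpenVPN 2.4 manual, the function names are hypothetical, and the 75 concurrent leases assume each test connection keeps its own address, as the original post describes.

```python
import ipaddress


def pool_layout(network, netmask, topology="net30"):
    """Model the 'server <network> <netmask>' helper for dev tun.

    Returns (first_pool_addr, last_pool_addr, client_slots).
    Bounds are an assumption taken from the OpenVPN 2.4 manual's
    expansion of --server; other releases may differ by an address.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}")
    base, bcast = int(net.network_address), int(net.broadcast_address)
    if topology == "net30":
        # The server keeps the first /30; every client then consumes a
        # whole /30 (network, server-side endpoint, client, broadcast).
        start, end = base + 4, bcast - 4
        slots = (((end | 3) + 1) - (start & ~3)) >> 2
    elif topology == "subnet":
        # The server takes the first host address; every client
        # consumes a single address.
        start, end = base + 2, bcast - 2
        slots = end - start + 1
    else:
        raise ValueError(f"unsupported topology: {topology}")
    if slots <= 0:
        raise ValueError("network too small for a pool")
    return ipaddress.ip_address(start), ipaddress.ip_address(end), slots


def net30_lease(network, netmask, n):
    """(client_addr, peer_addr) of the n-th net30 lease, n starting at 0."""
    start, _, slots = pool_layout(network, netmask, "net30")
    if not 0 <= n < slots:
        raise IndexError("pool exhausted")
    block = int(start) + 4 * n
    return ipaddress.ip_address(block + 2), ipaddress.ip_address(block + 1)


if __name__ == "__main__":
    # Network and connection count come from the original post.
    NET, MASK, CONNECTIONS = "172.16.0.0", "255.255.255.0", 75
    for topo in ("net30", "subnet"):
        first, last, slots = pool_layout(NET, MASK, topo)
        verdict = "exhausted" if CONNECTIONS > slots else "fits"
        print(f"{topo:6} pool {first}-{last}: {slots} leases, "
              f"{CONNECTIONS} concurrent leases -> {verdict}")
    print("first net30 lease:", *net30_lease(NET, MASK, 0))
```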
