Re: [Openvpn-users] IP pool exhaustion issue

Tue, 04 Apr 2017 04:00:48 -0700 

Hi,

On 04/04/17 11:39, saato...@keemail.me wrote:
I'm performing a number of tests with OpenVPN, where amongst other things, I connect and disconnect with the same client certificate and slightly different client config settings over and over (>75 times, withing a short time). 


I realised that I exhaust my servers IP pool pretty quickly. Even 
waiting for >10 minutes before exhausting the IP pool doesn't seem to 
help.




as others have stated, using "topology subnet" would help.

However, I also noticed that you're using "proto udp" in which case the 
server does not 'realize' that a client has gone until a certain timeout 
has expired. You can add the flag

  explicit-exit-notify 3

to the client config to ensure that each client "signs out" when the 
connection is terminated. This will most likely solve your exhaustion 
problem.


HTH,

JJK


The goal is to find a way to prevent this from the client side. I do 
not want to amend the server configuration if possible.


The server configuration is pretty simple:
port 443

proto udp

dev tun

server 172.16.0.0 255.255.255.0

ca /etc/openvpn/server/ca.crt

cert /etc/openvpn/server/stretch-server.crt

key /etc/openvpn/server/stretch-server.key

dh /etc/openvpn/server/dh4096.pem

tls-crypt /etc/openvpn/server/static.key

tls-version-min 1.2

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

cipher AES-256-CBC

auth SHA512

verb 3

log-append /etc/openvpn/server/log/stretch-server.log

comp-lzo

duplicate-cn

ncp-disable


------


For every new connection to the VPN  the client makes, the server 
hands out a new IP address. Is there some way to re-use IP addresses 
on the client?



I know that it would be possible to reserve an IP for the client on 
the server, but that would make it highly static.





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users






















					Reply via email to