On 4 Apr 2017 8:03 PM, <openvpn-users-requ...@lists.sourceforge.net>
wrote:
>
> Today's Topics:
>
> 1. Re: IP pool exhaustion issue (???? ???????)
> 2. Re: IP pool exhaustion issue (Jan Just Keijser)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 4 Apr 2017 15:41:44 +0500
> From: ???? ??????? <chipits...@gmail.com>
> Subject: Re: [Openvpn-users] IP pool exhaustion issue
> To: "openvpn-users@lists.sourceforge.net"
> <openvpn-users@lists.sourceforge.net>
> Cc: saato...@keemail.me
> Message-ID: <CAFHpkQHzuQiOvYMJHCdM8eZ7kpns4RW7bup+Nyy5htCN85c0Lw@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> 2017-04-04 15:34 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>:
>
> > On 04/04/17 11:50, ???? ??????? wrote:
> > > hello,
> > >
> > > you did not use "topology", so, I guess "net30" is used by default.
> > > if so, you spent 4 addresses per connection.
> >
> > Yes --topology net30 is the default. Unfortunately, we cannot easily
> > change that without breaking many setups.
> >
>
>
> unfortunately, there's a caveat: people use the default setting and they get
> only 25% of the expected pool size.
> maybe we should mark "net30" as deprecated and give a warning.
>
>
> >
> > > if you are not using too old clients (I guess, released 10 years ago),
> > > you can switch to "topology subnet"
> >
> > Any OpenVPN version as of 2.1 and newer supports --topology subnet. And
> > if you are using anything older than v2.3, you should upgrade ASAP
> > regardless.
> >
> >
> > --
> > kind regards,
> >
> > David Sommerseth
> >
> >
> > > 2017-04-04 14:39 GMT+05:00 <saato...@keemail.me>:
> > >
> > > I'm performing a number of tests with OpenVPN, where amongst other
> > > things, I connect and disconnect with the same client certificate
> > > and slightly different client config settings over and over (>75
> > > times, within a short time).
> > >
> > > I realised that I exhaust my server's IP pool pretty quickly. Even
> > > waiting for >10 minutes before exhausting the IP pool doesn't seem
> > > to help.
> > >
> > > The goal is to find a way to prevent this from the client side. I do
> > > not want to amend the server configuration if possible.
> > >
> > > The server configuration is pretty simple:
> > > port 443
> > > proto udp
> > > dev tun
> > > server 172.16.0.0 255.255.255.0
> > > ca /etc/openvpn/server/ca.crt
> > > cert /etc/openvpn/server/stretch-server.crt
> > > key /etc/openvpn/server/stretch-server.key
> > > dh /etc/openvpn/server/dh4096.pem
> > > tls-crypt /etc/openvpn/server/static.key
> > > tls-version-min 1.2
> > > tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> > > cipher AES-256-CBC
> > > auth SHA512
> > > verb 3
> > > log-append /etc/openvpn/server/log/stretch-server.log
> > > comp-lzo
> > > duplicate-cn
> > > ncp-disable
> > >
> > > ------
> > >
> > > For every new connection to the VPN the client makes, the server
> > > hands out a new IP address. Is there some way to re-use IP addresses
> > > on the client?
> > >
> > > I know that it would be possible to reserve an IP for the client on
> > > the server, but that would make it highly static.
> > >
> > >
> > >
> >
> >
>
> ------------------------------
>
> Message: 2
> Date: Tue, 04 Apr 2017 12:59:08 +0200
> From: Jan Just Keijser <janj...@nikhef.nl>
> Subject: Re: [Openvpn-users] IP pool exhaustion issue
> To: saato...@keemail.me, Openvpn Users
> <openvpn-users@lists.sourceforge.net>
> Message-ID: <58e37c7c.3000...@nikhef.nl>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi,
>
> On 04/04/17 11:39, saato...@keemail.me wrote:
> > I'm performing a number of tests with OpenVPN, where amongst other
> > things, I connect and disconnect with the same client certificate and
> > slightly different client config settings over and over (>75 times,
> > within a short time).
> >
> > I realised that I exhaust my server's IP pool pretty quickly. Even
> > waiting for >10 minutes before exhausting the IP pool doesn't seem to
> > help.
> >
>
> as others have stated, using "topology subnet" would help.
> However, I also noticed that you're using "proto udp" in which case the
> server does not 'realize' that a client has gone until a certain timeout
> has expired. You can add the flag
> explicit-exit-notify 3
> to the client config to ensure that each client "signs out" when the
> connection is terminated. This will most likely solve your exhaustion
> problem.
>
> HTH,
>
> JJK
>
> > The goal is to find a way to prevent this from the client side. I do
> > not want to amend the server configuration if possible.
> >
> > The server configuration is pretty simple:
> > port 443
> > proto udp
> > dev tun
> > server 172.16.0.0 255.255.255.0
> > ca /etc/openvpn/server/ca.crt
> > cert /etc/openvpn/server/stretch-server.crt
> > key /etc/openvpn/server/stretch-server.key
> > dh /etc/openvpn/server/dh4096.pem
> > tls-crypt /etc/openvpn/server/static.key
> > tls-version-min 1.2
> > tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> > cipher AES-256-CBC
> > auth SHA512
> > verb 3
> > log-append /etc/openvpn/server/log/stretch-server.log
> > comp-lzo
> > duplicate-cn
> > ncp-disable
> >
> > ------
> >
> > For every new connection to the VPN the client makes, the server
> > hands out a new IP address. Is there some way to re-use IP addresses
> > on the client?
> >
> > I know that it would be possible to reserve an IP for the client on
> > the server, but that would make it highly static.
> >
>
>
> ------------------------------
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
> End of Openvpn-users Digest, Vol 131, Issue 4
> *********************************************
>
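As an added illustration (not code from the thread or from OpenVPN), the following Python model shows the two effects discussed above for the posted "server 172.16.0.0 255.255.255.0" line: how many clients the pool holds under "topology net30" versus "topology subnet", and how a UDP client that reconnects repeatedly exhausts the pool until leases time out, unless it signs out with explicit-exit-notify. The pool bounds follow the --server helper's documented expansion; the timeout, reconnect interval and connection counts are constructed values, not defaults taken from OpenVPN.

```python
import ipaddress

NET = ipaddress.ip_network("172.16.0.0/24")  # "server 172.16.0.0 255.255.255.0"

def pool_bounds(topology):
    """(first, last, addresses per client) as the --server helper expands it."""
    base = int(NET.network_address)
    if topology == "net30":
        # server takes .1/.2; each client gets a /30, so the pool is .4 .. .251
        return base + 4, base + 251, 4
    if topology == "subnet":
        # server takes .1; each client gets one address, pool is .2 .. .253
        return base + 2, base + 253, 1
    raise ValueError(f"unknown topology {topology!r}")

def client_capacity(topology):
    first, last, step = pool_bounds(topology)
    return (last - first + 1) // step

class Pool:
    """Lease tracker: a lease is freed only once the server learns the client left."""
    def __init__(self, topology):
        self.first, self.last, self.step = pool_bounds(topology)
        self.leases = {}  # address (int) -> time at which the server gives up on it

    def connect(self, now, timeout):
        # Over UDP a client that just vanished is noticed only after its timeout.
        self.leases = {a: t for a, t in self.leases.items() if t > now}
        for addr in range(self.first, self.last + 1, self.step):
            if addr not in self.leases:
                self.leases[addr] = now + timeout
                return str(ipaddress.ip_address(addr))
        return None  # pool exhausted

    def exit_notify(self, addr):
        # explicit-exit-notify: the client says goodbye, so the lease is freed at once.
        self.leases.pop(int(ipaddress.ip_address(addr)), None)

def simulate(topology, attempts, interval, timeout, notify):
    """Reconnect `attempts` times, `interval` s apart; return attempts that got no address."""
    pool = Pool(topology)
    failures = 0
    for i in range(attempts):
        addr = pool.connect(i * interval, timeout)
        if addr is None:
            failures += 1
        elif notify:
            pool.exit_notify(addr)
    return failures
```

With the constructed timeout of one hour, 75 reconnects ten seconds apart fail 13 times under net30 (62 slots) and never under subnet (252 slots), and never under either topology once the client sends an exit notification.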