Hello!

I'll have to look into the topology topic. But it seems reasonable to me
to print a warning about the net30 topology.

The explicit-exit-notify is a very good point! I missed that in my client
configuration. It appears to be working if I start one process after the
other. However, during my tests I start multiple OpenVPN instances on the
client at the same time. I add `nobind` to the client config to make this
possible and the IP pool exhaustion situation does not change with the
explicit-exit-notify.

How else could I tackle this issue?

4. Apr 2017 12:59 by janj...@nikhef.nl:
> Hi,
>
> On 04/04/17 11:39, saato...@keemail.me wrote:
>> I'm performing a number of tests with OpenVPN, where amongst
>> other things, I connect and disconnect with the same client certificate
>> and slightly different client config settings over and over (>75
>> times, within a short time).
>>
>> I realised that I exhaust my server's IP pool pretty
>> quickly. Even waiting for >10 minutes before exhausting the IP pool
>> doesn't seem to help.
>>
>
> as others have stated, using "topology subnet" would help.
> However, I also noticed that you're using "proto udp" in which case
> the server does not 'realize' that a client has gone until a certain
> timeout has expired. You can add the flag
> explicit-exit-notify 3
> to the client config to ensure that each client "signs out" when the
> connection is terminated. This will most likely solve your exhaustion
> problem.
>
> HTH,
>
> JJK
>
>
>> The goal is to find a way to prevent this from the client
>> side. I do not want to amend the server configuration if possible.
>>
>> The server configuration is pretty simple:
>>
>> port 443
>> proto udp
>> dev tun
>> server 172.16.0.0 255.255.255.0
>> ca /etc/openvpn/server/ca.crt
>> cert /etc/openvpn/server/stretch-server.crt
>> key /etc/openvpn/server/stretch-server.key
>> dh /etc/openvpn/server/dh4096.pem
>> tls-crypt /etc/openvpn/server/static.key
>> tls-version-min 1.2
>> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
>> cipher AES-256-CBC
>> auth SHA512
>> verb 3
>> log-append /etc/openvpn/server/log/stretch-server.log
>> comp-lzo
>> duplicate-cn
>> ncp-disable
>>
>> ------
>>
>> For every new connection to the VPN the client makes, the
>> server hands out a new IP address. Is there some way to re-use
>> IP addresses on the client?
>>
>> I know that it would be possible to reserve an IP for the
>> client on the server, but that would make it highly static.
>>
>
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
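
Added example, not part of the thread: a pool-capacity calculation for the quoted `server 172.16.0.0 255.255.255.0` line, showing why more than 75 unreleased connections cannot fit under net30 and why `topology subnet` leaves more room. The pool offsets are an assumption taken from the `--server` expansion in the OpenVPN 2.4 manual page for a /24-sized network; the function names are hypothetical.

```python
import ipaddress

# Pool offsets follow the "--server" expansion documented in the OpenVPN 2.4
# manual page (assumption: other releases may reserve different addresses).
def pool_bounds(network, netmask, topology):
    """Return (first, last, addresses_per_client) for the dynamic pool."""
    net = ipaddress.ip_network(f"{network}/{netmask}")
    base, bcast = int(net.network_address), int(net.broadcast_address)
    if topology == "net30":
        return base + 4, bcast - 4, 4   # every client consumes a whole /30
    if topology == "subnet":
        return base + 2, bcast - 2, 1   # every client consumes one address
    raise ValueError(f"unsupported topology: {topology}")

def client_slots(network, netmask, topology):
    """Number of clients the pool can hold at the same time."""
    first, last, per_client = pool_bounds(network, netmask, topology)
    return max(0, (last - first + 1) // per_client)

def first_refused(network, netmask, topology, connections):
    """1-based number of the first connection that finds the pool empty,
    assuming no earlier lease has been released; None if all of them fit."""
    slots = client_slots(network, netmask, topology)
    return slots + 1 if connections > slots else None

def net30_lease(network, netmask, n):
    """(client address, server-side peer address) of the n-th net30 client."""
    first, last, per_client = pool_bounds(network, netmask, "net30")
    block = first + n * per_client
    if block + per_client - 1 > last:
        raise IndexError("pool exhausted")
    return (str(ipaddress.ip_address(block + 2)),
            str(ipaddress.ip_address(block + 1)))

if __name__ == "__main__":
    # Values from the quoted server config; 76 stands for ">75" reconnects.
    for topo in ("net30", "subnet"):
        print(topo, client_slots("172.16.0.0", "255.255.255.0", topo),
              first_refused("172.16.0.0", "255.255.255.0", topo, 76))
```

The calculation only bounds simultaneous leases; how quickly the server frees a lease after a UDP client disappears is a separate matter.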