Hello! I'll have to look into the topology topic. But it seems reasonable to me,
to print a warning about the net30 topology.

The explicit-exit-notify is a very good point! I missed that in my client
configuration. It appears to be working, if I start one process after the
other. However, during my tests I start multiple OpenVPN instances on the
client at the same time. I add `nobind` to the client config to make this
possible and the IP pool exhaustion situation does not change with the
explicit-exit-notify.

How else could I tackle this issue?

4. Apr 2017 12:59 by janj...@nikhef.nl:


> Hi,
>
> On 04/04/17 11:39, saato...@keemail.me wrote:
>> I'm performing a number of tests with OpenVPN, where amongst other
>> things, I connect and disconnect with the same client certificate
>> and slightly different client config settings over and over (>75
>> times, within a short time).
>>
>> I realised that I exhaust my server's IP pool pretty quickly.
>> Even waiting for >10 minutes before exhausting the IP pool
>> doesn't seem to help.
>
> as others have stated, using "topology subnet" would help.
> However, I also noticed that you're using "proto udp" in which case
> the server does not 'realize' that a client has gone until a certain
> timeout has expired. You can add the flag
>       explicit-exit-notify 3
> to the client config to ensure that each client "signs out" when the
> connection is terminated. This will most likely solve your exhaustion
> problem.
>
> HTH,
>
> JJK
>
>> The goal is to find a way to prevent this from the client
>> side. I do not want to amend the server configuration if possible.
>>
>> The server configuration is pretty simple:
>>
>> port 443
>> proto udp
>> dev tun
>> server 172.16.0.0 255.255.255.0
>> ca /etc/openvpn/server/ca.crt
>> cert /etc/openvpn/server/stretch-server.crt
>> key /etc/openvpn/server/stretch-server.key
>> dh /etc/openvpn/server/dh4096.pem
>> tls-crypt /etc/openvpn/server/static.key
>> tls-version-min 1.2
>> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
>> cipher AES-256-CBC
>> auth SHA512
>> verb 3
>> log-append /etc/openvpn/server/log/stretch-server.log
>> comp-lzo
>> duplicate-cn
>> ncp-disable
>>
>> ------
>>
>> For every new connection to the VPN the client makes, the
>> server hands out a new IP address. Is there some way to re-use
>> IP addresses on the client?
>>
>> I know that it would be possible to reserve an IP for the
>> client on the server, but that would make it highly static.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
