2017-04-04 19:09 GMT+05:00 <saato...@keemail.me>:
> Hello!
> I'll have to look into the topology topic. But it seems reasonable to me,
> to print a warning about the net30 topology.
>
> The explicit-exit-notify is a very good point! I missed that in my client
> configuration. It appears to be working, if I start one process after the
> other. However, during my tests I start multiple OpenVPN instances on the
> client at the same time.
> I add `nobind` to the client config to make this possible and the IP pool
> exhaustion situation does not change with the explicit-exit-notify.
>
nobind is also an option which should get more attention, I think.
You got it wrong, it will not help to prevent "ip pool exhaustion", however
it is useful from many points of view.
By default, openvpn client binds to 1194, so you cannot connect to several
openvpn destinations.
It is due to the dual nature of openvpn: it is client and server at the same
time, even the same code base.
I think we can consider either warning about binding or adding "nobind" when
a client profile is used.
It is a very common situation to forget to add "nobind" to a client config. Thanks
for bringing that to attention!
>
> How else could I tackle this issue?
>
> 4. Apr 2017 12:59 by janj...@nikhef.nl:
>
>
> Hi,
>
> On 04/04/17 11:39, saato...@keemail.me wrote:
>
> I'm performing a number of tests with OpenVPN, where amongst other things,
> I connect and disconnect with the same client certificate and slightly
> different client config settings over and over (>75 times, within a short
> time).
>
> I realised that I exhaust my server's IP pool pretty quickly. Even waiting
> for >10 minutes before exhausting the IP pool doesn't seem to help.
>
>
> As others have stated, using "topology subnet" would help.
> However, I also noticed that you're using "proto udp" in which case the
> server does not 'realize' that a client has gone until a certain timeout
> has expired. You can add the flag
> explicit-exit-notify 3
> to the client config to ensure that each client "signs out" when the
> connection is terminated. This will most likely solve your exhaustion
> problem.
>
> HTH,
>
> JJK
>
> The goal is to find a way to prevent this from the client side. I do not
> want to amend the server configuration if possible.
>
> The server configuration is pretty simple:
>
> port 443
> proto udp
> dev tun
> server 172.16.0.0 255.255.255.0
> ca /etc/openvpn/server/ca.crt
> cert /etc/openvpn/server/stretch-server.crt
> key /etc/openvpn/server/stretch-server.key
> dh /etc/openvpn/server/dh4096.pem
> tls-crypt /etc/openvpn/server/static.key
> tls-version-min 1.2
> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> cipher AES-256-CBC
> auth SHA512
> verb 3
> log-append /etc/openvpn/server/log/stretch-server.log
> comp-lzo
> duplicate-cn
> ncp-disable
>
>
> ------
>
> For every new connection to the VPN the client makes, the server hands
> out a new IP address. Is there some way to re-use IP addresses on the
> client?
>
> I know that it would be possible to reserve an IP for the client on the
> server, but that would make it highly static.
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
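An added check for the two client-side options discussed in this thread (example code, not from the thread or the OpenVPN project): it lints a client profile for `nobind` and, when the transport is UDP, for `explicit-exit-notify`. The sample profiles and the hostname in them are constructed; only the `proto` directive is inspected, a protocol given on a `remote` line is not parsed.

```shell
#!/bin/sh
# Lint an OpenVPN client profile for "nobind" (without it a second client
# instance cannot bind the default port 1194) and, on UDP, for
# "explicit-exit-notify" (without it the server frees the client's address
# only after its timeout). Simplification: only "proto" lines are checked.

# Constructed sample profiles: one like the original poster's, one fixed.
WEAK_PROFILE="$(mktemp)"
FIXED_PROFILE="$(mktemp)"
trap 'rm -f "$WEAK_PROFILE" "$FIXED_PROFILE"' EXIT
cat > "$WEAK_PROFILE" <<'EOF'
client
dev tun
proto udp
# placeholder hostname
remote vpn.example.invalid 443
EOF
cat > "$FIXED_PROFILE" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 443
; do not bind the local default port, so several instances can run at once
nobind
; tell the server we are leaving, so it releases the address right away
explicit-exit-notify 3
EOF

# First word of every non-comment line: the directive names in use.
profile_options() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$1" | awk 'NF { print $1 }'
}

# 0 if the profile transports over UDP: either "proto udp*" or no "proto"
# line at all, since UDP is OpenVPN's default.
uses_udp() {
    ! grep -Eq '^[[:space:]]*proto[[:space:]]+tcp' "$1"
}

# Print, one per line, the recommended directives that are absent.
missing_client_options() {
    profile_options "$1" | grep -qx nobind || echo nobind
    if uses_udp "$1" && ! profile_options "$1" | grep -qx explicit-exit-notify; then
        echo explicit-exit-notify
    fi
}

missing_client_options "$WEAK_PROFILE"   # prints nobind and explicit-exit-notify
missing_client_options "$FIXED_PROFILE"  # prints nothing
```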