Hi,
On 04/04/17 16:09, saato...@keemail.me wrote:
Hello!
I'll have to look into the topology topic. But it seems reasonable to
me, to print a warning about the net30 topology.
The explicit-exit-notify is a very good point! I missed that in my
client configuration. It appears to be working, if I start one process
after the other. However, during my tests I start multiple OpenVPN
instances on the client at the same time.
I add `nobind` to the client config to make this possible and the IP
pool exhaustion situation does not change with the explicit-exit-notify.
How else could I tackle this issue?
Either switch to 'topology net30' or increase the pool size (both on the
server). You're using
server 172.16.0.0 255.255.255.0
but you could also use
server 172.16.0.0 255.255.254.0
which should give you 128 client IPs with Net30.
HTH,
JJK
4. Apr 2017 12:59 by janj...@nikhef.nl:
Hi,
On 04/04/17 11:39, saato...@keemail.me wrote:
I'm performing a number of tests with OpenVPN, where amongst
other things, I connect and disconnect with the same client
certificate and slightly different client config settings over
and over (>75 times, within a short time).
I realised that I exhaust my server's IP pool pretty quickly.
Even waiting for >10 minutes before exhausting the IP pool
doesn't seem to help.
As others have stated, using "topology subnet" would help.
However, I also noticed that you're using "proto udp" in which
case the server does not 'realize' that a client has gone until a
certain timeout has expired. You can add the flag
explicit-exit-notify 3
to the client config to ensure that each client "signs out" when
the connection is terminated. This will most likely solve your
exhaustion problem.
HTH,
JJK
The goal is to find a way to prevent this from the client
side. I do not want to amend the server configuration if possible.
The server configuration is pretty simple:
port 443
proto udp
dev tun
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/stretch-server.crt
key /etc/openvpn/server/stretch-server.key
dh /etc/openvpn/server/dh4096.pem
tls-crypt /etc/openvpn/server/static.key
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512
verb 3
log-append /etc/openvpn/server/log/stretch-server.log
comp-lzo
duplicate-cn
ncp-disable
------
For every new connection to the VPN the client makes, the
server hands out a new IP address. Is there some way to re-use
IP addresses on the client?
I know that it would be possible to reserve an IP for the
client on the server, but that would make it highly static.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
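
An added example, not part of the thread or of OpenVPN itself: a small model of why the test run above (more than 75 connects with `duplicate-cn`) runs a `server 172.16.0.0 255.255.255.0` pool dry, and how the suggested netmask or topology change moves the limit. The capacities are upper bounds under the stated assumptions (OpenVPN's actual pool boundaries may reserve a few more addresses), and `first_failed_attempt`, `interval_s` and `linger_s` are hypothetical names for this sketch.

```python
import ipaddress
import math

def client_capacity(network, netmask, topology):
    """Upper bound on simultaneous clients for `server <network> <netmask>`."""
    net = ipaddress.IPv4Network(f"{network}/{netmask}")
    if topology == "net30":
        # Assumption: one /30 (4 addresses) per client, and the first /30
        # of the range is used by the server's own tunnel endpoint.
        return net.num_addresses // 4 - 1
    if topology == "subnet":
        # One address per client; network, broadcast and server address
        # are not available to clients.
        return net.num_addresses - 3
    raise ValueError(f"unsupported topology: {topology}")

def first_failed_attempt(capacity, attempts, interval_s, linger_s):
    """Return the 1-based connect attempt that finds the pool empty, or None.

    Model: a new session starts every `interval_s` seconds and the server
    keeps its address reserved for `linger_s` seconds (math.inf if the
    server never notices the UDP client has gone).
    """
    release_times = []
    for i in range(attempts):
        now = i * interval_s
        # Drop reservations the server has already released.
        release_times = [t for t in release_times if t > now]
        if len(release_times) >= capacity:
            return i + 1
        release_times.append(now + linger_s)
    return None

if __name__ == "__main__":
    # Constructed scenario: 76 connects, 5 s apart, addresses never released.
    cases = [("255.255.255.0", "net30"),
             ("255.255.254.0", "net30"),
             ("255.255.255.0", "subnet")]
    for mask, topo in cases:
        cap = client_capacity("172.16.0.0", mask, topo)
        failed = first_failed_attempt(cap, 76, 5, math.inf)
        print(f"{mask} {topo}: capacity {cap}, first failure at {failed}")
```
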