It seems to me that without `nobind`, I obviously re-use the same local port on
the client, which is reassigned the same IP address (if I include the
explicit-exit-notify). This does not work with `nobind` and I believe that has
to do with the random port for each OpenVPN process. Now, my idea was to
"re-use" a fixed number of random ports.
For instance I start OpenVPN with `nobind` and log the random local port. After
I have four random ports, any further instance of OpenVPN is started with one
of these four local ports (--lport).
I hope to avoid the IP pool exhaustion like this, without modifying the server
configuration.
However, my problem is that I can't identify the local port on the client with
`nobind`. I couldn't identify any environment variable on `--up` holding
information about the local port on the client.
How could I identify the random local port when using `nobind`?
Thank you and kind regards,
SaAtomic
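One way to answer the question above on Linux, as an added example that is not from the thread, from OpenVPN, or from the poster: a POSIX shell `--up` script that finds the UDP socket of the parent openvpn process in /proc and logs its local port, so a later instance can be pinned to it with `--lport`. Assumptions not stated in the thread: Linux with /proc; openvpn executes the script directly (with `script-security 2` or higher), so `$PPID` is the openvpn PID; the script runs before any `--user`/`--group` privilege drop, so `/proc/$PPID/fd` is readable; and the log path `/var/log/openvpn-lports.log` is a hypothetical choice. The `SAMPLE_PROC_NET_UDP` lines are constructed for the self-check, not captured from a real system.

```shell
#!/bin/sh
# Added example (not OpenVPN's code): locate the random local UDP port of the
# openvpn process that runs this --up script. With "nobind" no environment
# variable passed to --up carries it, so the socket is looked up in /proc.
#
# Assumptions: Linux; openvpn exec's the script itself, so $PPID is its PID;
# the script runs before a --user/--group privilege drop, so /proc/$PPID/fd is
# readable; the log path at the bottom is hypothetical.

# port_from_proc_udp INODE: read /proc/net/udp (or udp6) formatted lines from
# stdin and print the decimal local port of the socket with that inode.
# Field 2 is local_address as HEXIP:HEXPORT, field 10 is the inode; IPv6
# entries have a longer hex address but the same column layout.
port_from_proc_udp() {
    hexport=$(awk -v inode="$1" 'NR > 1 && $10 == inode {
        split($2, a, ":"); print a[2]; exit }')
    if [ -n "$hexport" ]; then
        echo $((0x$hexport))
    fi
    return 0
}

# socket_inodes PID: inode numbers of every socket file descriptor held by PID.
socket_inodes() {
    for fd in /proc/"$1"/fd/*; do
        readlink "$fd" 2>/dev/null
    done | sed -n 's/^socket:\[\([0-9]*\)\]$/\1/p'
}

# udp_local_ports PID: local port of each UDP socket (v4 and v6) held by PID.
# A plain client has exactly one, the one "nobind" let the kernel choose.
udp_local_ports() {
    for inode in $(socket_inodes "$1"); do
        for table in /proc/net/udp /proc/net/udp6; do
            [ -r "$table" ] && port_from_proc_udp "$inode" < "$table"
        done
    done
}

# Constructed sample of /proc/net/udp (not a real capture) for a self-check:
# inode 31337 is bound to 192.168.0.5:51242 (0500A8C0:C82A), inode 99999 to :53.
SAMPLE_PROC_NET_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   42: 0500A8C0:C82A 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 31337 2 0000000000000000 0
   43: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 99999 2 0000000000000000 0'

# sample_port INODE: run the parser over the constructed sample.
sample_port() {
    printf '%s\n' "$SAMPLE_PROC_NET_UDP" | port_from_proc_udp "$1"
}

# When openvpn invokes us as the --up script, record the port next to the tun
# device name so a later instance can be started with "--lport <port>".
if [ "${script_type:-}" = "up" ]; then
    port=$(udp_local_ports "$PPID" | head -n 1)
    echo "$(date +%s) dev=${dev:-?} local_port=${port:-unknown}" >> /var/log/openvpn-lports.log
fi
```

Where iproute2 is available, `ss -unap | grep "pid=$PPID,"` run from the same script shows the same socket with its local address and port, which is a quick way to cross-check the /proc parsing. Note that a port pinned this way with `--lport` is only free to reuse once the earlier instance holding it has exited; two live instances cannot share it.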
4. Apr 2017 16:44 by chipits...@gmail.com:
>
>
> 2017-04-04 19:09 GMT+05:00 saato...@keemail.me:
>
>> Hello!
>>
>> I'll have to look into the topology topic. But it
>> seems reasonable to me to print a warning about the net30 topology.
>> The explicit-exit-notify is a very good point! I missed that in my client
>> configuration. It appears to be working, if I start one process after the
>> other. However, during my tests I start multiple OpenVPN instances on the
>> client at the same time.
>> I add `nobind` to the client config to make this
>> possible and the IP pool exhaustion situation does not change with the
>> explicit-exit-notify.
>
> nobind is also an option which should take more attention, I think.
> You got it wrong, it will not help to prevent "IP pool exhaustion", however it
> is useful from many points of view.
>
> By default, the openvpn client binds to 1194, so you cannot connect to several
> openvpn destinations.
> It is due to the dual nature of openvpn, it is client and server at the same
> time, even the same code base.
>
> I think, we can consider either warning about binding or add "nobind" when
> client profile is used.
>
> It is a very common situation to forget to add "nobind" to the client config.
> Thanks for bringing that to attention!
>
>
>>
>> How else could I tackle this issue?
>>
>> 4. Apr 2017 12:59 by janj...@nikhef.nl:
>>
>>
>>> Hi,
>>>
>>> On 04/04/17 11:39, saato...@keemail.me wrote:
>>>
>>>> I'm performing a number of tests with OpenVPN, where amongst
>>>> other things, I connect and disconnect with the same client
>>>> certificate and slightly different client config settings over and
>>>> over (>75 times, within a short time).
>>>>
>>>> I realised that I exhaust my server's IP pool pretty
>>>> quickly. Even waiting for >10 minutes before exhausting the IP pool
>>>> doesn't seem to help.
>>>>
>>>
>>> as others have stated, using "topology subnet" would help.
>>> However, I also noticed that you're using "proto udp" in which case
>>> the server does not 'realize' that a client has gone until a certain
>>> timeout has expired. You can add the flag
>>> explicit-exit-notify 3
>>> to the client config to ensure that each client "signs out" when the
>>> connection is terminated. This will most likely solve your exhaustion
>>> problem.
>>>
>>> HTH,
>>>
>>> JJK
>>>
>>>
>>>> The goal is to find a way to prevent this from the client
>>>> side. I do not want to amend the server configuration if
>>>> possible.
>>>>
>>>> The server configuration is pretty simple:
>>>>
>>>> port 443
>>>> proto udp
>>>> dev tun
>>>> server 172.16.0.0 255.255.255.0
>>>> ca /etc/openvpn/server/ca.crt
>>>> cert /etc/openvpn/server/stretch-server.crt
>>>> key /etc/openvpn/server/stretch-server.key
>>>> dh /etc/openvpn/server/dh4096.pem
>>>> tls-crypt /etc/openvpn/server/static.key
>>>> tls-version-min 1.2
>>>> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
>>>> cipher AES-256-CBC
>>>> auth SHA512
>>>> verb 3
>>>> log-append /etc/openvpn/server/log/stretch-server.log
>>>> comp-lzo
>>>> duplicate-cn
>>>> ncp-disable
>>>>
>>>> ------
>>>>
>>>> For every new connection to the VPN the client
>>>> makes, the server hands out a new IP address. Is there some way to
>>>> re-use IP addresses on the client?
>>>>
>>>> I know that it would be possible to reserve an IP
>>>> for the client on the server, but that would make it highly
>>>> static.
>>>>
>>>
>>>
>>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users