I was able to confirm my suspicion: if I reuse the random ports (which OpenVPN
chose with `nobind`) via `lport`, I'm reassigned the previous IP addresses.
This effectively resolves the IP pool exhaustion.
However, I still haven't found a way to identify the port of the OpenVPN client
process. I want to automate the process and would love to have an environment
variable with the port when using `nobind`. Unfortunately the variable
"local_port" is not set with `nobind`.
How can I identify the port OpenVPN is binding to using environment
variables/scripting?
Kind regards,
SaAtomic
5. Apr 2017 10:49 by saato...@keemail.me:
> It seems to me that without `nobind`, I obviously re-use the same local port
> on the client, which is reassigned the same IP address (if I include the
> explicit-exit-notify).
> This does not work with `nobind` and I believe that
> has to do with the random port for each OpenVPN process. Now, my idea was to
> "re-use" a fixed number of random ports.
> For instance I start OpenVPN with `nobind` and log the random local port.
> After I have four random ports, any further instance of OpenVPN is started
> with one of these four local ports (--lport).
> I hope to avoid the IP pool exhaustion like this, without modifying the
> server configuration.
> However my problem is that I can't identify the local port on the client
> with `nobind`. I couldn't identify any environment variable on `--up`
> holding information about the local port on the client.
> How could I identify the random local port when using `nobind`?
> Thank you and kind regards,
> SaAtomic
>
> 4. Apr 2017 16:44 by chipits...@gmail.com:
>
>> 2017-04-04 19:09 GMT+05:00 <saato...@keemail.me>:
>>
>>> Hello!
>>> I'll have to look into the topology topic. But it seems reasonable to me
>>> to print a warning about the net30 topology.
>>> The explicit-exit-notify is a very good point! I missed that in my client
>>> configuration. It appears to be working if I start one process after the
>>> other. However, during my tests I start multiple OpenVPN instances on the
>>> client at the same time.
>>> I add `nobind` to the client config to make this possible and the IP pool
>>> exhaustion situation does not change with the explicit-exit-notify.
>>
>> nobind is also an option which should get more attention, I think.
>> You got it wrong, it will not help to prevent "IP pool exhaustion", however
>> it is useful from many points of view.
>>
>> By default, the openvpn client binds to 1194, so you cannot connect to several
>> openvpn destinations.
>> It is due to the dual nature of openvpn: it is client and server at the same
>> time, even the same code base.
>>
>> I think we can consider either warning about binding or adding "nobind" when
>> a client profile is used.
>>
>> It is a very common situation to forget to add "nobind" to a client config. Thanks
>> for bringing that to attention!
>>
>>
>>>
>>> How else could I tackle this issue?
>>>
>>> 4. Apr 2017 12:59 by janj...@nikhef.nl:
>>>
>>>> Hi,
>>>>
>>>> On 04/04/17 11:39, saato...@keemail.me wrote:
>>>>
>>>>> I'm performing a number of tests with OpenVPN, where amongst
>>>>> other things, I connect and disconnect with the same client
>>>>> certificate and slightly different client config settings over and
>>>>> over (>75 times, within a short time).
>>>>>
>>>>> I realised that I exhaust my server's IP pool
>>>>> pretty quickly. Even waiting for >10 minutes before exhausting the
>>>>> IP pool doesn't seem to help.
>>>>>
>>>>
>>>> as others have stated, using "topology subnet" would help.
>>>> However, I also noticed that you're using "proto udp" in which case
>>>> the server does not 'realize' that a client has gone until a certain
>>>> timeout has expired. You can add the flag
>>>> explicit-exit-notify 3
>>>> to the client config to ensure that each client "signs out" when the
>>>> connection is terminated. This will most likely solve your exhaustion
>>>> problem.
>>>>
>>>> HTH,
>>>>
>>>> JJK
>>>>
>>>>
>>>>> The goal is to find a way to prevent this from the client
>>>>> side. I do not want to amend the server configuration if
>>>>> possible.
>>>>>
>>>>> The server configuration is pretty simple:
>>>>>
>>>>> port 443
>>>>> proto udp
>>>>> dev tun
>>>>> server 172.16.0.0 255.255.255.0
>>>>> ca /etc/openvpn/server/ca.crt
>>>>> cert /etc/openvpn/server/stretch-server.crt
>>>>> key /etc/openvpn/server/stretch-server.key
>>>>> dh /etc/openvpn/server/dh4096.pem
>>>>> tls-crypt /etc/openvpn/server/static.key
>>>>> tls-version-min 1.2
>>>>> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
>>>>> cipher AES-256-CBC
>>>>> auth SHA512
>>>>> verb 3
>>>>> log-append /etc/openvpn/server/log/stretch-server.log
>>>>> comp-lzo
>>>>> duplicate-cn
>>>>> ncp-disable
>>>>>
>>>>> ------
>>>>>
>>>>> For every new connection to the VPN the client
>>>>> makes, the server hands out a new IP address. Is there some way to
>>>>> re-use IP addresses on the client?
>>>>>
>>>>> I know that it would be possible to reserve an IP
>>>>> for the client on the server, but that would make it highly
>>>>> static.
>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Openvpn-users mailing list
>>> Openvpn-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
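The open question at the top of this thread is how an `--up` script can learn the local port of an OpenVPN client started with `nobind`, given that OpenVPN does not export `local_port` in that case, so that a fixed set of ports can later be handed back via `--lport`. On Linux the port can be read from `/proc` instead of from an environment variable. The script below is an added example written for this edit; it is not code from the thread or from the OpenVPN project. It assumes Linux, that the `--up` script's parent process (`$PPID`) is the OpenVPN client that bound the UDP socket (OpenVPN forks and execs `--up` scripts, and the socket is already bound by the time `--up` runs), that the script is permitted by `script-security 2`, and that it runs with enough privilege to read `/proc/<pid>/fd` of the OpenVPN process. The pool file path `/var/run/openvpn-ports`, the `PORT_POOL` variable and the limit of four ports are local choices, and the `/proc/net/udp` lines in `UDP_SAMPLE` are constructed for the stand-alone self-check.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN): find the local UDP port of
# an OpenVPN client started with `nobind` from its --up script, and keep a
# small pool of such ports for later instances to reuse with --lport.
# Assumes Linux /proc and that $PPID is the OpenVPN process that ran us.
# Requires "script-security 2" in the client config.

# udp_port_for_inodes INODES UDPTABLE
#   INODES:   space-separated socket inode numbers owned by a process
#   UDPTABLE: text of /proc/net/udp or /proc/net/udp6 (field 2 is
#             hexIP:hexPORT, field 10 is the socket inode)
#   Prints the decimal local port of the first socket listed in INODES.
udp_port_for_inodes() {
    printf '%s\n' "$2" | awk -v want=" $1 " '
        function hex2dec(h,  i, d) {
            d = 0; h = toupper(h)
            for (i = 1; i <= length(h); i++)
                d = d * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return d
        }
        NR > 1 && index(want, " " $10 " ") {
            split($2, a, ":"); print hex2dec(a[2]); exit
        }'
}

# socket_inodes PID: the socket inodes PID holds open (Linux only).
socket_inodes() {
    for fd in /proc/"$1"/fd/*; do
        readlink "$fd" 2>/dev/null
    done | sed -n 's/^socket:\[\([0-9]*\)\]$/\1/p' | tr '\n' ' '
}

# openvpn_local_port PID: the UDP port PID is bound to, checking v4 then v6.
openvpn_local_port() {
    inodes=$(socket_inodes "$1")
    [ -n "$inodes" ] || return 1
    port=$(udp_port_for_inodes "$inodes" "$(cat /proc/net/udp 2>/dev/null)")
    [ -n "$port" ] || port=$(udp_port_for_inodes "$inodes" "$(cat /proc/net/udp6 2>/dev/null)")
    [ -n "$port" ] && printf '%s\n' "$port"
}

# record_port FILE PORT MAX: remember PORT in FILE unless it is already known
# or FILE already holds MAX ports (the "four random ports" idea above).
record_port() {
    touch "$1"
    grep -qx "$2" "$1" && return 0
    [ "$(awk 'END { print NR }' "$1")" -lt "$3" ] || return 1
    printf '%s\n' "$2" >> "$1"
}

# free_pool_port FILE UDPTABLE: the first recorded port that no UDP socket on
# this host currently has bound, suitable for "--lport PORT".  Remove `nobind`
# from the config of the instance that gets --lport; OpenVPN rejects the pair.
free_pool_port() {
    bound="$(printf '%s\n' "$2" | awk 'NR > 1 { split($2, a, ":"); printf " %s", toupper(a[2]) }') "
    while read -r p; do
        hex=$(printf '%04X' "$p")
        case "$bound" in
            *" $hex "*) ;;
            *) printf '%s\n' "$p"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# Constructed /proc/net/udp sample for a stand-alone check: inode 98765 is a
# socket bound to 10.0.0.2:50595 (0xC5A3) and connected to 192.168.0.1:443;
# inode 12345 is an unrelated resolver socket on port 53.
UDP_SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   42: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
  311: 0A000002:C5A3 C0A80001:01BB 01 00000000:00000000 00:00000000 00000000     0        0 98765 2 0000000000000000 0'

# Entry point when OpenVPN runs this as "--up /path/to/this.sh": OpenVPN sets
# script_type=up in the environment.  Bookkeeping must never fail the tunnel.
if [ "${script_type:-}" = "up" ]; then
    pool="${PORT_POOL:-/var/run/openvpn-ports}"   # hypothetical location
    if port=$(openvpn_local_port "$PPID"); then
        echo "openvpn pid $PPID bound local UDP port $port" >&2
        record_port "$pool" "$port" 4 || true
    else
        echo "could not determine local port of pid $PPID" >&2
    fi
fi
```

A launcher that wants one of the recorded ports would source this file and run something like `port=$(free_pool_port /var/run/openvpn-ports "$(cat /proc/net/udp)") && openvpn --config client.ovpn --lport "$port"`, with `nobind` removed from that instance's config. The check against the live UDP table matters when several instances start at the same time, as in the tests described above: two of them must not be handed the same pool port, or the second bind fails.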