Discussion:
[Openvpn-users] ifconfig-pool-persist does not appear to be working in 2.0 rc 11
Jim Drash
2005-02-09 16:22:34 UTC
ifconfig-pool-persist does not appear to be working in 2.0 rc 11. The
file is always empty, owned by root and chmod 600 (running on
a Linux 2.6.x machine). This worked at rc 9.
Charles Duffy
2005-02-09 16:47:34 UTC
Post by Jim Drash
ifconfig-pool-persist does not appear to be working in 2.0 rc 11. The
file is always empty, owned by root and chmod 600 (running on
a Linux 2.6.x machine).
I take it your OpenVPN instance is running as a different user?

What happens if you chown the file to that user?
Jim Drash
2005-02-09 17:32:21 UTC
No change
Post by Charles Duffy
Post by Jim Drash
ifconfig-pool-persist does not appear to be working in 2.0 rc 11. The
file is always empty, owned by root and chmod 600 (running on
a Linux 2.6.x machine).
I take it your OpenVPN instance is running as a different user?
What happens if you chown the file to that user?
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Charles Duffy
2005-02-09 20:03:35 UTC
Post by Jim Drash
No change
You didn't answer one of my (implied) questions: Is your OpenVPN running
as a different user (using the "user" or "group" directives)?

Mind posting your config file?

Does it start working again if you downgrade to rc9 without changing
anything else?


BTW, please don't top-quote -- and whether you top-quote or not, trim your
posts! There's no excuse for using a 31-line email to send one line of
text.
Charles Duffy
2005-02-09 20:10:33 UTC
Post by Charles Duffy
BTW, please don't top-quote
Erm -- I meant top-post, of course.
Jim Drash
2005-02-10 14:15:45 UTC
My Server Config file:

dev tun

server 192.168.158.0 255.255.255.0

ifconfig-pool-persist ipp.txt

proto tcp-server

tls-server
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key

comp-lzo

persist-tun
persist-key

push "route 192.168.58.0 255.255.255.0"

client-to-client
duplicate-cn

keepalive 10 120

verb 3
Mathias Sundman
2005-02-10 14:27:32 UTC
Post by Jim Drash
dev tun
server 192.168.158.0 255.255.255.0
ifconfig-pool-persist ipp.txt
...
You are not specifying how often the file should be updated, meaning the
file will only be updated every 10 minutes, or if openvpn is closed
cleanly. What if you specify a low value like:

ifconfig-pool-persist ipp.txt 10
--
_____________________________________________________________
Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://openvpn.se / \ NO Word docs in e-mail
Jim Drash
2005-02-10 14:36:42 UTC
I set it to 10 seconds and still it is a zero-length file.
James Yonan
2005-02-10 17:14:02 UTC
Post by Jim Drash
dev tun
server 192.168.158.0 255.255.255.0
ifconfig-pool-persist ipp.txt
proto tcp-server
tls-server
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
comp-lzo
persist-tun
persist-key
push "route 192.168.58.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
verb 3
I think I see the problem here. You are using duplicate-cn with
ifconfig-pool-persist. These options don't really make sense when used
together because:

(a) duplicate-cn tells OpenVPN to ignore client common names for client
indexing purposes, and

(b) ifconfig-pool-persist tells OpenVPN to remember IP addresses
distributed to clients according to their common name.

So the net effect of combining these options is that the code which writes
out the ifconfig-pool-persist file sees a table of allocated IP
addresses but null common names. Because the common names are null, no
lines are written to the file.

The solution is to give each client its own cert/key and common name, and
then drop the duplicate-cn directive.

I'll also add a note to myself to throw an error if duplicate-cn and
ifconfig-pool-persist are used together, since I can't see any way that
their combined usage makes sense.

James
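The two points made in this thread (the persist file is keyed by common name, so duplicate-cn leaves nothing to write; and without a second argument the file is only flushed every 600 seconds or on clean exit) can be checked mechanically. The following is an added example written for this page, not code from OpenVPN or from anyone in the thread: a small Python linter for a server config plus a model of the ipp.txt writer/reader. The config parser is a simplified one-directive-per-line reader (no inline files or --config includes), the conflicting config is Jim Drash's as posted, and the "fixed" variant is constructed here by applying James Yonan's advice and Mathias Sundman's 10-second interval.

```python
"""Lint an OpenVPN server config for the duplicate-cn / ifconfig-pool-persist
conflict, and model how the pool-persist file (ipp.txt) is written and read.
Added example for this thread; not OpenVPN's own code."""
import shlex

# Jim Drash's server config as posted in the thread (the conflicting pair is
# "ifconfig-pool-persist ipp.txt" together with "duplicate-cn").
CONFLICTING_CONFIG = """\
dev tun
server 192.168.158.0 255.255.255.0
ifconfig-pool-persist ipp.txt
proto tcp-server
tls-server
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
comp-lzo
persist-tun
persist-key
push "route 192.168.58.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
verb 3
"""

# Constructed "fixed" config: duplicate-cn dropped (each client then needs its
# own cert/key and common name) and a 10-second refresh interval added.
FIXED_CONFIG = CONFLICTING_CONFIG.replace("duplicate-cn\n", "").replace(
    "ifconfig-pool-persist ipp.txt", "ifconfig-pool-persist ipp.txt 10")

DEFAULT_PERSIST_SECONDS = 600  # OpenVPN's documented default refresh interval


def parse_config(text):
    """Parse a one-directive-per-line OpenVPN config into {name: [args, ...]}.
    Lines starting with '#' or ';' are comments; quoted arguments stay whole.
    Repeated directives (e.g. several push lines) keep one arg list each."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint_pool_persist(text):
    """Return a list of findings about ifconfig-pool-persist in the config."""
    cfg = parse_config(text)
    findings = []
    if "ifconfig-pool-persist" not in cfg:
        return findings
    args = cfg["ifconfig-pool-persist"][0]
    if "duplicate-cn" in cfg:
        findings.append(
            "duplicate-cn and ifconfig-pool-persist are both set: the persist file "
            "is keyed by client common name, which duplicate-cn ignores, so it "
            "stays empty")
    if len(args) < 2:
        findings.append(
            f"no refresh interval given for {args[0]}: the file is only written "
            f"every {DEFAULT_PERSIST_SECONDS}s or on clean shutdown")
    return findings


def write_pool_persist(allocations):
    """Model of the persist-file writer as described in the thread: one 'CN,IP'
    line per allocated address; entries with a null common name are skipped."""
    lines = [f"{cn},{ip}" for cn, ip in allocations if cn]
    return "".join(line + "\n" for line in lines)


def read_pool_persist(text):
    """Parse an ipp.txt back into {common_name: ip}, ignoring blank lines."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cn, ip = line.split(",", 1)
        table[cn] = ip
    return table


if __name__ == "__main__":
    for name, text in (("original", CONFLICTING_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", lint_pool_persist(text) or "ok")
    # Under duplicate-cn every allocation carries a null CN: nothing is written.
    print(repr(write_pool_persist([("", "10.8.0.4"), ("", "10.8.0.6")])))
    # With per-client certificates each allocation has a CN and is persisted.
    print(write_pool_persist([("Test-Client", "10.8.0.4"), ("laptop", "10.8.0.6")]), end="")
```

Running it against the posted config reports both findings; against the fixed config it reports none, and the writer model shows why the zero-byte file appears: an allocation table with null common names produces no lines at all.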
Jim Drash
2005-02-10 17:59:03 UTC
Post by James Yonan
(b) ifconfig-pool-persist tells OpenVPN to remember IP addresses
distributed to clients according to their common name.
The solution is to give each client its own cert/key and common name, and
then drop the duplicate-cn directive.
That was it. Here's a thought: might it make sense to include the
"real" IP address of the remote box in the ipp file? Then duplicate-cn
could work:

remote.mydomain.com, 1.2.3.4, 10.0.1.4
remote.mydomain.com, 5.6.7.8, 10.0.1.8

Just a thought
Mathias Sundman
2005-02-10 19:11:29 UTC
Post by Jim Drash
Post by James Yonan
(b) ifconfig-pool-persist tells OpenVPN to remember IP addresses
distributed to clients according to their common name.
The solution is to give each client its own cert/key and common name, and
then drop the duplicate-cn directive.
That was it. Here's a thought: might it make sense to include the
"real" IP address of the remote box in the ipp file? Then duplicate-cn
remote.mydomain.com, 1.2.3.4, 10.0.1.4
remote.mydomain.com, 5.6.7.8, 10.0.1.8
No, multiple clients could be connecting from behind the same NAT device.
James Yonan
2005-02-10 04:29:01 UTC
Post by Jim Drash
ifconfig-pool-persist does not appear to be working in 2.0 rc 11. The
file is always empty, owned by root and chmod 600 (running on
a Linux 2.6.x machine). This worked at rc 9.
I just tested on rc12 and it seems to be working fine. I started out with
no ifconfig-pool-persist file, added "ifconfig-pool-persist ipp.txt" to
config file, ran openvpn in server mode, connected with a client, exited
the server, and found this file:

ai:~/openvpn/20/openvpn # cat ipp.txt
Test-Client,10.8.0.4

Could you be more specific as to how it is failing?

James
Jim Drash
2005-02-10 11:39:01 UTC
The file exists but is a zero-byte length file.