[Openvpn-users] IP pool exhaustion issue
s***@keemail.me
2017-04-04 09:39:37 UTC
I'm performing a number of tests with OpenVPN, where amongst other things, I connect and disconnect with the same client certificate and slightly different client config settings over and over (>75 times, within a short time).
I realised that I exhaust my server's IP pool pretty quickly. Even waiting for >10 minutes before exhausting the IP pool doesn't seem to help.
The goal is to find a way to prevent this from the client side. I do not want to amend the server configuration if possible.
The server configuration is pretty simple:
port 443
proto udp
dev tun
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/stretch-server.crt
key /etc/openvpn/server/stretch-server.key
dh /etc/openvpn/server/dh4096.pem
tls-crypt /etc/openvpn/server/static.key
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512
verb 3
log-append /etc/openvpn/server/log/stretch-server.log
comp-lzo
duplicate-cn
ncp-disable

------
For every new connection to the VPN the client makes, the server hands out a new IP address. Is there some way to re-use IP addresses on the client?
I know that it would be possible to reserve an IP for the client on the server, but that would make it highly static.
Илья Шипицин
2017-04-04 09:50:34 UTC
hello,

you did not use "topology", so, I guess "net30" is used by default.
if so, you spend 4 addresses per connection.

if you are not using too old clients (I guess, released 10 years ago), you
can switch to "topology subnet"
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
David Sommerseth
2017-04-04 10:34:17 UTC
Post by Илья Шипицин
hello,
you did not use "topology", so, I guess "net30" is used by default.
if so, you spent 4 addresses per connection.
Yes --topology net30 is the default. Unfortunately, we cannot easily
change that without breaking many setups.
Post by Илья Шипицин
if you are not using too old clients (I guess, released 10 years ago),
you can switch to "topology subnet"
Any OpenVPN version as of 2.1 and newer supports --topology subnet. And
if you are using anything older than v2.3, you should upgrade ASAP
regardless.


--
kind regards,

David Sommerseth
Илья Шипицин
2017-04-04 10:41:44 UTC
2017-04-04 15:34 GMT+05:00 David Sommerseth <
Post by David Sommerseth
Post by Илья Шипицин
hello,
you did not use "topology", so, I guess "net30" is used by default.
if so, you spent 4 addresses per connection.
Yes --topology net30 is the default. Unfortunately, we cannot easily
change that without breaking many setups.
unfortunately, there's a caveat: people use the default setting and get
only 25% of the expected pool size.
maybe we should mark "net30" as deprecated and give a warning.
Post by David Sommerseth
Post by Илья Шипицин
if you are not using too old clients (I guess, released 10 years ago),
you can switch to "topology subnet"
Any OpenVPN version as of 2.1 and newer supports --topology subnet. And
if you are using anything older than v2.3, you should upgrade ASAP
regardless.
--
kind regards,
David Sommerseth
Kapetanakis Giannis
2017-04-06 13:28:10 UTC
Post by David Sommerseth
Post by Илья Шипицин
hello,
you did not use "topology", so, I guess "net30" is used by default.
if so, you spent 4 addresses per connection.
Yes --topology net30 is the default. Unfortunately, we cannot easily
change that without breaking many setups.
Post by Илья Шипицин
if you are not using too old clients (I guess, released 10 years ago),
you can switch to "topology subnet"
Without wanting to hijack this thread,

If someone uses the default net30 and wants to migrate to subnet topology
would there be conflicts with the following setup:

server 10.0.0.0 255.255.255.0 (dynamic assignments)
and ccds like:
ifconfig-push 10.0.10.1 255.255.255.0 (static assignments)

This kind of "different subnetting" works ok with net30. Will it still work with subnet?
How would clients reach the server, since now you don't have local and remote in --ifconfig-push?

thanks

G
Jan Just Keijser
2017-04-06 13:59:27 UTC
Post by Kapetanakis Giannis
Without wanting to hijack this thread,
well, you are... hence I've changed the subject
Post by Kapetanakis Giannis
If someone uses the default net30 and wants to migrate to subnet topology
server 10.0.0.0 255.255.255.0 (dynamic assignments)
ifconfig-push 10.0.10.1 255.255.255.0 (static assignments)
This kind of "different subnetting" works ok with net30. Will it still work with subnet?
How would clients reach server, since now you don't have local remote in --ifconfig-push
you can make this kind of networking work in 'topology subnet' also, but
there might be some caveats.
According to the OpenVPN man page, the statement
server 10.0.0.0 255.255.255.0
is expanded to
mode server
tls-server
ifconfig 10.0.0.1 255.255.255.0
ifconfig-pool 10.0.0.2 10.0.0.254 255.255.255.0
push "route-gateway 10.0.0.1"

so each client will be told that the gateway to send packets to is
10.0.0.1; now you're adding a client outside of the regular
ifconfig-pool: that is perfectly OK, but you then need to tell the
*SERVER* that packets coming from 10.0.10.1/24 are OK: it might actually
be quicker to widen the subnet mask on the server tun adapter to
something that includes 10.0.10 also - but this applies in both net30
and subnet mode, so how are you covering this now?

Of course, an example like this is covered in my OpenVPN cookbook ;)

HTH,

JJK
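To make Ilya's "4 addresses per connection" and JJK's man-page expansion of the server directive concrete, here is an added Python calculator (my code, not from the thread or from OpenVPN) that expands `server NETWORK NETMASK` under both topologies and counts the client leases each pool holds. The subnet branch follows the expansion JJK quotes; the net30 branch generalises the man page's 10.8.0.0/24 example (ifconfig .1 .2, pool .4 to .251) as pool start = network + 4, pool end = broadcast - 4, one /30 per client, which is my reading of OpenVPN's helper code and is an assumption here.

```python
import ipaddress


def expand_server(network: str, netmask: str, topology: str = "net30") -> dict:
    """Expand an OpenVPN `server NETWORK NETMASK` directive for a tun device.

    Returns the derived directives and the number of client leases the pool
    holds. The subnet branch is the man-page expansion quoted in the thread;
    the net30 sizing (start = network + 4, end = broadcast - 4, one /30 per
    client) is my reading of OpenVPN's helper code, not text from the thread.
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    bcast = int(net.broadcast_address)
    gw = ipaddress.IPv4Address(base + 1)  # server's tun address in both topologies
    directives = ["mode server", "tls-server"]

    if topology == "net30":
        # Server occupies the first /30 (.1 local, .2 remote); every client
        # gets its own /30, so the pool holds a quarter of the address range.
        pool_start, pool_end = base + 4, bcast - 4
        # Number of whole /30 blocks between start and end (end rounded up to
        # the block boundary before dividing).
        clients = (((pool_end | 3) + 1) - (pool_start & ~3)) >> 2
        directives += [
            f"ifconfig {gw} {ipaddress.IPv4Address(base + 2)}",
            f"ifconfig-pool {ipaddress.IPv4Address(pool_start)} "
            f"{ipaddress.IPv4Address(pool_end)}",
            f"route {net.network_address} {net.netmask}",
            f'push "route {gw}"',
        ]
    elif topology == "subnet":
        # Every address except network, server (.1) and broadcast is a lease.
        pool_start, pool_end = base + 2, bcast - 1
        clients = pool_end - pool_start + 1
        directives += [
            f"ifconfig {gw} {net.netmask}",
            f"ifconfig-pool {ipaddress.IPv4Address(pool_start)} "
            f"{ipaddress.IPv4Address(pool_end)} {net.netmask}",
            f'push "route-gateway {gw}"',
        ]
    else:
        raise ValueError(f"unsupported topology: {topology}")

    return {"directives": directives, "clients": clients}


def pool_survives(network: str, netmask: str, topology: str, live_sessions: int) -> bool:
    """True if `live_sessions` simultaneously held leases fit in the pool.

    A UDP client that disconnects without explicit-exit-notify keeps its lease
    until the server's timeout expires, so each reconnect in the thread's test
    loop counts as one more live session until then.
    """
    return live_sessions <= expand_server(network, netmask, topology)["clients"]


if __name__ == "__main__":
    for topo in ("net30", "subnet"):
        info = expand_server("172.16.0.0", "255.255.255.0", topo)
        print(f"--- topology {topo}: {info['clients']} client leases")
        print("\n".join(info["directives"]))
    # The thread's >75 rapid reconnects, all leases still held by the server:
    for topo in ("net30", "subnet"):
        ok = pool_survives("172.16.0.0", "255.255.255.0", topo, 75)
        print(f"75 stale leases fit in a {topo} /24: {ok}")
```

For the poster's 172.16.0.0/24 this gives 62 net30 leases against 253 with topology subnet, which is the roughly 25% Ilya mentions. For JJK's 255.255.254.0 it gives 126 rather than a round 128 because the server's own /30 and the top /30 of the range are not part of the pool.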
Kapetanakis Giannis
2017-04-06 16:05:11 UTC
Post by Jan Just Keijser
Post by Kapetanakis Giannis
Without wanting to hijack this thread,
well, you are... hence I've changed the subject
Post by Kapetanakis Giannis
If someone uses the default net30 and wants to migrate to subnet topology
server 10.0.0.0 255.255.255.0 (dynamic assignments)
ifconfig-push 10.0.10.1 255.255.255.0 (static assignments)
This kind of "different subnetting" works ok with net30. Will it still work with subnet?
How would clients reach server, since now you don't have local remote in --ifconfig-push
you can make this kind of networking work in 'topology subnet' also,
but there might be some caveats.
According to the OpenVPN man page, the statement
server 10.0.0.0 255.255.255.0
is expanded to
mode server
tls-server
ifconfig 10.0.0.1 255.255.255.0
ifconfig-pool 10.0.0.2 10.0.0.254 255.255.255.0
push "route-gateway 10.0.0.1"
so each client will be told that the gateway to send packets to is
10.0.0.1; now you're adding a client outside of the regular
ifconfig-pool: that is perfectly OK, but you then need to tell the
*SERVER* that packets coming from 10.0.10.1/24 are OK: it might
actually be quicker to widen the subnet mask on the server tun adapter
to something that includes 10.0.10 also - but this applies in both
net30 and subnet mode, so how are you covering this now?
Of course, an example like this is covered in my OpenVPN cookbook ;)
HTH,
JJK
I don't want to widen the /24 base network because like this dynamic
clients might get IPs from my static net blocks.

In net30 now I also have
route 10.0.0.0 255.255.0.0

which does the job

G
Kapetanakis Giannis
2017-04-07 10:22:07 UTC
Post by Jan Just Keijser
so each client will be told that the gateway to send packets to is
10.0.0.1; now you're adding a client outside of the regular
ifconfig-pool: that is perfectly OK, but you then need to tell the
*SERVER* that packets coming from 10.0.10.1/24 are OK: it might
actually be quicker to widen the subnet mask on the server tun adapter
to something that includes 10.0.10 also - but this applies in both
net30 and subnet mode, so how are you covering this now?
Of course, an example like this is covered in my OpenVPN cookbook ;)
HTH,
JJK
I've tried your cookbook example "Using an ifconfig-pool block"
but it didn't work

However, just for the record, the following did work

topology subnet
server 10.0.0.0 255.255.0.0 'nopool'
ifconfig-pool 10.0.0.10 10.0.0.250

The above also works with IPv6; otherwise I had trouble...

ifconfig-ipv6 2001:xxxx:xxxx:xxxA::1/64 2001:xxxx:xxxx:xxxA::1
ifconfig-ipv6-pool 2001:xxxx:xxxx:xxxA::A/64
tun-ipv6
push "tun-ipv6"

client also gets the following
push "redirect-gateway def1"
push "route-ipv6 2000::/3"

G

Jan Just Keijser
2017-04-04 10:59:08 UTC
Hi,
Post by s***@keemail.me
I'm performing a number of tests with OpenVPN, where amongst other
things, I connect and disconnect with the same client certificate and
slightly different client config settings over and over (>75 times,
withing a short time).
I realised that I exhaust my servers IP pool pretty quickly. Even
waiting for >10 minutes before exhausting the IP pool doesn't seem to
help.
as others have stated, using "topology subnet" would help.
However, I also noticed that you're using "proto udp" in which case the
server does not 'realize' that a client has gone until a certain timeout
has expired. You can add the flag
explicit-exit-notify 3
to the client config to ensure that each client "signs out" when the
connection is terminated. This will most likely solve your exhaustion
problem.

HTH,

JJK
s***@keemail.me
2017-04-04 14:09:32 UTC
Hello!
I'll have to look into the topology topic. But it seems reasonable to me, to print a warning about the net30 topology.
The explicit-exit-notify is a very good point! I missed that in my client configuration. It appears to be working, if I start one process after the other. However, during my tests I start multiple OpenVPN instances on the client at the same time.
I add `nobind` to the client config to make this possible and the IP pool exhaustion situation does not change with the explicit-exit-notify.
How else could I tackle this issue?
Selva Nair
2017-04-04 14:26:30 UTC
Post by s***@keemail.me
Hello!
I'll have to look into the topology topic. But it seems reasonable to me,
to print a warning about the net30 topology.
The explicit-exit-notify is a very good point! I missed that in my client
configuration. It appears to be working, if I start one process after the
other. However, during my tests I start multiple OpenVPN instances on the
client at the same time.
I add `nobind` to the client config to make this possible and the IP pool
exhaustion situation does not change with the explicit-exit-notify.
How else could I tackle this issue?
If you can edit server config you could use "--ifconfig-pool-persist file"
to assign the same IP to the same client (common name).

Selva
Илья Шипицин
2017-04-04 14:44:08 UTC
Post by s***@keemail.me
Hello!
I'll have to look into the topology topic. But it seems reasonable to me,
to print a warning about the net30 topology.
The explicit-exit-notify is a very good point! I missed that in my client
configuration. It appears to be working, if I start one process after the
other. However, during my tests I start multiple OpenVPN instances on the
client at the same time.
I add `nobind` to the client config to make this possible and the IP pool
exhaustion situation does not change with the explicit-exit-notify.
nobind is also an option which should get more attention, I think.
you got it wrong, it will not help to prevent "ip pool exhaustion", however
it is useful from many points of view.

by default, openvpn client binds to 1194, so, you cannot connect to several
openvpn destinations.
it is due to the dual nature of openvpn, it is client and server at the same
time, even the same code base.

I think, we can consider either warning about binding or adding "nobind" when
a client profile is used.

it is a very common situation to forget to add "nobind" to the client config. thanks
for bringing that to attention!
s***@keemail.me
2017-04-05 08:49:46 UTC
It seems to me that without `nobind`, I obviously re-use the same local port on the client, which is reassigned the same IP address (if I include the explicit-exit-notify).
This does not work with `nobind` and I believe that has to do with the random port for each OpenVPN process. Now, my idea was to "re-use" a fixed number of random ports.
For instance I start OpenVPN with `nobind` and log the random local port. After I have four random ports, any further instance of OpenVPN is started with one of these four local ports (--lport).
I hope to avoid the IP pool exhaustion like this, without modifying the server configuration.
However, my problem is that I can't identify the local port on the client with `nobind`. I couldn't identify any environment variable on `--up` holding information about the local port on the client.
How could I identify the random local port when using `nobind`?
Thank you and kind regards,
SaAtomic
s***@keemail.me
2017-04-06 06:28:17 UTC
I was able to confirm my suspicion, if I reuse the random ports (which OpenVPN chose with `nobind`) with `lport`, I'm reassigned the previous IP addresses. This effectively resolves the IP pool exhaustion.
However, I still haven't found a way to identify the port of the OpenVPN client process. I want to automate the process and would love to have an environmental variable with the port, when using `nobind`. Unfortunately the variable "local_port" is not set with `nobind`.
How can I identify the port OpenVPN is binding to using environmental variables/scripting?
Kind regards,
SaAtomic
Jan Just Keijser
2017-04-06 13:09:51 UTC
Post by s***@keemail.me
I was able to confirm my suspicion, if I reuse the random ports (which
OpenVPN chose with `nobind`) with `lport`, I'm reassigned the previous
IP addresses. This effectively resolves the IP pool exhaustion.
However, I still haven't found a way to identify the port of the
OpenVPN client process. I want to automate the process and would love
to have an environmental variable with the port, when using `nobind`.
Unfortunately the variable "local_port" is not set with `nobind`.
How can I identify the port OpenVPN is binding to using environmental variables/scripting?
you can't: when using "nobind" openvpn does not provide any info on
which local port is used for a connection. It might be trivial to add
this, but right now it's not in there at all.

HTH,

JJK
David Sommerseth
2017-04-06 13:20:35 UTC
Post by Jan Just Keijser
Post by s***@keemail.me
I was able to confirm my suspicion, if I reuse the random ports (which
OpenVPN chose with `nobind`) with `lport`, I'm reassigned the previous
IP addresses. This effectively resolves the IP pool exhaustion.
However, I still haven't found a way to identify the port of the
OpenVPN client process. I want to automate the process and would love
to have an environmental variable with the port, when using `nobind`.
Unfortunately the variable "local_port" is not set with `nobind`.
How can I identify the port OpenVPN is binding to using environmental
variables/scripting?
you can't : when using "nobind" openvpn does not provide any info on
which local port is used for a connection. It might be trivial to add
this , but right now it's not in there at all.
In --nobind mode ... isn't it the OS which assigns the local port number
and just provides that back to the application together with the "socket
descriptor"?

IIRC, when using --nobind, it makes openvpn _not_ call bind() which ties
it to a particular preconfigured port number.


--
kind regards,

David Sommerseth
Jan Just Keijser
2017-04-06 13:49:28 UTC
Post by David Sommerseth
Post by Jan Just Keijser
Post by s***@keemail.me
I was able to confirm my suspicion, if I reuse the random ports (which
OpenVPN chose with `nobind`) with `lport`, I'm reassigned the previous
IP addresses. This effectively resolves the IP pool exhaustion.
However, I still haven't found a way to identify the port of the
OpenVPN client process. I want to automate the process and would love
to have an environmental variable with the port, when using `nobind`.
Unfortunately the variable "local_port" is not set with `nobind`.
How can I identify the port OpenVPN is binding to using environmental
variables/scripting?
you can't : when using "nobind" openvpn does not provide any info on
which local port is used for a connection. It might be trivial to add
this , but right now it's not in there at all.
In --nobind mode ... isn't it the OS which assigns the local port number
and just provides that back to the application together with the "socket
descriptor"?
IIRC, when using --nobind, it makes openvpn _not_ call bind() which ties
it to a particular preconfigured port number.
correct - and it looks like the OS does not fill in the local port
number when the socket is created (with --nobind); hence it becomes
quite difficult to determine whether *at some point* the application
would know which local port was assigned by the OS...

JJK
Jan Just Keijser
2017-04-04 15:07:49 UTC
Hi,
Post by s***@keemail.me
Hello!
I'll have to look into the topology topic. But it seems reasonable to
me, to print a warning about the net30 topology.
The explicit-exit-notify is a very good point! I missed that in my
client configuration. It appears to be working, if I start one process
after the other. However, during my tests I start multiple OpenVPN
instances on the client at the same time.
I add `nobind` to the client config to make this possible and the IP
pool exhaustion situation does not change with the explicit-exit-notify.
How else could I tackle this issue?
either switch to 'topology net30' or increase the pool size (both on the
server). you're using
server 172.16.0.0 255.255.255.0
but you could also use
server 172.16.0.0 255.255.254.0

which should give you 128 client IPs with Net30

HTH,

JJK