[Openvpn-users] Problems with ifconfig-pool-persist
Michael Scheidell
2006-07-03 16:59:53 UTC
I don't seem to be able to have openvpn 2.04 write to the
ifconfig-pool-persist file.

When it starts, it creates (a blank) one, but never writes to it, ever.

.conf file:
(It originally created the file rw------- owned by root.
I chown[ed] it openvpn:openvpn and chmod[ed] it g+rw and restarted
openvpn.
Still won't write to the file.)
Syslog shows it ok:
Jul 3 12:53:54 link openvpn[57009]: ifconfig_pool_persist_filename =
'./client2ip.txt'

Tried client2ip.txt ./client2ip.txt,
/usr/local/etc/openvpn/client2ip.txt, no good
(it just creates a 0 byte file, that's it)

Tried with and without ccd dir directives.

--- .conf file:
server 192.168.0.0 255.255.0.0
proto udp
float
dev tun0
persist-tun
persist-key
persist-local-ip
persist-remote-ip
ifconfig-pool-persist ./client2ip.txt 60
reneg-sec 28800
passtos
client-to-client

# fast-io, udp only, not windows, when shape not used.
fast-io
mtu-test

user openvpn
group openvpn
keepalive 10 60
comp-lzo

# Encryption Settings
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
crl-verify crl.pem
#tried with and without ccd directives, no change
client-config-dir ccd
ccd-exclusive

verb 4
ifconfig-nowarn
status ./openvpn-status.log
--
Michael Scheidell, CTO
SECNAP Network Security
561-999-5000 x 1131
www.secnap.com
Giancarlo Razzolini
2006-07-03 20:36:18 UTC
Post by Michael Scheidell
I don't seem to be able to have openvpn 2.04 write to the
ifconfig-pool-persist file.
When it starts, it creates (a blank) one, but never writes to it, ever.
(it originally created the file rw------ owned as root.
I chown[ed] it openvpn:openvpn and chmod[ed] it g+rw and restarted
openvpn.
Still won't write to file.
Jul 3 12:53:54 link openvpn[57009]: ifconfig_pool_persist_filename =
'./client2ip.txt'
Tried client2ip.txt ./client2ip.txt,
/usr/local/etc/openvpn/client2ip.txt, no good
(it just creates a 0 byte file, that's it)
Tried with and without ccd dir directives.
server 192.168.0.0 255.255.0.0
proto udp
float
dev tun0
persist-tun
persist-key
persist-local-ip
persist-remote-ip
ifconfig-pool-persist ./client2ip.txt 60
Try giving a full path to the file. I generally use
/etc/openvpn/ifconfig-pool.txt.
Post by Michael Scheidell
reneg-sec 28800
passtos
client-to-client
# fast-io, udp only, not windows, when shape not used.
fast-io
mtu-test
user openvpn
group openvpn
keepalive 10 60
comp-lzo
# Encryption Settings
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
crl-verify crl.pem
#tried with and without ccd directives, no change
client-config-dir ccd
ccd-exclusive
Never mix ccd with ifconfig-pool-persist. Weird things can happen. I
actually prefer ccd, because I can assign specific IPs and routes to my
clients. Always give full paths when specifying directories and/or
files. This will surely help you, even when using a chroot.
Post by Michael Scheidell
verb 4
ifconfig-nowarn
status ./openvpn-status.log
My 2 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Giancarlo Razzolini
2006-07-04 00:19:51 UTC
No matter what I do, I have a 0 byte file created and timestamped when
openvpn starts.
This is the normal behavior. Your ifconfig-pool will only be initialized
when a client actually connects to the server. The common name of the
client's certificate and the IP it got from the pool will be written to
the file, so that the next time it connects it will get the same IP. But I
strongly recommend you use ccd if you have only a few clients. If you
have many clients, then some clever bash scripts might help with the job of
administrating the ccd dir.

My regards,
Michael Scheidell
2006-07-04 00:39:31 UTC
Post by Giancarlo Razzolini
No matter what I do, I have a 0 byte file created and timestamped when
openvpn starts.
This is the normal behavior. Your ifconfig-pool will only be initialized
when a client actually connects to the server. The common name of the
client's certificate and the IP it got from the pool will be written to
the file, so that the next time it connects it will get the same IP. But I
strongly recommend you use ccd if you have only a few clients. If you
have many clients, then some clever bash scripts might help with the job of
administrating the ccd dir.
My regards,
I had 35 clients connect to it, and it never did anything but create the
0 byte file.

I waited 1200 seconds (twice the 600)

I set time to 60 and waited 120 seconds.

It never did anything.

(yes, I know about ccd, but have a specific need to do this)
Giancarlo Razzolini
2006-07-04 00:48:17 UTC
Post by Michael Scheidell
I had 35 clients connect to it, and it never did anything but create the
0 byte file.
I waited 1200 seconds (twice the 600)
I set time to 60 and waited 120 seconds.
It never did anything.
(yes, I know about ccd, but have a specific need to do this)
Have you increased the verbosity level of openvpn? Try 7 or more, and then
watch the log. It will provide useful hints about your problem.

My regards,
Michael Scheidell
2006-07-04 00:14:24 UTC
Post by Michael Scheidell
Tried client2ip.txt ./client2ip.txt,
/usr/local/etc/openvpn/client2ip.txt, no good (it just creates a 0
byte file, that's it)
Already gave full path, didn't help.
Post by Michael Scheidell
Tried with and without ccd dir directives.
Tried with and without ccd directory directives, didn't help.

No matter what I do, I have a 0 byte file created and timestamped when
openvpn starts.
Michael Scheidell
2006-07-04 14:13:06 UTC
-----Original Message-----
Behalf Of Giancarlo Razzolini
Sent: Monday, July 03, 2006 8:48 PM
Subject: Re: [Openvpn-users] Problems with ifconfig-pool-persist
Have you increased the verbosity level of openvpn? Try 7 or more,
and then watch the log. It will provide useful hints about
your problem.
Thanks for the suggestion.

It got VERY verbose (one line per packet, it looks like).


grep client2ip /var/log/openvpn
Jul 4 10:09:24 link openvpn[65028]: ifconfig_pool_persist_filename =
'/usr/local/etc/openvpn/ccd/client2ip.txt'

BUT, I now have IP addresses in the client2ip.txt file.

Will toy with verb values to see if maybe they have something to do with
it, or with permissions on file.
Michael Scheidell
2006-07-04 16:10:43 UTC
If openvpn is running as non-root, and I don't create the file ahead of
time and chown, chgrp and chmod it, it doesn't work.

Steps to recreate:

rm ip file.
Options:
persist-tun
persist-key
persist-local-ip
persist-remote-ip
ifconfig-pool-persist /usr/local/etc/openvpn/client2ip.txt 60
client-config-dir ccd
ccd-exclusive
Start openvpn.

Notice the file is created 0:0, 0 bytes, rw------- permissions.

-rw------- 1 root wheel 0 Jul 4 12:01 client2ip.txt

wait 180 seconds:
Nothing written to client2ip.txt even after multiple clients connect.

Options:
persist-tun
persist-key
persist-local-ip
persist-remote-ip
ifconfig-pool-persist /usr/local/etc/openvpn/client2ip.txt 60
client-config-dir ccd
#ccd-exclusive

Still nothing.

Options:
persist-tun
persist-key
persist-local-ip
persist-remote-ip
ifconfig-pool-persist /usr/local/etc/openvpn/client2ip.txt 60
#client-config-dir ccd
#ccd-exclusive

So, it's the client-config-dir ccd that does it.

I was hoping to use ccd to populate the client2ip.txt file, guess I will
have to do it by hand.

Thanks.
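
The two observations in this thread (the persist file stays empty while ccd is in use, and the advice to give absolute paths once `user`/`group` drop privileges) can be checked mechanically before starting the daemon. The script below is an added example; it is not code from the thread or from the OpenVPN project. It assumes the documented 2.x persist-file format `<common name>,<ip>` (one entry per line), that a client whose ccd file carries `ifconfig-push` receives that fixed address instead of a lease from the `server` pool and therefore never appears in the persist file, and that relative paths are resolved against the daemon's working directory (or `--cd`). The sample config, ccd files and persist lines are constructed for the demonstration, modelled on the config posted above but not taken from it.

```python
"""Audit an OpenVPN 2.x server config for ifconfig-pool-persist / ccd interplay.

Added example, not from the thread or the OpenVPN project. Assumes the 2.x
persist format '<common name>,<ip>' and that ccd 'ifconfig-push' clients get a
fixed address rather than a pool lease (so they never reach the persist file).
"""
import ipaddress
import os
import shlex

# Directives whose first argument is a path the daemon opens at runtime.
FILE_DIRECTIVES = {"ifconfig-pool-persist", "status", "client-config-dir",
                   "ca", "cert", "key", "dh", "tls-auth", "crl-verify"}


def parse_config(text):
    """Return [(directive, [args]), ...]; '#'/';' comments dropped.
    Simplification: comment markers inside quoted arguments are not handled."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            directives.append((parts[0], parts[1:]))
    return directives


def relative_path_findings(directives):
    """Relative paths resolve against cwd/--cd; with user/group (or a chroot)
    that is a common reason a file is created but never written."""
    sev = "warn" if any(d in ("user", "group") for d, _ in directives) else "info"
    return [(sev, f"{d}: relative path {a[0]!r} is resolved against cwd/--cd")
            for d, a in directives
            if d in FILE_DIRECTIVES and a and not os.path.isabs(a[0])]


def parse_pool_persist(text, server_net=None):
    """Parse '<cn>,<ip>' lines into ({cn: ip}, [problems]); extra columns ignored."""
    entries, seen_ip, problems = {}, set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().split(",")
        if not raw.strip():
            continue
        if len(fields) < 2:
            problems.append(f"line {n}: expected '<cn>,<ip>', got {raw.strip()!r}")
            continue
        cn, ip_s = fields[0].strip(), fields[1].strip()
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            problems.append(f"line {n}: {cn!r} has unparsable address {ip_s!r}")
            continue
        if cn in entries:
            problems.append(f"line {n}: duplicate common name {cn!r}")
        if ip in seen_ip:
            problems.append(f"line {n}: address {ip} leased twice")
        if server_net is not None and ip not in server_net:
            problems.append(f"line {n}: {ip} is outside the server pool {server_net}")
            continue
        entries[cn] = ip
        seen_ip.add(ip)
    return entries, problems


def ccd_fixed_clients(ccd_files):
    """{common name: fixed address} for ccd files (filename == CN) using ifconfig-push."""
    return {cn: a[0] for cn, text in ccd_files.items()
            for d, a in parse_config(text) if d == "ifconfig-push" and a}


def audit(config_text, ccd_files=None, persist_text=""):
    """Combine the checks; returns a dict the caller can inspect or print."""
    directives = parse_config(config_text)
    findings = relative_path_findings(directives)
    server = next((a for d, a in directives if d == "server"), None)
    net = ipaddress.ip_network(f"{server[0]}/{server[1]}", strict=False) if server else None
    has_pool = any(d == "ifconfig-pool-persist" for d, _ in directives)
    fixed = ccd_fixed_clients(ccd_files or {})
    if has_pool and fixed:
        findings.append(("info", f"{len(fixed)} ccd client(s) use ifconfig-push; those "
                         "addresses are not pool leases and never reach the persist file"))
    entries, problems = parse_pool_persist(persist_text, net)
    for cn in sorted(set(entries) & set(fixed)):   # stale lease next to a fixed address
        findings.append(("warn", f"{cn}: persist lease {entries[cn]} is stale, "
                         f"ccd ifconfig-push {fixed[cn]} applies"))
    findings.extend(("error", p) for p in problems)
    return {"net": net, "pool_entries": entries, "fixed": fixed, "findings": findings}


# Constructed sample input, modelled on the thread's config (not the real files).
SAMPLE_CONFIG = """\
server 192.168.0.0 255.255.0.0
ifconfig-pool-persist ./client2ip.txt 60
user openvpn
group openvpn
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
client-config-dir ccd
ccd-exclusive
status ./openvpn-status.log
"""
SAMPLE_CCD = {"laptop-alice": "ifconfig-push 192.168.1.10 192.168.1.9\n",
              "desktop-bob": 'push "route 10.0.0.0 255.0.0.0"\n'}  # bob stays a pool user
SAMPLE_PERSIST = ("desktop-bob,192.168.0.6\n"
                  "laptop-alice,192.168.0.10\n"   # stale: alice is now fixed via ccd
                  "printer,10.9.9.9\n"            # outside the server pool
                  "server-x,not-an-ip\n")

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG, SAMPLE_CCD, SAMPLE_PERSIST)["findings"]:
        print(f"[{sev}] {msg}")
```

Run it against the real files with `audit(open(conf).read(), {f: open(os.path.join(ccd, f)).read() for f in os.listdir(ccd)}, open(persist).read())`; an empty persist file with every ccd entry carrying `ifconfig-push` is then the expected outcome rather than a bug, and any `warn` on a relative path is the thing to fix before blaming permissions.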
