
RE: [Openvpn-users] Windows clients "eat" IP addresses in routed environment.


  • Subject: RE: [Openvpn-users] Windows clients "eat" IP addresses in routed environment.
  • From: "Jim Ockers" <Jim.Ockers@xxxxxxxxx>
  • Date: Thu, 2 Jun 2005 18:31:40 -0600

Hi everyone,

I'm terribly sorry to resurrect this thread but I have a related question.  This is for openvpn 2.0 Beta 11.

> > All users of course have unique common names and separate certs. I assume
> > you mean the same IP will be assigned if no other person has it... If it's
> > released, isn't it free to use for others?
>
> When an IP is released, OpenVPN still remembers the common-name
> association, just as a DHCP server will do. OpenVPN will try to keep the
> address free in case the client connects again, but will not hard-lock the
> address against other clients using it.

I saw the discussion in which it was suggested that this issue would go away if we don't use duplicate-cn.

We have a business reason to use duplicate-cn (all computer equipment must be interchangeable and field-replaceable by busy field technicians, including removable hard drives) so every OpenVPN client has the same certificate.  The VPN access control is certificate based and we've thought through the security issues with using duplicate-cn.

Anyway we could have a few thousand systems connecting and disconnecting at random, all to one openvpn server.  I can use the 172.30.0.0/255.254.0.0 subnet, but I have the server's config file set to 172.30.0.0/16 right now which still gives thousands of available IP addresses.

However if the server never re-uses a client's IP address for another client, it will run out of addresses and the VPN will mostly stop working.  Yes I know we could do 'service openvpn restart' every week.

So what can I do to make the openvpn --server reuse client IP addresses in spite of duplicate-cn?  I've tried a few code modifications and nothing seems to help, presumably because I don't understand the ifconfig_pool_find() function in pool.c.

Here's my most recent attempt.

--- pool.c.orig 2004-08-15 06:28:35.000000000 -0600
+++ pool.c      2005-06-02 18:13:15.000000000 -0600
@@ -78,25 +78,15 @@
            {
              earliest_release = ipe->last_release;
              new_usage = i;
+              break;
            }

-         /*
-          * Keep track of a possible allocation to us
-          * from an earlier session.
-          */
-         if (previous_usage < 0
-             && common_name
-             && ipe->common_name
-             && !strcmp (common_name, ipe->common_name))
-           previous_usage = i;
+           previous_usage = -1;

          ++n;
        }
     }

-  if (previous_usage >= 0)
-    return previous_usage;
-
   if (new_usage >= 0)
     return new_usage;

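Review bot: the `previous_usage = -1;` left at the site of the deleted `if` is dead code and probably a mistake: with its condition removed it runs on every iteration that reaches it, resets a variable that is already -1, and nothing reads it now that `if (previous_usage >= 0) return previous_usage;` is gone. Either drop it together with the `previous_usage` declaration, or keep the `common_name` comparison so a reconnecting client can get its old address back when that entry is free. Note also what the added `break` after `new_usage = i;` actually does: it returns the first free entry instead of the one with the earliest `last_release`, which is a policy change (lowest free index rather than least recently released), not a fix for the reported symptom. Nothing in this hunk alters whether an entry is free, so if the server still hands out consecutive addresses the entries are not being released when clients disconnect, and the release path that stamps `last_release` is the place to check before touching the selection loop again.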
I was trying to make ifconfig_pool_find() return the ifconfig pool list entry [i] corresponding to the first free (not in use) ifconfig pool entry.

The openvpn --server still gives out consecutive IP addresses and never reuses the old ones.

Thanks in advance for any help or advice.

Regards,
Jim

--
Jim Ockers, P.Eng. (jim.ockers@xxxxxxxxx)
Contact info: http://www.ockers.ca/pason.html
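The allocation policy in the quoted reply, as an added example in C that is not OpenVPN's pool.c and not the poster's patch: a toy pool that prefers the free entry a common name held before, otherwise the free entry released earliest, with a switch that mimics the posted patch's first-free behaviour. The pool size, the shared "field-unit" common name, the ring of concurrent slots and the logical clock are assumptions. It shows that under duplicate-cn both selection rules reuse addresses as soon as entries are released, and that the pool only runs dry when entries are never released or more clients are connected at once than there are addresses.

```c
/* Added example, not OpenVPN's pool.c and not the poster's patch: a toy model of
 * the ifconfig-pool selection policy described in the thread.  The pool size,
 * the "field-unit" common name and the logical clock are assumptions. */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4  /* assumed: tiny, so exhaustion is easy to show */

struct pool_entry {
    int in_use;
    char common_name[32];  /* kept after release, like a DHCP lease record; "" = none */
    long last_release;     /* logical clock at last release, 0 = never released */
};

struct pool {
    struct pool_entry list[POOL_SIZE];
    long clock;
    int first_free_only;  /* 1 = stop at the first free entry, as the posted patch does */
};

static void pool_init(struct pool *p, int first_free_only) {
    memset(p, 0, sizeof *p);
    p->first_free_only = first_free_only;
}

/* Policy from the quoted reply: prefer the free entry this common name held
 * before, else the free entry released earliest.  Returns -1 when all are in use. */
static int pool_find(const struct pool *p, const char *cn) {
    int previous_usage = -1, new_usage = -1;
    long earliest_release = 0;
    for (int i = 0; i < POOL_SIZE; i++) {
        const struct pool_entry *e = &p->list[i];
        if (e->in_use) continue;
        if (p->first_free_only) return i;
        if (new_usage == -1 || e->last_release < earliest_release) {
            earliest_release = e->last_release;
            new_usage = i;
        }
        if (previous_usage < 0 && cn && e->common_name[0] && !strcmp(cn, e->common_name))
            previous_usage = i;
    }
    return previous_usage >= 0 ? previous_usage : new_usage;
}

static int pool_acquire(struct pool *p, const char *cn) {
    int i = pool_find(p, cn);
    if (i < 0) return -1;  /* pool exhausted */
    snprintf(p->list[i].common_name, sizeof p->list[i].common_name, "%s", cn ? cn : "");
    p->list[i].in_use = 1;
    return i;
}

/* Frees an entry and stamps it; if this never runs, no address ever comes back. */
static void pool_release(struct pool *p, int i) {
    if (i < 0 || i >= POOL_SIZE) return;
    p->list[i].in_use = 0;
    p->list[i].last_release = ++p->clock;
}

/* Churn like the poster's fleet: `concurrent` slots cycle through clients that all
 * present the same common name (duplicate-cn).  Each round the oldest slot
 * disconnects (released only if release_on_disconnect) and a new client connects.
 * Returns how many connections found no free address. */
int churn(int first_free_only, int rounds, int concurrent, int release_on_disconnect) {
    struct pool p;
    int ring[64], failures = 0;
    if (concurrent > 64) concurrent = 64;
    pool_init(&p, first_free_only);
    for (int s = 0; s < concurrent; s++) ring[s] = -1;
    for (int r = 0; r < rounds; r++) {
        int slot = r % concurrent;
        if (ring[slot] >= 0 && release_on_disconnect) pool_release(&p, ring[slot]);
        ring[slot] = pool_acquire(&p, "field-unit");
        if (ring[slot] < 0) failures++;
    }
    return failures;
}

/* alice connects and leaves, bob connects, alice returns and gets her old index. */
int reconnect_demo(int *alice_first, int *bob_index) {
    struct pool p;
    pool_init(&p, 0);
    int a = pool_acquire(&p, "alice");
    pool_release(&p, a);
    int b = pool_acquire(&p, "bob");
    int a2 = pool_acquire(&p, "alice");
    if (alice_first) *alice_first = a;
    if (bob_index) *bob_index = b;
    return a2;
}

int main(void) {
    int a, b, a2 = reconnect_demo(&a, &b);
    printf("alice %d, bob %d, alice again %d\n", a, b, a2);
    printf("released, 2 concurrent: %d failures\n", churn(0, 100, 2, 1));
    printf("never released:         %d failures\n", churn(0, 100, 2, 0));
    printf("released, 5 concurrent: %d failures\n", churn(0, 100, 5, 1));
    return 0;
}
```

Any C99 compiler builds it. `churn` with release_on_disconnect=0 reproduces the symptom in the post (every connection beyond POOL_SIZE fails), while the same churn with releases never fails under either selection rule; only more concurrent clients than addresses (`churn(0, 100, 5, 1)`) exhausts a pool that is being released properly.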

