On Thu, 2 Jun 2005, Jim Ockers wrote:
> Hi everyone,
>
> I'm terribly sorry to resurrect this thread but I have a related question. This is for openvpn 2.0 Beta 11.
>
> > > All users of course have unique common names and separate
> > > certs. I assume you mean the same ip will be assigned if no other person
> > > has it... If it's released, isn't it free to use for others?
> >
> > When an IP is released, OpenVPN still remembers the common-name
> > association, just as a DHCP server will do. OpenVPN will try to keep the
> > address free in case the client connects again, but will not hard-lock the
> > address against other clients using it.
>
> I saw the discussion in which it was suggested that this issue would go away if we don't use duplicate-cn.
>
> We have a business reason to use duplicate-cn (all computer equipment must be interchangeable and field-replaceable by busy field technicians, including removable hard drives) so every OpenVPN client has the same certificate. The VPN access control is certificate based and we've thought through the security issues with using duplicate-cn.
>
> Anyway we could have a few thousand systems connecting and disconnecting at random, all to one openvpn server. I can use the 172.30.0.0/255.254.0.0 subnet, but I have the server's config file set to 172.30.0.0/16 right now which still gives thousands of available IP addresses.
>
> However if the server never re-uses a client's IP address for another client, it will run out of addresses and the VPN will mostly stop working. Yes I know we could do 'service openvpn restart' every week.
>
> So what can I do to make the openvpn --server reuse client IP addresses in spite of duplicate-cn? I've tried a few code modifications and nothing seems to help, presumably because I don't understand the ifconfig_pool_find() function in pool.c.
>
> Here's my most recent attempt.
>
> --- pool.c.orig 2004-08-15 06:28:35.000000000 -0600
> +++ pool.c 2005-06-02 18:13:15.000000000 -0600
> @@ -78,25 +78,15 @@
> {
> earliest_release = ipe->last_release;
> new_usage = i;
> + break;
> }
>
> - /*
> - * Keep track of a possible allocation to us
> - * from an earlier session.
> - */
> - if (previous_usage < 0
> - && common_name
> - && ipe->common_name
> - && !strcmp (common_name, ipe->common_name))
> - previous_usage = i;
> + previous_usage = -1;
>
> ++n;
> }
> }
>
> - if (previous_usage >= 0)
> - return previous_usage;
> -
> if (new_usage >= 0)
> return new_usage;
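Review bot: the new `break` in the earliest-release branch leaves the scan at the first unused entry, which makes the `earliest_release`/`new_usage` bookkeeping in that block pointless and also skips the `++n` that follows it; if first-free is the intended policy, return `i` at that point and leave the rest of the block alone. The added `+ previous_usage = -1;` inside the loop is dead once the common-name match and its early `return previous_usage;` are removed, so it should go as well. The change also applies unconditionally, so a server that is not running with duplicate-cn loses the common-name stickiness for every client; gating the simplified search on the duplicate-cn option keeps the default behaviour for everyone else.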
>
> I was trying to make ifconfig_pool_find() return the ifconfig pool list entry [i] corresponding to the first free (not in use) ifconfig pool entry.
>
> The openvpn --server still gives out consecutive IP addresses and never reuses the old ones.
It would wrap around to the beginning of the range after it hits the end.
> Thanks in advance for any help or advice.
This is a wishlist item -- right now the algorithm tries hard to keep a
stable mapping between common names and IP addresses, even as clients are
connecting and disconnecting. What needs to happen is the algorithm
should lose some of its smarts when duplicate-cn is used, and just take
the first unused address when a new client connects.
James
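The two search policies James contrasts above, as an added C model (this is not OpenVPN's pool.c; the entry layout, the function names and the `duplicate_cn` flag are assumptions made for this example). The default path keeps a reconnecting common name on its old address and otherwise hands out the unused slot released longest ago, which is why a fresh server walks through the whole range before anything is reused and then wraps around rather than running dry; the duplicate-cn path simply takes the first unused slot:

```c
/* Added illustrative model of the ifconfig-pool search discussed in the
 * thread; not OpenVPN's pool.c. Field, function and flag names are
 * assumptions for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define POOL_SIZE 4   /* tiny pool so the wrap-around is easy to see */
#define CN_MAX    32

struct pool_entry {
    bool   in_use;
    time_t last_release;        /* 0 = never handed out */
    char   common_name[CN_MAX]; /* remembered after release, like DHCP */
};

struct pool {
    bool duplicate_cn;          /* models the --duplicate-cn server option */
    struct pool_entry list[POOL_SIZE];
};

void pool_init(struct pool *p, bool duplicate_cn)
{
    memset(p, 0, sizeof(*p));
    p->duplicate_cn = duplicate_cn;
}

/* Choose a slot for common_name; -1 means every slot is in use. */
int pool_find(const struct pool *p, const char *common_name)
{
    int previous_usage = -1;    /* slot this CN held in an earlier session */
    int new_usage = -1;         /* unused slot released the longest ago */
    time_t earliest_release = 0;

    for (int i = 0; i < POOL_SIZE; ++i) {
        const struct pool_entry *ipe = &p->list[i];
        if (ipe->in_use)
            continue;

        /* duplicate-cn: the name identifies nobody, so drop the smarts
         * and take the first unused slot */
        if (p->duplicate_cn)
            return i;

        /* default: least-recently-released slot; never-used slots have
         * last_release == 0 and therefore win first */
        if (new_usage < 0 || ipe->last_release < earliest_release) {
            earliest_release = ipe->last_release;
            new_usage = i;
        }
        /* ...but a returning CN gets its old slot back if it is free */
        if (previous_usage < 0 && common_name &&
            strcmp(common_name, ipe->common_name) == 0)
            previous_usage = i;
    }
    return previous_usage >= 0 ? previous_usage : new_usage;
}

int pool_acquire(struct pool *p, const char *common_name)
{
    int i = pool_find(p, common_name);
    if (i >= 0) {
        p->list[i].in_use = true;
        snprintf(p->list[i].common_name, CN_MAX, "%s", common_name);
    }
    return i;
}

void pool_release(struct pool *p, int i, time_t now)
{
    if (i >= 0 && i < POOL_SIZE) {
        p->list[i].in_use = false;
        p->list[i].last_release = now;  /* the CN is intentionally kept */
    }
}

/* Simulate `rounds` clients that each connect, then disconnect, in turn.
 * Constructed names: c0, c1, ... by default; one shared "fleet" name under
 * duplicate-cn. Fills out[] with the slot given to each client and
 * returns rounds, or -1 if the pool ever runs dry. */
int churn(bool duplicate_cn, int rounds, int out[])
{
    struct pool p;
    char cn[CN_MAX];
    pool_init(&p, duplicate_cn);
    for (int r = 0; r < rounds; ++r) {
        if (duplicate_cn)
            snprintf(cn, sizeof cn, "fleet");
        else
            snprintf(cn, sizeof cn, "c%d", r);
        int i = pool_acquire(&p, cn);
        if (i < 0)
            return -1;
        out[r] = i;
        pool_release(&p, i, (time_t)(r + 1)); /* release times strictly increase */
    }
    return rounds;
}

int main(void)
{
    int slots[6];
    const char *label[] = { "default  :", "duplicate:" };
    for (int mode = 0; mode < 2; ++mode) {
        churn(mode == 1, 6, slots);
        printf("%s", label[mode]);
        for (int r = 0; r < 6; ++r)
            printf(" %d", slots[r]);
        printf("\n");
    }
    return 0;
}
```

Run stand-alone, the model prints `0 1 2 3 0 1` for the default policy, showing the range being walked and then wrapping, and `0 0 0 0 0 0` under duplicate-cn, where the single released slot is recycled every time.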
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users