RE: [Openvpn-users] Windows clients "eat" IP addresses in routed environment.


  • Subject: RE: [Openvpn-users] Windows clients "eat" IP addresses in routed environment.
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Fri, 3 Jun 2005 14:17:11 -0600 (MDT)

> > We have a business reason to use duplicate-cn (all computer equipment
> > must be interchangeable and field-replaceable by busy field
> > technicians, including removable hard drives) so every OpenVPN client
> > has the same certificate.  The VPN access control is certificate based
> > and we've thought through the security issues with using duplicate-cn.
> > 
> > Anyway we could have a few thousand systems connecting and
> > disconnecting at random, all to one openvpn server.  I can use the
> > 172.30.0.0/255.254.0.0 subnet, but I have the server's config file set
> > to 172.30.0.0/16 right now which still gives thousands of available IP
> > addresses.
> > 
> > However if the server never re-uses a client's IP address for another
> > client, it will run out of addresses and the VPN will mostly stop
> > working.  Yes I know we could do 'service openvpn restart' every week.
> > 
> > So what can I do to make the openvpn --server reuse client IP
> > addresses in spite of duplicate-cn?  I've tried a few code
> > modifications and nothing seems to help, presumably because I don't
> > understand the ifconfig_pool_find() function in pool.c.

> This is a wishlist item -- right now the algorithm tries hard to keep a
> stable mapping between common names and IP addresses, even as clients are
> connecting and disconnecting.  What needs to happen is the algorithm
> should lose some of its smarts when duplicate-cn is used, and just take
> the first unused address when a new client connects.

Here's a patch against 2.0 that should fix this (attached).  It changes 
the pool IP allocation algorithm to take the first available address when 
duplicate-cn is set.

Please test and let me know if it solves your problem.  It's a simple
patch and I'd like to include it in 2.0.1 if I can get some testing 
feedback.

James
diff -ur openvpn-2.0.1_rc3/multi.c openvpn-2.0.1_rc3-dupcnpool/multi.c
--- openvpn-2.0.1_rc3/multi.c	2005-05-15 02:56:30.000000000 -0600
+++ openvpn-2.0.1_rc3-dupcnpool/multi.c	2005-06-03 13:33:43.535827616 -0600
@@ -282,13 +282,15 @@
 	{
 	  m->ifconfig_pool = ifconfig_pool_init (IFCONFIG_POOL_INDIV,
 						 t->options.ifconfig_pool_start,
-						 t->options.ifconfig_pool_end);
+						 t->options.ifconfig_pool_end,
+						 t->options.duplicate_cn);
 	}
       else if (dev == DEV_TYPE_TUN)
 	{
 	  m->ifconfig_pool = ifconfig_pool_init (IFCONFIG_POOL_30NET,
 						 t->options.ifconfig_pool_start,
-						 t->options.ifconfig_pool_end);
+						 t->options.ifconfig_pool_end,
+						 t->options.duplicate_cn);
 	}
       else
 	{
diff -ur openvpn-2.0.1_rc3/pool.c openvpn-2.0.1_rc3-dupcnpool/pool.c
--- openvpn-2.0.1_rc3/pool.c	2005-04-10 21:43:57.000000000 -0600
+++ openvpn-2.0.1_rc3-dupcnpool/pool.c	2005-06-03 13:33:06.361478976 -0600
@@ -59,7 +59,6 @@
 ifconfig_pool_find (struct ifconfig_pool *pool, const char *common_name)
 {
   int i;
-  int n = 0;
   time_t earliest_release = 0;
   int previous_usage = -1;
   int new_usage = -1;
@@ -70,6 +69,15 @@
       if (!ipe->in_use)
 	{
 	  /*
+	   * If duplicate_cn mode, take first available IP address
+	   */
+	  if (pool->duplicate_cn)
+	    {
+	      new_usage = i;
+	      break;
+	    }
+
+	  /*
 	   * Keep track of the unused IP address entry which
 	   * was released earliest.
 	   */
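Review bot: the early `break` under `if (pool->duplicate_cn)` hands out the lowest-numbered free slot, which bypasses the earliest-release preference described in the comment right below it, so in duplicate-cn mode the address released most recently is the first one re-issued to the next client. That is the case the original bookkeeping avoided: a client that dropped briefly and reconnects finds its previous address already given to another machine, and any state elsewhere that is keyed on the VPN address now points at a different peer. Consider keeping the earliest-release scan in duplicate-cn mode and only suppressing the common-name match, e.g. guarding just the `previous_usage = i;` assignment with `!pool->duplicate_cn`; every address is still reused, but the ones that have been free longest go first.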
@@ -89,7 +97,6 @@
 	      && !strcmp (common_name, ipe->common_name))
 	    previous_usage = i;
 
-	  ++n;
 	}
     }
 
@@ -104,15 +111,16 @@
 
 
 struct ifconfig_pool *
-ifconfig_pool_init (int type, in_addr_t start, in_addr_t end)
+ifconfig_pool_init (int type, in_addr_t start, in_addr_t end, const bool duplicate_cn)
 {
   struct gc_arena gc = gc_new ();
   struct ifconfig_pool *pool = NULL;
 
   ASSERT (start <= end && end - start < IFCONFIG_POOL_MAX);
-  ALLOC_OBJ (pool, struct ifconfig_pool);
+  ALLOC_OBJ_CLEAR (pool, struct ifconfig_pool);
 
   pool->type = type;
+  pool->duplicate_cn = duplicate_cn;
 
   switch (type)
     {
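Review bot: the switch from `ALLOC_OBJ` to `ALLOC_OBJ_CLEAR` is a behaviour change unrelated to the new flag and is not mentioned in the cover note; it zero-fills the whole `struct ifconfig_pool`, so either call it out explicitly or keep it out of this patch. Also, `const bool duplicate_cn` in the definition: top-level `const` on a by-value parameter is invisible to callers, and the other by-value parameters in this signature (`int type, in_addr_t start, in_addr_t end`) are plain, so `bool duplicate_cn` would match.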
diff -ur openvpn-2.0.1_rc3/pool.h openvpn-2.0.1_rc3-dupcnpool/pool.h
--- openvpn-2.0.1_rc3/pool.h	2005-04-10 21:43:57.000000000 -0600
+++ openvpn-2.0.1_rc3-dupcnpool/pool.h	2005-06-03 13:33:14.335266776 -0600
@@ -52,6 +52,7 @@
   in_addr_t base;
   int size;
   int type;
+  bool duplicate_cn;
   struct ifconfig_pool_entry *list;
 };
 
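Review bot: `bool duplicate_cn;` is added to `struct ifconfig_pool` without a comment; the neighbouring fields are bare too, but since this flag switches the allocation policy of `ifconfig_pool_find`, a one-liner such as `/* --duplicate-cn: hand out the first free entry */` would save the next reader a trip to pool.c.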
@@ -63,7 +64,7 @@
 
 typedef int ifconfig_pool_handle;
 
-struct ifconfig_pool *ifconfig_pool_init (int type, in_addr_t start, in_addr_t end);
+struct ifconfig_pool *ifconfig_pool_init (int type, in_addr_t start, in_addr_t end, const bool duplicate_cn);
 
 void ifconfig_pool_free (struct ifconfig_pool *pool);
 
