IPs from pool never become available after disconnect

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

IPs from pool never become available after disconnect

Post by Letalis » Tue Oct 26, 2021 6:37 pm

Hi, I've noticed that when connecting to and disconnecting from my server from the same client device, I get allocated a new IP address from the pool in my server config each time (e.g. 10.8.0.2, then 10.8.0.3 the next time I connect, etc.). So potentially I could run out of IPs if I leave my server on long enough. Ideally I don't want IPs being reserved for specific devices, and especially not IPs becoming unusable when I disconnect. I realised I had 'ifconfig-pool-persist' in my server configuration, so I have now taken that out, although it still yields the same result.

This is my server config:

local XXX.XXX.X.XXX
port 69
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
compress lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem
explicit-exit-notify
management localhost 7505
script-security 3
learn-address "/etc/openvpn/server/learn-address.sh"
max-clients 100
auth-user-pass-verify /etc/openvpn/server/clientCheck.sh via-env
verify-client-cert none
client-cert-not-required

My client config:

client
dev tun
proto udp
remote XXX.XXX.X.XXX 69
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 4
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>

Could this be anything to do with the learn-address.sh script? If so I can post that too, although it is just a modified script to limit up and down speeds.
If anyone could point me in the right direction it would be greatly appreciated. Thanks.
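The server config above authenticates clients with `auth-user-pass-verify ... via-env` and `script-security 3`. With `via-env`, OpenVPN hands the credentials to the script as the environment variables `username` and `password` (the manual warns this is insecure on platforms where one process's environment is visible to other unprivileged processes; `via-file` is the alternative), and the script's exit status decides the outcome: 0 accepts, anything else rejects. The script below is an added example of what such a verifier can look like, written in Python rather than the bash `clientCheck.sh` from the thread, which is not shown here. The credential store, the user `alice`, her password and salt, and the PBKDF2 parameters are all constructed for the example.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify handler for `via-env` mode (added example).

OpenVPN exports the client's credentials as the environment variables
`username` and `password` and treats exit status 0 as "accept" and any
other status as "reject". Everything below the imports that looks like a
user database is constructed for this example; a real deployment would
load salted digests from a root-only file instead of hard-coding them.
"""
import hashlib
import hmac
import os
import sys
from typing import Dict, Tuple

# PBKDF2-HMAC-SHA256 work factor; tune to your hardware.
ITERATIONS = 200_000

# A stored record is (salt, digest, iterations).
Record = Tuple[bytes, bytes, int]


def make_record(password: str, salt: bytes, iterations: int = ITERATIONS) -> Record:
    """Derive the stored record for a password (used here to build the sample store)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


# Constructed sample store: one user, hypothetical password and salt.
USERS: Dict[str, Record] = {
    "alice": make_record(
        "correct horse battery staple",
        bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    ),
}

# Dummy record used for unknown users so that a lookup miss costs the same
# PBKDF2 work as a hit and does not leak which usernames exist via timing.
_DUMMY: Record = (b"\x00" * 16, b"\x00" * 32, ITERATIONS)


def verify(username: str, password: str, users: Dict[str, Record] = USERS) -> bool:
    """Return True only for a known user whose password matches the stored digest."""
    salt, expected, iterations = users.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison; the `in` check runs after the digest so the
    # expensive step is always performed.
    return username in users and hmac.compare_digest(candidate, expected)


def main() -> int:
    # Variable names are exactly what OpenVPN sets in via-env mode.
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    ok = verify(username, password)
    # Anything written to stderr ends up in the OpenVPN log at the configured verb.
    print(f"auth {'OK' if ok else 'FAILED'} for user {username!r}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Point `auth-user-pass-verify` at this file (executable, owned by root) instead of the shell script; OpenVPN itself does not care which language the verifier is written in.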

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: ifconfig-pool-persist seemingly having no effect on server

Post by TinCanTech » Tue Oct 26, 2021 6:54 pm

Letalis wrote:
Tue Oct 26, 2021 6:37 pm
If anyone could point me in the right direction
Quoth The Manual wrote:
--ifconfig-pool-persist file [seconds]
  • Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown.

    The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option.

    file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.

    If seconds = 0, file will be treated as read-only. This is useful if you would like to treat file as a configuration file.

    Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push
Quoth extract one record from the manual in 27ms
https://community.openvpn.net/openvpn/w ... n24ManPage

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Tue Oct 26, 2021 7:00 pm

Thanks for the response. I've taken ifconfig-pool-persist out of my configuration because this isn't the behaviour I want. I don't want a long-term association for clients, and I'd rather the IPs become free again upon disconnect. The trouble is this always seems to happen, even when I don't have ifconfig-pool-persist there. Just connecting and disconnecting on my phone repeatedly keeps using up IPs that then can't be used until a server restart.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Tue Oct 26, 2021 7:47 pm

Letalis wrote:
Tue Oct 26, 2021 7:00 pm
Just connecting and disconnecting on my phone repeatedly keeps using up IPs that then can't be used until a server restart
Are you saying that openvpn does not do as the manual claims it should ?

Are you saying that with your one client (phone) you are attempting to connect 240+ times per 120 second period ?

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Tue Oct 26, 2021 7:57 pm

I'm not claiming that at all; I was just trying to figure out why I'm seeing the IPs like I am. In that case, is the keepalive line holding onto that IP for the 120 seconds after disconnection? If so, there shouldn't be a problem and I wasn't waiting long enough, forgetting that line was there, so sorry about that.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Tue Oct 26, 2021 8:01 pm

OK - I see the problem.

Add explicit-exit-notify 2 to your client config as well.

See the man for details.

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Wed Oct 27, 2021 3:04 pm

Okay, I've tried adding that and for some reason I am still getting the same result. It's not a matter of me waiting the 120s; I can wait for 10 minutes and still get the next IP in the pool. I've even tried completely removing the keepalive line in the server config and it doesn't change anything. Will this be a problem unrelated to OpenVPN then?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Wed Oct 27, 2021 3:12 pm

Letalis wrote:
Tue Oct 26, 2021 7:00 pm
Just connecting and disconnecting on my phone repeatedly keeps using up IPs that then can't be used until a server restart.
This behaviour is not expected and I do not know how you can make Openvpn do that.

:shrug:

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Wed Oct 27, 2021 3:14 pm

Okay no worries, I'll have to look elsewhere. Thanks for your help :)

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Fri Oct 29, 2021 6:18 pm

Okay, I've got an update: after some more testing I've found the reason behind this. Whenever I add a script to check a username and password, the IPs never get released. If I don't use a script and use certificates instead, there isn't a problem. These are the lines I add:

auth-user-pass-verify /etc/openvpn/server/clientCheckTest.sh via-env
verify-client-cert none

At first I thought I must be doing something weird in the script that OpenVPN doesn't like, but it doesn't matter what is in the script. I made this script, which always returns success (just for testing, obviously):

#!/bin/bash
# Test stub only: accepts every username/password without checking anything.
exit 0

So this script runs successfully and lets me connect as any username and password. As simple as the script is, though, it has this same issue and the last digit of my IP keeps increasing.

Is the lack of certificate not allowing OpenVPN to identify the connections as it usually would to release these IPs?
Is there something I should be adding to the script so that OpenVPN can release them?
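The pattern Letalis reports (a fresh address on every reconnect, only when clients authenticate with `auth-user-pass-verify` and `verify-client-cert none`, and wrapping around once the pool is used up, as the later posts confirm) is what a pool keyed on the session's common name does when the session has no common name: a certificate supplies a CN, a bare username/password does not. The model below is an added example, not code from this thread and not OpenVPN's own code. It implements the allocation rule as I understand it from OpenVPN's pool implementation (prefer a free slot previously held by the same common name; otherwise take the free slot that was released longest ago, with never-used slots counting as oldest); that this matches the real allocator exactly is an assumption to check against your own server's `status` output. OpenVPN's `username-as-common-name` directive makes the authenticated username the session's common name, which is the documented way to give password-only clients a stable identity; whether it restores address reuse in this setup is something to test rather than something the thread establishes.

```python
"""Model of a common-name-keyed address pool (added illustration).

Assumed allocation rule, modelled on OpenVPN's ifconfig-pool as I read it,
not copied from it:
  1. if a free slot was last held by the same common name, reuse it;
  2. otherwise take the free slot released longest ago (never-used slots
     count as released at time 0, so they are used up first);
  3. if nothing is free, fail (OpenVPN gives the client a session with no
     address rather than an AUTH_FAILED).
A session with no common name can never satisfy rule 1, so repeated
connect/disconnect walks through every unused slot and then wraps to the
oldest release, which is the behaviour described in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass
class Slot:
    addr: str
    in_use: bool = False
    common_name: Optional[str] = None
    last_release: int = 0  # 0 means never used, so it sorts as oldest


@dataclass
class Pool:
    slots: List[Slot]
    clock: int = 0  # monotonic tick standing in for wall-clock time

    @classmethod
    def from_subnet(cls, subnet: str) -> "Pool":
        # `server 10.8.0.0 255.255.255.0` with `topology subnet`: .1 is the
        # server, the pool hands out the remaining host addresses (simplified;
        # the real pool trims a few more addresses).
        hosts = list(IPv4Network(subnet).hosts())[1:]
        return cls([Slot(str(h)) for h in hosts])

    def acquire(self, common_name: Optional[str]) -> Optional[str]:
        previous = None  # free slot this CN held before (rule 1)
        oldest = None    # least-recently-released free slot (rule 2)
        for slot in self.slots:
            if slot.in_use:
                continue
            if previous is None and common_name and slot.common_name == common_name:
                previous = slot
            if oldest is None or slot.last_release < oldest.last_release:
                oldest = slot
        chosen = previous or oldest
        if chosen is None:
            return None  # rule 3: pool exhausted
        self.clock += 1
        chosen.in_use = True
        chosen.common_name = common_name
        return chosen.addr

    def release(self, addr: str) -> None:
        for slot in self.slots:
            if slot.addr == addr:
                slot.in_use = False
                self.clock += 1
                slot.last_release = self.clock
                return
        raise KeyError(addr)


def churn(pool: Pool, common_name: Optional[str], rounds: int) -> List[Optional[str]]:
    """Connect and disconnect `rounds` times; return the address handed out each time."""
    got: List[Optional[str]] = []
    for _ in range(rounds):
        addr = pool.acquire(common_name)
        got.append(addr)
        if addr is not None:
            pool.release(addr)
    return got


if __name__ == "__main__":
    # Client with a common name (certificate CN, or username-as-common-name):
    # the same address comes back every time.
    print(churn(Pool.from_subnet("10.8.0.0/24"), "alice", 3))
    # Password-only client with no common name on a tiny /29 pool:
    # walks .2 through .6, then wraps to .2 and carries on.
    print(churn(Pool.from_subnet("10.8.0.0/29"), None, 8))
```

The second run is the thread's symptom in miniature: nothing leaks, every slot is released on disconnect, but without a common name there is no reason for the allocator to hand the same client the slot it just gave back, so the pool is walked in order and then recycled from the oldest release. A leak would show up in this model as `acquire` returning `None` while the client count is below the pool size; the wrap-around alone is not one.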

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Fri Oct 29, 2021 7:45 pm

Are you able to exhaust the server pool IPs from the single client repeatedly connecting ?

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Fri Oct 29, 2021 7:52 pm

Probably not, but I plan on letting a few friends use the server too and would rather not have to restart the server when it runs out if it can be avoided. Or do you mean you want me to try exhausting them to see what happens?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Fri Oct 29, 2021 8:07 pm

Have your friends do the test. See if you, all put together, can exhaust the server pool.

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Sun Oct 31, 2021 3:25 pm

Yeah, we can. It seems that when it exhausts the pool it loops back and starts at 10.8.0.2 again. Once it loops, however, there's a chance I get this error message saying "AUTH_FAILED" when connecting, so it can take multiple attempts:

[screenshot of the AUTH_FAILED message]

I know it could just be suggested to change the pool size, but I'd ideally want a more concrete solution, considering this shouldn't really be happening.

Any ideas? I'm thinking of asking on SuperUser as well since this seems to be quite strange.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Sun Oct 31, 2021 3:30 pm

IP Pool exhaustion does not cause AUTH_FAILED, you just get a VPN session with no IP address.

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Tue Nov 02, 2021 11:53 am

Ok, maybe that was just an unrelated problem when trying to contact my auth endpoint, as I'm not having the same issue now. Testing again, with different sized pools too, has resulted in the same looping back to the start but without any AUTH_FAILED. If the pool is simply able to start at the beginning again, would that be considered a viable solution or is it bad practice?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Tue Nov 02, 2021 1:00 pm

Looping is expected.

Letalis
OpenVPN User
Posts: 47
Joined: Mon Sep 14, 2020 11:46 am

Re: IPs from pool never become available after disconnect

Post by Letalis » Tue Nov 02, 2021 4:42 pm

Okay. So, provided it's looping, incrementing the IP each time and not releasing it like when using a certificate should be fine?
If so I think that answers my question so thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IPs from pool never become available after disconnect

Post by TinCanTech » Wed Nov 03, 2021 2:04 am

If you can break it then let me know, otherwise enjoy.
