Sporadic OpenVPN node IP address changes

samco82
OpenVpn Newbie
Posts: 1
Joined: Fri Nov 18, 2022 12:49 pm

Post by samco82 » Fri Nov 18, 2022 1:09 pm

I've been having these very sporadic episodes of random IP changes with my OpenVPN nodes. It rarely happens, but when it does, it affects the monitoring tools that are pointing to those IPs. This issue usually affects 1 or 2 nodes out of 42.

I don't have any static IPs set up or anything special in my config. When a node first joins, a random IP is assigned, but these are very persistent, so I have no idea what's going on here.

Server Config

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3


Node Config

client
dev tun1
proto udp
remote foobarbaz.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/node.crt
key keys/node.key
ns-cert-type server
compress lz4-v2
verb 3

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Sporadic OpenVPN node IP address changes

Post by ordex » Fri Nov 18, 2022 1:46 pm

I presume using 'ifconfig-pool-persist' has exactly the goal to keep assignments static. However, the manpage says:
Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push
So there might be some reason why the assignment cannot be kept. Maybe the server log will say something (I'd suggest using verb 4 to get extra info).

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Sporadic OpenVPN node IP address changes

Post by Pippin » Fri Nov 18, 2022 2:27 pm

Hi,
ordex wrote:
Fri Nov 18, 2022 1:46 pm
So there might be some reason why the assignment cannot be kept. Maybe the server log will say something (I'd suggest using verb 4 to get extra info).
Probably the keepalive mechanism?

See the manual for the directives: https://build.openvpn.net/man/openvpn-2 ... vpn.8.html
And wiki: https://community.openvpn.net/openvpn/w ... rversubnet

Possibly a "better" way is to assign static tunnel IPs to clients via ccd.
This can be done for all clients or only for some of them.
Each client needs a unique certificate (the ccd file name is the certificate CN).

Code:

client-config-dir /etc/openvpn/ccd

If for all clients, one can add:

Code:

ccd-exclusive

Then use:

Code:

topology subnet
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.16 10.8.0.254

In this case .16 to .254 are dynamically allocated and .2 to .15 can be used for static assignment.
Adjust as needed.
.0, .1 and .255 cannot be assigned to clients in this case (for recent OpenVPN versions; with older ones .254 cannot be assigned either).

I would also look into --explicit-exit-notify.

For the above one needs to remove:

Code:

ifconfig-pool-persist ipp.txt
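Putting ordex's manpage pointer (ifconfig-pool-persist is only a suggestion; --ifconfig-push is the guarantee) and Pippin's ccd layout together, here is an added example that is not from the thread or from the OpenVPN project: a script that converts an existing ipp.txt into one ccd file per common name, keeping every address that already sits in the static part of the subnet and re-homing anything that is missing, reserved (.0, .1, .255) or inside the dynamic ifconfig-pool. It assumes topology subnet as recommended above, the 10.8.0.0/24 subnet from the server config with .2-.15 kept for static pins and 10.8.0.16-10.8.0.254 as the pool; the sample ipp.txt contents, the CNs node01..node05 and all function names are constructed for the example.

```python
"""Turn an OpenVPN ifconfig-pool-persist file into guaranteed ccd entries.

ipp.txt is only a hint to OpenVPN; a ccd file with `ifconfig-push` is the
guarantee.  Assumes `topology subnet` (under the default net30 topology,
ifconfig-push takes a local/remote /30 pair instead of address + netmask).
"""
import ipaddress
from pathlib import Path

# Constructed sample ipp.txt for the example.  Format is "CN,IPv4" in 2.4;
# newer versions may append a third IPv6 field, which this parser ignores.
SAMPLE_IPP = """\
node01,10.8.0.6
node02,10.8.0.10
node03,10.8.0.200
node04,10.8.0.1
node05,
"""


def parse_ipp(text):
    """Return {common_name: IPv4Address or None}, rejecting duplicate CNs."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        cn = fields[0].strip()
        v4 = fields[1].strip() if len(fields) > 1 else ""
        if cn in entries:
            raise ValueError(f"duplicate common name in ipp.txt: {cn}")
        entries[cn] = ipaddress.IPv4Address(v4) if v4 else None
    return entries


def plan_static(entries, network="10.8.0.0/24",
                pool_start="10.8.0.16", pool_end="10.8.0.254"):
    """Give each CN a unique address outside the dynamic pool and reserved set.

    Pass 1 keeps addresses from ipp.txt that are already valid static ones, so
    existing clients do not move.  Pass 2 hands everything else (no address,
    reserved address, address inside the pool, duplicate) the lowest free slot.
    """
    net = ipaddress.IPv4Network(network)
    lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    # .0 is the network, .1 is the server's tun address, .255 is broadcast.
    reserved = {net.network_address, net.network_address + 1, net.broadcast_address}

    def is_static(ip):
        return ip in net and ip not in reserved and not (lo <= ip <= hi)

    free = [ip for ip in net.hosts() if is_static(ip)]
    plan = {}
    for cn, ip in sorted(entries.items()):
        if ip is not None and is_static(ip) and ip in free:
            plan[cn] = ip
            free.remove(ip)          # also stops a second CN reusing this IP
    for cn in sorted(entries):
        if cn not in plan:
            if not free:
                raise RuntimeError("static range exhausted; shrink ifconfig-pool")
            plan[cn] = free.pop(0)
    return plan


def render_ccd(plan, netmask="255.255.255.0"):
    """One ccd file body per CN; the file name must equal the certificate CN."""
    return {cn: f"ifconfig-push {ip} {netmask}\n" for cn, ip in plan.items()}


def write_ccd(files, ccd_dir):
    """Write the rendered bodies into client-config-dir (created if missing)."""
    ccd_dir = Path(ccd_dir)
    ccd_dir.mkdir(parents=True, exist_ok=True)
    for cn, body in files.items():
        (ccd_dir / cn).write_text(body)
    return sorted(p.name for p in ccd_dir.iterdir())


if __name__ == "__main__":
    import tempfile
    files = render_ccd(plan_static(parse_ipp(SAMPLE_IPP)))
    out = Path(tempfile.mkdtemp()) / "ccd"
    write_ccd(files, out)
    for cn in sorted(files):
        print(f"{out / cn}: {files[cn].strip()}")
```

With the sample input, node01 and node02 keep .6 and .10; node03 (.200, inside the pool), node04 (.1, the server address) and node05 (no address yet) are re-homed to .2, .3 and .4. Generate a file for every CN before enabling ccd-exclusive, since with that directive a client whose CN has no ccd file is refused, and remove ifconfig-pool-persist from the server config as Pippin notes, so the pinned addresses are no longer also handed out as pool suggestions.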

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Sporadic OpenVPN node IP address changes

Post by ordex » Fri Nov 18, 2022 2:37 pm

Pippin wrote:
Fri Nov 18, 2022 2:27 pm
Hi,
ordex wrote:
Fri Nov 18, 2022 1:46 pm
So there might be some reason why the assignment cannot be kept. Maybe the server log will say something (I'd suggest using verb 4 to get extra info).
Keepalive should not matter because, when reconnecting with the same CN, the client should take over the old instance entirely - but I can't be 100% sure :D
