OpenVpn changes ipp.txt

Trifon · 2015-02-21 08:49:27

Hello, everyone!
My trouble is that OpenVPN makes randomly changes in file, where placed permanently ip addresses, e.g client foo has address 192.168.0.1, but after random time address changes to 192.168.0.2

Initial file
foo,192.168.0.1

Changed file

foo,192.168.0.2
foo,192.168.0.1

I tried chattr +i, but this doesn't help

if i edit this file when OpenVPN is running, then I stop it, file became modified.

This happens only when i use udp protocol, when i use tcp all was ok, but i think, tcp over tcp have large overhead, so i use udp.

Does not matter wired client or wireless, quality does not matter too, all machines affected by this.

Last edited by Trifon (2015-02-21 09:00:22)

Spider.007 · 2015-02-21 11:20:03

I'm not sure if you're supposed to use ipp.txt as some sort of editable configuration-file; it seems more like an internal state-file to me. How are the permissions on this file; and as what user is openVPN running?

Trifon · 2015-02-21 14:48:35

yes, i suppose to use ipp.txt for ip address assignment.
there are answers to your questions:

user@foo:~$ ps aux | grep vpn
user 5741 0.0 0.1 8984 856 pts/0 S+ 17:42 0:00 grep --color=auto vpn
root 14009 0.3 1.2 25944 6132 ? Ss Feb20 4:28 /usr/sbin/openvpn --writepid /var/run/openvpn.openvpn.pid --daemon ovpn-openvpn --cd /etc/openvpn --config /etc/openvpn/openvpn.conf
user@foo:~$ ls -lah /etc/openvpn/ipp.txt
-rw-r--r-- 1 root root 101 Feb 21 17:33 /etc/openvpn/ipp.txt

if i apply chattr +i command to ipp.txt, as expected nobody able to modify that file, even root, i checked this. But when attribute is applied, new connections receives addresses from begin, e.g .1.2, .1.3 e.t.c.
how can i make connection key<->address permanently? except switching to tcp?
As can i see it happens when connection is open, but physical link is terminated, then appears again, machine starts new connection, but server thinks that first connection is still open and assign new address to machine. is it really possible that OpenVPN assign multiple addresses to one key?

Last edited by Trifon (2015-02-21 15:00:44)

Spider.007 · 2015-02-21 17:25:07

So did you pass 0 as 'seconds' to ifconfig-pool-persist as suggested in the man-page?

--ifconfig-pool-persist file [seconds]
Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown.
The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option.
file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.
If seconds = 0, file will be treated as read-only. This is useful if you would like to treat file as a configuration file.
Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push

Trifon · 2015-02-21 19:49:54

no, i didn't
I did it now, so i'll wait some time, hope all will be ok

Spider.007 · 2015-02-22 09:58:07

Let us know and mark this thread as solved if it does, it could help other people!

Trifon · 2015-02-27 10:42:12

Unfortunately, the problem remains unsolved
Today i tried to connect to one of my machines, and i failed. i checked ipp.txt on server and saw that it remains unchanged.
checking addresses of machines in my VPN network i saw that addresses changed.
restarting server's and client's openvpn daemons solved the problem, of course temporarily
Have you any more ideas?

R00KIE · 2015-02-27 13:48:52

I don't know which kind of device you have configured in openvpn.conf (tun or tap), but if you are using tun those IP's will never fly, google it to see which IPs are available for each mode. Also the server takes x.y.z.1 for itself so configuring your client to use it is probably a bad idea.

You should start with an empty ipp.txt and let openvpn assign the ips as clients connect, the ips should remain stable for those clients as long as you don't do invalid changes to ipp.txt yourself.

Trifon · 2015-02-27 14:09:54

i use tap, because there are windows, linux, and android clients with different network providers, and uses different protocols (ftp, ssh, vnc, X11, etc).
My server has x.y.z.1 address, i know that configuring it for client is bad idea.
i'll try your advice with empty ipp.txt in monday, but it's interesting to me - why it happens?

Arch Linux

#1 2015-02-21 08:49:27

OpenVpn changes ipp.txt

#2 2015-02-21 11:20:03

Re: OpenVpn changes ipp.txt

#3 2015-02-21 14:48:35

Re: OpenVpn changes ipp.txt

#4 2015-02-21 17:25:07

Re: OpenVpn changes ipp.txt

#5 2015-02-21 19:49:54

Re: OpenVpn changes ipp.txt

#6 2015-02-22 09:58:07

Re: OpenVpn changes ipp.txt

#7 2015-02-27 10:42:12

Re: OpenVpn changes ipp.txt

#8 2015-02-27 13:48:52

Re: OpenVpn changes ipp.txt

#9 2015-02-27 14:09:54

Re: OpenVpn changes ipp.txt

Board footer