From: Michael K. <mic...@ip...> - 2017-09-21 23:21:12

Thanks Lonnie.
Yes a great skill to have. Maybe I will get my developer to help me with it

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux List <ast...@li...>
Date: Thursday, 21 September 2017 at 10:11 pm
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] Asterisk Segfault in app_queue.so

Hi Michael,

I took a look at the Asterisk source and the last "segfault" fix to apps/app_queue.c was back in 2016-04-18, which is included in Asterisk 11.23.0. (AstLinux 1.2.8)

Asterisk Git Repo:
http://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=summary

Scroll to bottom under "heads", you can compare different versions there, or browse the very latest under "master"
--
7 weeks ago master shortlog | log | tree
--
Click "tree" on the master head line.

In this case click "apps"
--
-rw-r--r-- 376684 app_queue.c blob | history | raw
--
Click "history" on the app_queue.c line.

Typically a "segfault" fix will be in the commit message, so search in your browser.

This exercise implies there are no upstream app_queue segfault fixes.

This is a handy skill to have, particularly when an Asterisk issue is fixed in one version and not another.

Lonnie

PS, Armin's note of ASTERISK-25975 appears to be duplicate of ASTERISK-25888 which was fixed as noted above.


On Sep 21, 2017, at 2:22 AM, Michael Knill <mic...@ip...> wrote:

> Oh dear. My busiest system too. Thank goodness for safe_asterisk
>
> Sep 21 14:07:44 3037-QGPSC-CM1 user.info kernel: asterisk[1110]: segfault at 10 ip 00002b1ed1d4882c sp 00002b1ed728fcd0 error 4 in app_queue.so[2b1ed1d34000+35000]
> Sep 21 14:07:45 3037-QGPSC-CM1 user.info safe_asterisk: Asterisk exited on signal 11.
>
> Any ideas?
> Can I get a backtrace from Astlinux?
>
> Regards
> Michael Knill
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

From: Michael K. <mic...@ip...> - 2017-09-21 23:04:35

Thanks Michael.
Unfortunately this is Asterisk 13 which I am regretting moving to, but 11 LTS has ended so I should be making the move.
This is currently the only site that I am using Queues and I have not got any segfaults on any of my other Asterisk 13 boxes (yet!).

Regards
Michael Knill

-----Original Message-----
From: Michael Keuter <li...@mk...>
Reply-To: AstLinux List <ast...@li...>
Date: Thursday, 21 September 2017 at 7:36 pm
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] Asterisk Segfault in app_queue.so

> On 21.09.2017 at 09:22, Michael Knill <mic...@ip...> wrote:
>
> Oh dear. My busiest system too. Thank goodness for safe_asterisk
>
> Sep 21 14:07:44 3037-QGPSC-CM1 user.info kernel: asterisk[1110]: segfault at 10 ip 00002b1ed1d4882c sp 00002b1ed728fcd0 error 4 in app_queue.so[2b1ed1d34000+35000]
> Sep 21 14:07:45 3037-QGPSC-CM1 user.info safe_asterisk: Asterisk exited on signal 11.
>
> Any ideas?
> Can I get a backtrace from Astlinux?
>
> Regards
> Michael Knill

Hi Michael,

no, you can't get a backtrace directly within AstLinux.

For that, Asterisk would have to be compiled with "asterisk-makeopts: MENUSELECT_CFLAGS=DONT_OPTIMIZE BETTER_BACKTRACES".
And Asterisk would need to be started with the "-g" option.
A debugger and a lot of free disk space are needed as well :-(.

More information:
https://wiki.asterisk.org/wiki/display/AST/Getting+a+Backtrace

Try to figure out if something special has happened at that time (or shortly before).
Which Asterisk version, how many concurrent calls?

In Asterisk 11 I rarely have seen segfaults of Asterisk.

Michael

http://www.mksolutions.info

From: Lonnie A. <li...@lo...> - 2017-09-21 12:10:43

Hi Michael,

I took a look at the Asterisk source and the last "segfault" fix to apps/app_queue.c was back in 2016-04-18, which is included in Asterisk 11.23.0. (AstLinux 1.2.8)

Asterisk Git Repo:
http://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=summary

Scroll to bottom under "heads", you can compare different versions there, or browse the very latest under "master"
--
7 weeks ago master shortlog | log | tree
--
Click "tree" on the master head line.

In this case click "apps"
--
-rw-r--r-- 376684 app_queue.c blob | history | raw
--
Click "history" on the app_queue.c line.

Typically a "segfault" fix will be in the commit message, so search in your browser.

This exercise implies there are no upstream app_queue segfault fixes.

This is a handy skill to have, particularly when an Asterisk issue is fixed in one version and not another.

Lonnie

PS, Armin's note of ASTERISK-25975 appears to be duplicate of ASTERISK-25888 which was fixed as noted above.


On Sep 21, 2017, at 2:22 AM, Michael Knill <mic...@ip...> wrote:

> Oh dear. My busiest system too. Thank goodness for safe_asterisk
>
> Sep 21 14:07:44 3037-QGPSC-CM1 user.info kernel: asterisk[1110]: segfault at 10 ip 00002b1ed1d4882c sp 00002b1ed728fcd0 error 4 in app_queue.so[2b1ed1d34000+35000]
> Sep 21 14:07:45 3037-QGPSC-CM1 user.info safe_asterisk: Asterisk exited on signal 11.
>
> Any ideas?
> Can I get a backtrace from Astlinux?
>
> Regards
> Michael Knill

From: Armin T. <arm...@tu...> - 2017-09-21 11:55:37

On Thu, 2017-09-21 at 07:22 +0000, Michael Knill wrote:
> Oh dear. My busiest system too. Thank goodness for safe_asterisk
>
> Sep 21 14:07:44 3037-QGPSC-CM1 user.info kernel: asterisk[1110]: segfault at 10 ip 00002b1ed1d4882c sp 00002b1ed728fcd0 error 4 in app_queue.so[2b1ed1d34000+35000]
> Sep 21 14:07:45 3037-QGPSC-CM1 user.info safe_asterisk: Asterisk exited on signal 11.
>
> Any ideas?

There's a ticket open with no progress I'm afraid - https://issues.asterisk.org/jira/browse/ASTERISK-25975

Maybe related?

> Can I get a backtrace from Astlinux?
>
> Regards
> Michael Knill

Regards,
Armin.

From: Michael K. <li...@mk...> - 2017-09-21 09:36:02

> On 21.09.2017 at 09:22, Michael Knill <mic...@ip...> wrote:
>
> Oh dear. My busiest system too. Thank goodness for safe_asterisk
>
> Sep 21 14:07:44 3037-QGPSC-CM1 user.info kernel: asterisk[1110]: segfault at 10 ip 00002b1ed1d4882c sp 00002b1ed728fcd0 error 4 in app_queue.so[2b1ed1d34000+35000]
> Sep 21 14:07:45 3037-QGPSC-CM1 user.info safe_asterisk: Asterisk exited on signal 11.
>
> Any ideas?
> Can I get a backtrace from Astlinux?
>
> Regards
> Michael Knill

Hi Michael,

no, you can't get a backtrace directly within AstLinux.

For that, Asterisk would have to be compiled with "asterisk-makeopts: MENUSELECT_CFLAGS=DONT_OPTIMIZE BETTER_BACKTRACES".
And Asterisk would need to be started with the "-g" option.
A debugger and a lot of free disk space are needed as well :-(.

More information:
https://wiki.asterisk.org/wiki/display/AST/Getting+a+Backtrace

Try to figure out if something special has happened at that time (or shortly before).
Which Asterisk version, how many concurrent calls?

In Asterisk 11 I rarely have seen segfaults of Asterisk.

Michael

http://www.mksolutions.info

From: Michael K. <mic...@ip...> - 2017-09-21 07:22:40

Oh dear. My busiest system too. Thank goodness for safe_asterisk

Sep 21 14:07:44 3037-QGPSC-CM1 user.info kernel: asterisk[1110]: segfault at 10 ip 00002b1ed1d4882c sp 00002b1ed728fcd0 error 4 in app_queue.so[2b1ed1d34000+35000]
Sep 21 14:07:45 3037-QGPSC-CM1 user.info safe_asterisk: Asterisk exited on signal 11.

Any ideas?
Can I get a backtrace from Astlinux?

Regards
Michael Knill

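Added example, not part of the thread: even without a backtrace, the kernel "segfault at" line quoted in this message already gives the faulting module, the offset inside it, and the kind of access that failed. The function names below are hypothetical, and the decoding assumes the x86 page-fault error-code layout.

```shell
#!/bin/sh
# Added example: triage of a kernel "segfault at ..." log line (x86 format).
# Function names are hypothetical; SAMPLE is the log line quoted in the thread.

SAMPLE='Sep 21 14:07:44 3037-QGPSC-CM1 user.info kernel: asterisk[1110]: segfault at 10 ip 00002b1ed1d4882c sp 00002b1ed728fcd0 error 4 in app_queue.so[2b1ed1d34000+35000]'

# Print "addr ip sp error module base size", or fail if the line is not a
# segfault record in the expected layout.
segfault_fields() {
    _f=$(printf '%s\n' "$1" | sed -n \
        's/.*segfault at \([0-9a-f][0-9a-f]*\) ip \([0-9a-f][0-9a-f]*\) sp \([0-9a-f][0-9a-f]*\) error \([0-9a-f][0-9a-f]*\) in \([^[]*\)\[\([0-9a-f][0-9a-f]*\)+\([0-9a-f][0-9a-f]*\)].*/\1 \2 \3 \4 \5 \6 \7/p')
    [ -n "$_f" ] || return 1
    printf '%s\n' "$_f"
}

# Print "module+0xoffset": the instruction pointer relative to the load base of
# the shared object. The offset is stable across restarts even with ASLR.
segfault_offset() {
    _f=$(segfault_fields "$1") || return 1
    set -- $_f
    _off=$(( 0x$2 - 0x$6 ))
    # The ip must lie inside [base, base+size) for the offset to mean anything.
    [ "$_off" -ge 0 ] && [ "$_off" -lt $(( 0x$7 )) ] || return 1
    printf '%s+0x%x\n' "$5" "$_off"
}

# Decode the page-fault error code (printed in hex by the kernel).
# bit 0: 0 = page not present, 1 = protection violation
# bit 1: 0 = read, 1 = write
# bit 2: 0 = kernel mode, 1 = user mode
# bit 4: 1 = instruction fetch
decode_pf_error() {
    _e=$(( 0x$1 ))
    if [ $(( _e & 4 )) -ne 0 ]; then _mode=user-mode; else _mode=kernel-mode; fi
    if [ $(( _e & 16 )) -ne 0 ]; then _op='instruction fetch'
    elif [ $(( _e & 2 )) -ne 0 ]; then _op=write
    else _op=read
    fi
    if [ $(( _e & 1 )) -ne 0 ]; then _why='protection violation'
    else _why='page not present'
    fi
    printf '%s %s, %s\n' "$_mode" "$_op" "$_why"
}

# Classify the faulting address. An address inside the first page is the usual
# signature of a NULL pointer plus a small field offset (a heuristic, not proof).
# Compared as a string so addresses above 2^63 cannot overflow shell arithmetic.
fault_kind() {
    _f=$(segfault_fields "$1") || return 1
    set -- $_f
    _a=$(printf '%s' "$1" | sed 's/^0*//')
    if [ ${#_a} -le 3 ]; then echo near-null; else echo other; fi
}

# One-line summary for a log line.
triage_segfault() {
    _loc=$(segfault_offset "$1") || return 1
    _f=$(segfault_fields "$1")
    set -- "$1" $_f
    printf '%s: %s (%s address 0x%s)\n' \
        "$_loc" "$(decode_pf_error "$5")" "$(fault_kind "$1")" "$2"
}

triage_segfault "$SAMPLE"
```

The module offset is the value to compare between crashes and to quote in an upstream report; with a matching build that still has symbols, `addr2line -f -e app_queue.so <offset>` maps it to a function.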
From: Michael K. <mic...@ip...> - 2017-09-19 04:16:50

Cool I love it!
Instead of a WAN Delay which is very changeable, it waits until connectivity is established with a max delay of 2 minutes. Looks like the wonderful ping responder of 8.8.8.8 will be the test IP.

If this is indeed the problem then I think this may just be the fix.

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux List <ast...@li...>
Date: Tuesday, 19 September 2017 at 11:02 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] Power outages and SIP Trunks

Hi Michael,

I'm not sure if this will help, but here is a rc.elocal script that waits until a target host can be pinged ...

Startup delay using /mnt/kd/rc.elocal
https://gist.github.com/abelbeck/5f2b6e0c23ffc0394826cd4681a35879

Make the file executable, test in your lab, ideally change the IPv4 address to your SIP provider or such. Note you can't use DNS names since the resolver is not configured at this point.

Probably disable WANDELAY when using this.

Lonnie


On Sep 17, 2017, at 5:55 PM, Michael Knill <mic...@ip...> wrote:

> Hi All
>
> I'm starting to see a number of issues on my SIP Trunks when there is a power outage at the site. I assume the issue is when both the modem and Astlinux appliance are power reset, if the modem does not come up as fast as Astlinux, the PPPoE interface will not be available for Asterisk and for some reason the SIP Trunk stays down until you do a reload.
>
> Yes there is a WAN delay parameter for this but is there something else I can do to make this a bit more robust?
> Does anyone know what actually causes this? Why does it not keep trying? Does it just give up when there is no route?
> Should I maybe have a static default route with a high metric pointing to null or something else?
>
> Regards
> Michael Knill

From: Lonnie A. <li...@lo...> - 2017-09-19 01:02:05

Hi Michael,

I'm not sure if this will help, but here is a rc.elocal script that waits until a target host can be pinged ...

Startup delay using /mnt/kd/rc.elocal
https://gist.github.com/abelbeck/5f2b6e0c23ffc0394826cd4681a35879

Make the file executable, test in your lab, ideally change the IPv4 address to your SIP provider or such. Note you can't use DNS names since the resolver is not configured at this point.

Probably disable WANDELAY when using this.

Lonnie


On Sep 17, 2017, at 5:55 PM, Michael Knill <mic...@ip...> wrote:

> Hi All
>
> I'm starting to see a number of issues on my SIP Trunks when there is a power outage at the site. I assume the issue is when both the modem and Astlinux appliance are power reset, if the modem does not come up as fast as Astlinux, the PPPoE interface will not be available for Asterisk and for some reason the SIP Trunk stays down until you do a reload.
>
> Yes there is a WAN delay parameter for this but is there something else I can do to make this a bit more robust?
> Does anyone know what actually causes this? Why does it not keep trying? Does it just give up when there is no route?
> Should I maybe have a static default route with a high metric pointing to null or something else?
>
> Regards
> Michael Knill

From: Michael K. <mic...@ip...> - 2017-09-17 22:56:20

Hi All

I'm starting to see a number of issues on my SIP Trunks when there is a power outage at the site. I assume the issue is when both the modem and Astlinux appliance are power reset, if the modem does not come up as fast as Astlinux, the PPPoE interface will not be available for Asterisk and for some reason the SIP Trunk stays down until you do a reload.

Yes there is a WAN delay parameter for this but is there something else I can do to make this a bit more robust?
Does anyone know what actually causes this? Why does it not keep trying? Does it just give up when there is no route?
Should I maybe have a static default route with a high metric pointing to null or something else?

Regards
Michael Knill

From: Lonnie A. <li...@lo...> - 2017-09-16 13:59:02

Important: Any user that calls reload-blocklist-netset via cron and has any of the "firehol" blocklists enabled, you must take action to keep the blocklists updated.

For reference, here is our documentation for the "reload-blocklist-netset" feature:

Firewall External Block List
https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list

The author and maintainer of FireHOL IP Lists is "Costa Tsaousis", who lives in Greece, has done an excellent job with this project, aggregating threats by IP address, that are freely available.

Costa has 405 IP Lists (many of which are contained in the firehol_level1 and firehol_webclient lists), which for regular changes he committed to GitHub:
https://github.com/firehol/blocklist-ipsets

On Thu Sep 14, 2017, the GitHub folks temporarily disabled the blocklist-ipsets repository, no doubt to get Costa's attention, stating that he was using too much of their resources.

Promptly later that day Costa switched from committing to GitHub to updating his own server, surrounded by Cloudflare's CDN proxy. Costa communicated these new local links are for the long term.

Bottom Line...

Old FireHOL URL prefix:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/

New FireHOL URL prefix:
https://iplists.firehol.org/files/

While the GitHub URL's still work (repository back online), they are stale as of Thu Sep 14, 2017.

User Action Required: Choose either 1, 2 or 3 ...

1) New Pre-Release Version: astlinux-1.3-3433-7c9504 referenced at http://www.astlinux-project.org/dev.html is the easiest to upgrade, for ast11-firmware-1.x and ast13-firmware-1.x .

2) If you want to continue using your current AstLinux version, you can create the new script at /mnt/kd/bin/reload-blocklist-netset and edit your cron entry to use it instead of the system's reload-blocklist-netset
--
I created a GitHub Gist that you can use as a script, but manual cron editing is still required.
https://gist.github.com/abelbeck/981bcd0b50aa8de6eed623de19f401b1
Click on "Raw" to view a shell script you can execute to create /mnt/kd/bin/reload-blocklist-netset
--

3) Those of you that do custom builds of AstLinux, now is a good time to either "svn up" or "git pull" and create a fresh build containing the new system reload-blocklist-netset script.

Note: a few new packages have been added, you will want to update your custom .config file, say "Yes" to BR2_PACKAGE_TARSNAP=y and the default "No" to the rest of the new packages. See the default astlinux-ast1[13].config config's for reference.

For the future, the new reload-blocklist-netset script supports rc.conf variables to override the root URL's for the blocklists.

Lonnie

From: Michael K. <mic...@ip...> - 2017-09-15 01:41:16

Thanks Christopher. Good to know. I understand the APU2's run a bit cooler.
Yes it's actually hard to get mSATA now. I was concerned about the PC Engines card but sounds like it may be the go!

Interestingly the outage that generated this email was not the ALIX after all. Coincidence only.

Regards
Michael Knill

From: AstLinux List <ast...@li...>
Reply-To: The Cadillac Kid <eld...@ya...>, AstLinux List <ast...@li...>
Date: Friday, 15 September 2017 at 10:21 am
To: AstLinux List <ast...@li...>
Cc: The Cadillac Kid <eld...@ya...>
Subject: Re: [Astlinux-users] Goodbye ALIX

I've got about 150 APU1's and about 20 APU2's in the field... not on astlinux but on centos 6.X and asterisk 11 or 13 depending on version and so far all are solid.. for some reason the kernel takes a long time to boot on my APU2's I think I need a kernel bump and that will fix it.. but once up they don't crash.. I'm using the 4 gig ones and the mSata 16 card which seems to be solid as well.. they do get warm.. I have mine mounted to vented 1u Rack shelves.

-Christopher

________________________________
From: Michael Knill <mic...@ip...>
To: AstLinux List <ast...@li...>
Sent: Thursday, September 14, 2017 8:03 PM
Subject: [Astlinux-users] Goodbye ALIX

Hi all

I have decided that my ALIX boxes will need to go except for the very small systems. 1.2.10 with Asterisk 13 is just too much for these boxes and I am having to turn off stuff that I don't really want to.
It's a bit sad that I can't turn on Monit to tell me that my box is struggling because it makes the box struggle more ☹

Thank you ALIX. You have done me well.

PS. Is anyone using the APU2? APU1's seem to be going ok for me but superseded I believe by APU2.

Regards
Michael Knill

From: The C. K. <eld...@ya...> - 2017-09-15 00:21:25

I've got about 150 APU1's and about 20 APU2's in the field... not on astlinux but on centos 6.X and asterisk 11 or 13 depending on version and so far all are solid.. for some reason the kernel takes a long time to boot on my APU2's I think I need a kernel bump and that will fix it.. but once up they don't crash.. I'm using the 4 gig ones and the mSata 16 card which seems to be solid as well.. they do get warm.. I have mine mounted to vented 1u Rack shelves.

-Christopher

From: Michael Knill <mic...@ip...>
To: AstLinux List <ast...@li...>
Sent: Thursday, September 14, 2017 8:03 PM
Subject: [Astlinux-users] Goodbye ALIX

Hi all

I have decided that my ALIX boxes will need to go except for the very small systems. 1.2.10 with Asterisk 13 is just too much for these boxes and I am having to turn off stuff that I don't really want to.
It's a bit sad that I can't turn on Monit to tell me that my box is struggling because it makes the box struggle more ☹

Thank you ALIX. You have done me well.

PS. Is anyone using the APU2? APU1's seem to be going ok for me but superseded I believe by APU2.

Regards
Michael Knill

From: Michael K. <mic...@ip...> - 2017-09-15 00:02:56

Hi all

I have decided that my ALIX boxes will need to go except for the very small systems. 1.2.10 with Asterisk 13 is just too much for these boxes and I am having to turn off stuff that I don't really want to.
It's a bit sad that I can't turn on Monit to tell me that my box is struggling because it makes the box struggle more ☹

Thank you ALIX. You have done me well.

PS. Is anyone using the APU2? APU1's seem to be going ok for me but superseded I believe by APU2.

Regards
Michael Knill

From: Lonnie A. <li...@lo...> - 2017-09-12 14:15:57

On Sep 12, 2017, at 5:13 AM, Michael Keuter <li...@mk...> wrote:

> BTW: Instead of disabling a client in the WebGUI, you could also delete the appropriate key files in "/mnt/kd/openvpn/webinterface/keys/"
> in case you don't need them anymore.

No Michael, that does not work. The OpenVPN server does not need the client cert/key, but requires the client cert to have been signed by the root OpenVPN CA (ca.crt/ca.key).

For reference from the OpenVPN docs:
Ref: https://openvpn.net/index.php/open-source/documentation/howto.html

One solution to limit client access is by using "tls-verify" and a script, which we currently do in the Web Interface and "Disable" a client, the OVPN_VALIDCLIENTS rc.conf variable is used.

After some testing today, there is an alternate solution by using "crl-verify", for example let's revoke "client1":

## Find the client1.crt serial number (in hex)
pbx ~ # openssl x509 -serial -noout -in /mnt/kd/openvpn/webinterface/keys/client1.crt
serial=53C99883

## OpenVPN requires the serial number in decimal, convert from hex
pbx ~ # printf '%d\n' 0x53C99883
1405720707

## Create the "crl" directory
pbx ~ # mkdir /mnt/kd/openvpn/crl

## Create an empty file using the decimal serial number
pbx ~ # touch /mnt/kd/openvpn/crl/1405720707

## Finally, add a raw command to the Network tab -> OpenVPN Server Configuration
## Note: the 'dir' flag indicates /mnt/kd/openvpn/crl is a directory
--
Raw Commands:
crl-verify /mnt/kd/openvpn/crl dir
--

## Restart OpenVPN Server

Now every time a client attempts to connect it will check the /mnt/kd/openvpn/crl directory for a matching serial number, if there is a match, verification fails and you will see this log:
--
VERIFY CRL: certificate serial number 1405720707 is revoked
--

Files in the /mnt/kd/openvpn/crl directory can be added or removed without restarting OpenVPN server.

Please test for yourself.

Lonnie

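Added example, not part of the thread and not AstLinux code: the manual steps in the message above (read the serial, convert it to decimal, create the marker file) wrapped into shell functions for the directory that "crl-verify ... dir" points at. The function names are hypothetical. The conversion works digit by digit instead of using `printf '%d'`, on the assumption that some certificates carry serials wider than the shell's integer type, where `printf` would give a wrong file name.

```shell
#!/bin/sh
# Added example: maintain the directory used by "crl-verify <dir> dir".
# Function names are hypothetical. On AstLinux the directory from the message
# would be /mnt/kd/openvpn/crl, e.g.:
#   revoke_cert /mnt/kd/openvpn/crl /mnt/kd/openvpn/webinterface/keys/client1.crt

# Convert a hex certificate serial to decimal, one digit at a time, so serials
# wider than the shell's integer type are converted without overflow.
hex_to_dec() {
    _hex=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    # Reject anything that is not pure hex. This also keeps path characters
    # such as "/" or ".." out of the file name built from the result.
    case "$_hex" in ''|*[!0-9A-F]*) return 1 ;; esac
    _dec=0
    while [ -n "$_hex" ]; do
        _rest=${_hex#?}
        _digit=${_hex%"$_rest"}
        _hex=$_rest
        case "$_digit" in
            A) _digit=10 ;; B) _digit=11 ;; C) _digit=12 ;;
            D) _digit=13 ;; E) _digit=14 ;; F) _digit=15 ;;
        esac
        # _dec = _dec * 16 + _digit, computed on the decimal string right to left
        _carry=$_digit
        _out=
        while [ -n "$_dec" ]; do
            _head=${_dec%?}
            _last=${_dec#"$_head"}
            _dec=$_head
            _v=$(( _last * 16 + _carry ))
            _out=$(( _v % 10 ))$_out
            _carry=$(( _v / 10 ))
        done
        while [ "$_carry" -gt 0 ]; do
            _out=$(( _carry % 10 ))$_out
            _carry=$(( _carry / 10 ))
        done
        _dec=$_out
    done
    printf '%s\n' "$_dec"
}

# Serial of a certificate file in hex, as printed by openssl ("serial=53C99883").
cert_serial_hex() {
    openssl x509 -serial -noout -in "$1" | sed -n 's/^serial=//p'
}

# Revoke: create the empty marker file named after the decimal serial and
# print that name.
revoke_serial() {
    _name=$(hex_to_dec "$2") || return 1
    mkdir -p "$1" && touch "$1/$_name" || return 1
    printf '%s\n' "$_name"
}

# Reinstate: remove the marker file. Per the message, files can be added or
# removed without restarting the OpenVPN server.
unrevoke_serial() {
    _name=$(hex_to_dec "$2") || return 1
    rm -f "$1/$_name"
}

# Exit status 0 if the serial is currently listed as revoked.
is_revoked() {
    _name=$(hex_to_dec "$2") || return 2
    [ -e "$1/$_name" ]
}

# Revoke by certificate file (needs openssl on the box).
revoke_cert() {
    _serial=$(cert_serial_hex "$2")
    [ -n "$_serial" ] || return 1
    revoke_serial "$1" "$_serial"
}

# Demo in a scratch directory, using the serial shown in the message.
demo_dir=$(mktemp -d)
revoke_serial "$demo_dir/crl" 53C99883
is_revoked "$demo_dir/crl" 53C99883 && echo "53C99883 is listed as revoked"
rm -rf "$demo_dir"
```

Whoever can write to this directory decides which clients may connect, so it deserves the same ownership and permissions care as the CA key material.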
From: Michael K. <li...@mk...> - 2017-09-12 10:13:37
|
> Am 12.09.2017 um 00:22 schrieb Michael Knill <mic...@ip...>: > > Hi Lonnie > > Just wondering what would be the scenario when it would not work? e.g. it is ONLY done when you are configuring a new client. All other configuration requires a restart. > > Regards > Michael Knill BTW: Instead of disabling a client in the WebGUI, you could also delete the appropriate key files in "/mnt/kd/openvpn/webinterface/keys/" in case you don't need them anymore. > > -----Original Message----- > From: Lonnie Abelbeck <li...@lo...> > Reply-To: AstLinux List <ast...@li...> > Date: Tuesday, 12 September 2017 at 8:04 am > To: AstLinux List <ast...@li...> > Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable > > Michael, > > I quickly checked, it would be somewhat of a hack to call 'gen-rc-conf' at the appropriate sweet-spot. > > And it would not always work, a restart of OpenVPN is often required. > > Lonnie > > > On Sep 11, 2017, at 4:47 PM, Michael Knill <mic...@ip...> wrote: > >> Sorry when I say script I mean openvpn.php >> >> Regards >> Michael Knill >> >> -----Original Message----- >> From: Michael Knill <mic...@ip...> >> Reply-To: AstLinux List <ast...@li...> >> Date: Tuesday, 12 September 2017 at 7:47 am >> To: AstLinux List <ast...@li...> >> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >> >> Hi Lonnie >> >> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this? >> >> Regards >> Michael Knill >> >> -----Original Message----- >> From: Lonnie Abelbeck <li...@lo...> >> Reply-To: AstLinux List <ast...@li...> >> Date: Tuesday, 12 September 2017 at 7:01 am >> To: AstLinux List <ast...@li...> >> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >> >> Michael, >> >> Not having any "disabled" Client CN's would be a solution. 
>> >> Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN. >> >> Lonnie >> >> >> On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote: >> >>> Ah well that explains it then thanks Lonnie. >>> >>> Im glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult. >>> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one. >>> >>> Regards >>> Michael Knill >>> >>> -----Original Message----- >>> From: Lonnie Abelbeck <li...@lo...> >>> Reply-To: AstLinux List <ast...@li...> >>> Date: Monday, 11 September 2017 at 11:16 pm >>> To: AstLinux List <ast...@li...> >>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>> >>> Michael, >>> >>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client. >>> >>> This is not a OpenVPN requirement per se. but rather the configuration for openvpn. >>> >>> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not include a tls-verify option. >>> >>> On the other had, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config, that goes for most any change in OpenVPN Server. 
>>> Lonnie
>>>
>>> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>>> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lo...>
>>>> Reply-To: AstLinux List <ast...@li...>
>>>> Date: Monday, 11 September 2017 at 1:24 pm
>>>> To: AstLinux List <ast...@li...>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>
>>>> Michael,
>>>>
>>>> You could try
>>>> -- OpenVPN Server --
>>>> Raw Commands: duplicate-cn
>>>> --
>>>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>>>>
>>>> Is there a OpenVPN client you forgot about ? Are any sharing a username ?
>>>>
>>>> I can generate the "duplicate-cn" log myself by connecting, disconnect and re-connecting using the same client. But it all works, no issues.
>>>>
>>>> Lonnie
>>>>
>>>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>>> Ah I did remember seeing something in the logs about this:
>>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>>>>
>>>>> Is this a complaint? Should I just enable it anyway?
>>>>> I assume I add it to the RAW Commands?
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>> Date: Monday, 11 September 2017 at 11:52 am
>>>>> To: AstLinux List <ast...@li...>
>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>
>>>>> Michael,
>>>>>
>>>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>>>>
>>>>> You are not "sharing" a client certificate are you ? If you are do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...
>>>>>
>>>>> --duplicate-cn
>>>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>>>>
>>>>> Sounds a little like what you are describing.
>>>>>
>>>>> else ...
>>>>>
>>>>> Is your Yealink running the latest (or recent) firmware ?
>>>>>
>>>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>>>
>>>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>>>>
>>>>> Lonnie
>>>>>
>>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>>> Hi Lonnie
>>>>>>
>>>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with.
>>>>>>
>>>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>>>>> Can you think why this could be happening?
>>>>>>
>>>>>> Regards
>>>>>> Michael Knill
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>>>> To: AstLinux List <ast...@li...>
>>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>>
>>>>>> Michael,
>>>>>>
>>>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>>>>
>>>>>> Client Certificates and Keys: -> Disabled checked (correct ?)
>>>>>>
>>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>>>>
>>>>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>
>>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flakey.
>>>>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>>>>
>>>>>>> I noticed that I am getting these in the logs:
>>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>>>>
>>>>>>> I'm not sure what they mean? What could the problem be?
>>>>>>>
>>>>>>> Regards
>>>>>>> Michael Knill
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>> _______________________________________________
>>>>>>> Astlinux-users mailing list
>>>>>>> Ast...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>>>>
>>>>>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
Michael http://www.mksolutions.info |
From: Michael K. <mic...@ip...> - 2017-09-11 22:22:35
|
Hi Lonnie

Just wondering what would be the scenario when it would not work? e.g. it is ONLY done when you are configuring a new client. All other configuration requires a restart.

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux List <ast...@li...>
Date: Tuesday, 12 September 2017 at 8:04 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable

Michael,

I quickly checked, it would be somewhat of a hack to call 'gen-rc-conf' at the appropriate sweet-spot. And it would not always work, a restart of OpenVPN is often required.

Lonnie

On Sep 11, 2017, at 4:47 PM, Michael Knill <mic...@ip...> wrote:

> Sorry when I say script I mean openvpn.php
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Michael Knill <mic...@ip...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Tuesday, 12 September 2017 at 7:47 am
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Hi Lonnie
>
> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Tuesday, 12 September 2017 at 7:01 am
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Michael,
>
> Not having any "disabled" Client CN's would be a solution.
>
> Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.
>
> Lonnie
>
> On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:
>
>> Ah well that explains it then thanks Lonnie.
>>
>> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
>> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lo...>
>> Reply-To: AstLinux List <ast...@li...>
>> Date: Monday, 11 September 2017 at 11:16 pm
>> To: AstLinux List <ast...@li...>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>
>> Michael,
>>
>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.
>>
>> This is not a OpenVPN requirement per se. but rather the configuration for openvpn.
>>
>> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not include a tls-verify option.
>>
>> On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config, that goes for most any change in OpenVPN Server.
>>
>> Lonnie
>>
>> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:
>>
>>> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lo...>
>>> Reply-To: AstLinux List <ast...@li...>
>>> Date: Monday, 11 September 2017 at 1:24 pm
>>> To: AstLinux List <ast...@li...>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>
>>> Michael,
>>>
>>> You could try
>>> -- OpenVPN Server --
>>> Raw Commands: duplicate-cn
>>> --
>>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>>>
>>> Is there a OpenVPN client you forgot about ? Are any sharing a username ?
>>>
>>> I can generate the "duplicate-cn" log myself by connecting, disconnect and re-connecting using the same client. But it all works, no issues.
>>>
>>> Lonnie
>>>
>>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>>> Ah I did remember seeing something in the logs about this:
>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>>>
>>>> Is this a complaint? Should I just enable it anyway?
>>>> I assume I add it to the RAW Commands?
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lo...>
>>>> Reply-To: AstLinux List <ast...@li...>
>>>> Date: Monday, 11 September 2017 at 11:52 am
>>>> To: AstLinux List <ast...@li...>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>
>>>> Michael,
>>>>
>>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>>>
>>>> You are not "sharing" a client certificate are you ? If you are do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...
>>>>
>>>> --duplicate-cn
>>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>>>
>>>> Sounds a little like what you are describing.
>>>>
>>>> else ...
>>>>
>>>> Is your Yealink running the latest (or recent) firmware ?
>>>>
>>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>>
>>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>>>
>>>> Lonnie
>>>>
>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>>> Hi Lonnie
>>>>>
>>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with.
>>>>>
>>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>>>> Can you think why this could be happening?
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>>> To: AstLinux List <ast...@li...>
>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>
>>>>> Michael,
>>>>>
>>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>>>
>>>>> Client Certificates and Keys: -> Disabled checked (correct ?)
>>>>>
>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>>>
>>>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>>>
>>>>> Lonnie
>>>>>
>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flakey.
>>>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>>>
>>>>>> I noticed that I am getting these in the logs:
>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>>>
>>>>>> I'm not sure what they mean? What could the problem be?
>>>>>>
>>>>>> Regards
>>>>>> Michael Knill
|
From: Lonnie A. <li...@lo...> - 2017-09-11 22:04:04
|
Michael,

I quickly checked, it would be somewhat of a hack to call 'gen-rc-conf' at the appropriate sweet-spot. And it would not always work, a restart of OpenVPN is often required.

Lonnie

On Sep 11, 2017, at 4:47 PM, Michael Knill <mic...@ip...> wrote:

> Sorry when I say script I mean openvpn.php
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Michael Knill <mic...@ip...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Tuesday, 12 September 2017 at 7:47 am
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Hi Lonnie
>
> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Tuesday, 12 September 2017 at 7:01 am
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Michael,
>
> Not having any "disabled" Client CN's would be a solution.
>
> Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.
>
> Lonnie
>
> On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:
>
>> Ah well that explains it then thanks Lonnie.
>>
>> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
>> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>> >> Regards >> Michael Knill >> >> -----Original Message----- >> From: Lonnie Abelbeck <li...@lo...> >> Reply-To: AstLinux List <ast...@li...> >> Date: Monday, 11 September 2017 at 11:16 pm >> To: AstLinux List <ast...@li...> >> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >> >> Michael, >> >> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client. >> >> This is not a OpenVPN requirement per se. but rather the configuration for openvpn. >> >> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not include a tls-verify option. >> >> On the other had, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config, that goes for most any change in OpenVPN Server. >> >> Lonnie >> >> >> >> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote: >> >>> Thanks Lonnie. I suspect that this is not the problem but I cant understand why I need to restart the server before it works. >>> >>> Regards >>> Michael Knill >>> >>> -----Original Message----- >>> From: Lonnie Abelbeck <li...@lo...> >>> Reply-To: AstLinux List <ast...@li...> >>> Date: Monday, 11 September 2017 at 1:24 pm >>> To: AstLinux List <ast...@li...> >>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>> >>> Michael, >>> >>> You could try >>> -- OpenVPN Server -- >>> Raw Commands: duplicate-cn >>> -- >>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect". 
>>> >>> Is there a OpenVPN client you forgot about ? Are any sharing a username ? >>> >>> I can generate the "duplicate-cn" log myself by connecting, disconnect and re-connecting using the same client. But it all works, no issues. >>> >>> Lonnie >>> >>> >>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote: >>> >>>> Ah I did remember seeing something in the logs about this: >>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect. >>>> >>>> Is this a complaint? Should I just enable it anyway? >>>> I assume I add it to the RAW Commands? >>>> >>>> Regards >>>> Michael Knill >>>> >>>> -----Original Message----- >>>> From: Lonnie Abelbeck <li...@lo...> >>>> Reply-To: AstLinux List <ast...@li...> >>>> Date: Monday, 11 September 2017 at 11:52 am >>>> To: AstLinux List <ast...@li...> >>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>>> >>>> Michael, >>>> >>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good. >>>> >>>> You are not "sharing" a client certificate are you ? If you are do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ... >>>> >>>> --duplicate-cn >>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name. >>>> >>>> Sounds a little like what you are describing. >>>> >>>> else ... >>>> >>>> Is your Yealink running the latest (or recent) firmware ? >>>> >>>> AstLinux is using the latest OpenVPN series 2.4.x. 
>>>> >>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue. >>>> >>>> Lonnie >>>> >>>> >>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote: >>>> >>>>> Hi Lonnie >>>>> >>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with. >>>>> >>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server. >>>>> Can you think why this could be happening? >>>>> >>>>> Regards >>>>> Michael Knill >>>>> >>>>> -----Original Message----- >>>>> From: Lonnie Abelbeck <li...@lo...> >>>>> Reply-To: AstLinux List <ast...@li...> >>>>> Date: Monday, 11 September 2017 at 9:55 am >>>>> To: AstLinux List <ast...@li...> >>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>>>> >>>>> Michael, >>>>> >>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled. >>>>> >>>>> Client Certificates and Keys: -> Disabled checked (correct ?) >>>>> >>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script >>>>> >>>>> Is your Yealink using one of the "Disabled" CommonNames ? >>>>> >>>>> Lonnie >>>>> >>>>> >>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote: >>>>> >>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flakey. >>>>>> Once its up it seems to be fine but getting it to that stage is an issue. >>>>>> >>>>>> I noticed that I am getting these in the logs: >>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1 >>>>>> >>>>>> Im not sure what they mean? What could the problem be? 
>>>>>>
>>>>>> Regards
>>>>>> Michael Knill
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________
>>>>>> Astlinux-users mailing list
>>>>>> Ast...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>>>
>>>>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
|
From: Michael K. <mic...@ip...> - 2017-09-11 21:48:00
|
Sorry when I say script I mean openvpn.php

Regards
Michael Knill

-----Original Message-----
From: Michael Knill <mic...@ip...>
Reply-To: AstLinux List <ast...@li...>
Date: Tuesday, 12 September 2017 at 7:47 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable

Hi Lonnie

Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux List <ast...@li...>
Date: Tuesday, 12 September 2017 at 7:01 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable

Michael,

Not having any "disabled" Client CN's would be a solution.

Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.

Lonnie

On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:

> Ah well that explains it then thanks Lonnie.
>
> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Monday, 11 September 2017 at 11:16 pm
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Michael,
>
> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.
>
> This is not an OpenVPN requirement per se, but rather the configuration for openvpn.
>
> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not include a tls-verify option.
>
> On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config, that goes for most any change in OpenVPN Server.
>
> Lonnie
>
>
>
> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:
>
>> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lo...>
>> Reply-To: AstLinux List <ast...@li...>
>> Date: Monday, 11 September 2017 at 1:24 pm
>> To: AstLinux List <ast...@li...>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>
>> Michael,
>>
>> You could try
>> -- OpenVPN Server --
>> Raw Commands: duplicate-cn
>> --
>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>>
>> Is there an OpenVPN client you forgot about ? Are any sharing a username ?
>>
>> I can generate the "duplicate-cn" log myself by connecting, disconnect and re-connecting using the same client. But it all works, no issues.
>>
>> Lonnie
>>
>>
>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>>
>>> Ah I did remember seeing something in the logs about this:
>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>>
>>> Is this a complaint? Should I just enable it anyway?
>>> I assume I add it to the RAW Commands?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lo...>
>>> Reply-To: AstLinux List <ast...@li...>
>>> Date: Monday, 11 September 2017 at 11:52 am
>>> To: AstLinux List <ast...@li...>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>
>>> Michael,
>>>
>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>>
>>> You are not "sharing" a client certificate are you ? If you are do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...
>>>
>>> --duplicate-cn
>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>>
>>> Sounds a little like what you are describing.
>>>
>>> else ...
>>>
>>> Is your Yealink running the latest (or recent) firmware ?
>>>
>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>
>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>>
>>> Lonnie
>>>
>>>
>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>>> Hi Lonnie
>>>>
>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with.
>>>>
>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>>> Can you think why this could be happening?
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lo...>
>>>> Reply-To: AstLinux List <ast...@li...>
>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>> To: AstLinux List <ast...@li...>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>
>>>> Michael,
>>>>
>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>>
>>>> Client Certificates and Keys: -> Disabled checked (correct ?)
>>>>
>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>>
>>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>>
>>>> Lonnie
>>>>
>>>>
>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flakey.
>>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>>
>>>>> I noticed that I am getting these in the logs:
>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>>
>>>>> I'm not sure what they mean? What could the problem be?
>>>>>
>>>>> Regards
>>>>> Michael Knill
|
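The CN allow-list check discussed in this thread, sketched as a stand-alone `--tls-verify` hook. This is an added example, not AstLinux's /usr/sbin/openvpn-tls-verify: the function names, the one-line `OVPN_VALIDCLIENTS="..."` file layout, re-reading that file on every call, and the sample CNs are assumptions made for illustration. It shows a newly added client being rejected with status 1 until the list the hook reads is regenerated.

```shell
#!/bin/sh
# Added illustration of a CN allow-list hook for OpenVPN's --tls-verify.
# OpenVPN runs the hook as:  <script> <certificate_depth> <subject>
# Exit status 0 accepts the certificate; a non-zero status rejects the
# handshake and is logged as "(--tls-verify script): external program
# exited with error status: 1".

# Print the CN from an X.509 subject string. Accepts both the
# "C=AU, O=Example, CN=phone-01" and "/C=AU/O=Example/CN=phone-01" layouts.
# Limitation: a CN that itself contains ',' or '/' is truncated.
subject_cn() {
  printf '%s\n' "$1" | tr ',/' '\n\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Print the allow-list stored in a file as one line:
#   OVPN_VALIDCLIENTS="cn1 cn2 ..."
# (assumed layout; the last matching line wins).
load_valid_clients() {
  sed -n 's/^OVPN_VALIDCLIENTS="\(.*\)"$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Decide like a --tls-verify script: return 0 to accept, 1 to reject.
#   $1 = certificate depth (0 = the client's own certificate)
#   $2 = X.509 subject string
#   $3 = space-separated allow-list of CNs (assumed to be plain tokens)
tls_verify() {
  depth="$1"; subject="$2"; valid="$3"
  case "$depth" in
    0) ;;                 # client certificate: check its CN below
    [1-9]*) return 0 ;;   # CA certificates in the chain carry no client name
    *) return 1 ;;        # malformed depth: fail closed
  esac
  cn="$(subject_cn "$subject")"
  [ -n "$cn" ] || return 1          # no CN found: fail closed
  for name in $valid; do
    [ "$name" = "$cn" ] && return 0
  done
  return 1                          # CN not listed (or list empty/missing)
}

# Same decision, but with the allow-list re-read from a file on each call,
# so rewriting the file changes the outcome without touching the daemon.
#   $1 = file, $2 = depth, $3 = subject
tls_verify_from_file() {
  tls_verify "$2" "$3" "$(load_valid_clients "$1")"
}

# Constructed scenario: phone-03 is added after the list was written.
demo() {
  conf="${TMPDIR:-/tmp}/ovpn-validclients-demo.$$"
  new_phone='C=AU, O=Example, CN=phone-03'

  echo 'OVPN_VALIDCLIENTS="phone-01 phone-02"' > "$conf"
  before=0
  tls_verify_from_file "$conf" 0 "$new_phone" || before=$?

  # The list is regenerated with the new client included.
  echo 'OVPN_VALIDCLIENTS="phone-01 phone-02 phone-03"' > "$conf"
  after=0
  tls_verify_from_file "$conf" 0 "$new_phone" || after=$?

  rm -f "$conf"
  echo "before=$before after=$after"
}

demo
```

OpenVPN also exports the leaf certificate's CN to the hook as the environment variable `X509_0_CN`, which avoids parsing the subject string at all.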
From: Michael K. <mic...@ip...> - 2017-09-11 21:46:53
|
Hi Lonnie

Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux List <ast...@li...>
Date: Tuesday, 12 September 2017 at 7:01 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable

Michael,

Not having any "disabled" Client CN's would be a solution.

Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.

Lonnie
|
From: Lonnie A. <li...@lo...> - 2017-09-11 21:01:00
|
Michael,

Not having any "disabled" Client CN's would be a solution.

Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.

Lonnie

On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:

> Ah well that explains it then thanks Lonnie.
>
> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>
> Regards
> Michael Knill
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >> >> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... >> >> > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > > |
From: Michael K. <mic...@ip...> - 2017-09-11 20:43:49
|
Ah well that explains it then thanks Lonnie.
I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.

So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.

Regards
Michael Knill
|
From: Lonnie A. <li...@lo...> - 2017-09-11 13:16:29
|
Michael,

If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.

This is not an OpenVPN requirement per se, but rather the configuration for openvpn.

To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not include a tls-verify option.

On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed.

If you add a new Client you need to Restart OpenVPN Server to update the config, that goes for most any change in OpenVPN Server.

Lonnie
|
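The allowlist check described in the message above, sketched as an added example; it is not part of the original thread and is not the contents of AstLinux's /usr/sbin/openvpn-tls-verify. It assumes a comma-separated certificate subject and passes the allowed names as an argument standing in for OVPN_VALIDCLIENTS; the function names, the two phone names and the subject fields are made up, and only the CN `001565F4634C` comes from the thread's log.

```shell
#!/bin/sh
# Added illustration: a hypothetical --tls-verify hook, NOT the contents of
# AstLinux's /usr/sbin/openvpn-tls-verify. OpenVPN runs the hook once per
# certificate in the chain as:  cmd <certificate_depth> <subject>
# Exit status 0 accepts the certificate; a non-zero status fails the
# handshake, which is what the "--tls-verify script ... error status: 1"
# warning in the thread reports.

# Pull the CN out of a subject such as "C=AU, O=Example, CN=001565F4634C"
# (comma-separated form assumed).
subject_cn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# tls_verify <depth> <subject> <allowed CNs, space separated>
# The third argument stands in for OVPN_VALIDCLIENTS (assumption: how the
# real script receives that list is not shown in the thread).
tls_verify() {
  depth=$1; subject=$2; allowed=$3
  case "$depth" in
    0) ;;                         # client (leaf) certificate: checked below
    ''|*[!0-9]*) return 1 ;;      # malformed depth: fail closed
    *) return 0 ;;                # CA chain: left to OpenVPN's own validation
  esac
  cn=$(subject_cn "$subject")
  [ -n "$cn" ] || return 1        # subject without a CN: reject
  for name in $allowed; do
    [ "$name" = "$cn" ] && return 0   # exact match only, never a substring
  done
  return 1
}

# Report the outcome of one handshake as a word instead of an exit status.
handshake_result() {
  if tls_verify "$1" "$2" "$3"; then echo accepted; else echo rejected; fi
}

# Constructed sample data. The CN is the one from the log line in the thread;
# the other names and the subject fields are made up.
NEW_PHONE="C=AU, O=Example, CN=001565F4634C"
LIST_AT_SERVER_START="phone-reception phone-lab"
LIST_AFTER_RESTART="phone-reception phone-lab 001565F4634C"

# A phone added after the server started is not in the list the running
# configuration was generated with, so its handshake is refused until the
# restart regenerates the configuration.
echo "before restart: $(handshake_result 0 "$NEW_PHONE" "$LIST_AT_SERVER_START")"
echo "after restart:  $(handshake_result 0 "$NEW_PHONE" "$LIST_AFTER_RESTART")"
```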
From: Michael K. <mic...@ip...> - 2017-09-11 04:59:28
|
Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.

Regards
Michael Knill
|
From: Lonnie A. <li...@lo...> - 2017-09-11 03:23:53
|
Michael,

You could try -- OpenVPN Server -- Raw Commands: duplicate-cn -- and see if that helps.

But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".

Is there an OpenVPN client you forgot about ? Are any sharing a username ?

I can generate the "duplicate-cn" log myself by connecting, disconnecting and re-connecting using the same client. But it all works, no issues.

Lonnie

On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:

> Ah I did remember seeing something in the logs about this:
> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>
> Is this a complaint? Should I just enable it anyway?
> I assume I add it to the RAW Commands?
>
> Regards
> Michael Knill
|
From: Michael K. <mic...@ip...> - 2017-09-11 02:22:24
|
Ah I did remember seeing something in the logs about this:
Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

Is this a complaint? Should I just enable it anyway?
I assume I add it to the RAW Commands?

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lo...>
Reply-To: AstLinux List <ast...@li...>
Date: Monday, 11 September 2017 at 11:52 am
To: AstLinux List <ast...@li...>
Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable

Michael,

Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.

You are not "sharing" a client certificate are you ? If you are, do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...

--duplicate-cn
Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.

Sounds a little like what you are describing.

else ...

Is your Yealink running the latest (or recent) firmware ?

AstLinux is using the latest OpenVPN series 2.4.x.

You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.

Lonnie

On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:

> Hi Lonnie
>
> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with.
>
> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
> Can you think why this could be happening?
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Monday, 11 September 2017 at 9:55 am
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Michael,
>
> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>
> Client Certificates and Keys: -> Disabled checked (correct ?)
>
> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>
> Is your Yealink using one of the "Disabled" CommonNames ?
>
> Lonnie
>
> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>
>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flakey.
>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>
>> I noticed that I am getting these in the logs:
>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>
>> I'm not sure what they mean? What could the problem be?
>>
>> Regards
>> Michael Knill

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
|
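The thread traces the "--tls-verify script ... exited with error status: 1" warning to a Common Name allow-list check. The sketch below is an added example of that kind of check, not AstLinux's /usr/sbin/openvpn-tls-verify script and not code from anyone in the thread. The space-separated format of OVPN_VALIDCLIENTS, the function names and the sample subjects are assumptions.

```shell
#!/bin/sh
# Hypothetical Common Name allow-list for OpenVPN's --tls-verify hook.
# OpenVPN runs the hook as:  <script> <certificate_depth> <subject>
# A non-zero exit rejects the handshake and is logged as
# "external program exited with error status: N".

# Assumption: allowed CNs as a space-separated list (constructed sample values).
OVPN_VALIDCLIENTS="${OVPN_VALIDCLIENTS:-001565F4634C phone-lobby}"

# Print the CN field of a subject such as "C=AU, O=Example, CN=phone-lobby".
# Only a field that starts with "CN=" counts, so "OU=CN=x" does not match.
subject_cn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Return 0 to accept the certificate, 1 to reject it.
tls_verify() {
  depth="$1"
  subject="$2"

  case "$depth" in
    ''|*[!0-9]*) return 1 ;;  # malformed depth: fail closed
    0) ;;                     # client (leaf) certificate: checked below
    *) return 0 ;;            # CA certificates higher in the chain
  esac

  cn=$(subject_cn "$subject")
  if [ -z "$cn" ]; then
    return 1                  # no CN to compare: fail closed
  fi

  # Exact string match only; no prefix or wildcard matching.
  for allowed in $OVPN_VALIDCLIENTS; do
    if [ "$cn" = "$allowed" ]; then
      return 0
    fi
  done
  return 1                    # CN not on the list
}

# Act as the hook only when OpenVPN supplies both arguments.
if [ "$#" -ge 2 ]; then
  tls_verify "$1" "$2"
  exit $?
fi
```

A hook like this is consulted for every certificate in the chain, so a rejected client shows up in the server log only as the exit status; raising the log verbosity, as suggested in the thread, is what reveals the subject that failed.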