From: Lonnie A. <li...@lo...> - 2017-09-11 13:16:29
Michael,

If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.

This is not an OpenVPN requirement per se, but rather the configuration for openvpn.

To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not include a tls-verify option.

On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CNs in OVPN_VALIDCLIENTS are allowed.

If you add a new Client you need to Restart OpenVPN Server to update the config, that goes for most any change in OpenVPN Server.

Lonnie


On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:

> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Monday, 11 September 2017 at 1:24 pm
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Michael,
>
> You could try
> -- OpenVPN Server --
> Raw Commands: duplicate-cn
> --
> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>
> Is there an OpenVPN client you forgot about ? Are any sharing a username ?
>
> I can generate the "duplicate-cn" log myself by connecting, disconnect and re-connecting using the same client. But it all works, no issues.
>
> Lonnie
>
>
> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>
>> Ah I did remember seeing something in the logs about this:
>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>
>> Is this a complaint? Should I just enable it anyway?
>> I assume I add it to the RAW Commands?
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lo...>
>> Reply-To: AstLinux List <ast...@li...>
>> Date: Monday, 11 September 2017 at 11:52 am
>> To: AstLinux List <ast...@li...>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>
>> Michael,
>>
>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>
>> You are not "sharing" a client certificate are you ? If you are do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...
>>
>> --duplicate-cn
>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>
>> Sounds a little like what you are describing.
>>
>> else ...
>>
>> Is your Yealink running the latest (or recent) firmware ?
>>
>> AstLinux is using the latest OpenVPN series 2.4.x.
>>
>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>
>> Lonnie
>>
>>
>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>
>>> Hi Lonnie
>>>
>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with.
>>>
>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>> Can you think why this could be happening?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lo...>
>>> Reply-To: AstLinux List <ast...@li...>
>>> Date: Monday, 11 September 2017 at 9:55 am
>>> To: AstLinux List <ast...@li...>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>
>>> Michael,
>>>
>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>
>>> Client Certificates and Keys: -> Disabled checked (correct ?)
>>>
>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>
>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>
>>> Lonnie
>>>
>>>
>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flakey.
>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>
>>>> I noticed that I am getting these in the logs:
>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>
>>>> I'm not sure what they mean? What could the problem be?
>>>>
>>>> Regards
>>>> Michael Knill
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> Ast...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>
>>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
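
Added example (not part of the thread, and not the AstLinux /usr/sbin/openvpn-tls-verify script): a minimal CN allow-list check of the kind Lonnie describes, showing why a phone added after the server loaded its list is rejected with exit status 1 until the list is regenerated. The function names, the space-separated list format and the sample subjects are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration; NOT the AstLinux /usr/sbin/openvpn-tls-verify script.
# OpenVPN runs a --tls-verify command as: cmd <certificate_depth> <subject>
# Exit status 0 accepts the certificate, non-zero rejects the connection.

# extract_cn SUBJECT: print the CN field of an OpenVPN 2.4-style subject,
# e.g. "C=AU, O=Example, CN=name". Assumes no comma inside the CN itself.
extract_cn() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# verify_client DEPTH SUBJECT ALLOWLIST
# ALLOWLIST: space-separated permitted CNs (assumed format, hypothetical name).
verify_client() {
  depth=$1 subject=$2 allowlist=$3
  case $depth in
    0) ;;                              # leaf (client) certificate: check it
    ''|*[!0-9]*) return 1 ;;           # malformed depth: fail closed
    *) return 0 ;;                     # CA certificates higher in the chain
  esac
  cn=$(extract_cn "$subject")
  [ -n "$cn" ] || return 1             # no CN present: fail closed
  case $cn in *' '*) return 1 ;; esac  # a space would span two list entries
  # Whole-word match, so "phone1" does not match an entry "phone10".
  case " $allowlist " in *" $cn "*) return 0 ;; esac
  return 1
}

# Constructed sample data; the CN is the one quoted in the thread's log line.
SUBJECT='C=AU, O=Example, CN=001565F4634C'
OLD_LIST='0015650000A1 0015650000A2'   # list as loaded when the server started
NEW_LIST="$OLD_LIST 001565F4634C"      # list after the config is regenerated

for list in "$OLD_LIST" "$NEW_LIST"; do
  if verify_client 0 "$SUBJECT" "$list"; then
    echo "accept: [$list]"
  else
    echo "reject (exit status 1): [$list]"
  fi
done
```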