From: Lonnie A. <li...@lo...> - 2017-09-12 18:55:00

Moved to the astlinux-devel list ...

I thought of a more elegant solution, how about if in the /usr/sbin/openvpn-tls-verify script we source /mnt/kd/rc.conf.d/gui.openvpn.conf instead of /etc/rc.conf ? Possibly we could make sure /mnt/kd/rc.conf.d/gui.openvpn.conf is newer than /etc/rc.conf as a sanity check.

While this would not be perfect, it would use the updated OVPN_VALIDCLIENTS when a new client was added without having to restart OpenVPN. Additionally, if one or more clients are already "Disabled" this would also allow additional clients to be Disabled without restarting OpenVPN.

The only edge condition I can think of is when OpenVPN was last started with "Disabled" clients and later all "Disabled" clients were unchecked (Enabled) and saved; in that case an OpenVPN Server restart would be needed, and no new clients could connect until the restart. A low percentage edge condition compared to the typical operation.

Needs some testing ...

Lonnie

On Sep 11, 2017, at 4:46 PM, Michael Knill <mic...@ip...> wrote:

> Hi Lonnie
>
> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lo...>
> Reply-To: AstLinux List <ast...@li...>
> Date: Tuesday, 12 September 2017 at 7:01 am
> To: AstLinux List <ast...@li...>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>
> Michael,
>
> Not having any "disabled" Client CN's would be a solution.
>
> Power User tip -> if (only) a new Client is added with previously "disabled" Client CN's and continued "disabled" Client CN's, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.
>
> Lonnie
>
>
> On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:
>
>> Ah well that explains it then thanks Lonnie.
>>
>> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
>> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lo...>
>> Reply-To: AstLinux List <ast...@li...>
>> Date: Monday, 11 September 2017 at 11:16 pm
>> To: AstLinux List <ast...@li...>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>
>> Michael,
>>
>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.
>>
>> This is not an OpenVPN requirement per se, but rather the configuration for openvpn.
>>
>> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, and the openvpn configuration does not include a tls-verify option.
>>
>> On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, and the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CN's in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config; that goes for most any change in OpenVPN Server.
>>
>> Lonnie
>>
>>
>> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:
>>
>>> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lo...>
>>> Reply-To: AstLinux List <ast...@li...>
>>> Date: Monday, 11 September 2017 at 1:24 pm
>>> To: AstLinux List <ast...@li...>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>
>>> Michael,
>>>
>>> You could try
>>> -- OpenVPN Server --
>>> Raw Commands: duplicate-cn
>>> --
>>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>>>
>>> Is there an OpenVPN client you forgot about ? Are any sharing a username ?
>>>
>>> I can generate the "duplicate-cn" log myself by connecting, disconnecting and re-connecting using the same client. But it all works, no issues.
>>>
>>> Lonnie
>>>
>>>
>>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>>> Ah I did remember seeing something in the logs about this:
>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>>>
>>>> Is this a complaint? Should I just enable it anyway?
>>>> I assume I add it to the RAW Commands?
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lo...>
>>>> Reply-To: AstLinux List <ast...@li...>
>>>> Date: Monday, 11 September 2017 at 11:52 am
>>>> To: AstLinux List <ast...@li...>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>
>>>> Michael,
>>>>
>>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>>>
>>>> You are not "sharing" a client certificate are you ? If you are, do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...
>>>>
>>>> --duplicate-cn
>>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>>>
>>>> Sounds a little like what you are describing.
>>>>
>>>> else ...
>>>>
>>>> Is your Yealink running the latest (or recent) firmware ?
>>>>
>>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>>
>>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>>> Hi Lonnie
>>>>>
>>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the one I was having problems with.
>>>>>
>>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>>>> Can you think why this could be happening?
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>>> To: AstLinux List <ast...@li...>
>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>
>>>>> Michael,
>>>>>
>>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>>>
>>>>> Client Certificates and Keys: -> Disabled checked (correct ?)
>>>>>
>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>>>
>>>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>>>
>>>>> Lonnie
>>>>>
>>>>>
>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flakey.
>>>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>>>
>>>>>> I noticed that I am getting these in the logs:
>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>>>
>>>>>> I'm not sure what they mean? What could the problem be?
>>>>>>
>>>>>> Regards
>>>>>> Michael Knill
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>> _______________________________________________
>>>>>> Astlinux-users mailing list
>>>>>> Ast...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>>>
>>>>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
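The thread above describes how a "tls-verify" script gates client connections on the OVPN_VALIDCLIENTS list, why a stale /etc/rc.conf forces a server restart after every new Client, and Lonnie's proposal to read /mnt/kd/rc.conf.d/gui.openvpn.conf instead when it is newer. The script below is an added example illustrating that design; it is not the AstLinux project's /usr/sbin/openvpn-tls-verify and it assumes (labelled in the comments) that OVPN_VALIDCLIENTS is a space-separated list of client Common Names and that OpenVPN calls the script with the two documented arguments, certificate depth and X509 subject string. The function names pick_conf, cn_from_subject, cn_allowed and tls_verify are hypothetical.

```shell
#!/bin/sh
# Added example (not the AstLinux project's script): a tls-verify style check of
# the client certificate CN against OVPN_VALIDCLIENTS, reading the GUI-written
# config when it is newer than /etc/rc.conf so a new Client takes effect without
# restarting OpenVPN.  OpenVPN runs a --tls-verify script with two arguments:
# certificate depth (0 = the client's own cert) and the X509 subject string.
# Exit status 0 allows the connection; non-zero rejects it and produces the
# "Failed running command (--tls-verify script)" warning seen in the thread.

RC_CONF="${RC_CONF:-/etc/rc.conf}"
GUI_CONF="${GUI_CONF:-/mnt/kd/rc.conf.d/gui.openvpn.conf}"

# pick_conf RC GUI: print the file to source.  The GUI file is used only when it
# exists and is strictly newer than RC (the sanity check proposed in the thread);
# otherwise the generated rc.conf remains authoritative.
pick_conf() {
  rc="$1"; gui="$2"
  if [ -f "$gui" ] && [ "$gui" -nt "$rc" ]; then
    printf '%s\n' "$gui"
  else
    printf '%s\n' "$rc"
  fi
}

# cn_from_subject SUBJECT: extract the CN= value from an X509 subject string in
# either "C=US, O=x, CN=foo" or legacy "/C=US/O=x/CN=foo" form.  A leading space
# is prepended so a subject that starts with "CN=" still matches the delimiter.
cn_from_subject() {
  printf ' %s\n' "$1" | sed -n 's#.*[/, ]CN=\([^,/]*\).*#\1#p'
}

# cn_allowed CN LIST: succeed if CN is one of the space-separated names.
# (Assumption: OVPN_VALIDCLIENTS is a space-separated list of CNs.)
cn_allowed() {
  cn="$1"; list="$2"
  for allowed in $list; do
    [ "$allowed" = "$cn" ] && return 0
  done
  return 1
}

# tls_verify DEPTH SUBJECT [RC GUI]: the entry point OpenVPN would invoke.
# Only the leaf certificate (depth 0) is checked against the list; CA certs
# (depth > 0) are accepted here because OpenVPN already validates the chain.
tls_verify() {
  depth="$1"; subject="$2"
  rc="${3:-$RC_CONF}"; gui="${4:-$GUI_CONF}"
  [ "$depth" -eq 0 ] || return 0
  cn="$(cn_from_subject "$subject")"
  [ -n "$cn" ] || return 1
  OVPN_VALIDCLIENTS=""
  conf="$(pick_conf "$rc" "$gui")"
  [ -f "$conf" ] && . "$conf"
  # Fail closed: if the list is empty or missing, nobody is allowed.  This is
  # the edge case from the thread (all "Disabled" boxes unchecked after start),
  # which still needs an OpenVPN Server restart.
  [ -n "$OVPN_VALIDCLIENTS" ] || return 1
  cn_allowed "$cn" "$OVPN_VALIDCLIENTS"
}

# When executed by OpenVPN (two positional arguments), act on them directly.
if [ "$#" -ge 2 ]; then
  tls_verify "$1" "$2"
  exit $?
fi
```

The mtime comparison is the weak point a reviewer would flag: it distinguishes only "GUI file saved after rc.conf was generated", so a save that removes every Disabled entry empties OVPN_VALIDCLIENTS while tls-verify is still configured, and the fail-closed branch then rejects every client until the server is restarted, exactly the edge condition Lonnie describes. Rejecting rather than allowing in that state is the deliberate choice: an allow-list that silently becomes "allow all" would undo the purpose of the Disabled checkbox.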