From: Lonnie A. <li...@lo...> - 2017-09-12 21:51:55
Added: https://github.com/astlinux-project/astlinux/commit/aa703bfc48c0b939348205318387a512bb1fe1fe

Works as expected in my testing.

Lonnie

On Sep 12, 2017, at 3:57 PM, Michael Keuter <li...@mk...> wrote:

> For me too!
>
> Sent from a mobile device.
>
> Michael Keuter
>
>> On 12.09.2017 at 22:20, Michael Knill <mic...@ip...> wrote:
>>
>> Sounds great to me!
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lo...>
>> Reply-To: AstLinux Developers Mailing List <ast...@li...>
>> Date: Wednesday, 13 September 2017 at 4:55 am
>> To: AstLinux Developers Mailing List <ast...@li...>
>> Subject: [Astlinux-devel] Adding OpenVPN clients needs a service restart (sometimes)
>>
>> Moved to the astlinux-devel list ...
>>
>> I thought of a more elegant solution, how about if in the /usr/sbin/openvpn-tls-verify script we source /mnt/kd/rc.conf.d/gui.openvpn.conf instead of /etc/rc.conf ?
>>
>> Possibly we could make sure /mnt/kd/rc.conf.d/gui.openvpn.conf is newer than /etc/rc.conf as a sanity check.
>>
>> While this would not be perfect, it would use the updated OVPN_VALIDCLIENTS when a new client was added without having to restart OpenVPN.
>>
>> Additionally, if one or more clients are already "Disabled" this would also allow additional clients to be Disabled without restarting OpenVPN.
>>
>> The only edge condition I can think of is when OpenVPN was last started with "Disabled" clients and later all "Disabled" clients were unchecked (Enabled) and saved; in that case an OpenVPN Server restart would be needed, and no new clients could connect until the restart. A low percentage edge condition compared to the typical operation.
>>
>> Needs some testing ...
>>
>> Lonnie
>>
>>
>>> On Sep 11, 2017, at 4:46 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi Lonnie
>>>
>>> Could we reconfigure the script so that when you press the 'New Client' button it automatically does this?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lo...>
>>> Reply-To: AstLinux List <ast...@li...>
>>> Date: Tuesday, 12 September 2017 at 7:01 am
>>> To: AstLinux List <ast...@li...>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>
>>> Michael,
>>>
>>> Not having any "disabled" Client CNs would be a solution.
>>>
>>> Power User tip -> if (only) a new Client is added with previously "disabled" Client CNs and continued "disabled" Client CNs, the CLI command "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting OpenVPN.
>>>
>>> Lonnie
>>>
>>>
>>>> On Sep 11, 2017, at 3:43 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>> Ah well, that explains it then, thanks Lonnie.
>>>>
>>>> I'm glad I found this out early as I have been looking at building a hosted Astlinux server with connectivity via OpenVPN from Yealink phones and this requirement would certainly make this difficult.
>>>> So are there any other options here? It seems crazy having to drop all your existing OVPN connections just to configure a new one.
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lo...>
>>>> Reply-To: AstLinux List <ast...@li...>
>>>> Date: Monday, 11 September 2017 at 11:16 pm
>>>> To: AstLinux List <ast...@li...>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>
>>>> Michael,
>>>>
>>>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with one or more "disabled" checked, you will have to Restart OpenVPN Server whenever you add a new Client.
>>>>
>>>> This is not an OpenVPN requirement per se, but rather the configuration for openvpn.
>>>>
>>>> To explain more ... if there are no "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is not defined, and the openvpn configuration does not include a tls-verify option.
>>>>
>>>> On the other hand, if there are "disabled" clients then the rc.conf variable OVPN_VALIDCLIENTS is defined, and the configuration includes a "tls-verify /usr/sbin/openvpn-tls-verify" option. As such only client CNs in OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart OpenVPN Server to update the config; that goes for most any change in OpenVPN Server.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>>
>>>>> On Sep 10, 2017, at 11:59 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>> Thanks Lonnie. I suspect that this is not the problem but I can't understand why I need to restart the server before it works.
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>>
>>>>> -----Original Message-----
>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>> Date: Monday, 11 September 2017 at 1:24 pm
>>>>> To: AstLinux List <ast...@li...>
>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>
>>>>> Michael,
>>>>>
>>>>> You could try
>>>>> -- OpenVPN Server --
>>>>> Raw Commands: duplicate-cn
>>>>> --
>>>>> and see if that helps. But you need to understand if you really need "multiple clients using the same certificate or username to concurrently connect".
>>>>>
>>>>> Is there an OpenVPN client you forgot about ? Are any sharing a username ?
>>>>>
>>>>> I can generate the "duplicate-cn" log myself by connecting, disconnecting and re-connecting using the same client. But it all works, no issues.
>>>>>
>>>>> Lonnie
>>>>>
>>>>>
>>>>>> On Sep 10, 2017, at 9:22 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>
>>>>>> Ah, I did remember seeing something in the logs about this:
>>>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client '001565F4634C' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
>>>>>>
>>>>>> Is this a complaint?
>>>>>> Should I just enable it anyway?
>>>>>> I assume I add it to the RAW Commands?
>>>>>>
>>>>>> Regards
>>>>>> Michael Knill
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>>> Date: Monday, 11 September 2017 at 11:52 am
>>>>>> To: AstLinux List <ast...@li...>
>>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>>
>>>>>> Michael,
>>>>>>
>>>>>> Judging from your error log the Yealink's client CN (Common Name) did not match any of the allowed (non-checked) Clients in the server. As long as you are certain the Yealink client cert is good.
>>>>>>
>>>>>> You are not "sharing" a client certificate, are you ? If you are, do you have the "duplicate-cn" raw command added ? From the OpenVPN docs ...
>>>>>>
>>>>>> --duplicate-cn
>>>>>> Allow multiple clients with the same common name to concurrently connect. In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
>>>>>>
>>>>>> Sounds a little like what you are describing.
>>>>>>
>>>>>> else ...
>>>>>>
>>>>>> Is your Yealink running the latest (or recent) firmware ?
>>>>>>
>>>>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>>>>
>>>>>> You can increase the Log Verbosity: to High on the server and see if that helps to find a clue.
>>>>>>
>>>>>> Lonnie
>>>>>>
>>>>>>
>>>>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>
>>>>>>> Hi Lonnie
>>>>>>>
>>>>>>> Do you mean Client Name? Yes, I do have one disabled if so, but it is not the one I was having problems with.
>>>>>>>
>>>>>>> After testing I can now confirm that this issue occurs when I configure up a new phone and it goes away (and VPN establishes) when I restart the OpenVPN server.
>>>>>>> Can you think why this could be happening?
>>>>>>>
>>>>>>> Regards
>>>>>>> Michael Knill
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Lonnie Abelbeck <li...@lo...>
>>>>>>> Reply-To: AstLinux List <ast...@li...>
>>>>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>>>>> To: AstLinux List <ast...@li...>
>>>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>>>
>>>>>>> Michael,
>>>>>>>
>>>>>>> On your OpenVPN Server configuration (at the bottom), you must have at least one CommonName disabled.
>>>>>>>
>>>>>>> Client Certificates and Keys: -> Disabled checked (correct ?)
>>>>>>>
>>>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the /usr/sbin/openvpn-tls-verify script
>>>>>>>
>>>>>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>>>>>
>>>>>>> Lonnie
>>>>>>>
>>>>>>>
>>>>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill <mic...@ip...> wrote:
>>>>>>>>
>>>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It used to be easy to set up but now it's a bit flaky.
>>>>>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>>>>>>
>>>>>>>> I noticed that I am getting these in the logs:
>>>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
>>>>>>>>
>>>>>>>> I'm not sure what they mean? What could the problem be?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Michael Knill
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>> _______________________________________________
>>>>>>>> Astlinux-users mailing list
>>>>>>>> Ast...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>>>>>
>>>>>>>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
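As an added illustration of the check discussed in this thread (this is example code written for this page, not the AstLinux /usr/sbin/openvpn-tls-verify script and not the linked commit), the POSIX shell below reads OVPN_VALIDCLIENTS from /mnt/kd/rc.conf.d/gui.openvpn.conf when that file is newer than /etc/rc.conf and otherwise falls back to /etc/rc.conf, then accepts a connecting client only if its certificate CN is in the list. Assumptions: OpenVPN invokes the --tls-verify program with two arguments, the certificate depth and the X509 subject line, and treats a non-zero exit as rejection (the "external program exited with error status: 1" warning quoted above is that rejection); the `OVPN_VALIDCLIENTS="..."` line format, the function names, the `[ a -nt b ]` test (supported by bash, dash and busybox ash, not strictly POSIX) and the phone1/phone2 sample names are all constructed for the example. An empty or missing list fails closed, which is exactly the edge case Lonnie describes: if OpenVPN is still running with tls-verify active but every client has since been re-enabled, no new client is accepted until the server is restarted.

```shell
#!/bin/sh
# Example tls-verify style checker (added illustration, not the AstLinux script).
# Assumption: OpenVPN runs this with "$1" = certificate depth and "$2" = X509
# subject line, and a non-zero exit status rejects the certificate.

# Paths named in the thread; overridable so the logic can be exercised offline.
RC_CONF="${RC_CONF:-/etc/rc.conf}"
GUI_OVPN_CONF="${GUI_OVPN_CONF:-/mnt/kd/rc.conf.d/gui.openvpn.conf}"

# Print the CN from a subject in either "CN=phone1, O=x" or "/C=US/CN=phone1" form.
extract_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p' | sed 's/^ *//; s/ *$//'
}

# Choose where OVPN_VALIDCLIENTS is read from: the GUI fragment is preferred, but
# only when it is newer than /etc/rc.conf (the sanity check proposed in the thread);
# a stale fragment means /etc/rc.conf is the trusted copy. Prints the chosen path.
pick_conf_file() {
  if [ -f "$GUI_OVPN_CONF" ] && [ "$GUI_OVPN_CONF" -nt "$RC_CONF" ]; then
    printf '%s\n' "$GUI_OVPN_CONF"
  else
    printf '%s\n' "$RC_CONF"
  fi
}

# Extract only the OVPN_VALIDCLIENTS="..." assignment (assumed format) instead of
# sourcing the whole file, so nothing else in the file is ever executed.
load_valid_clients() {
  [ -r "$1" ] || return 0
  sed -n 's/^OVPN_VALIDCLIENTS="\(.*\)"$/\1/p' "$1" | head -n 1
}

# Return 0 if "$1" (a CN) is one of the space-separated names in "$2".
# An empty CN or an empty list fails closed.
cn_allowed() {
  cn="$1"; list="$2"
  [ -n "$cn" ] || return 1
  [ -n "$list" ] || return 1
  for name in $list; do
    [ "$name" = "$cn" ] && return 0
  done
  return 1
}

# Decision for one tls-verify invocation: depth 0 is the client certificate; higher
# depths are CA certificates and are left to OpenVPN's own chain validation.
verify_client() {
  depth="$1"; subject="$2"
  [ "$depth" = "0" ] || return 0
  cn_allowed "$(extract_cn "$subject")" "$(load_valid_clients "$(pick_conf_file)")"
}

# Act as the verify hook only when invoked by OpenVPN with its two arguments.
if [ "$#" -eq 2 ]; then
  verify_client "$1" "$2"
fi
```

The mtime comparison is the weak point of the approach, as the thread itself notes: a tool that rewrites /etc/rc.conf after the GUI fragment was saved silently moves the decision back to the older list, so it is worth logging which file was consulted when a CN is rejected.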