I'm not sure if you're supposed to use ipp.txt as some sort of editable configuration file; it seems more like an internal state file to me. What are the permissions on this file, and as what user is OpenVPN running?
If I apply the chattr +i command to ipp.txt, as expected nobody is able to modify that file, even root; I checked this. But when the attribute is applied, new connections receive addresses from the beginning, e.g. .1.2, .1.3, etc.
How can I make the connection's key-to-address assignment permanent? Except by switching to TCP?
As far as I can see, it happens when a connection is open but the physical link is terminated and then appears again: the machine starts a new connection, but the server thinks that the first connection is still open and assigns a new address to the machine. Is it really possible that OpenVPN assigns multiple addresses to one key?
The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option.
Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push.
Unfortunately, the problem remains unsolved.
Today I tried to connect to one of my machines, and I failed. I checked ipp.txt on the server and saw that it remained unchanged.
Checking the addresses of the machines in my VPN network, I saw that the addresses had changed.
Restarting the server's and clients' OpenVPN daemons solved the problem, of course only temporarily.
Do you have any more ideas?
I don't know which kind of device you have configured in openvpn.conf (tun or tap), but if you are using tun those IPs will never fly; Google it to see which IPs are available for each mode. Also, the server takes x.y.z.1 for itself, so configuring your client to use it is probably a bad idea.
I use tap, because there are Windows, Linux, and Android clients with different network providers, and they use different protocols (FTP, SSH, VNC, X11, etc.).
My server has the x.y.z.1 address; I know that configuring it for a client is a bad idea.
I'll try your advice with an empty ipp.txt on Monday, but it's interesting to me: why does it happen?
I wanted to completely remove a client from the server.
I've run revoke_client from the easy-rsa2 scripts and revoked their certificate.
I followed this by deleting all the files in the keys folder relating to that client, just to clean up.
However, every time I start the server I see things relating to that client come up in the logs:
IFCONFIG POOL LIST
My question is:
How do I completely remove all files and records of a client that I no longer need on my server? If I have clients I'm constantly adding/removing, I want to clean up those files/records and prevent the server from persisting IPs for them and such.
OpenVPN does not normally remember anything besides ifconfig-pool-persist, and that one needs to be cleared out manually, as OpenVPN cannot know that a user is no longer valid (which, from OpenVPN's point of view, is no different from "a user that decides to just no longer use its VPN service"). So if you have users that change very frequently and want to use persistent addressing, you either need to clean out ipp.txt, or do the pool handling / IP address assignment in a client-connect script, outside OpenVPN.
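One way to do the manual clean-out the answer above describes, as an added example that is not code from the thread or from the OpenVPN project: read the easy-rsa CA database (index.txt) to find which common names have been revoked, then emit a copy of ipp.txt without their entries. The ipp.txt line format ("common_name,address", with an optional IPv6 field on newer servers) and the OpenSSL index.txt layout are assumed, the sample files are constructed inline, and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenVPN project: remove the
# ipp.txt entries of clients whose certificate was revoked, using the easy-rsa
# CA database (index.txt) as the list of revoked common names.
# Assumed formats: ipp.txt lines are "common_name,address" (a trailing IPv6
# field on newer servers is left untouched); index.txt is the OpenSSL CA
# database, tab-separated: status (V/R/E), expiry, revocation date (empty
# unless revoked), serial, filename, subject DN.

WORK=$(mktemp -d)

# Constructed sample CA database: client2 has been revoked (status R).
{
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=server\n'
    printf 'V\t330101000000Z\t\t02\tunknown\t/CN=client1\n'
    printf 'R\t330101000000Z\t240102120000Z\t03\tunknown\t/CN=client2\n'
    printf 'V\t330101000000Z\t\t04\tunknown\t/CN=client3\n'
} > "$WORK/index.txt"

# Constructed sample pool-persist file in the form OpenVPN writes it.
printf 'client1,10.8.0.2\nclient2,10.8.0.3\nclient3,10.8.0.4\n' > "$WORK/ipp.txt"

# Print the common name of every revoked entry in index.txt $1, one per line.
revoked_cns() {
    awk -F'\t' '$1 == "R" {
        n = split($NF, part, "/")
        for (i = 1; i <= n; i++)
            if (part[i] ~ /^CN=/) print substr(part[i], 4)
    }' "$1"
}

# Print ipp.txt $2 with the entries of common names revoked in index.txt $1
# removed. Output goes to stdout so the caller can inspect it before replacing.
prune_ipp() {
    bad=$(revoked_cns "$1" | tr '\n' ',')
    # Surround both the list and each name with commas so "client1" cannot
    # match "client10" by prefix.
    awk -F',' -v bad=",$bad" 'index(bad, "," $1 ",") == 0' "$2"
}

# Typical use (placeholder paths), with the server stopped so it does not
# rewrite the file from its in-memory pool while you edit it:
#   prune_ipp /etc/openvpn/easy-rsa/keys/index.txt /etc/openvpn/ipp.txt \
#       > ipp.new && mv ipp.new /etc/openvpn/ipp.txt
```

Run it with the server stopped: OpenVPN periodically rewrites the persist file from the pool it holds in memory, so an entry removed while the daemon is running comes back at the next write.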
In the ccd directory, we can create a file for each client that connects to make OpenVPN push client-specific settings. To make this happen, create a file with the Common Name of the certificate the remote office gateway uses to authenticate itself to the server (I looked it up in the ipp.txt pool file after the client had connected).
That file needs to contain a single setting:
Note that because we persist the DHCP lease log in ipp.txt, the remote gateway will always be assigned 10.8.0.2 in our example (you can change this by editing ipp.txt and restarting the OpenVPN Server Service).
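The ccd approach above keeps one file per client; the earlier answer's alternative is a client-connect script that does the same assignment from one place. As an added example (not code from the tutorial or from the OpenVPN project), this script reads a mapping file, refuses clients with no entry, entries that collide with the server's own x.y.z.1 address, and addresses mapped to more than one client, and writes the ifconfig-push line into the file OpenVPN hands it. It assumes a tap or "topology subnet" server, where ifconfig-push takes "address netmask"; the server address, netmask, map file path and sample map are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the OpenVPN project: a
# --client-connect script doing fixed address assignment from one mapping
# file instead of one ccd file per client. OpenVPN runs it with the path of a
# temporary config file as $1 and the client's certificate CN in
# $common_name; any "ifconfig-push" written to $1 is applied to that client,
# and a non-zero exit refuses the connection.
# Assumed: tap or "topology subnet" server (ifconfig-push "address netmask").
# Addresses, netmask and the map file path are placeholders.

SERVER_ADDR=${SERVER_ADDR:-10.8.0.1}
SERVER_MASK=${SERVER_MASK:-255.255.255.0}
MAP_FILE=${MAP_FILE:-/etc/openvpn/static-clients.map}

# Constructed sample map ("common_name address" per line, # starts a comment).
# "gateway-b" deliberately collides with the server's own address and
# "dup1"/"dup2" share an address, to show what the checks refuse.
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_MAP" <<'EOF'
# common_name  address
remote-gw   10.8.0.2
laptop      10.8.0.20
gateway-b   10.8.0.1
dup1        10.8.0.30
dup2        10.8.0.30
EOF

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'.' 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the address mapped to common name $1 in map file $2 (exact match only).
lookup_addr() {
    awk -v cn="$1" '!/^#/ && $1 == cn { print $2; exit }' "$2"
}

# Print how many map entries in $2 use address $1.
addr_uses() {
    awk -v ip="$1" '!/^#/ && $2 == ip { n++ } END { print n + 0 }' "$2"
}

# Print the ifconfig-push line for common name $1 from map $2, or fail with
# a reason on stderr so the refusal shows up in the server log.
build_push() {
    cn=$1; map=$2
    addr=$(lookup_addr "$cn" "$map")
    if [ -z "$addr" ]; then
        echo "no static address for '$cn'" >&2; return 1
    fi
    if ! valid_ipv4 "$addr"; then
        echo "malformed address '$addr' for '$cn'" >&2; return 1
    fi
    if [ "$addr" = "$SERVER_ADDR" ]; then
        echo "'$cn' maps to the server's own address" >&2; return 1
    fi
    if [ "$(addr_uses "$addr" "$map")" -ne 1 ]; then
        echo "address $addr is mapped to more than one client" >&2; return 1
    fi
    printf 'ifconfig-push %s %s\n' "$addr" "$SERVER_MASK"
}

# When invoked by OpenVPN: append the directive to the temp file it hands us.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    build_push "$common_name" "$MAP_FILE" >> "$1" || exit 1
fi
```

Point the server at it with `client-connect /path/to/this-script` (and the script-security level that permits external scripts); because a non-zero exit rejects the client, a common name missing from the map cannot silently fall back to a pool address, which is the behaviour the original poster wanted to avoid.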
About the topology subnet: I realize it's in the OpenVPN server config at first, then further down you talked about placing it elsewhere. Can you clarify for me please? Does it have to be on both the OpenVPN server and the OpenVPN client?
I am using a dynamic public IP on both networks. I already have dynamic hosting working, so I am able to connect both boxes over the internet. My remote network is the 192.168.1.0/24 network, 192.158.1.8 client IP; my local network is 192.168.2.0/24, 192.168.2.7 OpenVPN server IP. I know I have to open port 1194 on both boxes to point to the OpenVPN server and client respectively. Can you please assist in my endeavor? Thanks in advance.