ClearFoundation Tracker - ClearOS |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0000822 | ClearOS | app-openvpn - OpenVPN | public | 2012-11-16 08:53 | 2013-03-10 10:44 |
|
Reporter | NickH | |
Assigned To | user2 | |
Priority | normal | Severity | tweak | Reproducibility | always |
Status | closed | Resolution | fixed | |
Platform | | OS | ClearOS | OS Version | 6.3 |
Product Version | 6.3.0 | |
Target Version | 6.4.0 Beta 2 | Fixed in Version | 6.4.0 Beta 2 | |
|
Summary | 0000822: /var/lib/openvpn/ipp.txt not populated |
Description | Normally remote users and IP addresses should get recorded in /var/lib/openvpn/ipp.txt to be re-used where possible by OpenVPN. Currently the file is not being populated. It could be due to the permissions which are 600, but OpenVPN runs under user "nobody" so is unable to write to the file. If you change the permissions to 666 the file gets populated as users connect. |
Steps To Reproduce | Install OpenVPN and have users connect remotely.
/var/lib/openvpn/ipp.txt stays empty
Stop OpenVPN
Change file permissions to 666
Restart OpenVPN
Get users to connect remotely
The file now gets populated. Presumably remote users now effectively have quasi-static leases for their OpenVPN IPs as they used to in 5.2 |
Additional Information | This bug is odd as OpenVPN also runs under user "nobody" in 5.2 and the file permissions are the same, but in 5.2 the file gets populated. The only obvious difference I can see in the installations is the handling of "script_security" in the 6.3 init file but reading the bugzilla report, I don't think it is relevant.
I don't think the same problem exists with /var/lib/openvpn/openvpn-status.log. |
Tags | No tags attached. |
Relationships | |
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2012-11-16 08:53 | NickH | New Issue | |
2012-11-19 07:24 | user2 | Status | new => confirmed |
2012-11-19 12:39 | user2 | Note Added: 0000584 | |
2012-11-20 12:17 | NickH | Note Added: 0000585 | |
2012-11-20 12:30 | user2 | Note Added: 0000586 | |
2012-12-14 11:18 | user2 | Note Added: 0000614 | |
2012-12-14 11:18 | user2 | Status | confirmed => resolved |
2012-12-14 11:18 | user2 | Fixed in Version | => 6.4.0 Beta 1 |
2012-12-14 11:18 | user2 | Resolution | open => fixed |
2012-12-14 11:18 | user2 | Assigned To | => user2 |
2013-02-02 12:19 | user2 | Status | resolved => closed |
2013-02-02 15:25 | NickH | Note Added: 0000685 | |
2013-02-02 15:25 | NickH | Status | closed => feedback |
2013-02-02 15:25 | NickH | Resolution | fixed => reopened |
2013-02-04 06:03 | NickH | Note Added: 0000686 | |
2013-02-04 06:03 | NickH | Status | feedback => assigned |
2013-02-04 09:13 | user2 | Note Added: 0000687 | |
2013-02-05 14:47 | NickH | Note Added: 0000696 | |
2013-02-05 17:00 | user2 | Checkin | |
2013-02-05 17:00 | user2 | Note Added: 0000697 | |
2013-02-05 17:01 | user2 | Note Edited: 0000697 | bug_revision_view_page.php?bugnote_id=697#r39 |
2013-02-05 17:06 | user2 | Note Added: 0000698 | |
2013-02-05 17:06 | user2 | Fixed in Version | 6.4.0 Beta 1 => |
2013-02-05 17:06 | user2 | Target Version | => 6.4.0 Beta 2 |
2013-02-07 15:03 | user2 | Category | openvpn => app-openvpn - OpenVPN |
2013-02-07 15:29 | user2 | Checkin | |
2013-02-07 15:29 | user2 | Note Added: 0000699 | |
2013-02-07 15:31 | user2 | Status | assigned => resolved |
2013-02-07 15:31 | user2 | Fixed in Version | => 6.4.0 Beta 2 |
2013-02-07 15:31 | user2 | Resolution | reopened => fixed |
2013-03-10 10:44 | user2 | Status | resolved => closed |
Notes |
|
(0000584)
|
user2
|
2012-11-19 12:39
|
|
It looks like the file is only updated after 10 minute intervals? That seems a bit weird. Here's the man page on the topic:
--ifconfig-pool-persist file [seconds]
Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as well as on program startup and shutdown.
The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good for clients because it allows them to effectively use the --persist-tun option.
When I changed the default to 10 seconds, the ipp.txt was populated (even with the restrictive file permissions). Can you verify the same behavior? |
|
|
(0000585)
|
NickH
|
2012-11-20 12:17
|
|
I can confirm that changing the line in clients.conf to "ifconfig-pool-persist /var/lib/openvpn/ipp.txt 10" and reverting the permissions to default works. It also works with 600 explicitly set i.e. "ifconfig-pool-persist /var/lib/openvpn/ipp.txt 600".
To me the fix would be to add 600 to the end of the line if there is not already a value there. (A simple sed script?) |
|
|
(0000586)
|
user2
|
2012-11-20 12:30
|
|
Thanks for the follow up! Yup, we'll add a fix to the upgrade script. |
|
|
(0000614)
|
user2
|
2012-12-14 11:18
|
|
|
|
(0000685)
|
NickH
|
2013-02-02 15:25
|
|
I'm not sure we're there yet and I'm wondering if it is an OpenVPN bug. I'll try to do more research. ipp.txt now seems to be populated but gets cleared when the user logs off. I had a look a few days ago and had to change the permissions to 666 to see any values in the file but have not investigated further. |
|
|
(0000686)
|
NickH
|
2013-02-04 06:03
|
|
|
|
(0000687)
|
user2
|
2013-02-04 09:13
|
|
|
|
(0000696)
|
NickH
|
2013-02-05 14:47
|
|
I've changed the line in clients.conf back to "ifconfig-pool-persist /var/lib/openvpn/ipp.txt" and changed the line in clients-tcp.conf to "ifconfig-pool-persist /var/lib/openvpn/ipp-tcp.txt". I have not used any time parameter. Having done this it now looks like my ipp.txt is populating on its own. Also openvpn created the file /var/lib/openvpn/ipp-tcp.txt on its own. Both are using 600 permissions owned by root. So far so good.
Can I suggest that if a bug fix is pushed, a comment line is added to the conf file as well to the effect that this file name must be different in every conf file? (ditto the server IP/subnet) |
|
|
(0000697)
|
user2
|
2013-02-05 17:00
(edited on: 2013-02-05 17:01) |
|
Follow up to comment 614
Source Code Changelog
---------------------------------------------------
- Updated ifconfig-pool-persist parameter to improve ipp.txt handling [tracker 0000822]
File Changes
---------------------------------------------------
Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=5191
U webconfig/apps/openvpn/trunk/deploy/info.php
U webconfig/apps/openvpn/trunk/deploy/upgrade
U webconfig/apps/openvpn/trunk/packaging/app-openvpn.spec
U webconfig/apps/openvpn/trunk/packaging/clients-tcp.conf
U webconfig/apps/openvpn/trunk/packaging/clients.conf
|
|
|
(0000698)
|
user2
|
2013-02-05 17:06
|
|
Will target for the next release: 6.4.0 Beta 2, but the fix can be backported if upstream 6.4 does not appear soon. |
|
|
(0000699)
|
user2
|
2013-02-07 15:29
|
|
Source Code Changelog
---------------------------------------------------
- Changed ifconfig-pool-persist filename for TCP mode [tracker 0000822]
File Changes
---------------------------------------------------
Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=5621
U webconfig/apps/openvpn/trunk/deploy/upgrade
U webconfig/apps/openvpn/trunk/packaging/clients-tcp.conf
U webconfig/apps/openvpn/trunk/packaging/clients.conf
|
|
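Notes 0000696 and 0000699 settle on a separate ifconfig-pool-persist file for each server configuration, with the files left at mode 600. The check below is an added example, not code from ClearOS or OpenVPN: it reports any persist file named by more than one configuration and any persist file that is group- or world-writable (the 666 workaround). The function names, finding strings and temporary sample files are constructed for illustration, and it assumes one ifconfig-pool-persist line per configuration file.

```python
import shlex
import stat
import tempfile
from collections import defaultdict
from pathlib import Path


def persist_entry(conf):
    """Return (file, seconds or None) from the ifconfig-pool-persist line, if any."""
    for raw in Path(conf).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both OpenVPN comment styles
            continue
        words = shlex.split(line, comments=True)
        if len(words) >= 2 and words[0] == "ifconfig-pool-persist":
            return Path(words[1]), (int(words[2]) if len(words) > 2 else None)
    return None


def audit(confs):
    """Report persist files shared between configs or writable by group/other."""
    users = defaultdict(list)
    for conf in confs:
        entry = persist_entry(conf)
        if entry:
            users[entry[0]].append(Path(conf).name)
    findings = []
    for path, names in sorted(users.items()):
        if len(names) > 1:
            findings.append(f"SHARED {path}: {', '.join(sorted(names))}")
        if path.exists():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):  # e.g. the chmod 666 workaround
                findings.append(f"WRITABLE {path}: mode {mode:03o}")
    return findings


def demo():
    """Constructed sample: one shared, mode-666 file, then one 600 file per config."""
    with tempfile.TemporaryDirectory() as tmp:
        ipp, udp, tcp = (Path(tmp) / n for n in ("ipp.txt", "clients.conf", "clients-tcp.conf"))
        ipp.touch()
        ipp.chmod(0o666)
        udp.write_text(f"ifconfig-pool-persist {ipp}\n")
        tcp.write_text(f"ifconfig-pool-persist {ipp}\n")
        before = audit([udp, tcp])
        ipp.chmod(0o600)
        tcp.write_text(f"ifconfig-pool-persist {ipp.with_name('ipp-tcp.txt')}\n")
        return before, audit([udp, tcp])
```

On a real system, `audit()` would be pointed at the server configuration files, for example the clients.conf and clients-tcp.conf named in the thread.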