Ah well, that explains it then, thanks Lonnie.

I'm glad I found this out early as I have been looking at building a hosted 
AstLinux server with connectivity via OpenVPN from Yealink phones and this 
requirement would certainly make this difficult.
So are there any other options here? It seems crazy having to drop all your 
existing OVPN connections just to configure a new one.

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Monday, 11 September 2017 at 11:16 pm
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable

Michael,

If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name with 
one or more "disabled" checked, you will have to Restart OpenVPN Server 
whenever you add a new Client.

This is not an OpenVPN requirement per se, but rather the configuration for 
openvpn.

To explain more ... if there are no "disabled" clients then the rc.conf 
variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does not 
include a tls-verify option.

On the other hand, if there are "disabled" clients then the rc.conf variable 
OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify 
/usr/sbin/openvpn-tls-verify" option.  As such only client CNs in 
OVPN_VALIDCLIENTS are allowed.  If you add a new Client you need to Restart 
OpenVPN Server to update the config, that goes for most any change in OpenVPN 
Server.

Lonnie
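
An added illustration of the allowlist behaviour described in the message above (not part of the original thread, and not the AstLinux /usr/sbin/openvpn-tls-verify script, whose contents the thread does not show). The function names, the sample CNs and passing the list as an argument are assumptions; only the "cmd certificate_depth subject" calling convention and the non-zero-exit rejection come from OpenVPN itself.

```shell
#!/bin/sh
# Hypothetical sketch of a --tls-verify allowlist check.
# OpenVPN runs the tls-verify command as:  cmd <certificate_depth> <subject>
# and rejects the TLS handshake when the command exits non-zero.

# Extract the CN from an X509 subject string. Handles the comma form
# ("C=AU, O=Example, CN=phone1") and the older slash form
# ("/C=AU/O=Example/CN=phone1"). A CN containing ',' or '/' is not
# supported by this simple parser.
subject_cn() {
  printf '%s\n' "$1" | tr ',/' '\n\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# verify_client <depth> <subject> <space-separated list of valid CNs>
# Returns 0 to accept, 1 to reject.
verify_client() {
  depth="$1"; subject="$2"; valid="$3"

  case "$depth" in
    0) ;;                          # leaf certificate: check its CN below
    ''|*[!0-9]*) return 1 ;;       # malformed depth: fail closed
    *) return 0 ;;                 # CA chain (depth > 0): not matched by CN
  esac

  cn="$(subject_cn "$subject")"
  [ -n "$cn" ] || return 1         # no CN found: reject

  for name in $valid; do
    [ "$name" = "$cn" ] && return 0
  done
  return 1                         # CN not in the list: reject
}

# Constructed sample: the list as it stood when the server was last started.
# "phone3" stands for a client added afterwards.
VALID_AT_START="phone1 phone2"
for cn in phone1 phone3; do
  if verify_client 0 "C=AU, O=Example, CN=$cn" "$VALID_AT_START"; then
    echo "$cn: accept"
  else
    echo "$cn: reject (exit status 1)"
  fi
done
```

A rejection here corresponds to the "--tls-verify script ... exited with error status: 1" warning quoted further down the thread.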



On Sep 10, 2017, at 11:59 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> 
wrote:

> Thanks Lonnie. I suspect that this is not the problem but I can't understand 
> why I need to restart the server before it works.
> 
> Regards
> Michael Knill
> 
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Monday, 11 September 2017 at 1:24 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
> 
> Michael,
> 
> You could try
> -- OpenVPN Server --
> Raw Commands: duplicate-cn
> --
> and see if that helps.  But you need to understand if you really need 
> "multiple clients using the same certificate or username to concurrently 
> connect".
> 
> Is there an OpenVPN client you forgot about ?  Are any sharing a username ?
> 
> I can generate the "duplicate-cn" log myself by connecting, disconnecting and 
> re-connecting using the same client.  But it all works, no issues.
> 
> Lonnie
> 
> 
> On Sep 10, 2017, at 9:22 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
>> Ah I did remember seeing something in the logs about this:
>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client 
>> '001565F4634C' will cause previous active sessions by this client to be 
>> dropped.  Remember to use the --duplicate-cn option if you want multiple 
>> clients using the same certificate or username to concurrently connect.
>> 
>> Is this a complaint? Should I just enable it anyway? 
>> I assume I add it to the RAW Commands?
>> 
>> Regards
>> Michael Knill
>> 
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Monday, 11 September 2017 at 11:52 am
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>> 
>> Michael,
>> 
>> Judging from your error log the Yealink's client CN (Common Name) did not 
>> match any of the allowed (non-checked) Clients in the server.  As long as 
>> you are certain the Yealink client cert is good.
>> 
>> You are not "sharing" a client certificate are you ?  If you are, do you have 
>> the "duplicate-cn" raw command added ?  From the OpenVPN docs ...
>> 
>> --duplicate-cn
>> Allow multiple clients with the same common name to concurrently connect. In 
>> the absence of this option, OpenVPN will disconnect a client instance upon 
>> connection of a new client having the same common name.
>> 
>> Sounds a little like what you are describing.
>> 
>> else ...
>> 
>> Is your Yealink running the latest (or recent) firmware ?
>> 
>> AstLinux is using the latest OpenVPN series 2.4.x.
>> 
>> You can increase the Log Verbosity: to High on the server and see if that 
>> helps to find a clue.
>> 
>> Lonnie
>> 
>> 
>> On Sep 10, 2017, at 8:08 PM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>>> Hi Lonnie
>>> 
>>> Do you mean Client Name? Yes I do have one disabled if so but it is not the 
>>> one I was having problems with.
>>> 
>>> After testing I can now confirm that this issue occurs when I configure up 
>>> a new phone and it goes away (and VPN establishes) when I restart the 
>>> OpenVPN server.
>>> Can you think why this could be happening?
>>> 
>>> Regards
>>> Michael Knill
>>> 
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Date: Monday, 11 September 2017 at 9:55 am
>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>> 
>>> Michael,
>>> 
>>> On your OpenVPN Server configuration (at the bottom), you must have at 
>>> least one CommonName disabled. 
>>> 
>>> Client Certificates and Keys: -> Disabled checked    (correct ?)
>>> 
>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the 
>>> /usr/sbin/openvpn-tls-verify script
>>> 
>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>> 
>>> Lonnie
>>> 
>>> 
>>> On Sep 10, 2017, at 6:34 PM, Michael Knill 
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>> 
>>>> I am having some issues with setting up OpenVPN on my Yealink phones. It 
>>>> used to be easy to set up but now it's a bit flakey.
>>>> Once it's up it seems to be fine but getting it to that stage is an issue.
>>>> 
>>>> I noticed that I am getting these in the logs:
>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed 
>>>> running command (--tls-verify script): external program exited with error 
>>>> status: 1
>>>> 
>>>> I'm not sure what they mean? What could the problem be?
>>>> 
>>>> Regards
>>>> Michael Knill
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> Astlinux-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>> 
>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>> pay...@krisk.org.

