> On 12.09.2017 at 00:22, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
> Hi Lonnie
> 
> Just wondering what would be the scenario when it would not work? e.g. it is 
> ONLY done when you are configuring a new client. All other configuration 
> requires a restart.
> 
> Regards
> Michael Knill

BTW: Instead of disabling a client in the WebGUI, you could also delete the 
appropriate key files in "/mnt/kd/openvpn/webinterface/keys/" 
in case you don't need them anymore.

> 
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Tuesday, 12 September 2017 at 8:04 am
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
> 
> Michael,
> 
> I quickly checked, it would be somewhat of a hack to call 'gen-rc-conf' at 
> the appropriate sweet-spot.
> 
> And it would not always work, a restart of OpenVPN is often required.
> 
> Lonnie
> 
> 
> On Sep 11, 2017, at 4:47 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
>> Sorry when I say script I mean openvpn.php
>> 
>> Regards
>> Michael Knill
>> 
>> -----Original Message-----
>> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Tuesday, 12 September 2017 at 7:47 am
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>> 
>> Hi Lonnie
>> 
>> Could we reconfigure the script so that when you press the 'New Client' 
>> button it automatically does this?  
>> 
>> Regards
>> Michael Knill
>> 
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Tuesday, 12 September 2017 at 7:01 am
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>> 
>> Michael,
>> 
>> Not having any "disabled" Client CN's would be a solution.
>> 
>> Power User tip -> if (only) a new Client is added with previously "disabled" 
>> Client CN's and continued "disabled" Client CN's, the CLI command 
>> "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting 
>> OpenVPN.
>> 
>> Lonnie
>> 
>> 
>> On Sep 11, 2017, at 3:43 PM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>>> Ah well that explains it then thanks Lonnie.
>>> 
>>> I'm glad I found this out early as I have been looking at building a hosted 
>>> Astlinux server with connectivity via OpenVPN from Yealink phones and this 
>>> requirement would certainly make this difficult.
>>> So are there any other options here? It seems crazy having to drop all your 
>>> existing OVPN connections just to configure a new one.
>>> 
>>> Regards
>>> Michael Knill
>>> 
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Date: Monday, 11 September 2017 at 11:16 pm
>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>> 
>>> Michael,
>>> 
>>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name 
>>> with one or more "disabled" checked, you will have to Restart OpenVPN 
>>> Server whenever you add a new Client.
>>> 
>>> This is not an OpenVPN requirement per se, but rather the configuration for 
>>> openvpn.
>>> 
>>> To explain more ... if there are no "disabled" clients then the rc.conf 
>>> variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does 
>>> not include a tls-verify option.
>>> 
>>> On the other hand, if there are "disabled" clients then the rc.conf variable 
>>> OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify 
>>> /usr/sbin/openvpn-tls-verify" option.  As such only client CN's in 
>>> OVPN_VALIDCLIENTS are allowed.  If you add a new Client you need to Restart 
>>> OpenVPN Server to update the config, that goes for most any change in 
>>> OpenVPN Server.
>>> 
>>> Lonnie
>>> 
>>> 
>>> 
>>> On Sep 10, 2017, at 11:59 PM, Michael Knill 
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>> 
>>>> Thanks Lonnie. I suspect that this is not the problem but I can't 
>>>> understand why I need to restart the server before it works.
>>>> 
>>>> Regards
>>>> Michael Knill
>>>> 
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Date: Monday, 11 September 2017 at 1:24 pm
>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>> 
>>>> Michael,
>>>> 
>>>> You could try
>>>> -- OpenVPN Server --
>>>> Raw Commands: duplicate-cn
>>>> --
>>>> and see if that helps.  But you need to understand if you really need 
>>>> "multiple clients using the same certificate or username to concurrently 
>>>> connect".
>>>> 
>>>> Is there an OpenVPN client you forgot about ?  Are any sharing a username ?
>>>> 
>>>> I can generate the "duplicate-cn" log myself by connecting, disconnect and 
>>>> re-connecting using the same client.  But it all works, no issues.
>>>> 
>>>> Lonnie
>>>> 
>>>> 
>>>> On Sep 10, 2017, at 9:22 PM, Michael Knill 
>>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>> 
>>>>> Ah I did remember seeing something in the logs about this:
>>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client 
>>>>> '001565F4634C' will cause previous active sessions by this client to be 
>>>>> dropped.  Remember to use the --duplicate-cn option if you want multiple 
>>>>> clients using the same certificate or username to concurrently connect.
>>>>> 
>>>>> Is this a complaint? Should I just enable it anyway? 
>>>>> I assume I add it to the RAW Commands?
>>>>> 
>>>>> Regards
>>>>> Michael Knill
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>>> Date: Monday, 11 September 2017 at 11:52 am
>>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>> 
>>>>> Michael,
>>>>> 
>>>>> Judging from your error log the Yealink's client CN (Common Name) did not 
>>>>> match any of the allowed (non-checked) Clients in the server.  As long as 
>>>>> you are certain the Yealink client cert is good.
>>>>> 
>>>>> You are not "sharing" a client certificate are you ?  If you are, do you 
>>>>> have the "duplicate-cn" raw command added ?  From the OpenVPN docs ...
>>>>> 
>>>>> --duplicate-cn
>>>>> Allow multiple clients with the same common name to concurrently connect. 
>>>>> In the absence of this option, OpenVPN will disconnect a client instance 
>>>>> upon connection of a new client having the same common name.
>>>>> 
>>>>> Sounds a little like what you are describing.
>>>>> 
>>>>> else ...
>>>>> 
>>>>> Is your Yealink running the latest (or recent) firmware ?
>>>>> 
>>>>> AstLinux is using the latest OpenVPN series 2.4.x.
>>>>> 
>>>>> You can increase the Log Verbosity: to High on the server and see if that 
>>>>> helps to find a clue.
>>>>> 
>>>>> Lonnie
>>>>> 
>>>>> 
>>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill 
>>>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>>> 
>>>>>> Hi Lonnie
>>>>>> 
>>>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not 
>>>>>> the one I was having problems with.
>>>>>> 
>>>>>> After testing I can now confirm that this issue occurs when I configure 
>>>>>> up a new phone and it goes away (and VPN establishes) when I restart the 
>>>>>> OpenVPN server.
>>>>>> Can you think why this could be happening?
>>>>>> 
>>>>>> Regards
>>>>>> Michael Knill
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>>>> Date: Monday, 11 September 2017 at 9:55 am
>>>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable
>>>>>> 
>>>>>> Michael,
>>>>>> 
>>>>>> On your OpenVPN Server configuration (at the bottom), you must have at 
>>>>>> least one CommonName disabled. 
>>>>>> 
>>>>>> Client Certificates and Keys: -> Disabled checked    (correct ?)
>>>>>> 
>>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the 
>>>>>> /usr/sbin/openvpn-tls-verify script
>>>>>> 
>>>>>> Is your Yealink using one of the "Disabled" CommonNames ?
>>>>>> 
>>>>>> Lonnie
>>>>>> 
>>>>>> 
>>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill 
>>>>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>>>> 
>>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. 
>>>>>>> It used to be easy to set up but now it's a bit flakey.
>>>>>>> Once it's up it seems to be fine but getting it to that stage is an 
>>>>>>> issue.
>>>>>>> 
>>>>>>> I noticed that I am getting these in the logs:
>>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed 
>>>>>>> running command (--tls-verify script): external program exited with 
>>>>>>> error status: 1
>>>>>>> 
>>>>>>> I'm not sure what they mean? What could the problem be?
>>>>>>> 
>>>>>>> Regards
>>>>>>> Michael Knill
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org! 
>>>>>>> http://sdm.link/slashdot
>>>>>>> _______________________________________________
>>>>>>> Astlinux-users mailing list
>>>>>>> Astlinux-users@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>>>> 
>>>>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>>>>> pay...@krisk.org.


Michael

http://www.mksolutions.info
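
The allow-list check discussed in this thread, as an added example that is not part of the original messages and is not AstLinux's own /usr/sbin/openvpn-tls-verify script. It assumes the allow-list is stored as a shell assignment of OVPN_VALIDCLIENTS in a file passed as the third argument; the function names, sample subjects and temporary file are constructed for illustration.

```sh
#!/bin/sh
# Sketch of an OpenVPN --tls-verify hook enforcing a client CN allow-list.
# OpenVPN runs the hook once per certificate in the chain as:
#   <hook> <certificate_depth> <subject>
# Exit status 0 accepts that certificate; non-zero aborts the TLS handshake and
# the server logs "external program exited with error status: 1".

# Print the CN from a subject such as "C=AU, O=Example, CN=phone1"
# (the older "/C=AU/O=Example/CN=phone1" layout is handled too).
# Assumption: subjects come from certificates signed by your own CA.
extract_cn() {
  printf '%s\n' "$1" | tr '/' ',' | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Succeed only if CN ($1) is an exact entry of the space-separated list ($2).
cn_allowed() {
  case "$1" in ''|*[[:space:]]*) return 1 ;; esac   # empty or multi-word CN never matches
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# tls_verify DEPTH SUBJECT CONF_FILE: the decision handed back to OpenVPN.
tls_verify() {
  [ "$1" -eq 0 ] || return 0                # depth > 0 is a CA certificate, not the client
  [ -r "$3" ] || return 1                   # fail closed if the allow-list cannot be read
  OVPN_VALIDCLIENTS=""
  . "$3"                                    # re-read on every handshake, so edits apply at once
  [ -n "$OVPN_VALIDCLIENTS" ] || return 1   # hook active but list empty: reject
  cn_allowed "$(extract_cn "$2")" "$OVPN_VALIDCLIENTS"
}

# Constructed sample: stand-in for rc.conf with two enabled clients.
conf=$(mktemp)
echo 'OVPN_VALIDCLIENTS="phone1 phone2"' > "$conf"
for subject in "C=AU, O=Example, CN=phone1" "C=AU, O=Example, CN=phone3"; do
  if tls_verify 0 "$subject" "$conf"; then echo "accept: $subject"
  else echo "reject: $subject"; fi
done
# A client added to the list is accepted on its next attempt, with no restart.
echo 'OVPN_VALIDCLIENTS="phone1 phone2 phone3"' > "$conf"
tls_verify 0 "C=AU, O=Example, CN=phone3" "$conf" && echo "accept after list update"
rm -f "$conf"
```

Because the hook only exists in the server configuration when it was present at start-up, a server started without it still needs a restart before any allow-list is enforced.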



