> Am 12.09.2017 um 00:22 schrieb Michael Knill > <michael.kn...@ipcsolutions.com.au>: > > Hi Lonnie > > Just wondering what would be the scenario when it would not work? e.g. it is > ONLY done when you are configuring a new client. All other configuration > requires a restart. > > Regards > Michael Knill
BTW: Instead of disabling a client in the WebGUI, you could also delete the appropriate key files in "/mnt/kd/openvpn/webinterface/keys/" in case you don't need them anymore. > > -----Original Message----- > From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> > Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> > Date: Tuesday, 12 September 2017 at 8:04 am > To: AstLinux List <astlinux-users@lists.sourceforge.net> > Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable > > Michael, > > I quickly checked, it would be somewhat of a hack to call 'gen-rc-conf' at > the appropriate sweet-spot. > > And it would not always work, a restart of OpenVPN is often required. > > Lonnie > > > On Sep 11, 2017, at 4:47 PM, Michael Knill > <michael.kn...@ipcsolutions.com.au> wrote: > >> Sorry when I say script I mean openvpn.php >> >> Regards >> Michael Knill >> >> -----Original Message----- >> From: Michael Knill <michael.kn...@ipcsolutions.com.au> >> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> >> Date: Tuesday, 12 September 2017 at 7:47 am >> To: AstLinux List <astlinux-users@lists.sourceforge.net> >> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >> >> Hi Lonnie >> >> Could we reconfigure the script so that when you press the 'New Client' >> button it automatically does this? >> >> Regards >> Michael Knill >> >> -----Original Message----- >> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> >> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> >> Date: Tuesday, 12 September 2017 at 7:01 am >> To: AstLinux List <astlinux-users@lists.sourceforge.net> >> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >> >> Michael, >> >> Not having any "disabled" Client CN's would be a solution. >> >> Power User tip -> if (only) a new Client is added with previously "disabled" >> Client CN's and continued "disabled" Client CN's, the CLI command >> "gen-rc-conf" will apply the new OVPN_VALIDCLIENTS without restarting >> OpenVPN. >> >> Lonnie >> >> >> On Sep 11, 2017, at 3:43 PM, Michael Knill >> <michael.kn...@ipcsolutions.com.au> wrote: >> >>> Ah well that explains it then thanks Lonnie. >>> >>> Im glad I found this out early as I have been looking at building a hosted >>> Astlinux server with connectivity via OpenVPN from Yealink phones and this >>> requirement would certainly make this difficult. >>> So are there any other options here? It seems crazy having to drop all your >>> existing OVPN connections just to configure a new one. >>> >>> Regards >>> Michael Knill >>> >>> -----Original Message----- >>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> >>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> >>> Date: Monday, 11 September 2017 at 11:16 pm >>> To: AstLinux List <astlinux-users@lists.sourceforge.net> >>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>> >>> Michael, >>> >>> If you have OpenVPN Server -> Client Certificates and Keys: -> Client Name >>> with one or more "disabled" checked, you will have to Restart OpenVPN >>> Server whenever you add a new Client. >>> >>> This is not a OpenVPN requirement per se. but rather the configuration for >>> openvpn. >>> >>> To explain more ... if there are no "disabled" clients then the rc.conf >>> variable OVPN_VALIDCLIENTS is not defined, the openvpn configuration does >>> not include a tls-verify option. >>> >>> On the other had, if there are "disabled" clients then the rc.conf variable >>> OVPN_VALIDCLIENTS is defined, the configuration includes a "tls-verify >>> /usr/sbin/openvpn-tls-verify" option. As such only client CN's in >>> OVPN_VALIDCLIENTS are allowed. If you add a new Client you need to Restart >>> OpenVPN Server to update the config, that goes for most any change in >>> OpenVPN Server. >>> >>> Lonnie >>> >>> >>> >>> On Sep 10, 2017, at 11:59 PM, Michael Knill >>> <michael.kn...@ipcsolutions.com.au> wrote: >>> >>>> Thanks Lonnie. I suspect that this is not the problem but I cant >>>> understand why I need to restart the server before it works. >>>> >>>> Regards >>>> Michael Knill >>>> >>>> -----Original Message----- >>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> >>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> >>>> Date: Monday, 11 September 2017 at 1:24 pm >>>> To: AstLinux List <astlinux-users@lists.sourceforge.net> >>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>>> >>>> Michael, >>>> >>>> You could try >>>> -- OpenVPN Server -- >>>> Raw Commands: duplicate-cn >>>> -- >>>> and see if that helps. But you need to understand if you really need >>>> "multiple clients using the same certificate or username to concurrently >>>> connect". >>>> >>>> Is there a OpenVPN client you forgot about ? Are any sharing a username ? >>>> >>>> I can generate the "duplicate-cn" log myself by connecting, disconnect and >>>> re-connecting using the same client. But it all works, no issues. >>>> >>>> Lonnie >>>> >>>> >>>> On Sep 10, 2017, at 9:22 PM, Michael Knill >>>> <michael.kn...@ipcsolutions.com.au> wrote: >>>> >>>>> Ah I did remember seeing something in the logs about this: >>>>> Mon Sep 11 11:26:06 2017 us=913475 MULTI: new connection by client >>>>> '001565F4634C' will cause previous active sessions by this client to be >>>>> dropped. Remember to use the --duplicate-cn option if you want multiple >>>>> clients using the same certificate or username to concurrently connect. >>>>> >>>>> Is this a complaint? Should I just enable it anyway? >>>>> I assume I add it to the RAW Commands? >>>>> >>>>> Regards >>>>> Michael Knill >>>>> >>>>> -----Original Message----- >>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> >>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> >>>>> Date: Monday, 11 September 2017 at 11:52 am >>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net> >>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>>>> >>>>> Michael, >>>>> >>>>> Judging from your error log the Yealink's client CN (Common Name) did not >>>>> match any of the allowed (non-checked) Clients in the server. As long as >>>>> you are certain the Yealink client cert is good. >>>>> >>>>> You are not "sharing" a client certificate are you ? If you are do you >>>>> have the "duplicate-cn" raw command added ? From the OpenVPN docs ... >>>>> >>>>> --duplicate-cn >>>>> Allow multiple clients with the same common name to concurrently connect. >>>>> In the absence of this option, OpenVPN will disconnect a client instance >>>>> upon connection of a new client having the same common name. >>>>> >>>>> Sounds a little like what you are describing. >>>>> >>>>> else ... >>>>> >>>>> Is your Yealink running the latest (or recent) firmware ? >>>>> >>>>> AstLinux is using the latest OpenVPN series 2.4.x. >>>>> >>>>> You can increase the Log Verbosity: to High on the server and see if that >>>>> helps to find a clue. >>>>> >>>>> Lonnie >>>>> >>>>> >>>>> On Sep 10, 2017, at 8:08 PM, Michael Knill >>>>> <michael.kn...@ipcsolutions.com.au> wrote: >>>>> >>>>>> Hi Lonnie >>>>>> >>>>>> Do you mean Client Name? Yes I do have one disabled if so but it is not >>>>>> the one I was having problems with. >>>>>> >>>>>> After testing I can now confirm that this issue occurs when I configure >>>>>> up a new phone and it goes away (and VPN establishes) when I restart the >>>>>> OpenVPN server. >>>>>> Can you think why this could be happening? >>>>>> >>>>>> Regards >>>>>> Michael Knill >>>>>> >>>>>> -----Original Message----- >>>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> >>>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net> >>>>>> Date: Monday, 11 September 2017 at 9:55 am >>>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net> >>>>>> Subject: Re: [Astlinux-users] OpenVPN on Yealink phones not very reliable >>>>>> >>>>>> Michael, >>>>>> >>>>>> On your OpenVPN Server configuration (at the bottom), you must have at >>>>>> least one CommonName disabled. >>>>>> >>>>>> Client Certificates and Keys: -> Disabled checked (correct ?) >>>>>> >>>>>> This will define the variable OVPN_VALIDCLIENTS and is checked with the >>>>>> /usr/sbin/openvpn-tls-verify script >>>>>> >>>>>> Is your Yealink using one of the "Disabled" CommonNames ? >>>>>> >>>>>> Lonnie >>>>>> >>>>>> >>>>>> On Sep 10, 2017, at 6:34 PM, Michael Knill >>>>>> <michael.kn...@ipcsolutions.com.au> wrote: >>>>>> >>>>>>> I am having some issues with setting up OpenVPN on my Yealink phones. >>>>>>> It used to be easy to set up but now it's a bit flakey. >>>>>>> Once its up it seems to be fine but getting it to that stage is an >>>>>>> issue. >>>>>>> >>>>>>> I noticed that I am getting these in the logs: >>>>>>> Mon Sep 11 08:05:39 2017 us=888912 115.187.181.61:36531 WARNING: Failed >>>>>>> running command (--tls-verify script): external program exited with >>>>>>> error status: 1 >>>>>>> >>>>>>> Im not sure what they mean? What could the problem be? >>>>>>> >>>>>>> Regards >>>>>>> Michael Knill >>>>>>> ------------------------------------------------------------------------------ >>>>>>> Check out the vibrant tech community on one of the world's most >>>>>>> engaging tech sites, Slashdot.org! >>>>>>> http://sdm.link/slashdot_______________________________________________ >>>>>>> Astlinux-users mailing list >>>>>>> Astlinux-users@lists.sourceforge.net >>>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>>>>>> >>>>>>> Donations to support AstLinux are graciously accepted via PayPal to >>>>>>> pay...@krisk.org. >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> Check out the vibrant tech community on one of the world's most >>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>>> _______________________________________________ >>>>>> Astlinux-users mailing list >>>>>> Astlinux-users@lists.sourceforge.net >>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>>>>> >>>>>> Donations to support AstLinux are graciously accepted via PayPal to >>>>>> pay...@krisk.org. >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> Check out the vibrant tech community on one of the world's most >>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>>> _______________________________________________ >>>>>> Astlinux-users mailing list >>>>>> Astlinux-users@lists.sourceforge.net >>>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>>>>> >>>>>> Donations to support AstLinux are graciously accepted via PayPal to >>>>>> pay...@krisk.org. >>>>>> >>>>>> >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> Check out the vibrant tech community on one of the world's most >>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>> _______________________________________________ >>>>> Astlinux-users mailing list >>>>> Astlinux-users@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>>>> >>>>> Donations to support AstLinux are graciously accepted via PayPal to >>>>> pay...@krisk.org. >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> Check out the vibrant tech community on one of the world's most >>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>>> _______________________________________________ >>>>> Astlinux-users mailing list >>>>> Astlinux-users@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>>>> >>>>> Donations to support AstLinux are graciously accepted via PayPal to >>>>> pay...@krisk.org. >>>>> >>>>> >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Check out the vibrant tech community on one of the world's most >>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>> _______________________________________________ >>>> Astlinux-users mailing list >>>> Astlinux-users@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>>> >>>> Donations to support AstLinux are graciously accepted via PayPal to >>>> pay...@krisk.org. >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Check out the vibrant tech community on one of the world's most >>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>>> _______________________________________________ >>>> Astlinux-users mailing list >>>> Astlinux-users@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>>> >>>> Donations to support AstLinux are graciously accepted via PayPal to >>>> pay...@krisk.org. >>>> >>>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Check out the vibrant tech community on one of the world's most >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>> _______________________________________________ >>> Astlinux-users mailing list >>> Astlinux-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>> >>> Donations to support AstLinux are graciously accepted via PayPal to >>> pay...@krisk.org. >>> >>> >>> ------------------------------------------------------------------------------ >>> Check out the vibrant tech community on one of the world's most >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>> _______________________________________________ >>> Astlinux-users mailing list >>> Astlinux-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>> >>> Donations to support AstLinux are graciously accepted via PayPal to >>> pay...@krisk.org. >>> >>> >> >> >> ------------------------------------------------------------------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> Astlinux-users mailing list >> Astlinux-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/astlinux-users >> >> Donations to support AstLinux are graciously accepted via PayPal to >> pay...@krisk.org. >> >> >> ------------------------------------------------------------------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> Astlinux-users mailing list >> Astlinux-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/astlinux-users >> >> Donations to support AstLinux are graciously accepted via PayPal to >> pay...@krisk.org. >> >> >> ------------------------------------------------------------------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> Astlinux-users mailing list >> Astlinux-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/astlinux-users >> >> Donations to support AstLinux are graciously accepted via PayPal to >> pay...@krisk.org. >> >> > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. Michael http://www.mksolutions.info ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
