Hi,

On Tue, Jan 14, 2020 at 08:47:34AM +0100, free...@tango.lu wrote:
> What is causing the following warning in the logs and what is the best
> mode to use on point2point links?

Well, if you want to use true point-to-point mode, you need to configure
*everything* on both sides. No CCD, no "server pushing data to client".

I do see ifconfig on both ends in the config, so it should be happy - are
you sure this warning came up with the configs appended below?

[..]

> I have noticed some difference as well when using p2p mode instead of
> server mode. In this mode it seems that if there is no client connected
> to the server OpenVPN keeps recreating the tunnel interface periodically
> on the server. Would this be good for me when using OSPF?

This is likely related to keepalive settings. If keepalive fails, the
instance assumes "I have to do something now". Which is totally not needed
in p2p mode, especially if you put OSPF on top of it - so just remove the
statement.

> Server
> dev tun0
> mode p2p
> ifconfig 192.168.5.1 192.168.5.2
> tls-server
> tls-auth ta.key 0
> dh dh2048.pem
> ca ca.crt
> cert server.crt
> key server.key
> port 5555
> comp-lzo
> keepalive 10 120

This looks reasonable, except for the keepalive bit, and you might
reconsider comp-lzo. This is nowadays considered somewhere between
"useless" (most user data is compressed anyway) and "dangerous" (there is
an attack where you can recover plaintext by manipulating data "next to it"
and observing how the compressed result varies in size).

> Client
> client
> dev tun0
> route-nopull
> ifconfig 192.168.5.2 192.168.5.1
> tls-version-min 1.0
> proto udp
> remote HOST PORT
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> cipher AES-256-CBC
> mute-replay-warnings
> tls-client
> ca ca.crt
> cert cl.crt
> key cl.key
> keepalive 10 60
> ns-cert-type server
> tls-auth ta.key 1
> comp-lzo

route-nopull is not needed (there is no pull in "p2p, tls-client" mode
anyway). Keepalive should also go.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
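As an added example (not part of Gert's mail and not code from the OpenVPN project), here is a small Python checker that encodes the advice in this thread: in p2p mode both ends must carry their own `ifconfig`, server-side push/CCD directives do not apply, `keepalive` should be dropped (especially under OSPF), `comp-lzo` deserves a second look because of the compressed-size side channel, and `route-nopull` does nothing without pull. The directive names are OpenVPN's own; the severity levels and the two directive groupings are my choice, and the sample inputs are the two configs quoted above.

```python
"""Lint OpenVPN configs for the point-to-point (mode p2p) pitfalls discussed
in this thread.  Added example, not from the original email or from the
OpenVPN project; the rules encode the advice above, the directive names are
OpenVPN's own, the severity levels are this script's convention."""

# Constructed sample input: the server and client configs quoted in the thread.
SERVER_CONF = """\
dev tun0
mode p2p
ifconfig 192.168.5.1 192.168.5.2
tls-server
tls-auth ta.key 0
dh dh2048.pem
ca ca.crt
cert server.crt
key server.key
port 5555
comp-lzo
keepalive 10 120
"""

CLIENT_CONF = """\
client
dev tun0
route-nopull
ifconfig 192.168.5.2 192.168.5.1
tls-version-min 1.0
proto udp
remote HOST PORT
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
mute-replay-warnings
tls-client
ca ca.crt
cert cl.crt
key cl.key
keepalive 10 60
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""

# Directives that only make sense when a server hands settings to clients
# (grouping chosen here; the names are real OpenVPN directives).
SERVER_PUSH_DIRECTIVES = {"server", "push", "client-config-dir", "ifconfig-pool"}


def parse_config(text):
    """Return [(directive, [args...])], skipping blank lines and # / ; comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_p2p(text):
    """Return a list of (severity, directive, message) for a p2p-mode config."""
    entries = parse_config(text)
    present = {d for d, _ in entries}
    findings = []

    # In p2p mode nothing is pushed, so each end must carry its own addresses.
    if "ifconfig" not in present:
        findings.append(("error", "ifconfig",
                         "p2p mode needs ifconfig on both ends; nothing is pushed"))
    for d in sorted(present & SERVER_PUSH_DIRECTIVES):
        findings.append(("error", d,
                         "server/push/CCD directives do not apply in true p2p mode"))
    # A failed keepalive makes the instance recreate the tunnel; with OSPF on
    # top, the routing protocol already notices a dead link, so drop it.
    if "keepalive" in present:
        findings.append(("warn", "keepalive",
                         "remove: in p2p mode a failed keepalive just recreates the tunnel"))
    # comp-lzo (or compress with a real algorithm; 'compress stub' only adds
    # framing) exposes plaintext via compressed-size variation.
    for d, args in entries:
        if d == "comp-lzo" or (d == "compress" and args
                               and args[0] not in ("stub", "stub-v2")):
            findings.append(("warn", d,
                             "reconsider: little gain, compressed-size side channel"))
    # route-nopull only suppresses routes a server would push; p2p never pulls.
    if "route-nopull" in present:
        findings.append(("info", "route-nopull", "no effect without pull"))
    return findings


def strip_directives(text, names):
    """Return the config with the named directives removed, everything else kept."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] in names:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(f"== {label} ==")
        for severity, directive, msg in lint_p2p(conf):
            print(f"  [{severity}] {directive}: {msg}")
```

Run as-is it reports `keepalive` and `comp-lzo` on the server side and those two plus `route-nopull` on the client side; feeding the output of `strip_directives()` back into `lint_p2p()` shows the cleaned pair is quiet, which is the state Gert describes as "reasonable".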
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users