OpenVPN Preserving recently used remote address

Topic Author
crit

Post by crit » Fri May 18, 2018 12:16 am

Hi :wave:

I've been searching on the Internet for quite a while now and in the CS forums but I didn't find anything related... so here is my situation.
I'm trying to switch between profiles of OpenVPN like from Portugal to Paris and to Switzerland but a strange thing is happening all the time, I see in the OpenVPN logs "Preserving recently used remote address" and I'm having the Portugal IP every time no matter what I do.
For info I'm using NetworkManager on Debian and the OpenVPN app on Android and the behavior is the same... :( I will really appreciate your help, thanks!

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: OpenVPN Preserving recently used remote address

Post by parityboy » Fri May 18, 2018 8:09 pm

@OP

So to clarify: you have entirely separate profiles created in NetworkManager? You are simply stopping each one and starting the other?


Re: OpenVPN Preserving recently used remote address

Post by crit » Sat May 19, 2018 6:17 pm

Yes @parityboy, the same behavior happens on Android and I've tried to restart both Android and Debian.


df
Site Admin
Posts: 420
Joined: Thu Jan 01, 1970 5:00 am

Re: OpenVPN Preserving recently used remote address

Post by df » Wed May 23, 2018 10:48 pm

This might be a bug in the OpenVPN implementation of --persist-tun.
IIRC, --persist-tun shouldn't affect configs that point at specific nodes (like Paris/Portugal), but it might affect configs that use the balancers.
You could try telling your OpenVPN to ignore the server-pushed --persist-tun by adding to your config:

pull-filter ignore "persist-tun"

(only supported in OpenVPN >= 2.4.x)
I also noticed this problem on an Android phone, but only when connecting to the old Linux instances, not when connecting to the ECC instances, which is odd since they both use --persist-tun.


Re: OpenVPN Preserving recently used remote address

Post by crit » Thu May 24, 2018 12:23 pm

Hello @df

Thanks for your answer, I've tried the option you suggested with no luck :( I've also tried the ECC instances but the same behavior happens. Tried both UDP and TCP config files.

For info I'm using OpenVPN 2.4.0 x86_64-pc-linux-gnu on Debian and OpenVPN 2.5-icsopenvpn on Android.

Re: OpenVPN Preserving recently used remote address

Post by df » Fri May 25, 2018 6:30 pm

I can't seem to recreate this issue:

root@oldbox:~/cryptostorm_client_configuration_files-master/ecc# openvpn CS-ECC-frankfurt_udp.ovpn 2>&1|grep -E "Preserving|cryptostorm.*Peer|Initiali"
Fri May 25 07:51:20 2018 us=154000 TCP/UDP: Preserving recently used remote address: [AF_INET]84.16.240.49:5060
Fri May 25 07:51:20 2018 us=902464 [cryptostorm server] Peer Connection Initiated with [AF_INET]84.16.240.49:5060
Fri May 25 07:51:22 2018 us=142206 Initialization Sequence Completed
^C
root@oldbox:~/cryptostorm_client_configuration_files-master/ecc# openvpn CS-ECC-switzerland_udp.ovpn 2>&1|grep -E "Preserving|cryptostorm.*Peer|Initiali"
Fri May 25 07:51:49 2018 us=594727 TCP/UDP: Preserving recently used remote address: [AF_INET]185.60.147.78:5060
Fri May 25 07:51:50 2018 us=385560 [cryptostorm server] Peer Connection Initiated with [AF_INET]185.60.147.78:5060
^C

Even using the balancer it correctly connects me to a different node almost every time.

But I do vaguely remember seeing what you're describing on a Windows machine, where it would Preserve the old server IP even when connecting to a node that doesn't resolve to that IP.
One way that should prevent it from doing that is using IPs instead of hostnames in the config, but that's not really a good idea since server IPs often change when we replace/upgrade servers.

Since there's no config option related to that Preserving feature (that I can think of), another option would be to remove the code from OpenVPN's src. It wouldn't be too difficult to rebuild OpenVPN on Debian, but on Android it would be a pain in the ass.
If that's the route you want to take, the code you're looking for is on line 1681 of OpenVPN 2.4.6's src/openvpn/socket.c -

  /* should we re-use previous active remote address? */
  if (link_socket_actual_defined(&sock->info.lsa->actual))
  {
    msg(M_INFO, "TCP/UDP: Preserving recently used remote address: %s",
      print_link_socket_actual(&sock->info.lsa->actual, &gc));
    if (remote_dynamic)
    {
      *remote_dynamic = NULL;
    }
  }
  else
  {
    CLEAR(sock->info.lsa->actual);
    if (sock->info.lsa->current_remote)
    {
      set_actual_address(&sock->info.lsa->actual,
                sock->info.lsa->current_remote);
    }
  }

That should be changed to:

    CLEAR(sock->info.lsa->actual);
    if (sock->info.lsa->current_remote)
    {
      set_actual_address(&sock->info.lsa->actual,
                sock->info.lsa->current_remote);
    }

Of course, an OpenVPN compiled with that change should be tested thoroughly before using it for anything important.
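
Added example, not part of the thread and not OpenVPN or cryptostorm code: a Python check for the symptom discussed above, where a run with a different profile ends up on the previous profile's address. In df's output the "Preserving" line appears on both runs with different addresses, so the check compares addresses across runs instead of looking for the message. The first two runs are the log lines from df's post; the portugal/paris runs, the 192.0.2.10 address and port 443, and the function names are constructed for this example.

```python
import re

# Matches the two log lines df greps for; the address is captured without its port.
ADDR = r"\[AF_INET6?\]([0-9A-Fa-f.:]+):\d+"
PRESERVE_RE = re.compile(r"Preserving recently used remote address: " + ADDR)
PEER_RE = re.compile(r"Peer Connection Initiated with " + ADDR)

def parse_session(log_text):
    """Return (preserved_addr, peer_addr) for one OpenVPN run; None where absent."""
    preserved = peer = None
    for line in log_text.splitlines():
        if (m := PRESERVE_RE.search(line)):
            preserved = m.group(1)
        elif (m := PEER_RE.search(line)):
            peer = m.group(1)
    return preserved, peer

def find_stuck_remotes(sessions):
    """sessions: (profile, log_text) pairs in the order they were run.
    Report runs that reached the same address as the previous, different profile."""
    findings, prev = [], None
    for profile, log_text in sessions:
        preserved, peer = parse_session(log_text)
        addr = peer or preserved          # the peer line is the stronger evidence
        if addr is None:
            continue                      # run never got as far as a remote address
        if prev and prev[1] == addr and prev[0] != profile:
            findings.append((profile, prev[0], addr))
        prev = (profile, addr)
    return findings

# Log lines copied from df's post above.
DF_RUNS = [
    ("CS-ECC-frankfurt_udp", "Fri May 25 07:51:20 2018 us=154000 TCP/UDP: Preserving recently used remote address: [AF_INET]84.16.240.49:5060\n"
     "Fri May 25 07:51:20 2018 us=902464 [cryptostorm server] Peer Connection Initiated with [AF_INET]84.16.240.49:5060"),
    ("CS-ECC-switzerland_udp", "Fri May 25 07:51:49 2018 us=594727 TCP/UDP: Preserving recently used remote address: [AF_INET]185.60.147.78:5060\n"
     "Fri May 25 07:51:50 2018 us=385560 [cryptostorm server] Peer Connection Initiated with [AF_INET]185.60.147.78:5060"),
]

# Constructed lines (documentation address 192.0.2.10) reproducing crit's symptom.
STUCK_RUNS = [
    ("portugal", "TCP/UDP: Preserving recently used remote address: [AF_INET]192.0.2.10:443\n"
                 "[cryptostorm server] Peer Connection Initiated with [AF_INET]192.0.2.10:443"),
    ("paris", "TCP/UDP: Preserving recently used remote address: [AF_INET]192.0.2.10:443"),
]

if __name__ == "__main__":
    print(find_stuck_remotes(DF_RUNS))
    print(find_stuck_remotes(STUCK_RUNS))
```

On the balancer configs two consecutive runs can land on the same node, so the comparison is only meaningful for profiles that point at specific nodes.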
