OpenVPN in client mode requires local port set for multiple instances
If you create an OpenVPN client, the local port is left blank, and it will automatically use 1194
If you create a second client instance and leave the field blank, it will also try to bind to 1194, and fail.
Whichever instance happens to start last will not function:
Nov 18 19:23:28 openvpn: UDPv4 link local (bound): [AF_INET]192.168.197.153:1194 [...] Nov 18 19:24:03 openvpn: TCP/UDP: Socket bind failed on local address [AF_INET]192.168.197.153:1194: Address already in use
So we need some way to either find a free port or, if possible, make the client pick a random source port insetad.
#3 Updated by Pierre POMES over 9 years ago
Yes, the directive is "local_port" in config.xml:
<openvpn> <openvpn-client> <vpnid>2</vpnid> <protocol>UDP</protocol> <dev_mode>tun</dev_mode> <ipaddr/> <interface>any</interface> <local_port>7823</local_port>
It is mapped to "lport" in the openvpn config file.
#5 Updated by Pierre POMES over 9 years ago
Sorry, I misunderstood.
It seems the random port feature has been added recently when using "lport 0".
I did not check however if it is available in our openvpn version.
#6 Updated by Jim Pingle over 9 years ago
I'll have to give that one a try. We are on the devel version of openvpn, current number is 201019, which according to the file dates in the tgz is from May, and I see that line in options.c.
So it may be as easy as assuming 0 for the value of lport unless otherwise specified. I'll run some tests tomorrow.
Thanks for looking that up.
#7 Updated by Chris Buechler over 9 years ago
This made me notice a related regression from 1.2.x, you can specify a dynamic source port and it just adds "nobind" to the config rather than lport. The client config in 1.2.x has "Dynamic sourceport", that needs to be brought back and ensure it's properly upgraded from existing configs or it'll break some upgraded configurations with port conflicts.
#8 Updated by Jim Pingle over 9 years ago
I'd have to check the config docs again but I think that if you specify a listening interface you have to use lport. We may have to just use lport 0 in place of the old dynamic source port option. The change was probably made because you can choose the interface in the GUI now, the old option may only work if you choose interface=any.
#11 Updated by Jim Pingle over 9 years ago
Also confirmed that nobind only works if you do not choose an interface, so the old "dynamic sourceport" checkbox isn't needed, and is now the default. I suppose we could add some upgrade code that assumes 1194 if dynamic source is unchecked and local_port is empty in the config, but it seems like it may be asking for trouble.
I combined the test for using nobind and the lport setting in e39243843f16d4c8908bf0726e68e65887774f0d to avoid a situation where the commit I did initially may have used lport 0 and nobind at the same time, which isn't valid.