[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Client/Server initiated SIGHUP


  • Subject: Re: [Openvpn-users] Client/Server initiated SIGHUP
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Wed, 28 May 2003 17:15:46 -0000

Doug,

A few thoughts:

* Generating a new static key, sending it over the tunnel, and using it as
basis to restart a new tunnel is more work and doesn't give you "perfect
forward security".  SSL/TLS gives you dynamic keys + perfect forward security.

* No, currently there's no option to cause an OpenVPN peer to send a remote
restart signal to another openvpn peer.

* I would suggest if you really want to do this, use your original plan of a
cron job at both ends, and keep the clocks reasonably in sync.  OpenVPN will
be tolerant of a time lag between restarts at both ends, however packets will
not go through the tunnel during this period.  As soon as the keys are in
sync, packets will flow again.  Again, this is an area where TLS shines, as
the SSL/TLS implementation in OpenVPN allows an overlap between new and old
keys, so packets are not dropped during the transition.

James

Doug Lytle <support@xxxxxxxxxxxxxxx> said:

> I also failed to mention that I'm mirroring the new key via the tunnel 
> for both client/server.
> 
> Doug
> 
> Doug Lytle wrote:
> 
> > James,
> >
> > Is it possible to have a client or server initiate a SIGHUP so both 
> > ends will re-read configurations and static keys?
> >
> > I want to setup a CRON job to run openvpn --genkey --secret static.key 
> > at midnight and I wanted to use killall -s HUP openvpn on both ends to 
> > re-establish the
> >
> >
> 
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: ObjectStore.
> If flattening out C++ or Java code to make your application fit in a
> relational database is painful, don't do it! Check out ObjectStore.
> Now part of Progress Software. http://www.objectstore.net/sourceforge
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 



-- 




____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users