"Adam V. Richards" <avrich@xxxxxxxxxxxxxx> said:

> I've decided to switch from 1.5.0 to 2.0.b1. Under 1.5.0 I was
> successfully running around 30 clients (separate openvpn process and udp
> port for each client -- a big pain). I'm *very* excited about 2.0's
> multi-client capability!! :)
>
> I'm having some implementation issues however. 4 questions:
>
> Setup
> -----
> version = openvpn 2.0.b1 on both server and clients
> style = tun
> server = freebsd 4.9-rel
> clients = freebsd 4.9-rel, freebsd 5.2.1-rel, windows xp, (i would like
> to get Mac OSX 10.3 working)
>
> 1. How do you make the connection resilient to interruption events w/out
> resorting to excessively chatterful --ping-restart, like "ping-restart 5"?
> This "works", but it really isn't ideal as the client is constantly
> SIGUSR1'ing! If I have 100-200 clients, this makes for a useless server
> logfile. :) Running the clients in TCP isn't desired either for
> performance reasons (I'm *only* doing IP protocols). I've tried various
> combinations of "ping" and "ping-restart" values, but in the end it always
> seems like the client SIGUSR1's at always the "ping-restart" interval ...
> even if the "ping" interval is less.

What about something like:

  ping 15
  ping-restart 120
  push "ping 15"
  push "ping-restart 60"

This will shut down the client instance on the server after 2 minutes
without a ping from the client, and will SIGUSR1 the client after 1 minute
without anything being heard from the server.

> 2. This is more a comment than an implementation issue, but it appears I
> need to escape the backslashes in the client configuration file (for
> windows client) for things like "up" and "down" script paths. E.g.:
>
>   up "c:\\Progra~1\\OpenVPN\\config\\client_up.bat"
>
> Is this intended? If it isn't, either I'm formatting the statement
> incorrectly, or this is a non-critical bug.

:) This is a feature not a bug :)

The backslash is used as a kind of shell escape flag, for doing such
things as sending a double quote char to a script.

> 3. In the example config file section of the 2.0b1 release notes, there
> are 2 statements I have questions about:
>
> a. "ifconfig 10.8.0.1 10.8.0.2" -- What is actually at the .2 side?
> Is this there merely for completeness? I realize the server's tun
> driver probably needs to bind to something, but I'm not totally clear on
> what .2 is doing. Also, related to this, why isn't it possible to start
> the pool at "10.8.0.1" rather than "10.8.0.4"?

The .2 is the "endpoint" of the server side tun/tap interface. Think of
the OpenVPN server itself as owning the .2 address, since OpenVPN in this
mode is acting as a router. If you route something to 10.8.0.2, it will
end up in OpenVPN's lap, which will in turn route it to a client.

You don't want to start the pool at 10.8.0.1 because that would clash
with the server's own tun IP address which is 10.8.0.1.

> b. "push 'route 10.8.0.1 255.255.255.255'" -- What is this for? If the
> clients are doing "redirect-gateway", is this particular push statement
> needed? Is it trying to push some sort of default route to client?

This allows any client to use the IP 10.8.0.1 to communicate with the
server over the VPN. It's not needed if all the clients are doing
redirect-gateway.

> 4. If I want to keep everything as generic as possible, configuration
> file-wise, what is the best way (or a good way) to propagate the client's
> default gateway w/out having to specify an actual IP addr? The only way I
> was able to get this to work is by using "redirect-gateway" and
> "route-delay 0" together. I'm not so sure this is a good thing, at least
> the route-delay part, as I am trying to dhcp everything, both the real
> and virtual interfaces...

What happens without "route-delay 0"?

> Thanks for any advice! Basic config files for freebsd server and windows
> xp client below:
>
> ----------------server----------------
> dev tun0
> local 10.1.1.1
> port 5000
>
> mode server
> client-to-client
>
> ifconfig 192.168.200.1 192.168.200.2
> ifconfig-pool 192.168.200.4 192.168.200.251
> route 192.168.200.0 255.255.255.0
> inactive 600
>
> tls-server
> dh /usr/local/etc/openvpn/certs/CA/dh1024.pem
> ca /usr/local/etc/openvpn/certs/CA/CA.crt
> cert /usr/local/etc/openvpn/certs/gw-wifi.crt
> key /usr/local/etc/openvpn/certs/gw-wifi.key
>
> comp-lzo
>
> verb 3
> --------------------------------------
>
> ----------------client----------------
> dev tun
> remote 10.1.1.1
> port 5000
>
> pull
>
> redirect-gateway
> route-delay 0
>
> tls-client
> ca CA.crt
> cert vega.crt
> key vega.key
> comp-lzo
>
> ping 10
> ping-restart 5
>
> verb 3
> mute 10
> --------------------------------------
>
> -Adam Richards

--
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
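The backslash-escape behaviour discussed in question 2 decides whether a Windows "up"/"down" script path survives config parsing intact. The tokenizer below is an added example, not code from the thread or from OpenVPN itself; it models the described rules (backslash escapes the next character, double quotes group a parameter, ';' and '#' start a comment) so an administrator can check what a config line resolves to before deploying it. Treating single quotes as literal (no backslash processing) is an assumption of this model.

```python
# Added example: tokenize one OpenVPN-style config line the way the thread
# describes it. Not OpenVPN's own parser; single-quote handling is assumed.

def parse_config_line(line: str) -> list[str]:
    """Split a config line into words, honouring quotes and backslash escapes."""
    tokens: list[str] = []
    cur: list[str] = []
    in_token = False      # True once a word has started (even if still empty)
    quote = None          # None, '"' or "'" while inside a quoted parameter
    backslash = False     # previous char was an unprocessed backslash
    for ch in line:
        if backslash:                      # escaped char is taken literally
            cur.append(ch)
            backslash = False
            in_token = True
        elif ch == "\\" and quote != "'":  # backslash escapes the next char
            backslash = True
            in_token = True
        elif quote:                        # inside quotes: only the closing quote is special
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":                  # opening quote starts/continues a word
            quote = ch
            in_token = True
        elif ch.isspace():                 # whitespace ends the current word
            if in_token:
                tokens.append("".join(cur))
                cur, in_token = [], False
        elif ch in ";#" and not in_token:  # comment only at the start of a word
            break
        else:
            cur.append(ch)
            in_token = True
    if backslash:
        raise ValueError("dangling backslash at end of line")
    if quote:
        raise ValueError("unterminated quote")
    if in_token:
        tokens.append("".join(cur))
    return tokens


if __name__ == "__main__":
    # Constructed lines: the escaped path from the thread and an unescaped variant.
    for line in (r'up "c:\\Progra~1\\OpenVPN\\config\\client_up.bat"',
                 r'up "c:\Progra~1\OpenVPN\config\client_up.bat"',
                 r'push "route 10.8.0.1 255.255.255.255"  # server tun address'):
        print(line, "->", parse_config_line(line))
```

The unescaped variant shows why the doubling is required: every single backslash is consumed as an escape and the path loses its separators.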