Hello OpenVPN gurus, we currently utilize OpenVPN with about
100 clients and three servers. Posted below are my various configuration
files:
Server configuration file:
local XX.XXX.XXX.XXX
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server1.crt
key easy-rsa/keys/server1.key
dh easy-rsa/keys/dh2048.pem
server 10.8.80.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.8.81.0 255.255.255.0
keepalive 10 120
tls-auth easy-rsa/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
Typical client configuration file:
client
dev tun
proto udp
remote XX.XXX.XXX.XXX 1194
remote XX.XX.XXX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert XXXX.crt
key XXXX.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
log openvpn.log
up-restart
up /usr/viewtouch/dat/scripts/Openvpn-Reconnect
Typical ccd file for a client:
ifconfig-push 10.8.81.58 10.8.80.1
I utilize redhat and fedora Linux as clients and servers.
My 3 questions are:
1. We monitor our systems using Nagios, and I would like to be able to have the
monitoring server connect to the main OpenVPN server as a client and be able to
"see" each of the clients via the VPN. Right now any client can only see the
server. Is it possible to have just one client be able to reach all the other
clients? Or will I have to make a global change to allow each client to get to
any other? Each client has a fixed VPN IP based upon its ccd file.
2. We are moving to a point where I would like to use a second subnet to
separate new clients in a new country. Up until now all my clients get a fixed
IP in the 10.8.81.x subnet based upon their ccd file. How can I now add, for
instance, 10.8.82.x and give specific clients addresses in this subnet? Will
adding another route statement in the server configuration like "route 10.8.82.0
255.255.255.0" work? If I do this, will it have any effect on the existing
10.8.81.x subnet?
3. This sort of follows from question number 1. I have 3 servers running at
various places on the Internet. Right now I run all clients on one server, but
at some point soon I would like to have clients randomly move between servers.
Should the main server go down, I simply run up the daemon on my backup server
and the clients then move over. I know how to accomplish this by changing the
options in the client configuration files. What I would like to know, assuming
#1 is possible (and I'm sure it is), is how this "special" client could then
find any other client no matter what server it is connected to. I can assume
that it could simultaneously connect to both servers and then "find" the client
it wants to monitor from there.
I hope these questions make sense and I have given enough
information to be pointed in the right direction. If not, let me know
what I have missed and I will be sure to comply. Thanks in advance.
Ed Russell
Manager, Information Technology
Teriyaki Experience
700 Kerr Street Suite 100
Oakville, Ontario
L6K 3W5
905-337-7777 x500
905-337-5686 direct
905-580-4566 mobile
905-337-0331 fax
erussell@xxxxxxxxxxxxxxxxxxxxxx
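Added example for questions 1 and 2 above. This is not code from Ed's post or from the OpenVPN project; it is a small planner/auditor for the ccd/ directory that shows the pieces the two questions turn on: a per-country client subnet plus one independent server "route" line each, a monitor client that alone is pushed routes to those subnets, and the kernel-side FORWARD rules that decide who may actually cross between clients when client-to-client is not used. Everything not in the post is an assumption: the country-to-subnet map, the monitor's name and address (10.8.80.250, chosen inside the server's own 10.8.80.0/24 because the "server" directive already pushes a route for that network to every client, so the other clients can answer the monitor without touching their ccd files), the tun0 interface name, and the client names in the constructed scenario. One caveat the code comments repeat: the monitor's fixed address must not collide with the dynamic pool, which is safe here only because every client already has a fixed address in its ccd file.

```python
# Added example, not from the original post or from OpenVPN. Assumed, not in the
# post: CLIENT_SUBNETS plan, MONITOR_ADDR, the tun0 interface name, client names.
import ipaddress
from pathlib import Path

SERVER_TUN_ADDR = ipaddress.ip_address("10.8.80.1")     # remote in the post's ccd file
SERVER_NET = ipaddress.ip_network("10.8.80.0/24")        # 'server 10.8.80.0 255.255.255.0'
CLIENT_SUBNETS = {                                       # assumed per-country plan
    "canada": ipaddress.ip_network("10.8.81.0/24"),      # existing fixed-IP subnet
    "newcountry": ipaddress.ip_network("10.8.82.0/24"),  # hypothetical second subnet
}
MONITOR_ADDR = ipaddress.ip_address("10.8.80.250")       # assumed; inside SERVER_NET


def parse_ifconfig_push(text):
    """Return (local, remote) from a ccd file's ifconfig-push line, or None."""
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(words) == 3 and words[0] == "ifconfig-push":
            return ipaddress.ip_address(words[1]), ipaddress.ip_address(words[2])
    return None


def audit_ccd_dir(ccd_dir):
    """Report what OpenVPN will not catch for you: two ccd files claiming the same
    address (whoever connects last wins), a fixed address in no routed subnet (the
    server has no 'route' for it, so nothing reaches it), and a wrong remote."""
    seen, problems = {}, []
    allowed = list(CLIENT_SUBNETS.values()) + [SERVER_NET]
    for path in sorted(Path(ccd_dir).iterdir()):
        parsed = parse_ifconfig_push(path.read_text())
        if parsed is None:
            continue
        local, remote = parsed
        if local in seen:
            problems.append(f"{path.name}: {local} already used by {seen[local]}")
        seen[local] = path.name
        if not any(local in net for net in allowed):
            problems.append(f"{path.name}: {local} is in no routed subnet")
        if remote != SERVER_TUN_ADDR:
            problems.append(f"{path.name}: remote {remote} is not {SERVER_TUN_ADDR}")
    return problems


def next_free_address(ccd_dir, country):
    """Lowest host address in that country's subnet not yet used by any ccd file."""
    parsed = (parse_ifconfig_push(f.read_text()) for f in Path(ccd_dir).iterdir())
    used = {p[0] for p in parsed if p}
    for host in CLIENT_SUBNETS[country].hosts():
        if host not in used:
            return host
    raise RuntimeError(f"subnet for {country} is full")


def add_client(ccd_dir, name, country):
    """Write ccd/<name> with a fixed address; this client still sees only the server."""
    addr = next_free_address(ccd_dir, country)
    (Path(ccd_dir) / name).write_text(f"ifconfig-push {addr} {SERVER_TUN_ADDR}\n")
    return addr


def monitor_ccd():
    """ccd for the single client that must reach everyone: a fixed address inside
    SERVER_NET (every client already gets a pushed route for it, so replies come back
    without changing the other ccd files) plus a pushed route per client subnet that no
    other ccd file gets. MONITOR_ADDR must stay out of the dynamic pool; here every
    client is fixed, so the pool is unused (otherwise restrict it with ifconfig-pool)."""
    lines = [f"ifconfig-push {MONITOR_ADDR} {SERVER_TUN_ADDR}"]
    for net in sorted(CLIENT_SUBNETS.values(), key=lambda n: n.network_address):
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return "\n".join(lines) + "\n"


def server_route_lines():
    """One 'route' per client subnet; 10.8.82.0 is a new, independent entry and leaves
    the existing 10.8.81.0 entry exactly as it was."""
    nets = sorted(CLIENT_SUBNETS.values(), key=lambda n: n.network_address)
    return [f"route {n.network_address} {n.netmask}" for n in nets]


def forward_rules(tun_if="tun0"):
    """Without client-to-client, a packet from one client to another leaves the OpenVPN
    process via tun0 and is routed by the kernel straight back into tun0, so it crosses
    the FORWARD chain. Let only the monitor originate such traffic (plus replies) and
    drop the rest; needs net.ipv4.ip_forward=1. Interface name is an assumption."""
    return [
        f"iptables -A FORWARD -i {tun_if} -o {tun_if} -s {MONITOR_ADDR} -j ACCEPT",
        f"iptables -A FORWARD -i {tun_if} -o {tun_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {tun_if} -o {tun_if} -j DROP",
    ]


def demo():
    """Constructed scenario (not real data): the post's example client, one more
    Canadian client, one new-country client, the monitor, then a hand-edited ccd
    file that reuses an address."""
    import tempfile
    ccd = Path(tempfile.mkdtemp())
    (ccd / "till01").write_text("ifconfig-push 10.8.81.58 10.8.80.1\n")  # from the post
    a = add_client(ccd, "till02", "canada")
    b = add_client(ccd, "store-nz-01", "newcountry")
    (ccd / "nagios").write_text(monitor_ccd())
    clean = audit_ccd_dir(ccd)
    (ccd / "till03").write_text("ifconfig-push 10.8.81.58 10.8.80.1\n")  # duplicate
    dup = audit_ccd_dir(ccd)
    return str(a), str(b), clean, dup
```

Run demo() to see the clean audit followed by the duplicate-address report; the ccd text from monitor_ccd() goes in ccd/<monitor common name>, the route lines go in the server configuration next to the existing route statement, and the iptables lines belong in the server's firewall script (nothing here touches the system by itself).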