
Re: [Openvpn-users] Re: Peer to peer operation?

  • Subject: Re: [Openvpn-users] Re: Peer to peer operation?
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 19 Oct 2005 08:15:09 -0600 (MDT)

On Wed, 19 Oct 2005, John wrote:

> "James Yonan" <jim@xxxxxxxxx> wrote in message 
> news:Pine.LNX.4.58.0510182257550.32723@xxxxxxxxxxxx
> > On Wed, 19 Oct 2005, Cyber Dog wrote:
> >
> >> First, brief info about my topology: I've got two Linux (Debian)
> >> firewalls at separate locations connected via the internet.
> >> Previously, I had used PPTP to connect to either firewall while
> >> roaming, and IPSec connected the two firewalls directly. Hosts on both
> >> LANs could communicate (routed, not bridged).
> >>
> >> Several folks have recommended OpenVPN, so I took the plunge.  My
> >> first attempt was replacing PPTP and using OVPN to connect to the
> >> firewalls while roaming.  I accomplished this successfully using the
> >> howto.
> >>
> > Yes, OpenVPN supports peer-to-peer operation via the "mode p2p" directive
> > (which is actually the default).  In peer-to-peer mode, the peers are
> > configured symmetrically, and each can have a "remote" option pointing to
> > the other peer, so each peer can both initiate or listen for connections.
> > Peer-to-peer configurations can be set up using TLS or static/preshared
> > keys.
> >
> > The peer-to-peer mode was in fact the only mode supported in OpenVPN 1.x.
> > OpenVPN 2.0 still supports peer-to-peer mode as well as the new
> > client/server mode.
> >
> > Here are some docs to check out:
> >
> > http://openvpn.net/1xhowto.html
> >
> > http://openvpn.net/static.html
> >
> > James
> >
> James,
> I think that's not what he meant, because I feel the same thing.
> We have 2 remote sites which are always connected and 5 "roadwarriors". When 
> switching back to the "old" peer (1.x) mode for remote sites, you also lose all 
> the "good" things from the server mode,
> especially 1 tun device / 1 UDP port number for all connections and one main 
> configuration file. It would be nice to have some sort of in-between mode.
> I will try to describe the idea.
> In the ccd/client options, specify a "persistent peer" mode. The client 
> remembers this (pushed) "persistent peer" mode and will listen for the 
> server to reconnect.
> The server, on the other hand, knows with the "persistent peer" directive that it 
> should try to establish the tunnel itself. In that way you can have both. 
> If I remember correctly, IPsec also works with one ipsec0 device for all 
> connections. In that perspective it should also be possible for the tun 
> device used by OpenVPN.
> I don't want to be rude or so, but the "every OpenVPN tunnel has its own tun 
> device and port number", as it was in pre-2.0 times, was a major drawback and 
> showstopper for a lot of people. And most people don't want to go back that 
> way. The setup I use gave me a lot of iptables firewall headaches in 1.5-1.6 
> times....

Why can't a persistent peer connect the same way as the roadwarriors, i.e. 
with the persistent peer being the initiator and the server being the 

What is the functional benefit of creating a new "persistent peer" mode 
over simply having the persistent peer act as a client?
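What James is suggesting, written out as an added example (not from the thread or from the OpenVPN project): the always-on site is configured as a plain client of the single server instance, so the hub keeps one tun device, one UDP port and one main config while a per-client file in the ccd directory tells the server which LAN sits behind that peer. Hostnames, subnets, file names and the common name "siteB" are assumptions; the `iroute` directive is not mentioned in the thread.

```conf
# ---- hub firewall: server.conf (assumed names/addresses) ----
# One instance serves both the roadwarriors and the persistent site peer.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# VPN subnet handed out to every client, roadwarrior or site
server 10.8.0.0 255.255.255.0
# Per-client options live in ccd/<CommonName of the client cert>
client-config-dir ccd
# Kernel route for site B's LAN via the tun interface
route 192.168.2.0 255.255.255.0
# Pushed ping/ping-restart: a client notices a dead link and reconnects
keepalive 10 60
persist-key
persist-tun

# ---- hub firewall: ccd/siteB (assumed common name "siteB") ----
# iroute tells OpenVPN's internal routing which client owns 192.168.2.0/24
iroute 192.168.2.0 255.255.255.0
# Give site B a route back to the hub's own LAN
push "route 192.168.1.0 255.255.255.0"

# ---- site B firewall: siteB.conf ----
# An ordinary client that simply never disconnects; it always initiates.
client
proto udp
dev tun
remote vpn.example.org 1194
ca ca.crt
cert siteB.crt
key siteB.key
persist-key
persist-tun
```

Roadwarriors use the same server.conf and need no ccd entry; only the site peer gets an iroute, so the one tun/one port setup John wants is kept without a new mode.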
