[Openvpn-users] 3 questions

Hello OpenVPN gurus, we currently utilize OpenVPN with about 100 clients and three servers.  Posted below are my various configuration files:


Server configuration file:

port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server1.crt
key easy-rsa/keys/server1.key
dh easy-rsa/keys/dh2048.pem

ifconfig-pool-persist ipp.txt
client-config-dir ccd

keepalive 10 120
tls-auth easy-rsa/keys/ta.key 0

user nobody
group nobody

status openvpn-status.log
log openvpn.log
verb 3


Typical client configuration file:

dev tun
proto udp
remote XX.XXX.XXX.XXX 1194
remote XX.XX.XXX.XX 1194
resolv-retry infinite

ca ca.crt
cert XXXX.crt
key XXXX.key
ns-cert-type server
tls-auth ta.key 1

verb 3
log openvpn.log

up /usr/viewtouch/dat/scripts/Openvpn-Reconnect


Typical ccd file for a client:





I utilize Red Hat and Fedora Linux as clients and servers.


My 3 questions are:


1. We monitor our systems using Nagios and I would like to be able to have the monitoring server connect to the main OpenVPN server as a client and be able to “see” each of the clients via the VPN.  Right now any client can only see the server.  Is it possible to be able to have one client only be able to reach all the other clients?  Or will I have to make a global change to allow each client to get to any other?  Each client has a fixed VPN IP based upon their ccd file.

2. We are moving to a point where I would like to use a second subnet to separate new clients in a new country.  Up until now all my clients get a fixed IP in the 10.8.81.x subnet based upon their ccd file.  How can I now add, for instance, 10.8.82.x and give specific clients addresses in this subnet?  Will adding another route statement in the server configuration like “route” work?  If I do this, will it have any effect on the existing 10.8.81.x subnet?

3. This sort of leads out of question number 1.  I have 3 servers running at various places on the Internet.  Right now I run all clients on one server, but at some point soon I would like to have clients randomly move between servers.  Should the main server go down, I simply run up the daemon on my backup server and the clients then move over.  I know how to accomplish this by changing the options in the client configuration files.  What I would like to know is, assuming #1 is possible (and I’m sure it is), how could this “special” client find any other client no matter what server it is connected to?  I can assume that it could simultaneously connect to both servers and then “find” the client it wants to monitor from there.


I hope these questions make sense and I have given enough information to be pointed in the right direction.  If not, let me know what I have missed and I will be sure to comply.  Thanks in advance.


Ed Russell
Manager, Information Technology
Teriyaki Experience
700 Kerr Street Suite 100
Oakville, Ontario L6K 3W5
905-337-7777 x500
905-337-5686 direct
905-580-4566 mobile
905-337-0331 fax
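The third question asks how a monitoring client could find a given client regardless of which of the three servers it is currently attached to. One defender-side building block for that is the status file each server already writes (the posted server config has `status openvpn-status.log`): the `ROUTING TABLE` section of that file maps every connected client's certificate common name to the VPN address it currently holds. The script below is an added example written for this reply, not code from the original post or from the OpenVPN project. It assumes the default status layout (the one written when no `status-version` directive is set), assumes the monitoring host has already fetched each server's status file by some means (scp, a read-only share, etc.), and uses constructed server names (`vpn-a`, `vpn-b`) and constructed status-file contents with documentation-range addresses. It also flags a client that appears on more than one server at once, which is the stale-entry situation a failover between servers can leave behind until `keepalive` times the old session out.

```python
"""Merge OpenVPN status files from several servers into one client map.

Added example, not part of the original post.  Parses the default
(version 1) status-file format written by the ``status`` directive and
answers: "which server is client X on right now, and at what VPN address?"
Server names and file contents below are constructed samples.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, List, NamedTuple


class Lease(NamedTuple):
    server: str        # name of the OpenVPN server that wrote the status file
    common_name: str   # CN of the client certificate
    virtual_addr: str  # VPN address from the ROUTING TABLE section
    real_addr: str     # public ip:port the client connected from


def parse_status_v1(server: str, text: str) -> List[Lease]:
    """Return one Lease per ROUTING TABLE row with an IP virtual address.

    Rows whose virtual address is not an IP (tap-mode MAC entries) are skipped.
    """
    leases: List[Lease] = []
    in_routing = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "ROUTING TABLE":
            in_routing = True
            continue
        if line in ("OpenVPN CLIENT LIST", "GLOBAL STATS", "END"):
            in_routing = False
            continue
        if not in_routing:
            continue
        fields = line.split(",")
        if fields[0] == "Virtual Address" or len(fields) < 3:
            continue  # column header row or malformed line
        virtual_addr, common_name, real_addr = fields[0], fields[1], fields[2]
        try:
            ipaddress.ip_address(virtual_addr)
        except ValueError:
            continue  # e.g. a MAC address in tap mode; not routable for monitoring
        leases.append(Lease(server, common_name, virtual_addr, real_addr))
    return leases


def build_client_map(status_by_server: Dict[str, str]) -> Dict[str, List[Lease]]:
    """Index every lease from every server by client common name."""
    by_cn: Dict[str, List[Lease]] = {}
    for server, text in status_by_server.items():
        for lease in parse_status_v1(server, text):
            by_cn.setdefault(lease.common_name, []).append(lease)
    return by_cn


def locate(by_cn: Dict[str, List[Lease]], common_name: str) -> List[Lease]:
    """Where is this client right now?  Empty list means not connected anywhere."""
    return by_cn.get(common_name, [])


def find_multi_server_clients(by_cn: Dict[str, List[Lease]]) -> Dict[str, List[str]]:
    """Clients listed on more than one server at once (stale or duplicate sessions)."""
    result: Dict[str, List[str]] = {}
    for cn, leases in by_cn.items():
        servers = sorted({lease.server for lease in leases})
        if len(servers) > 1:
            result[cn] = servers
    return result


# Constructed sample status files (default format); not real captures.
SAMPLE_STATUS: Dict[str, str] = {
    "vpn-a": """OpenVPN CLIENT LIST
Updated,Tue Mar  3 09:15:02 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
store-001,198.51.100.10:45120,120394,883210,Tue Mar  3 08:01:11 2015
nagios-mon,203.0.113.7:51002,20000,15000,Tue Mar  3 07:59:40 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.81.10,store-001,198.51.100.10:45120,Tue Mar  3 09:14:58 2015
10.8.81.250,nagios-mon,203.0.113.7:51002,Tue Mar  3 09:15:00 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
""",
    "vpn-b": """OpenVPN CLIENT LIST
Updated,Tue Mar  3 09:15:03 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
store-002,198.51.100.22:1194,5000,7000,Tue Mar  3 08:30:00 2015
store-001,198.51.100.10:45121,100,200,Tue Mar  3 09:14:30 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.82.22,store-002,198.51.100.22:1194,Tue Mar  3 09:15:01 2015
10.8.81.10,store-001,198.51.100.10:45121,Tue Mar  3 09:14:31 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
""",
}


if __name__ == "__main__":
    client_map = build_client_map(SAMPLE_STATUS)
    for cn in sorted(client_map):
        for lease in client_map[cn]:
            print(f"{cn:12} on {lease.server:6} at {lease.virtual_addr}")
    for cn, servers in find_multi_server_clients(client_map).items():
        print(f"WARNING: {cn} appears on {', '.join(servers)}")
```

In the sample, `store-001` has just moved from `vpn-a` to `vpn-b` and the old server has not yet expired the session, so it shows up twice; a monitoring host should treat the entry with the most recent `Last Ref` (or the server it can actually reach the address through) as authoritative, and the warning is a useful signal that a failover is in progress.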