wiki:299-can-openvpn-handle-the-situation-where-both-ends-of-the-connection-are-dynamic

Can OpenVPN handle the situation where both ends of the connection are dynamic?

Yes.

A prerequiste of this method is that you subscribe to a service such as dyndns.org that lets you conveniently point an internet domain name to a dynamic address (or you can do it yourself if you have control over a DNS server that exists on a machine having a static IP address).

The crux of this method is in the 'timeouts' section of the config file below, or more specifically the 'ping' and 'ping-restart' options. Basically, if for whatever reason, OpenVPN doesn't receive a ping from its peer during a 300 second period (as would happen if its peer changed addresses), it will restart. When it restarts, it will re-resolve myremote.mydomain.com to get the new IP address. This method assumes that you are using a dynamic DNS service that lets you immediately update your domain name with your current dynamic address.

Using this technique, OpenVPN will essentially "follow" a dynamic DNS address as it changes.

Here is the config file example:

remote myremote.mydomain.com
dev tun
ifconfig 10.1.0.2 10.1.0.1
up ./up-script # optional

# crypto config
replay-persist replay-persist-file # optional (1.4.0 or above)

# TLS config (or omit TLS security by using a pre-shared key
# such as 'secret static.key').
tls-client
ca key/my-ca.crt
cert key/my-cert.crt
key key/my-key.key
tls-auth key/my-tls-password # optional

# timeouts
ping 15
ping-restart 300 # 5 minutes
resolv-retry 300 # 5 minutes
persist-tun
persist-key

# compression (optional)
comp-lzo

# UID (optional)
user nobody
group nobody

# verbosity (optional)
verb 4

On the other end of the connection, you would duplicate the above config file but change 'remote' appropriately, and swap the ifconfig addresses.

If you are using TLS security, then also change 'tls-client' to 'tls-server', add a 'dh' file for the diffie-hellman file, and change 'cert' and 'key' to match your appropriate local cert and key.

This setup requires that each machine have a dynamic DNS name which is updated automatically when DHCP causes an address change. Such an automatic update can be accomplished by using a tool such as ddclient.

ddclient should be called by your /etc/dhcpc/dhcpcd-eth0.exe file (replace "eth0" in the filename with the appropriate network device name):

/usr/sbin/ddclient -daemon=0 -syslog -use=ip -ip=$1

Here is a sample /etc/ddclient.conf file:

######################################################################
##
## TODO: change mylogin, mypassword, myremote. mydomain.com
##
######################################################################

login=mylogin # default login
password=mypassword # default password
#mx=mx.for.your.host # default MX
#backupmx=yes|no # host is primary MX?
#wildcard=yes|no # add wildcard CNAME?

##
##
## dyndns.org custom addresses
##
## (supports variables: wildcard,mx,backupmx)
##
custom=yes \
server=members.dyndns.org, \
protocol=dyndns2 \
myremote.mydomain.com

Return to FAQ

Last modified 10 years ago Last modified on 01/30/14 16:14:45