Hi,

On Sat, Mar 03, 2012 at 12:07:30PM +1300, Jason Haar wrote:
> On 03/03/12 03:59, Gert Doering wrote:
> > I would *love* to have that. And it's somewhere on my TODO list of
> > things to implement in OpenVPN (multiple listening sockets in a single
> > process).
>
> Given the issue with the non-threaded nature of openvpn and the
> bottlenecks that can cause under load, what's wrong with running
> separate instances on multiple tcp and udp ports, and then using a
> "--client-connect" script to return a unique IP to clients?

Well, it's a workaround for shortcomings in OpenVPN :-) - and I prefer
to have my software do things I want, without the workarounds.

One issue I see with your script is that it will also need to change
routing tables on the server, to get the client IP stuffed into the
proper tunnel for this OpenVPN instance, and then it needs updating
for IPv6, and that's all avoidable if OpenVPN could do it in the first
place...

> We use that
> so that all VPN users are always assigned "their" constant IP by mapping
> an IP to the CN field

Which works perfectly well from within OpenVPN, using "--client-config-dir"
and "--ifconfig-push"... (or if you don't care for a specific IP address,
as long as it's the same every time, with --ifconfig-pool-persist)

[..]
> With this, we have the luxury that every client always gets the same IP

That can be achieved much easier :-)

> - which makes asset management *much* easier and means you get
> marvellous side-effects like I can be SSH-ed into a work machine at
> home, suspend my laptop, go to another building and get a completely
> different Internet address, and yet seconds later have openvpn
> auto-reconnect to work and find my SSH session still works. So cool :-)

All *that* is built-in into OpenVPN already ;-))

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de