Hi,

On Wed, Dec 10, 2014 at 08:31:27AM +1300, Jason Haar wrote:
> LOL! It took Gert to spot the most obvious scenario ;-)

I'm good at breaking things :-)

> That really
> re-enforces what I think about this needing to be an "openvpn ping" type
> solution: it is irrelevant if the server is up or even if openvpn tcp
> ports appear to be open, it's only evidence that openvpn is working that
> should be taken as evidence that openvpn is - well - working :-)

Indeed.

I think what you're proposing is quite a cool feature, but it is not easy to implement.

The "ping" could actually be fairly easy, though it might need protocol changes (to permit a quick health check - for tls-auth authorized clients - without a full TLS negotiation taking place).

More work is the connection loop on the client side - right now, OpenVPN walks the list of "remotes" sequentially, and if one fails, tries the next one. This would need to be changed to try them "all at once", at least for the "ping" check, and then decide on a connection order for the real connection...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de