Hi Selva/All,
Although management hold release stops the vpn daemon from running further,
it does not seem to work for me beyond that.
When I try to change the remote server using
>remote MOD <vpn-server-2> <vpn-port-2>
The server side gives a TLS handshake failure.
I think that is logical, as the client.conf does try to connect with the same
certificates and keys to the remote server as that of the first VPN server.
What do you think?
Also, I do not get the first VPN server's connected event all the time.
Abhijit
________________________________
From: Selva Nair [selva.n...@gmail.com]
Sent: Thursday, May 26, 2016 11:23 PM
To: Lamsoge, Abhijit
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Evaluating Openvpn management interface externally
via application
Hi,
On Thu, May 26, 2016 at 4:40 AM, Lamsoge, Abhijit
<abhijit.lams...@harman.com> wrote:
Hi All,
I am trying to write python and C based application for modifying “OpenVpn” in
client mode via management interface.
I need to do the following
- Update the remote server the vpn client connects to at runtime
However, the current existing management interface works like
- First connects to existing specified.
- And only on reception of event, can the management interface send a
new remote site to client.
I want to
- Start openvpn in client mode, and then via my application tell
openvpn to connect to a remote site, without the reception of event as
specified in the document for management interface.
Is there a way to do this?
Or maybe I am just lame to not understand it.
As JJK wrote, --management-hold would greatly help in this case though not
absolutely necessary. What you want to do would work without management-hold
but it would be harder to figure out what state openvpn is in when the app
connects to the management interface (MI). So, start openvpn with the necessary
options including --management-query-remote and add --management-hold to the
options. Have your application connect to the MI. The rest of the dialog could
go as shown below as an example:
Text following "OVPN:" is received from openvpn while the text following
"APP:" is what to send back. Some of the errors shown depend on options in the
config, actual remote name used etc.
OVPN: >INFO:OpenVPN Management Interface ..
OVPN: >HOLD:Waiting for hold release
APP: log on (if desired)
APP: state on (will be required for the app to figure out when connection is
established/failed etc.)
The application goes about doing whatever tasks until ready to connect
APP: hold release
OVPN: SUCCESS: hold release succeeded
OVPN: >REMOTE:somehost,1051,udp
At this point openvpn has not even tried to connect to the remote.
Here "somehost" is the remote name in the config or command line -- it need not
be a valid server, but something must be specified.
APP: remote MOD vpn.example.com 1151
OVPN: SUCCESS: remote command succeeded
OVPN: >STATE:1464276809,RESOLVE,,,,,,
OVPN: >STATE:1464276809,RESOLVE,,,,,,
OVPN: >STATE:1464276809,RECONNECTING,init_instance,,,,,
(Note: use "log on" and parse the >LOG lines to figure out why it is
reconnecting -- resolve failed in this case, as expected)
OpenVPN goes back to "on-hold"
OVPN: >HOLD:Waiting for hold release
APP: hold release
OVPN: SUCCESS: hold release succeeded
OVPN: >REMOTE:somehost,1051,udp
APP: remote MOD vpn.mydomain.com 1151
OVPN: SUCCESS: remote command succeeded
OVPN: >STATE:1464277194,RESOLVE,,,,,,
OVPN: >STATE:1464277194,WAIT,,,,,,
OVPN: >STATE:1464277194,AUTH,,,,,,
OVPN: >STATE:1464277195,GET_CONFIG,,,,,,
OVPN: >PASSWORD:Verification Failed: 'Auth' .....
OVPN: >STATE:1464277195,RECONNECTING,auth-failure,,,,,
OVPN: >HOLD:Waiting for hold release
APP: hold release
OVPN: SUCCESS: hold release succeeded
OVPN: >REMOTE:somehost,1051,udp
Note the remote name reverted back to what is in the config or command-line
APP: signal SIGHUP
(to forget the resolved IP and start afresh)
..
..
OVPN: >HOLD:Waiting for hold release
etc..
Test using telnet to figure out various failure cases that may have to be
handled in the application.
Selva
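
The dialog above, written as a small line-in/commands-out driver that can be replayed against a captured transcript (an added example, not code from this thread or from the OpenVPN project). The class and function names, the constructed sample transcript and the hostname check are assumptions made for illustration; the management commands and notifications are the ones shown in the dialog.

```python
import re

# No whitespace or newlines allowed, so a caller-supplied name cannot smuggle
# a second command onto the management channel.
_HOST_RE = re.compile(r"[A-Za-z0-9._:-]{1,253}")

class RemoteSwitcher:
    """Sans-I/O driver: feed() one line from OpenVPN, get the commands to send."""

    def __init__(self, host, port):
        if not _HOST_RE.fullmatch(host) or not 1 <= int(port) <= 65535:
            raise ValueError("invalid remote host or port")
        self.host, self.port = host, int(port)
        self.subscribed = False
        self.states = []  # (state, detail) pairs, e.g. ("RECONNECTING", "auth-failure")

    def feed(self, line):
        line = line.strip()
        if line.startswith(">HOLD:"):
            cmds = [] if self.subscribed else ["state on"]
            self.subscribed = True
            return cmds + ["hold release"]
        if line.startswith(">REMOTE:"):
            # The configured remote is offered again on every attempt,
            # so the override has to be sent each time.
            return ["remote MOD %s %d" % (self.host, self.port)]
        if line.startswith(">STATE:"):
            fields = line[len(">STATE:"):].split(",") + ["", ""]
            self.states.append((fields[1], fields[2]))
        return []  # SUCCESS:/ERROR:/>INFO: lines need no reply here

def replay(switcher, lines):
    """Run a transcript through the driver and return the commands it would send."""
    return [cmd for line in lines for cmd in switcher.feed(line)]

# Constructed transcript modelled on the dialog above (auth failure, then retry).
SAMPLE = [
    ">INFO:OpenVPN Management Interface ..",
    ">HOLD:Waiting for hold release",
    "SUCCESS: hold release succeeded",
    ">REMOTE:somehost,1051,udp",
    "SUCCESS: remote command succeeded",
    ">STATE:1464277195,RECONNECTING,auth-failure,,,,,",
    ">HOLD:Waiting for hold release",
    ">REMOTE:somehost,1051,udp",
]
```

In an application, feed() would be called with each line read from the management socket, and each returned command written back followed by a newline.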