Hi,

On 08/06/17 14:30, richard lucassen wrote:
> On Thu, 8 Jun 2017 13:49:28 +0200
> Gert Doering <g...@greenie.muc.de> wrote:
>
> > > But it still tries to initialize (which is quite obvious of course),
> > > but is there a way to tell OpenVPN to only initialize the VPN as
> > > soon as data enters the tunnel?
> >
> > If you do static-key, there is nothing to initialize remotely - local
> > init, of course, as there is no tunnel interface otherwise.
>
> It's a simple static-key config:
>
> dev tun0
> local a.b.c.d
> remote e.f.g.h
> ifconfig 192.168.246.1 192.168.246.2
> verb 5
> secret /etc/openvpn/certs/secret.key
> port 1198
> proto udp
> comp-lzo
> user nobody
> group nogroup
>
> When starting it remains silent for 10 secs, but after these 10 secs it
> starts to look for the other end:
>
> # tcpdump -ni eth0 udp port 1198
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 14:24:56.852049 IP a.b.c.d.1198 > e.f.g.h.1198: UDP, length 60
> 14:25:06.830103 IP a.b.c.d.1198 > e.f.g.h.1198: UDP, length 60
> 14:25:16.613951 IP a.b.c.d.1198 > e.f.g.h.1198: UDP, length 60



just tested it over here:

when *starting* the tunnel, there is some initial traffic between client and server, which is to be expected. After the PtP tunnel has been established there is no traffic over UDP port 1198, *until* traffic is sent over the tunnel. The only thing I added to both client and server configs was
  keep-alive 0 0
which is the same as
  ping 0
  ping-restart 0

If you want *no traffic at all* until data is received on the tunnel interface then you'll have to resort to ugly systemd-like tricks:
- use 'openvpn --mktun tun0' to create the tun device
- do something magic to launch openvpn when packets enter tun0

but your initial packets will almost always time out - the initial handshake in PtP mode is *at least* 10 seconds.

HTH,

JJK
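
One way to check a capture for the idle traffic discussed in this thread (an added example, not part of the original messages): it parses tcpdump lines in the format quoted above and reports flows that send same-sized UDP packets at a steady interval. The function names, the 1-second tolerance and the three-packet minimum are assumptions; the sample input is the three capture lines from the quoted message.

```python
import re
from datetime import datetime

# Sample input: the three capture lines quoted in the thread (addresses are
# the placeholders used there).
SAMPLE = """\
14:24:56.852049 IP a.b.c.d.1198 > e.f.g.h.1198: UDP, length 60
14:25:06.830103 IP a.b.c.d.1198 > e.f.g.h.1198: UDP, length 60
14:25:16.613951 IP a.b.c.d.1198 > e.f.g.h.1198: UDP, length 60
"""

LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"UDP, length (?P<len>\d+)$")


def parse(text):
    """Return (timestamp, src, dst, length) per UDP line; skip other lines."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            packets.append((ts, m["src"], m["dst"], int(m["len"])))
    return packets


def idle_probes(text, tolerance=1.0, min_packets=3):
    """Map (src, dst) to the mean interval of steady, same-sized packets.

    A flow is reported when it has at least min_packets packets of one size
    and every gap is within `tolerance` seconds of the mean gap.
    """
    flows = {}
    for ts, src, dst, length in parse(text):
        flows.setdefault((src, dst, length), []).append(ts)
    found = {}
    for (src, dst, _length), stamps in flows.items():
        if len(stamps) < min_packets:
            continue
        gaps = [(b - a).total_seconds() % 86400  # tolerate a midnight wrap
                for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= tolerance for g in gaps):
            found[(src, dst)] = round(mean, 2)
    return found


if __name__ == "__main__":
    print(idle_probes(SAMPLE))
```

An empty result on a capture taken while the tunnel carries no data means no steady probing was seen in that capture.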

