Hi,

On Sun, Dec 03, 2017 at 11:07:02AM +0100, Florian Weimer wrote:
> through systemd, and the configuration file looks like this:
>
> dev tun3
> lport 28515
> secret deneb.key
> ifconfig 192.0.2.1 192.0.2.2
> mtu-disc no
> keepalive 10 20
> comp-lzo no
>
> I think I added the "keepalive" setting to compensate for a change in
> IP addresses (the configuration above is from a hub, which has a
> static IP address, and multiple remote daemons connect to it).
The configuration above is not really for a "hub", but a point-to-point config with exactly one remote allowed to connect to it (different remote machines could play that role, of course, but only one concurrent connection).

While this is certainly an allowed config, it's a bit of a "why would anyone want that anymore?" and it seems our connection-retry-backoff logic broke the actual listen()ing bit.

OTOH, since there is no difference between "client" and "server" in a point-to-point-static-key setup, the exponential backoff is doing exactly what it was told to do: back off from re-trying if the remote cannot be reached.

Fixable by setting "connect-retry 5 5" to cap the backoff at "5 seconds" (which is the 2.3 default: no backoff, 5s connect-retry time).

A much nicer way to solve this, I think, would be to just remove the "keepalive" bit, and add "float" instead. This will permit the remote side to just move to a new IP address without a full session restart (keepalive / ping timeout) - if someone sends in a packet that authenticates, the "server" side will update its "remote" IP address and things will just move over.

Technically you won't see in your logs that the remote "went away", but protocol-wise, it does not go away either - there is no connection setup / teardown in p2p-static-key mode. Just "packets that can be decrypted" and "remote IP address to send to-be-encrypted packets to".

gert
-- 
now what should I write here...
Gert Doering - Munich, Germany g...@greenie.muc.de
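The two fixes Gert describes, written out as an added example that is not part of the thread: the hub side keeps the quoted directives but swaps "keepalive" for "float", with the "connect-retry 5 5" cap shown as the commented-out alternative; the remote side is assumed (HUB_PUBLIC_IP is a placeholder for the hub's static address).

```conf
# Hub side: static public IP, listens on UDP 28515. Same directives as the
# quoted config, except "keepalive 10 20" is replaced by "float".
dev tun3
lport 28515
secret deneb.key
ifconfig 192.0.2.1 192.0.2.2
mtu-disc no
comp-lzo no
# Accept authenticated packets arriving from a new source address and
# update the peer address in place; no session restart is needed because
# p2p static-key mode has no connection setup or teardown.
float
# Alternative if keepalive must stay: cap the connect-retry backoff at 5s
# (the 2.3 behaviour) so the listening side does not back off indefinitely.
# connect-retry 5 5

# Remote side (assumed, not from the thread): dynamic IP, same shared key,
# ifconfig addresses reversed, points at the hub's fixed address and port.
dev tun3
remote HUB_PUBLIC_IP 28515
secret deneb.key
ifconfig 192.0.2.2 192.0.2.1
mtu-disc no
comp-lzo no
```

With "float" the hub's log will not show the remote "going away" on an address change; only the peer address recorded for the session changes once a packet that decrypts correctly arrives from the new source.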
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users