On 07/06/2021 09:41, Bo Berglund wrote:
> I am now on the home stretch at setting up a number of Raspberry Pi units as data collectors and they need to connect by OpenVPN to a dedicated server. The RPi units are running the latest version of Pi-OS based on Debian Buster.
>
> I have seen different ways of accomplishing this:
>
> 1) Via the openvpn defaults
> ---------------------------
> In this case the client.ovpn file is renamed to client.conf and placed in /etc/openvpn.
> Then the defaults file is edited:
>   sudo nano /etc/default/openvpn
> And the AUTOSTART line is set like this:
>   AUTOSTART="client"
> Then:
>   sudo systemctl restart openvpn
This is not recommended at all. This approach is Debian's way to simulate the behaviour of the pre-systemd days. Over the years, this has caused many unexpected behaviours.
> 2) By adding a service
> ----------------------
> Do the same as above with the client.ovpn file
> Then:
>   sudo systemctl enable openvpn@client.service
>   sudo service openvpn@client start
> or
>   sudo systemctl start openvpn@client
This is also NOT recommended.

Put client configuration files into /etc/openvpn/client ... private keys may be placed in /etc/openvpn/private

Then use:

  systemctl start openvpn-client@CONFIG_NAME

This is the only approach supported by the upstream OpenVPN project. For more details:
<https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd>
> 3) By setting up a cron job running on startup
> ----------------------------------------------
> In this case cron is set up to run openvpn with the client.conf file as config, not necessarily located in /etc/openvpn
This sounds like a kludgy workaround hack. Don't do that. You will have much more control when systemd is used correctly. In addition, systemd's journal also fetches the logs in a way which is easier to navigate afterwards.
The openvpn-server@.service unit also has "RestartSec=5s" and "Restart=on-failure" set, which will automatically restart openvpn servers if they die unexpectedly. You can do a similar trick with the openvpn-client@.service - also for only specific configuration files:
  # systemctl edit openvpn-client@CONFIG_NAME

This will fire off an editor, where you add these lines:

  [Service]
  RestartSec=1m
  Restart=on-failure

This will automatically restart this particular configuration after 1 minute if the openvpn process dies unexpectedly. "1 minute" may be tweaked, but also consider race conditions against your server. Not all client configs will be too happy if started too quickly afterwards. 1 minute is very conservative - but based on this is a common timer delay on the server side, 30 seconds might be enough and work fine too.
For those wondering why we don't ship with this restart by default on client configs, it is simply that each site has different configs where some values work better than others. We can't evaluate that on-the-fly. Some sites might not even want this behaviour. We could enable it on the server side as we expect most uses wanting OpenVPN servers started via systemd to run constantly. And we can have the short 5 seconds delay as that config will anyhow start the OpenVPN server with a clean and fresh state. For clients restarting, there exists a state already on the server side which we want to avoid confusing.
--
kind regards,

David Sommerseth
OpenVPN Inc
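The layout and restart drop-in recommended in the reply above, written as a non-interactive script. This is an added example, not part of the original mail or of the OpenVPN project's code; the `ROOT` staging prefix, the function names and the 0600 mode on the profile are assumptions made here.

```shell
#!/bin/sh
# Added example: scripted form of the steps in the mail above.
# ROOT is a hypothetical staging prefix (empty = live system) so the
# resulting layout can be built and inspected without touching /etc.

stage_client() {
    root=$1 name=$2 src=$3 restart_sec=${4:-1m}

    # CONFIG_NAME ends up in a unit name and two paths: reject anything
    # that is not a plain token (this also blocks "../" in the name).
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad config name: $name" >&2; return 1 ;;
    esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    conf_dir=$root/etc/openvpn/client
    dropin_dir=$root/etc/systemd/system/openvpn-client@$name.service.d

    mkdir -p "$conf_dir" "$dropin_dir" || return 1

    # openvpn-client@NAME loads NAME.conf from /etc/openvpn/client.
    # Mode 0600 (assumption): a .ovpn profile often embeds a private key.
    ( umask 077 && cp "$src" "$conf_dir/$name.conf" ) || return 1
    chmod 600 "$conf_dir/$name.conf" || return 1

    # Same content "systemctl edit" would save as override.conf.
    cat > "$dropin_dir/override.conf" <<EOF
[Service]
RestartSec=$restart_sec
Restart=on-failure
EOF
}

activate_client() {
    # Live system only: reload units, then enable and start the instance.
    systemctl daemon-reload &&
    systemctl enable --now "openvpn-client@$1"
}

# Usage on the Pi, as root (paths are examples):
#   stage_client "" client /home/pi/client.ovpn 30s && activate_client client
```

After activation, `systemctl cat openvpn-client@client` shows the unit together with the drop-in, and `journalctl -u openvpn-client@client` shows its log.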
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users