FYI I tried to search for "multiple remote tls" and the like and the forum refused because my words were too common
Anyway, I'm in this situation where I have a provider which doesn't have a load balancer so I plan on putting multiple remote statements in my config. The problem is that each server has its own ca and tls-auth key.
For the ca's, I can get away with concatenating all of them into one file and using that, but with the TLS keys I haven't found a solution.
Does anyone have any suggestions?
Config: Multiple remote statements with different TLS keys
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 3
- Joined: Sun Aug 14, 2016 3:59 am
-
- OpenVpn Newbie
- Posts: 3
- Joined: Sun Aug 14, 2016 3:59 am
Re: Config: Multiple remote statements with different TLS keys
I found something that can work.. as of OpenVPN 2.1, there is a notion of connection profiles which allow connection specific properties to be set: https://openvpn.net/index.php/open-sour ... pn-21.html
Unfortunately, tls-auth is not one of them. If it can be included as one of those options, this should solve the problem of different servers having different TLS keys.
PS. Ideally, ca would be acceptable also as my provider also has different ca's for each server.
Another way to handle this would be to allow the client to run a script after OpenVPN reads the config but before a connection is attempted (a new event before up.. 'initialized?') where environment variables can be set based on existing environment variables. This way, at run time, I could set the tls-auth variable before a connection is attempted and since my key file names match the host name, ideally I would be able to pull it out of the remote variable.
ie
tls-auth = /path/${remote}.key
Because right now, it looks like executing a script on up is too late and even so, I'm not sure if setting variables at that time is allowed / working.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Config: Multiple remote statements with different TLS keys
duren wrote: tls-auth = /path/${remote}.key
Openvpn does not expand shell variables in a config file, so that idea will not work.
duren wrote: there is a notion of connection profiles
You could make this a request to the developers .. I am not sure if the latest development release can do this.
duren wrote: Another way to handle this would be to allow the client to run a script after OpenVPN reads the config but before a connection is attempted
Or you could do what you need in a calling shell script.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Sun Aug 14, 2016 3:59 am
Re: Config: Multiple remote statements with different TLS keys
Running shell scripts outside of OpenVPN is less than convenient on environments such as Tomato, DD-WRT or pfSense.
In any case, I've submitted a feature request: https://community.openvpn.net/openvpn/ticket/720#ticket
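The "calling shell script" approach suggested in the thread, sketched as an added example that is not code from any poster or from the OpenVPN project. It starts openvpn once per server and passes that server's own `--ca` and `--tls-auth` files on the command line; the file layout, the variables KEY_DIR, BASE_CONF, KEY_DIRECTION and OPENVPN, and the function names are all assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) layout:
#   $KEY_DIR/<host>.key = tls-auth key, $KEY_DIR/<host>.crt = CA of that server
#   $BASE_CONF = shared options, containing no remote/ca/tls-auth lines
KEY_DIR="${KEY_DIR:-/etc/openvpn/keys}"
BASE_CONF="${BASE_CONF:-/etc/openvpn/base.conf}"
KEY_DIRECTION="${KEY_DIRECTION:-1}"   # assumption: client side of tls-auth

# The host name becomes part of a file path, so accept only plain DNS names
# (no "/", no leading dot, no "..") to keep lookups inside KEY_DIR.
valid_host() {
    case "$1" in
        ""|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Print the openvpn arguments for one server, one per line.
build_args() {
    host=$1 port=$2
    valid_host "$host" || { echo "rejecting host name: $host" >&2; return 1; }
    case "$port" in ""|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    key="$KEY_DIR/$host.key" ca="$KEY_DIR/$host.crt"
    if [ ! -r "$key" ] || [ ! -r "$ca" ]; then
        echo "no key/ca pair for $host" >&2; return 1
    fi
    # --connect-retry-max 1 is meant to make openvpn exit instead of retrying
    # forever, so the loop below can move on; check it on your version.
    printf '%s\n' --config "$BASE_CONF" --remote "$host" "$port" --ca "$ca" \
        --tls-auth "$key" "$KEY_DIRECTION" --connect-retry-max 1
}

# Run openvpn in the foreground against one server.
run_one() {
    args=$(build_args "$1" "$2") || return 1
    oldifs=$IFS; IFS='
'
    set -f; set -- $args; set +f; IFS=$oldifs   # split on newlines only
    "${OPENVPN:-openvpn}" "$@"
}

# Try each host:port in order until one openvpn run exits successfully.
connect_first() {
    for entry in "$@"; do
        run_one "${entry%%:*}" "${entry##*:}" && return 0
    done
    return 1
}

if [ "$#" -gt 0 ]; then connect_first "$@"; fi
```

Invoked as, for example, `./vpn-wrapper.sh vpn1.example.net:1194 vpn2.example.net:1194` (constructed host names); a server without a matching key and CA pair is skipped rather than tried with another server's key.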