[Resolved] Dynamic OpenVPN Server Configuration
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
[Resolved] Dynamic OpenVPN Server Configuration
Hello!
I'm looking for a more dynamic OpenVPN "site to multi-site" solution. Currently it works, but it's very static and often requires a server restart (which is really bad).
The whole solution is based on Ubuntu 18.04 and default OpenVPN packages from it.
Let me try to explain it... The network prototype that I'm building today has 1 OpenVPN Access Server, plus 1~50 remote offices/labs.
Main OpenVPN Server Site 1: 10.101.0.0/16
Site 2: 10.102.0.0/16
Site 3: 10.103.0.0/16
...
Site 50: 10.150.0.0/16
I can deploy the OpenVPN Server site and, let's say, 2 remote sites. They all talk to each other!
According to the OpenVPN docs, at the server side, the remote site subnet must be declared twice, as follows:
Site 1 (server):
---
# cat /etc/openvpn/ccd/site2
iroute 10.102.0.0 255.255.0.0
-
# grep 102 /etc/openvpn/server.conf
route 10.102.0.0 255.255.0.0
---
So, the problem that I'm facing is that to add a new site (that doesn't exist yet), I need to change the "/etc/openvpn/server.conf" and then, restart the server!! It kills everybody.
I want to be able to add/remove remote sites without restarting the main server, is it possible?
Worth mentioning that, on Ubuntu, the command `systemctl reload openvpn@server.service` fails with this error:
Jul 29 19:56:55 ovpn-s2s-1 kill[25844]: kill: (25826): Operation not permitted
Maybe this is the source of my problem?
Thanks!
Thiago
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
Running OpenVPN as root fixes the "systemctl reload openvpn" issue!
About to test the reload while monitoring the other sites... =P
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
Well, reload now works but it kills the connection anyway... Or I don't know how to do it, or OpenVPN doesn't support a reload without killing the client's connections?
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Dynamic OpenVPN Server Configuration
> # grep 102 /etc/openvpn/server.conf
> route 10.102.0.0 255.255.0.0

You can do

Code:
route 10.0.0.0 255.0.0.0
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Dynamic OpenVPN Server Configuration
Pippin wrote: ↑Tue Jul 30, 2019 9:58 am
> > # grep 102 /etc/openvpn/server.conf
> > route 10.102.0.0 255.255.0.0
>
> You can do
>
> Code:
> route 10.0.0.0 255.0.0.0

but probably should not do this ..

That is correct because systemd kills then starts the process.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Dynamic OpenVPN Server Configuration
> but probably should not do this ..

Yes, probably not and not without firewalling.
If the client subnets would start at 10.128.0.0 instead of 10.100.0.0 he could halve that 10.0.0.0/8 to be 10.128.0.0/9.
Unless there is another solution...
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
Pippin wrote: ↑Tue Jul 30, 2019 9:58 am
> > # grep 102 /etc/openvpn/server.conf
> > route 10.102.0.0 255.255.0.0
>
> You can do
>
> Code:
> route 10.0.0.0 255.0.0.0

Oh, nice!!! Thank you!
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
TinCanTech wrote: ↑Tue Jul 30, 2019 11:52 am
So, is this a systemd limitation or bad configuration (unit files?) for OpenVPN, or an OpenVPN limitation?
If OpenVPN supports reloading its config files without killing all the connections, how to do it? `kill -1 openvpn` ?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
Sure! This is just a lab anyway, I'm planning to take slices of 10/8 later on.
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
TinCanTech wrote: ↑Tue Jul 30, 2019 5:05 pm
> Openvpn does not support reloading the config file without restarting the process and thereby disconnecting all users.

Ok, thanks!
What about the ccd subdir files? Do I need to restart openvpn to reload the files under, let's say, /etc/openvpn/ccd/* ?
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Dynamic OpenVPN Server Configuration
Nope, those will be read every time a client connects.
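The approach the thread arrives at, as an added example that is not part of any post: one wide `route` stays in server.conf and each new site is added by writing only its ccd file, which is read when that client connects. The function names, the CN character policy and the file mode are assumptions of this example; it also checks that the new subnet falls inside a route the running server already has, since otherwise a restart is still needed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes server.conf already carries one
# wide "route" and that ccd file names equal the client certificate CN.

ip2int() {  # dotted quad -> integer; non-zero exit on malformed input
    case $1 in ''|*[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

covered() {  # covered NET MASK SERVER_CONF: is NET/MASK inside an existing route?
    c_net=$(ip2int "$1") || return 1
    c_mask=$(ip2int "$2") || return 1
    while read -r kw rnet rmask rest; do
        [ "$kw" = route ] || continue            # skips comments and other directives
        r=$(ip2int "$rnet") || continue
        m=$(ip2int "$rmask") || continue          # routes without a netmask are ignored here
        [ $(( c_net & m )) -eq $(( r & m )) ] && [ $(( c_mask & m )) -eq "$m" ] && return 0
    done < "$3"
    return 1
}

add_site() {  # add_site CN NET MASK CCD_DIR SERVER_CONF
    cn=$1; net=$2; mask=$3; ccd=$4; conf=$5
    # The CN becomes a file name: refuse "/", leading dots and odd characters.
    case $cn in ''|.*|*[!A-Za-z0-9._-]*) echo "bad CN: $cn" >&2; return 2 ;; esac
    # Without a covering route the kernel never sends the subnet to the tunnel,
    # and adding one means editing server.conf and restarting.
    covered "$net" "$mask" "$conf" || { echo "no covering route in $conf" >&2; return 3; }
    # Write atomically; hidden temp names never match a CN. Mode 644 is an
    # assumption so the file stays readable if OpenVPN runs unprivileged.
    tmp=$(mktemp "$ccd/.tmp.XXXXXX") || return 4
    printf 'iroute %s %s\n' "$net" "$mask" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$ccd/$cn"
}
```

With the wide route from the thread in place, `add_site site3 10.103.0.0 255.255.0.0 /etc/openvpn/ccd /etc/openvpn/server.conf` adds a site with no restart; exit status 3 means the subnet is outside every existing route.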
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
Perfect, thank you!
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Dynamic OpenVPN Server Configuration
This appears to be "Solved" ?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
Yes, definitely "solved". lol
^_^
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Dynamic OpenVPN Server Configuration
You are ok that this was moved to "Doh!" .. Like a badge of honour
-
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Jul 29, 2019 11:47 pm
Re: Dynamic OpenVPN Server Configuration
Of course, no problem at all... It was really a Doh! problem anyway... lol