Hi all,
We're using: OpenVPN 2.2-beta5
Given the following client config:
client
dev tap
proto udp
...
remote 1.2.3.4 1194
remote 1.2.3.5 1194
...
When attempting to connect, openvpn will try each of those remote IPs in turn.
Is it possible to rather use a DNS A record which resolves to multiple IP addresses? In that case the config would look like:
client
dev tap
proto udp
...
remote vpn.inter.net 1194
...
Would openvpn still try each A record (IP) in turn if one fails?
This would simplify things tremendously from a support point of view.
Thanks for any comments.
FQDN for remote
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: FQDN for remote
--ping-restart n
Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote.
This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a service such as http://dyndns.org/ + a dynamic DNS client such as ddclient.
If the peer cannot be reached, a restart will be triggered, causing the hostname used with --remote to be re-resolved (if --resolv-retry is also specified).
In server mode, --ping-restart, --inactive, or any other type of internally generated signal will always be applied to individual client instance objects, never to whole server itself. Note also in server mode that any internally generated signal which would normally cause a restart, will cause the deletion of the client instance object instead.
In client mode, the --ping-restart parameter is set to 120 seconds by default. This default will hold until the client pulls a replacement value from the server, based on the --keepalive setting in the server configuration. To disable the 120 second default, set --ping-restart 0 on the client.
See the signals section below for more information on SIGUSR1.
Note that the behavior of SIGUSR1 can be modified by the --persist-tun, --persist-key, --persist-local-ip, and --persist-remote-ip options.
Also note that --ping-exit and --ping-restart are mutually exclusive and cannot be used together.
Michael.
Amiga 500, Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Jul 20, 2012 6:56 am
Re: FQDN for remote
Thanks!
Just to confirm, will --ping-restart (client side) step through the DNS A records (i.e., try each in turn), or should we rather set up a round-robin DNS for the A records?
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: FQDN for remote
Hi there,
AFAIK round robin DNS is achieved using multiple A records for the same host, e.g.
mail IN A 192.168.0.4
     IN A 192.168.0.5
     IN A 192.168.0.6
The DNS server responds with different IPs for the same hostname each time it's queried..
Sorry, I don't quite understand your -or- statement...

Michael.
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Jul 20, 2012 6:56 am
Re: FQDN for remote
Thanks for the response Michael,
Setting up the round-robin/random/serial A records in DNS is not a problem. What I want to confirm is, will openvpn try each IP address in turn as if we had multiple 'remote' lines in our config, or will openvpn try the first IP in our DNS and if it fails, not try any others.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: FQDN for remote
To be honest, I haven't implemented a similar setup..
please try it and let us know..
Michael.
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: FQDN for remote
From other users' experience, using DNS round robin to resolve to different IPs is problematic: when OpenVPN starts, it resolves the DNS name once to one IP and then tries to connect to that IP again and again. OpenVPN does not re-resolve on connect failure. Some people implemented cron jobs to restart the openvpn service when no connection is established, so that openvpn resolves the DNS name again.
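The address-list question at the heart of this thread, as an added example that is not OpenVPN's code and not any poster's: a small Python model that expands the `remote` lines of a client config into the (ip, port) candidates a client that walks every A record would try, and contrasts that with the resolve-once-then-retry behaviour Mimiko describes above. The hostname vpn.inter.net, the 192.0.2.x addresses and the constructed resolver dict are assumptions so the script runs offline; pass resolver=None to expand a real name through getaddrinfo. It does not tell you what OpenVPN 2.2 itself does on the wire; it shows what a multi-A-record zone hands a client and which addresses get tried under each model.

```python
"""Model of client-side failover across the addresses behind a `remote` line.

Added example, not OpenVPN code. Hostnames and addresses are constructed
(192.0.2.0/24 is a documentation range) so everything runs offline.
"""
import random
import socket
from collections import OrderedDict

# Constructed client config mirroring the thread's snippet; vpn.inter.net is assumed.
CLIENT_CONFIG = """\
client
dev tap
proto udp
remote vpn.inter.net 1194
remote 1.2.3.4 1194
"""

# Constructed DNS answer set standing in for a zone with three A records for
# one name (round-robin style). Replace with resolver=None to use real DNS.
FAKE_DNS = {
    "vpn.inter.net": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
}


def parse_remotes(config_text):
    """Return (host, port) for every `remote` line, in file order (default port 1194)."""
    remotes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = int(parts[2]) if len(parts) >= 3 else 1194
            remotes.append((parts[1], port))
    return remotes


def resolve_all(host, resolver=None):
    """Every IPv4 address for host, in resolver order, without duplicates.

    resolver: dict of name -> [addresses] for offline use. A literal dotted
    quad is returned as-is; any other name not in the dict goes to the
    system resolver via getaddrinfo.
    """
    if resolver is not None and host in resolver:
        return list(resolver[host])
    try:
        socket.inet_aton(host)          # literal IP: nothing to resolve
        return [host]
    except OSError:
        pass
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_DGRAM)
    return list(OrderedDict((info[4][0], None) for info in infos))


def candidate_list(config_text, resolver=None, shuffle=False, rng=None):
    """Expand each remote to (ip, port) candidates in the order a client would try them.

    shuffle=True randomises the order of the `remote` lines before expansion,
    the effect --remote-random has on the remote list.
    """
    remotes = parse_remotes(config_text)
    if shuffle:
        (rng or random).shuffle(remotes)
    seen = OrderedDict()
    for host, port in remotes:
        for ip in resolve_all(host, resolver):
            seen[(ip, port)] = None
    return list(seen)


def connect_with_failover(candidates, try_connect):
    """Try every candidate once, in order; return (winner_or_None, tried).

    try_connect(ip, port) -> bool is injected so the logic runs offline.
    """
    tried = []
    for ip, port in candidates:
        tried.append((ip, port))
        if try_connect(ip, port):
            return (ip, port), tried
    return None, tried


def connect_resolve_once(candidates, try_connect, retries=3):
    """The failure mode described in the thread: keep the first address the
    resolver returned and retry only that one, never moving on."""
    if not candidates:
        return None, []
    ip, port = candidates[0]
    if try_connect(ip, port):
        return (ip, port), [(ip, port)]
    return None, [(ip, port)] * retries


if __name__ == "__main__":
    # Constructed outage: only the third A record answers.
    only_third_up = lambda ip, port: ip == "192.0.2.12"
    cands = candidate_list(CLIENT_CONFIG, resolver=FAKE_DNS)
    print("candidates:", cands)
    print("walk all records:", connect_with_failover(cands, only_third_up))
    print("resolve once:", connect_resolve_once(cands, only_third_up))
```

Running it with the constructed outage shows the difference the thread is asking about: walking the records reaches 192.0.2.12 on the third attempt, while the resolve-once model burns all its retries on 192.0.2.10 and never connects, which is exactly the situation a restart (or the cron-job workaround) is meant to escape by forcing a fresh resolution.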