
FQDN for remote

Posted: Fri Jul 20, 2012 7:11 am
by optipharm
Hi all,

We're using: OpenVPN 2.2-beta5

Given the following client config:
client
dev tap
proto udp
...
remote 1.2.3.4 1194
remote 1.2.3.5 1194
...

When attempting to connect, openvpn will try each of those remote IPs in turn.
Is it possible to rather use a DNS A record which resolves to multiple IP addresses? In that case the config would look like:
client
dev tap
proto udp
...
remote vpn.inter.net 1194
...

Would openvpn still try each A record (IP) in turn if one fails?

This would simplify things tremendously from a support point of view.

thanks for any comments.

Re: FQDN for remote

Posted: Fri Jul 20, 2012 11:30 am
by maikcat
--ping-restart n
Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote.

This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a service such as http://dyndns.org/ + a dynamic DNS client such as ddclient.

If the peer cannot be reached, a restart will be triggered, causing the hostname used with --remote to be re-resolved (if --resolv-retry is also specified).

In server mode, --ping-restart, --inactive, or any other type of internally generated signal will always be applied to individual client instance objects, never to whole server itself. Note also in server mode that any internally generated signal which would normally cause a restart, will cause the deletion of the client instance object instead.

In client mode, the --ping-restart parameter is set to 120 seconds by default. This default will hold until the client pulls a replacement value from the server, based on the --keepalive setting in the server configuration. To disable the 120 second default, set --ping-restart 0 on the client.

See the signals section below for more information on SIGUSR1.

Note that the behavior of SIGUSR1 can be modified by the --persist-tun, --persist-key, --persist-local-ip, and --persist-remote-ip options.

Also note that --ping-exit and --ping-restart are mutually exclusive and cannot be used together.
Michael.

Re: FQDN for remote

Posted: Sat Jul 21, 2012 7:49 am
by optipharm
Thanks!

Just to confirm, will --ping-restart (client side) step through the DNS A records (i.e., try each in turn), or should we rather set up a round-robin DNS for the A records?

Re: FQDN for remote

Posted: Sat Jul 21, 2012 10:39 am
by maikcat
Hi there,

AFAIK round-robin DNS is achieved using multiple A records for the same host,

e.g.
mail IN A 192.168.0.4
     IN A 192.168.0.5
     IN A 192.168.0.6
The DNS server responds with different IPs for the same hostname each time it's queried.

Sorry, I don't quite understand your "or" statement... :geek:

Michael.

Re: FQDN for remote

Posted: Mon Jul 23, 2012 12:38 pm
by optipharm
Thanks for the response Michael,

Setting up the round-robin/random/serial A records in DNS is not a problem. What I want to confirm is, will openvpn try each IP address in turn as if we had multiple 'remote' lines in our config, or will openvpn try the first IP in our DNS and if it fails, not try any others.

Re: FQDN for remote

Posted: Mon Jul 23, 2012 1:45 pm
by maikcat
To be honest, I haven't implemented a similar setup.. :oops:

Please try it and let us know.. :mrgreen:

Michael.

Re: FQDN for remote

Posted: Mon Jul 30, 2012 6:39 am
by Mimiko
From other users' experience, using DNS round robin to resolve to different ips is problematic. As when OpenVPN will start, it will once resolve dns name to one IP and will try to connect to that IP again and again. OpenVPN does not do re-resolving on connect failure. Some implemented cron jobs to restart openvpn service when no connection established, so openvpn will again resolve dns name.