[Resolved] Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 12:08 am
by tmartins
Hello!

I'm looking for a more dynamic OpenVPN "site to multi-site" solution. Currently it works, but it's very static and often requires a server restart (which is really bad).

The whole solution is based on Ubuntu 18.04 and default OpenVPN packages from it.

Let me try to explain it... The network prototype that I'm building today has 1 OpenVPN Access Server, plus 1~50 remote offices/labs.

Main OpenVPN Server Site 1: 10.101.0.0/16
Site 2: 10.102.0.0/16
Site 3: 10.103.0.0/16
...
Site 50: 10.150.0.0/16

I can deploy the OpenVPN Server site and, let's say, 2 remote sites. They all talk to each other!

According to the OpenVPN docs, at the server side, the remote site subnet must be declared twice, as follows:

Site 1 (server):

---
# cat /etc/openvpn/ccd/site2
iroute 10.102.0.0 255.255.0.0
-
# grep 102 /etc/openvpn/server.conf
route 10.102.0.0 255.255.0.0
---

So, the problem that I'm facing is that to add a new site (that doesn't exist yet), I need to change the "/etc/openvpn/server.conf" and then, restart the server!! It kills everybody.

I want to be able to add/remove remote sites without restarting the main server, is it possible?

Worth mentioning that, on Ubuntu, the command `systemctl reload openvpn@server.service` fails with this error:

Jul 29 19:56:55 ovpn-s2s-1 kill[25844]: kill: (25826): Operation not permitted

Maybe this is the source of my problem?

Thanks!
Thiago

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 2:13 am
by tmartins
Running OpenVPN as root fixes the "systemctl reload openvpn" issue!

About to test the reload while monitoring the other sites... =P

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 3:33 am
by tmartins
Well, reload now works, but it kills the connections anyway... Either I don't know how to do it, or OpenVPN doesn't support a reload without killing the clients' connections?

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 9:58 am
by Pippin
# grep 102 /etc/openvpn/server.conf
route 10.102.0.0 255.255.0.0
---
You can do

route 10.0.0.0 255.0.0.0

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 11:52 am
by TinCanTech
Pippin wrote:
Tue Jul 30, 2019 9:58 am
# grep 102 /etc/openvpn/server.conf
route 10.102.0.0 255.255.0.0
---
You can do

route 10.0.0.0 255.0.0.0
but probably should not do this ..
tmartins wrote:
Tue Jul 30, 2019 3:33 am
OpenVPN doesn't support a reload without killing the client's connections?
That is correct because systemd kills then starts the process.

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 12:12 pm
by Pippin
but probably should not do this ..
Yes, probably not and not without firewalling.
If the client subnets would start at 10.128.0.0 instead of 10.100.0.0, he could halve that 10.0.0.0/8 to 10.128.0.0/9.

Unless there is another solution...

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 4:34 pm
by tmartins
Pippin wrote:
Tue Jul 30, 2019 9:58 am
# grep 102 /etc/openvpn/server.conf
route 10.102.0.0 255.255.0.0
---
You can do

route 10.0.0.0 255.0.0.0
Oh, nice!!! Thank you!

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 4:37 pm
by tmartins
TinCanTech wrote:
Tue Jul 30, 2019 11:52 am
Pippin wrote:
Tue Jul 30, 2019 9:58 am
....
tmartins wrote:
Tue Jul 30, 2019 3:33 am
OpenVPN doesn't support a reload without killing the client's connections?
That is correct because systemd kills then starts the process.
So, is this a systemd limitation or bad configuration (unit files?) for OpenVPN, or an OpenVPN limitation?

If OpenVPN supports reloading its config files without killing all the connections, how to do it? `kill -1 openvpn` ?

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 4:41 pm
by tmartins
Pippin wrote:
Tue Jul 30, 2019 12:12 pm
but probably should not do this ..
Yes, probably not and not without firewalling.
If the client subnets would start at 10.128.0.0 instead of 10.100.0.0, he could halve that 10.0.0.0/8 to 10.128.0.0/9.

Unless there is another solution...
Sure! This is just a lab anyway, I'm planning to take slices of 10/8 later on.

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 5:05 pm
by TinCanTech
tmartins wrote:
Tue Jul 30, 2019 4:37 pm
If OpenVPN supports reloading its config files without killing all the connections, how to do it?
OpenVPN does not support reloading the config file without restarting the process and thereby disconnecting all users.

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 8:06 pm
by tmartins
TinCanTech wrote:
Tue Jul 30, 2019 5:05 pm
tmartins wrote:
Tue Jul 30, 2019 4:37 pm
If OpenVPN supports reloading its config files without killing all the connections, how to do it?
OpenVPN does not support reloading the config file without restarting the process and thereby disconnecting all users.
Ok, thanks!

What about the ccd subdir files? Do I need to restart openvpn to reload the files under, let's say, /etc/openvpn/ccd/* ?

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 8:43 pm
by Pippin
Nope, those will be read every time a client connects.
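The two answers above (a supernet `route` in server.conf, and ccd files being read at each client connect) combine into a restart-free workflow. This added example is not from the thread or from OpenVPN itself: it writes a site's ccd `iroute` only after checking that the site's /16 is covered by some `route` line already in the running server's config, so a site that would need a restart is refused instead of silently not routed. It assumes the thread's numbering (site N is 10.(100+N).0.0/16) and takes the config and ccd paths as arguments; it checks against any `route` line, not just the one /8 or /9 mentioned.

```shell
# Added example, not from the thread: add a site's ccd "iroute" entry only
# after confirming that its /16 is inside a "route" already in server.conf,
# so the new site works without a restart (ccd files are read at connect).
# Assumed: site N uses 10.(100+N).0.0/16 as in the thread; paths are arguments.

# Dotted-quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when $1/$2 (net/mask) lies entirely inside $3/$4 (supernet/mask).
in_supernet() {
    n=$(ip2int "$1"); m=$(ip2int "$2"); sn=$(ip2int "$3"); sm=$(ip2int "$4")
    # supernet prefix must be no longer than ours, and the prefixes must agree
    [ $(( m & sm )) -eq "$sm" ] && [ $(( n & sm )) -eq $(( sn & sm )) ] && return 0
    return 1
}

# Site N -> 10.(100+N).0.0 (assumed numbering from the thread).
site_net() { echo "10.$((100 + $1)).0.0"; }

# Succeed if some "route" line in config file $1 covers $2/$3.
covered_by_config() {
    while read -r kw rnet rmask rest; do
        [ "$kw" = route ] || continue
        in_supernet "$2" "$3" "$rnet" "${rmask:-255.255.255.255}" && return 0
    done < "$1"
    return 1
}

# add_site N server.conf ccd_dir: write ccd_dir/siteN, or refuse with a message.
add_site() {
    sn_site=$(site_net "$1")
    if ! covered_by_config "$2" "$sn_site" 255.255.0.0; then
        echo "site$1: $sn_site/16 not covered by any route in $2 (restart needed)" >&2
        return 1
    fi
    printf 'iroute %s 255.255.0.0\n' "$sn_site" > "$3/site$1"
}

# Constructed demo: scratch config with the 10.128.0.0/9 supernet from the thread.
demo() {
    d=$(mktemp -d); mkdir -p "$d/ccd"
    printf 'port 1194\nroute 10.128.0.0 255.128.0.0\n' > "$d/server.conf"
    add_site 30 "$d/server.conf" "$d/ccd" && cat "$d/ccd/site30"   # 10.130/16: inside /9
    add_site 2 "$d/server.conf" "$d/ccd" || echo "site2 rejected"     # 10.102/16: outside
    rm -rf "$d"
}
```

Run `demo` to see one accepted and one refused site; in real use, point `add_site` at the live server.conf and ccd directory, and the new site's next connection picks the iroute up without touching the process.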

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 11:02 pm
by tmartins
Perfect, thank you!

:D

Re: Dynamic OpenVPN Server Configuration

Posted: Tue Jul 30, 2019 11:30 pm
by TinCanTech
This appears to be "Solved" ? :geek:

Re: Dynamic OpenVPN Server Configuration

Posted: Wed Jul 31, 2019 1:04 am
by tmartins
Yes, definitely "solved". lol

^_^

Re: Dynamic OpenVPN Server Configuration

Posted: Wed Jul 31, 2019 1:11 am
by TinCanTech
You are ok that this was moved to "Doh!" .. Like a badge of honour :ugeek:

Re: Dynamic OpenVPN Server Configuration

Posted: Wed Jul 31, 2019 1:57 pm
by tmartins
Of course, no problem at all... It was really a Doh! problem anyway... lol