Persist-tun

Because of the persist-tun directive, if a periodic ping from the client results in no response from the server, the tunnel will experience a “soft” rather than a “hard” restart. A soft restart does not shut down the VPN network interface, restore routing tables, or run any user-defined scripts. The only thing it does, as far as I can tell, is try to re-initialize the link to the OpenVPN server. Since the OpenVPN client uses resolv-retry, it will ALWAYS try to re-resolve the domain name of the OpenVPN server. You can never resolve the domain name if the routing table hasn’t changed, the default gateway still points to the VPN (because you checked the Redirect Internet traffic option in the GUI or defined redirect-gateway def1 in the Custom Configuration field), and the nameserver(s) used is/are only accessible through the default gateway, and the VPN is down! And then you’re stuck with the following message in the syslog over and over again.

There is a tun0 system on the server. Nobody and nogroup are used by the OpenVPN method. So far, so good. But what does the persist-tun option actually do? Regardless of whether I bind or not, the tun0 unit remains.
If the tun interface is disabled, the path leading to it will be lost. This will mean that your traffic will pass through the default route unencrypted. It’s most likely something you don’t want to happen.
This, I assume, is more of a client-side situation. If the client loses connection, it can delete and re-create the tunnel in some circumstances. On the server side, I’m not sure it does anything useful, since the server remains operational the entire time.

October 13th 2020 – mug meeting: openvpn

# User alias
User_Alias VPNUSER = vpnuser1, vpnuser2
# Command aliases
# To test the VPN, remove the --daemon option
# in order to see possible errors on stdout.
Cmnd_Alias OPENVPN = /usr/local/sbin/openvpn --config /etc/openvpn/SAR-VPN.ovpn --daemon
Cmnd_Alias KILLOPENVPN = /usr/bin/killall openvpn
# NOPASSWD is optional.
# If the user must enter his or her password, the entries must be written as follows:
#VPNUSER ALL=OPENVPN
#VPNUSER ALL=KILLOPENVPN
VPNUSER ALL=NOPASSWD:OPENVPN
VPNUSER ALL=NOPASSWD:KILLOPENVPN

# OpenVPN's version must be updated on a regular basis
# (find out more at http://openvpn.sourceforge.net/beta/ with your browser)
wget http://openvpn.sourceforge.net/beta/openvpn-2.0_beta15.tar.gz
tar xzf openvpn-2.0_beta15.tar.gz
cd openvpn-2.0_beta15
./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
make
make install

# Certificate authority
/usr/share/ssl/misc/CA.pl -newca
# Server certificate
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -signreq
/usr/share/ssl/misc/CA.pl -pkcs12 "Server-Zertifikat"
mv newcert.p12 server.p12
rm newreq.pem newcert.pem
# Client-1 certificate
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -signreq
/usr/share/ssl/misc/CA.pl -pkcs12 "Client-1-Zertifikat"
mv newcert.p12 client-1.p12
rm newreq.pem newcert.pem
…
# Client-n certificate
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -signreq
/usr/share/ssl/misc/CA.pl -pkcs12 "Client-n-Zertifikat"
mv newcert.p12 client-n.p12
rm newreq.pem newcert.pem

OpenVPN server: setup and launch

OpenVPN01 (IP:50001) and OpenVPN02 (IP:50002) are my two OpenVPN server hosts. According to https://openvpn.net/index.php/open-source/documentation/howto.html#loadbalance, the client uses these.
Both servers’ tun devices are on separate subnets, namely 172.29.131/24 and 172.29.132/24, so clients receive different IP addresses. Clients receive a new IP address upon failover, and the link is lost due to (shortened for readability):
If the ‘persist-tun’ option is not used, this does not happen. It also doesn’t happen if the link is started as root with ‘persist-tun’ but no privileges are downgraded after initialization (for example, by not defining ‘user’ and ‘group’). Both options are, unfortunately, implicitly fixed and cannot be modified.
There’s also the matter of: The connection is not lost (i.e., an openvpn process is still connected to the new server after failover), but the tun system is no longer present. Instead of using ‘persist-tun,’ it may be easier to offer the ‘nm-openvpn’ user/group control of the tun system.
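The three persist-tun interactions described above (a soft restart that cannot re-resolve the server name because the default route still points into the dead tunnel, failover onto a different tun subnet after privileges were dropped, and the unencrypted default route once a hard restart tears the tunnel down) can be spotted in a client config before it is deployed. The following linter is an added example, not code from the original page or from the OpenVPN project; the sample config, hostnames and finding names are constructed, and resolv-retry is treated as always active because OpenVPN defaults it to infinite.

```python
import ipaddress
WEAK_CONFIG = """\
# constructed sample client config (not from the original page)
remote vpn1.example.org 1194 udp
remote vpn2.example.org 1194 udp
resolv-retry infinite
redirect-gateway def1
persist-tun
user nobody
group nogroup
"""

def parse_ovpn(text):
    """Return [(directive, args)] for an .ovpn file, skipping comments and inline <tag>...</tag> blocks."""
    opts, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = not line.startswith("</")   # "<ca>" opens a block, "</ca>" closes it
        elif not in_block:
            d, *args = line.split()
            opts.append((d, args))
    return opts

def _is_ip(s):
    """True for an IPv4/IPv6 literal, False for a hostname that needs DNS."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def lint_persist_tun(text):
    """Flag the persist-tun interactions discussed above; returns a set of constructed finding codes."""
    opts = parse_ovpn(text)
    names = {d for d, _ in opts}
    remotes = [a for d, a in opts if d == "remote" and a]
    persist, redirect = "persist-tun" in names, "redirect-gateway" in names
    findings = set()
    if persist and redirect and any(not _is_ip(a[0]) for a in remotes):
        # Soft restart keeps the VPN default route, so a hostname cannot be re-resolved while the tunnel is down.
        findings.add("DNS_UNRESOLVABLE_DURING_SOFT_RESTART")
    if persist and names & {"user", "group"} and len(remotes) > 1:
        # After dropping root, the client cannot re-address tun0 if failover lands on another subnet.
        findings.add("FAILOVER_READDRESS_NEEDS_ROOT")
    if redirect and not persist:
        # Hard restart closes tun and restores the routing table: traffic leaves via the plain default route.
        findings.add("TRAFFIC_UNENCRYPTED_DURING_HARD_RESTART")
    return findings
```

Using an IP literal in `remote` clears the first finding; the second and third describe trade-offs that need a decision (keep root, drop `persist-tun`, or accept the behaviour) rather than a one-line fix.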
