Context Navigation

← Previous Change
Ticket History
Next Change →

Changes between Initial Version and Version 2 of Ticket #1069

Timestamp:

06/08/18 14:53:30 (6 years ago)

Author:

David Sommerseth

Comment:

I've trimmed all comments out of your config file .... and there are several things to pick on here.

Of those most likely causing this issue are (which you should remove):

resolv-retry infinite    # This is the default
remap-usr1 SIGTERM       # This is just odd
connect-retry-max 2      # No clear reason for this
single-session           # No clear reason for this, it will just disconnect and exit on first failure after first successful connection
tls-exit                 # No clear reason for this, it will just disconnect and exit on first TLS error

Others you need to reconsider are:

chroot /etc/openvpn: That is a very odd directory to chroot into. Did you by chance mean cd /etc/openvpn instead?
ca, cert and key: Those files are located in /root in your setup. They belong somewhere under /etc/openvpn
status: Do you really intend to use that file for anything? If not, don't configure it.

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #1069 – Description

-                      initial
+                      v2
 {{{
-##############################################
-# client-side OpenVPN config file
-# for connecting to multi-client server.
+#
-# This configuration can be used by multiple
-# clients, however each client should have
-# its own cert and key files.
-##############################################
-# Specify that we are a client and that we
-# will be pulling certain config file directives
-# from the server.
 client
-# CLIENT ACCEPTS SERVER OPTIONS
-# The client should accept options pushed
-# by the server
 pull
-# The hostname/IP and port of the server.
-# You can have multiple remote entries
-# to load balance between the servers.
 remote siuhsudf.sdfiuhsdfui.com 4000
 remote 11.11.11.11 4000
-# Are we connecting to a TCP or
-# UDP server?  Use the same setting as
-# on the server.
 proto tcp-client
-# Keep trying indefinitely to resolve the
-# host name of the OpenVPN server.  Very useful
-# on machines which are not permanently connected
-# to the internet such as laptops.
 resolv-retry infinite
-# Most clients don't need to bind to
-# a specific local port number.
-# nobind => do not bind
-# #nobind => bind
-#nobind
-# It's a good idea to reduce the OpenVPN
-# daemon's privileges after initialization.
 user nobody
 group nogroup
-# After initialization, OpenVPN can only
-# access a directory
-# The directory can be empty
-# OpenVPN process limitation
 chroot /etc/openvpn/
-# The persist options will try to avoid
-# accessing certain resources on restart
-# that may no longer be accessible because
-# of the privilege downgrade.
 persist-tun
-#################################################
-# Encryption
-#################################################
-# SSL/TLS root certificate (ca), certificate
-# (cert), and private key (key).  Each client
-# and the server must have their own cert and
-# key file.  The server and all clients will
-# use the same ca file.
+#
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
-# and private keys.  Remember to use
-# a unique Common Name for the server
-# and each of the client certificates.
+#
-# Any X509 key management system can be used.
-# OpenVPN can also use a PKCS #12 formatted key file
-# (see "pkcs12" directive in man page).
-# CA Public Key
 ca /root/ca.crt
-# Local certificate
 cert /root/cert.crt
-# Local key
 key /root/cert.key
 tls-client
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that 2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
 cipher AES-256-CBC
-# For compression compatible with older clients use comp-lzo
-# If you enable it here, you must also
-# enable it in the client config file.
-#comp-lzo
-#################################################
-# Network
-#################################################
-# Use the same setting as you are using on
-# the server.
-# On most systems, the VPN will not function
-# unless you partially or fully disable
-# the firewall for the TUN/TAP interface.
 dev myvpn
 dev-type tun
-#################################################
-# Logging
-#################################################
-# Output a short status file showing
-# current connections, truncated
-# and rewritten every minute.
 status /var/logs//openvpn//myvpn-status.log 20
-# By default, log messages will go to the syslog (or
-# on Windows, if running as a service, they will go to
-# the "\Program Files\OpenVPN\log" directory).
-# Use log or log-append to override this default.
-# "log" will truncate the log file on OpenVPN startup,
-# while "log-append" will append to it.  Use one
-# or the other (but not both).
 log /var/logs//openvpn//myvpn.log
-# Set the appropriate level of log
-# file verbosity.
+#
-# 0 is silent, except for fatal errors
-# 4 is reasonable for general usage
-# 5 and 6 can help to debug connection problems
-# 9 is extremely verbose
 verb 3
 remap-usr1 SIGTERM