Changes between Initial Version and Version 2 of Ticket #1069


Timestamp:
06/08/18 14:53:30 (4 years ago)
Author:
David Sommerseth
Comment:

I've trimmed all comments out of your config file .... and there are several things to pick on here.

Those most likely causing this issue (which you should remove) are:

resolv-retry infinite    # This is the default
remap-usr1 SIGTERM       # This is just odd
connect-retry-max 2      # No clear reason for this
single-session           # No clear reason for this, it will just disconnect and exit on first failure after first successful connection
tls-exit                 # No clear reason for this, it will just disconnect and exit on first TLS error

Others you need to reconsider are:

  • chroot /etc/openvpn: That is a very odd directory to chroot into. Did you by chance mean cd /etc/openvpn instead?
  • ca, cert and key: Those files are located in /root in your setup. They belong somewhere under /etc/openvpn
  • status: Do you really intend to use that file for anything? If not, don't configure it.
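
The points raised in the comment above can be checked mechanically across client configs. The following is an added example, not part of the ticket or of OpenVPN: the `parse` and `audit` helpers and the `CONFIG_DIR` value are assumptions, and the sample config is constructed from the directives the comment names.

```python
import shlex
from pathlib import PurePosixPath

CONFIG_DIR = PurePosixPath("/etc/openvpn")  # assumption: where the config lives

# Constructed sample: directives named in the comment and the ticket's config.
SAMPLE = """\
client
resolv-retry infinite
chroot /etc/openvpn/
ca /root/ca.crt
cert /root/cert.crt
key /root/cert.key
status /var/logs//openvpn//myvpn-status.log 20
remap-usr1 SIGTERM
connect-retry-max 2
single-session
tls-exit
"""

def parse(text):
    """Yield (line_no, directive, args); skips blank lines and #/; comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)
        if tokens and not tokens[0].startswith(";"):
            yield no, tokens[0], tokens[1:]

def audit(text):
    """Return (line_no, directive, advice) for each point the comment raises."""
    out = []
    for no, name, args in parse(text):
        first = args[0] if args else ""
        if name in ("single-session", "tls-exit", "connect-retry-max"):
            out.append((no, name, "remove: client exits instead of retrying"))
        elif name == "remap-usr1" and first == "SIGTERM":
            out.append((no, name, "remove: restart signal becomes an exit"))
        elif name == "resolv-retry" and first == "infinite":
            out.append((no, name, "redundant: infinite is the default"))
        elif name == "chroot" and PurePosixPath(first) == CONFIG_DIR:
            out.append((no, name, "chroot into the config dir; was cd meant?"))
        elif name in ("ca", "cert", "key") and CONFIG_DIR not in PurePosixPath(first).parents:
            out.append((no, name, f"move {first} under {CONFIG_DIR}"))
        elif name == "status":
            out.append((no, name, "drop unless the status file is used"))
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %-17s %s" % finding)
```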

  • Ticket #1069 – Description

    initial v2  
    4747
    4848{{{
    49 ##############################################
    50 # client-side OpenVPN config file
    51 # for connecting to multi-client server.
    52 #
    53 # This configuration can be used by multiple
    54 # clients, however each client should have
    55 # its own cert and key files.
    56 ##############################################
    57 
    58 # Specify that we are a client and that we
    59 # will be pulling certain config file directives
    60 # from the server.
    6149client
    62 
    63 # CLIENT ACCEPTS SERVER OPTIONS
    64 # The client should accept options pushed
    65 # by the server
    6650pull
    67 
    68 # The hostname/IP and port of the server.
    69 # You can have multiple remote entries
    70 # to load balance between the servers.
    7151remote siuhsudf.sdfiuhsdfui.com 4000
    7252remote 11.11.11.11 4000
    73 
    74 
    75 # Are we connecting to a TCP or
    76 # UDP server?  Use the same setting as
    77 # on the server.
    7853proto tcp-client
    79 
    80 # Keep trying indefinitely to resolve the
    81 # host name of the OpenVPN server.  Very useful
    82 # on machines which are not permanently connected
    83 # to the internet such as laptops.
    8454resolv-retry infinite
    85 
    86 # Most clients don't need to bind to
    87 # a specific local port number.
    88 # nobind => do not bind
    89 # #nobind => bind
    90 #nobind
    91 
    92 # It's a good idea to reduce the OpenVPN
    93 # daemon's privileges after initialization.
    9455user nobody
    9556group nogroup
    96 
    97 # After initialization, OpenVPN can only
    98 # access a directory
    99 # The directory can be empty
    100 # OpenVPN process limitation
    10157chroot /etc/openvpn/
    102 # The persist options will try to avoid
    103 # accessing certain resources on restart
    104 # that may no longer be accessible because
    105 # of the privilege downgrade.
    10658persist-tun
    107 
    108 #################################################
    109 # Encryption
    110 #################################################
    111 # SSL/TLS root certificate (ca), certificate
    112 # (cert), and private key (key).  Each client
    113 # and the server must have their own cert and
    114 # key file.  The server and all clients will
    115 # use the same ca file.
    116 #
    117 # See the "easy-rsa" directory for a series
    118 # of scripts for generating RSA certificates
    119 # and private keys.  Remember to use
    120 # a unique Common Name for the server
    121 # and each of the client certificates.
    122 #
    123 # Any X509 key management system can be used.
    124 # OpenVPN can also use a PKCS #12 formatted key file
    125 # (see "pkcs12" directive in man page).
    126 # CA Public Key
    12759ca /root/ca.crt
    128 # Local certificate
    12960cert /root/cert.crt
    130 # Local key
    13161key /root/cert.key
    13262tls-client
    133 
    134 # Select a cryptographic cipher.
    135 # This config item must be copied to
    136 # the client config file as well.
    137 # Note that 2.4 client/server will automatically
    138 # negotiate AES-256-GCM in TLS mode.
    139 # See also the ncp-cipher option in the manpage
    14063cipher AES-256-CBC
    141 
    142 # For compression compatible with older clients use comp-lzo
    143 # If you enable it here, you must also
    144 # enable it in the client config file.
    145 #comp-lzo
    146 
    147 #################################################
    148 # Network
    149 #################################################
    150 # Use the same setting as you are using on
    151 # the server.
    152 # On most systems, the VPN will not function
    153 # unless you partially or fully disable
    154 # the firewall for the TUN/TAP interface.
    15564dev myvpn
    15665dev-type tun
    157 
    158 #################################################
    159 # Logging
    160 #################################################
    161 # Output a short status file showing
    162 # current connections, truncated
    163 # and rewritten every minute.
    16466status /var/logs//openvpn//myvpn-status.log 20
    165 
    166 # By default, log messages will go to the syslog (or
    167 # on Windows, if running as a service, they will go to
    168 # the "\Program Files\OpenVPN\log" directory).
    169 # Use log or log-append to override this default.
    170 # "log" will truncate the log file on OpenVPN startup,
    171 # while "log-append" will append to it.  Use one
    172 # or the other (but not both).
    17367log /var/logs//openvpn//myvpn.log
    174 
    175 # Set the appropriate level of log
    176 # file verbosity.
    177 #
    178 # 0 is silent, except for fatal errors
    179 # 4 is reasonable for general usage
    180 # 5 and 6 can help to debug connection problems
    181 # 9 is extremely verbose
    18268verb 3
    183 
    18469
    18570remap-usr1 SIGTERM
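
Review bot: v2 lines 55-58 keep `user nobody`, `group nogroup` and `chroot /etc/openvpn/` with only `persist-tun` beside them, while v2 line 61 loads the private key from `/root/cert.key`. Once privileges are dropped and the chroot is in effect that path can no longer be read, so unless `persist-key` appears further down than this excerpt shows, an in-process restart cannot re-read the key. Suggest adding `persist-key` next to `persist-tun`, and keeping a one-line comment there, since the trimmed block at initial lines 102-105 was the only explanation of why the persist options are needed.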