Changes between Initial Version and Version 1 of 299-can-openvpn-handle-the-situation-where-both-ends-of-the-connection-are-dynamic


Timestamp: 01/30/14 16:14:45
Author: Samuli Seppänen
= Can OpenVPN handle the situation where both ends of the connection are dynamic? =

{{{
#!html
<p>Yes.</p>
<p>A prerequisite of this method is that you subscribe to a service such as <a href="http://www.dyndns.com/">dyndns.org</a> that lets you conveniently point an internet domain name to a dynamic address (or you can do it yourself if you have control over a DNS server that exists on a machine having a static IP address).</p>
<p>The crux of this method is in the 'timeouts' section of the config file below, or more specifically the 'ping' and 'ping-restart' options. Basically, if for whatever reason OpenVPN doesn't receive a ping from its peer within a 300-second period (as would happen if its peer changed addresses), it will restart. When it restarts, it will re-resolve myremote.mydomain.com to get the new IP address. This method assumes that you are using a dynamic DNS service that lets you immediately update your domain name with your current dynamic address.</p>
<p>Using this technique, OpenVPN will essentially "follow" a dynamic DNS address as it changes.</p>
<p>Here is the config file example:</p>
<blockquote>
<pre>remote myremote.mydomain.com
dev tun
ifconfig 10.1.0.2 10.1.0.1
up ./up-script # optional

# crypto config
replay-persist replay-persist-file # optional (1.4.0 or above)

# TLS config (or omit TLS security by using a pre-shared key
# such as 'secret static.key').
tls-client
ca key/my-ca.crt
cert key/my-cert.crt
key key/my-key.key
tls-auth key/my-tls-password # optional

# timeouts
ping 15
ping-restart 300 # 5 minutes
resolv-retry 300 # 5 minutes
persist-tun
persist-key

# compression (optional)
comp-lzo

# UID (optional)
user nobody
group nobody

# verbosity (optional)
verb 4</pre>
</blockquote>
<p>On the other end of the connection, you would duplicate the above config file but change 'remote' appropriately, and swap the ifconfig addresses.</p>
<p>If you are using TLS security, then also change 'tls-client' to 'tls-server', add a 'dh' option pointing at the Diffie-Hellman parameters file, and change 'cert' and 'key' to match your appropriate local cert and key.</p>
<p>This setup requires that each machine have a dynamic DNS name which is updated automatically when DHCP causes an address change. Such an automatic update can be accomplished by using a tool such as <a href="http://sourceforge.net/apps/trac/ddclient">ddclient</a>.</p>
<p><strong>ddclient</strong> should be called by your <strong>/etc/dhcpc/dhcpcd-eth0.exe</strong> file (replace "eth0" in the filename with the appropriate network device name):</p>
<blockquote>
<pre><strong>/usr/sbin/ddclient -daemon=0 -syslog -use=ip -ip=$1</strong></pre>
</blockquote>
<p>Here is a sample <strong>/etc/ddclient.conf</strong> file:</p>
<blockquote>
<pre>######################################################################
##
## TODO: change mylogin, mypassword, myremote.mydomain.com
##
######################################################################

login=mylogin                 # default login
password=mypassword           # default password
#mx=mx.for.your.host          # default MX
#backupmx=yes|no              # host is primary MX?
#wildcard=yes|no              # add wildcard CNAME?

##
##
## dyndns.org custom addresses
##
## (supports variables: wildcard,mx,backupmx)
##
custom=yes                    \
server=members.dyndns.org,    \
protocol=dyndns2              \
myremote.mydomain.com</pre>
</blockquote>
}}}
     25
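The setup above only works if a handful of options are present together: a DNS name (not an IP) in 'remote', 'ping' with a 'ping-restart' long enough to survive a few lost pings, 'resolv-retry', and, because the config drops privileges with 'user nobody', 'persist-key' and 'persist-tun' so the restarted process can still reach its key and tun device. The following Python checker is an added example, not part of this FAQ or of OpenVPN; the sample config is constructed from the entry above with several of those options deliberately broken, and the threshold of ping-restart being at least twice ping is an assumption for illustration.

```python
import re

# Constructed sample: the FAQ client config, with ping-restart deliberately
# lowered and persist-key/resolv-retry/tls-auth left out to exercise the checks.
SAMPLE_CONFIG = """\
remote myremote.mydomain.com
dev tun
ifconfig 10.1.0.2 10.1.0.1
tls-client
ca key/my-ca.crt
# timeouts
ping 15
ping-restart 20   # barely one missed ping
persist-tun
user nobody
group nobody
"""

def parse_openvpn_config(text):
    """Map each option to its arguments (first occurrence wins); '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            opts.setdefault(parts[0], parts[1:])
    return opts

def check_dynamic_peer_config(text):
    """Return findings that would break or weaken the 'both ends dynamic' setup."""
    opts, findings = parse_openvpn_config(text), []
    remote = (opts.get("remote") or [""])[0]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", remote):
        findings.append("remote is a literal IP: re-resolving after ping-restart cannot follow a moved peer")
    ping = int(opts["ping"][0]) if "ping" in opts else None
    restart = int(opts["ping-restart"][0]) if "ping-restart" in opts else None
    if ping is None or restart is None:
        findings.append("ping and ping-restart must both be set or a peer address change is never detected")
    elif restart < 2 * ping:  # assumed threshold: allow at least two lost pings before restarting
        findings.append(f"ping-restart {restart}s covers fewer than two {ping}s pings: restarts will be spurious")
    if "resolv-retry" not in opts:
        findings.append("resolv-retry missing: the FAQ sets it so resolution is retried while the peer's DNS record updates")
    if "user" in opts or "group" in opts:  # privileges are dropped after startup
        for needed in ("persist-key", "persist-tun"):
            if needed not in opts:
                findings.append(f"{needed} missing: an unprivileged process cannot reopen keys/tun on ping-restart")
    if ("tls-client" in opts or "tls-server" in opts) and "tls-auth" not in opts:
        findings.append("tls-auth absent: control-channel packets are not HMAC-checked before TLS handles them")
    return findings
```

Run `check_dynamic_peer_config(SAMPLE_CONFIG)` to list the four problems in the sample; feeding it the FAQ config as written returns an empty list.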
     26[wiki:FAQ Return to FAQ]