= Can OpenVPN handle the situation where both ends of the connection are dynamic? =

{{{
#!html
<p>Yes.</p>
<p>A prerequisite of this method is that you subscribe to a service such as <a href="http://www.dyndns.com/">dyndns.org</a> that lets you conveniently point an internet domain name to a dynamic address (or you can do it yourself if you have control over a DNS server that exists on a machine having a static IP address).</p>
<p>The crux of this method is in the 'timeouts' section of the config file below, or more specifically the 'ping' and 'ping-restart' options. Basically, if for whatever reason OpenVPN doesn't receive a ping from its peer during a 300 second period (as would happen if its peer changed addresses), it will restart. When it restarts, it will re-resolve myremote.mydomain.com to get the new IP address. This method assumes that you are using a dynamic DNS service that lets you immediately update your domain name with your current dynamic address.</p>
<p>Using this technique, OpenVPN will essentially "follow" a dynamic DNS address as it changes.</p>
<p>Here is the config file example:</p>
<blockquote>
<pre>remote myremote.mydomain.com
dev tun
ifconfig 10.1.0.2 10.1.0.1
up ./up-script # optional

# crypto config
replay-persist replay-persist-file # optional (1.4.0 or above)

# TLS config (or omit TLS security by using a pre-shared key
# such as 'secret static.key').
tls-client
ca key/my-ca.crt
cert key/my-cert.crt
key key/my-key.key
tls-auth key/my-tls-password # optional

# timeouts
ping 15
ping-restart 300 # 5 minutes
resolv-retry 300 # 5 minutes
persist-tun
persist-key

# compression (optional)
comp-lzo

# UID (optional)
user nobody
group nobody

# verbosity (optional)
verb 4</pre>
</blockquote>
<p>On the other end of the connection, you would duplicate the above config file but change 'remote' appropriately, and swap the ifconfig addresses.</p>
<p>If you are using TLS security, then also change 'tls-client' to 'tls-server', add a 'dh' option pointing at the Diffie-Hellman parameters file, and change 'cert' and 'key' to match your appropriate local cert and key.</p>
<p>This setup requires that each machine have a dynamic DNS name which is updated automatically when DHCP causes an address change. Such an automatic update can be accomplished by using a tool such as <a href="http://sourceforge.net/apps/trac/ddclient">ddclient</a>.</p>
<p><strong>ddclient</strong> should be called by your <strong>/etc/dhcpc/dhcpcd-eth0.exe</strong> file (replace "eth0" in the filename with the appropriate network device name):</p>
<blockquote>
<pre><strong>/usr/sbin/ddclient -daemon=0 -syslog -use=ip -ip=$1</strong></pre>
</blockquote>
<p>Here is a sample <strong>/etc/ddclient.conf</strong> file:</p>
<blockquote>
<pre>######################################################################
##
## TODO: change mylogin, mypassword, myremote.mydomain.com
##
######################################################################

login=mylogin # default login
password=mypassword # default password
#mx=mx.for.your.host # default MX
#backupmx=yes|no # host is primary MX?
#wildcard=yes|no # add wildcard CNAME?

##
##
## dyndns.org custom addresses
##
## (supports variables: wildcard,mx,backupmx)
##
## options are comma-separated; the host name follows the last option
custom=yes, \
server=members.dyndns.org, \
protocol=dyndns2 \
myremote.mydomain.com</pre>
</blockquote>
}}}
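The timeout mechanism described above, as an added illustration (example code written for this page, not part of the FAQ or of OpenVPN): a small Python model of how 'ping-restart' plus re-resolution on restart lets the tunnel follow a dynamic DNS name, and what happens when the name is not updated (no ddclient). The addresses, the stand-in resolver and the event timeline are constructed.

```python
from dataclasses import dataclass, field

PING = 15           # 'ping 15': seconds between the keepalives we send
PING_RESTART = 300  # 'ping-restart 300': restart after this much silence


@dataclass
class Tunnel:
    """Model of one endpoint running the config above (constructed, not OpenVPN code)."""
    remote: str            # dynamic DNS name from the 'remote' line
    dns: dict              # stand-in for DNS: name -> current address
    addr: str = ""         # address we are currently talking to
    last_rx: float = 0.0   # when we last heard from the expected peer address
    events: list = field(default_factory=list)

    def start(self, now):
        # Every (re)start re-resolves the name; this is what makes the tunnel follow the peer.
        self.addr = self.dns[self.remote]
        self.last_rx = now
        self.events.append((now, "connect", self.addr))

    def receive(self, now, src):
        # Without --float, OpenVPN ignores packets from an address other than the
        # one it resolved, so a peer that moved cannot reset the timer by itself.
        if src != self.addr:
            return False
        self.last_rx = now
        return True

    def tick(self, now):
        # ping-restart: nothing heard for PING_RESTART seconds -> restart and re-resolve
        if now - self.last_rx >= PING_RESTART:
            self.events.append((now, "restart", self.addr))
            self.start(now)


def run_scenario(dns_updated=True, horizon=1000):
    """Peer changes address at t=120 s. Returns the (time, event, address) log.
    Addresses are RFC 5737 documentation ranges, constructed for this example."""
    dns = {"myremote.mydomain.com": "198.51.100.10"}
    peer_addr = dns["myremote.mydomain.com"]
    us = Tunnel("myremote.mydomain.com", dns)
    us.start(0)
    for now in range(PING, horizon, PING):      # one step per 'ping 15' interval
        if now == 120:                          # DHCP hands the peer a new address
            peer_addr = "203.0.113.7"
            if dns_updated:                     # the ddclient hook pushes it to dyndns
                dns["myremote.mydomain.com"] = peer_addr
        us.receive(now, peer_addr)              # peer keeps pinging every 15 s
        us.tick(now)
    return us.events
```

With the name kept current the tunnel reconnects once, 300 s after the last packet from the old address, to the new one; without the update it restarts every 300 s and reconnects to the stale address each time.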

[wiki:FAQ Return to FAQ]