How to stop OpenVPN tunnel if server doesn't respond?
I have two openvpn servers, but both route to the one network. This is done for fault tolerance. If one of them is down, traffic should go via the other one. Clients receive routes with different metrics, so this task is solved.
But when one of the servers goes offline, the client tries to reconnect to this server and doesn't turn off the tun interface. So traffic tries to go via the problem server.
I want the client to turn off the tun interface when the server goes offline and automatically turn it on when the server comes back.
This is the client's config:
tls-client
dev tun
proto udp
remote server1.ovpn.example.com 2100
topology subnet
pull
#resolv-retry infinite
#nobind
tls-auth keys/ta.key 1
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ns-cert-type server
cipher DES-EDE3-CBC
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
route 172.19.20.0 255.255.255.0 172.16.150.3
route-metric 3
I think if I remove keep-alive the tun interface will go offline after ping timeout, but will it turn back on when the server returns?
asked May 31 '16 at 20:38
abr_stackoverflow
Your question does not seem to be clear, shouldn't just a matter of having multiple servers, with infinite resolv be enough? remote server1; remote server2; resolv-retry infinite. Tun will keep trying until it finds a healthy openvpn server...
– user122772
May 31 '16 at 20:52
2 Answers
Get rid of the persist-tun option. Without that option, when the VPN link goes down, the tun device will close and be removed. The problem, of course, is that removing that option means that you need to run your VPN daemon as root instead of nobody, because as the nobody account OpenVPN will not be able to create a new tun device when the connection is re-established.
answered May 31 '16 at 22:02
Zoredache
After creating my VPN project for Qubes, I discovered OpenVPN has a definite tendency to hang when a connection goes down.
Here are the options I've added to make OpenVPN responsive to disconnections:
ping 10
ping-restart 40
connect-retry 5 30
connect-retry-max 7
resolv-retry 15
According to the docs, if you have multiple remote entries then upon connection failure ping-restart will cause the next remote to be used. Therefore, specifying multiple remote lines for your servers could be useful here.
answered Dec 8 '18 at 16:57
tasket
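The trade-offs raised in the question and both answers, combined in one check. This is an added example, not code from the thread: it parses a client config and reports the dead-peer timeout, whether there is more than one remote entry, and whether persist-tun or the privilege drop gets in the way of closing and reopening the tun device. The server2 hostname and the finding names are assumptions, and options pushed by the server (the config uses pull) are not modelled.

```python
# Added example (not from the thread): audit an OpenVPN client config for the
# failover behaviour discussed above. Server-pushed options are not modelled.

QUESTION_CFG = """\
remote server1.ovpn.example.com 2100
#resolv-retry infinite
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
"""  # constructed: subset of the config in the question

# Constructed: same config with both answers applied (server2 name is hypothetical).
REVISED_CFG = """\
remote server1.ovpn.example.com 2100
remote server2.ovpn.example.com 2100
ping 10
ping-restart 40
connect-retry 5 30
user nobody
group nogroup
persist-key
"""

def parse(text):
    """Map each directive to the list of its argument lists, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return effective ping timers (seconds) and a list of finding codes."""
    opts = parse(text)
    ping = restart = None
    if "keepalive" in opts:  # on a client: keepalive A B == ping A + ping-restart B
        ping, restart = (int(v) for v in opts["keepalive"][-1][:2])
    if "ping" in opts:
        ping = int(opts["ping"][-1][0])
    if "ping-restart" in opts:
        restart = int(opts["ping-restart"][-1][0])
    findings = []
    if restart is None:  # nothing in this file restarts the tunnel on a silent peer
        findings.append("no-liveness-timeout")
    if "keepalive" in opts and ("ping" in opts or "ping-restart" in opts):
        findings.append("keepalive-duplicates-ping")  # keep only one form
    if len(opts.get("remote", [])) < 2:
        findings.append("single-remote")  # a restart retries the same server
    if "persist-tun" in opts:
        findings.append("tun-kept-across-restart")  # device stays up while reconnecting
    elif "user" in opts:
        findings.append("cannot-reopen-tun-after-priv-drop")  # first answer's caveat
    return {"ping": ping, "ping_restart": restart, "findings": findings}
```

For the question's config this reports a 120-second dead-peer timeout with the tun device kept across restarts; for the revised config it reports a 40-second timeout and the privilege-drop conflict described in the first answer.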