Re: [Openvpn-devel] Running udp and tcp server in the same instance
Hi,

On Sat, Mar 03, 2012 at 12:07:30PM +1300, Jason Haar wrote:
> On 03/03/12 03:59, Gert Doering wrote:
> > I would *love* to have that. And it's somewhere on my TODO list of
> > things to implement in OpenVPN (multiple listening sockets in a single
> > process).
>
> Given the issue with the non-threaded nature of openvpn and the
> bottlenecks that can cause under load, what's wrong with running
> separate instances on multiple tcp and udp ports, and then using a
> "--client-connect" script to return a unique IP to clients?

Well, it's a workaround for shortcomings in OpenVPN :-) - and I prefer to
have my software do things I want, without the workarounds.

One issue I see with your script is that it will also need to change
routing tables on the server, to get the client IP stuffed into the proper
tunnel for this OpenVPN instance, and then it needs updating for IPv6, and
that's all avoidable if OpenVPN could do it in the first place...

> We use that
> so that all VPN users are always assigned "their" constant IP by mapping
> an IP to the CN field

Which works perfectly well from within OpenVPN, using "--client-config-dir"
and "--ifconfig-push"... (or if you don't care for a specific IP address,
as long as it's the same every time, with --ifconfig-pool-persist)

[..]

> With this, we have the luxury that every client always gets the same IP

That can be achieved much easier :-)

> - which makes asset management *much* easier and means you get
> marvellous side-effects like I can be SSH-ed into a work machine at
> home, suspend my laptop, go to another building and get a completely
> different Internet address, and yet seconds later have openvpn
> auto-reconnect to work and find my SSH session still works. So cool :-)

All *that* is built-in into OpenVPN already ;-))

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                    g...@greenie.muc.de
fax: +49-89-35655025                g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] Running udp and tcp server in the same instance
On 03/03/12 03:59, Gert Doering wrote:
> I would *love* to have that. And it's somewhere on my TODO list of
> things to implement in OpenVPN (multiple listening sockets in a single
> process).

Given the issue with the non-threaded nature of openvpn and the
bottlenecks that can cause under load, what's wrong with running separate
instances on multiple tcp and udp ports, and then using a
"--client-connect" script to return a unique IP to clients? We use that so
that all VPN users are always assigned "their" constant IP by mapping an
IP to the CN field - that also stops them using the same cert on >1
clients... (ie that's a feature for us - not a bug). Actually it doesn't
stop them using it on >1 clients - but it stops them running >1 clients
simultaneously :-)

With this, we have the luxury that every client always gets the same IP -
which makes asset management *much* easier and means you get marvellous
side-effects like I can be SSH-ed into a work machine at home, suspend my
laptop, go to another building and get a completely different Internet
address, and yet seconds later have openvpn auto-reconnect to work and
find my SSH session still works. So cool :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
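The per-CN address assignment that Jason's "--client-connect" script performs (and that Gert points out can also be done with "--client-config-dir" plus "--ifconfig-push") works by having the script write an ifconfig-push directive into the temporary file OpenVPN hands it. The script below is an added example, not code from the thread or from the OpenVPN project; it assumes "topology subnet", a hypothetical mapping file of "cn ip" lines, and "script-security 2" on the server, and it validates the CN before it is used so that nothing unexpected ends up in a file OpenVPN parses as directives.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --client-connect script that
# gives each certificate CN a fixed tunnel address by writing an ifconfig-push
# directive into the temporary file OpenVPN passes as $1.
# Assumptions: "topology subnet", a mapping file of "cn ip" lines at MAP_FILE
# (hypothetical path), and "script-security 2" in the server config.

MAP_FILE="${MAP_FILE:-/etc/openvpn/cn-to-ip.map}"   # assumed location
SUBNET_MASK="${SUBNET_MASK:-255.255.255.0}"          # assumed tunnel netmask

# Only accept CNs made of safe characters: the CN is looked up and logged,
# so refuse anything that could carry separators or quoting into those paths.
valid_cn() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the address mapped to a CN; return 1 when the CN is invalid or unknown.
lookup_ip() {
    cn="$1"; map="$2"
    valid_cn "$cn" || return 1
    ip=$(awk -v cn="$cn" '$1 == cn { print $2; exit }' "$map")
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Print the client-specific directive OpenVPN applies to this session.
emit_push() {
    printf 'ifconfig-push %s %s\n' "$1" "$SUBNET_MASK"
}

main() {
    # OpenVPN exports the peer certificate CN as $common_name and passes the
    # path of the directive file as the script argument.
    out="$1"
    ip=$(lookup_ip "${common_name:-}" "$MAP_FILE") || {
        # A non-zero exit makes OpenVPN refuse the connection, so a CN that
        # is not in the map never gets a tunnel address at all.
        echo "client-connect: no address for CN '${common_name:-}'" >&2
        exit 1
    }
    emit_push "$ip" >> "$out"
}

# Run only when invoked by OpenVPN with the directive file argument.
if [ "$#" -gt 0 ]; then main "$@"; fi
```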
Re: [Openvpn-devel] Running udp and tcp server in the same instance
Hi,

On Fri, Mar 02, 2012 at 03:32:36PM +0100, michael-dev wrote:
> I've got multiple tcp and udp based OpenVPN instances here, that
> prevent duplicate login of the same user by running some custom
> connect-scripts with some extra user-cannot-connect-anywhere timeslide.
> Are there any plans to support clients connecting via tcp and udp in
> the same instance?

I would *love* to have that. And it's somewhere on my TODO list of things
to implement in OpenVPN (multiple listening sockets in a single process).

Alas, socket.c is not for the faint of heart, and I haven't had the time
yet to do so. So I'd certainly welcome your patch :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                    g...@greenie.muc.de
fax: +49-89-35655025                g...@net.informatik.tu-muenchen.de
[Openvpn-devel] Running udp and tcp server in the same instance
Hi,

I've got multiple tcp and udp based OpenVPN instances here, that prevent
duplicate login of the same user by running some custom connect-scripts
with some extra user-cannot-connect-anywhere timeslide.

Are there any plans to support clients connecting via tcp and udp in the
same instance?

Regards,
M. Braun