On Sun, 23 Oct 2005, Andreas Gaufer wrote:

> Hi,
> 
> my deep respect for this beautiful piece of software. It helps a lot 
> every day.
> 
> I was a little astonished because client-configuration-directory files
> seemed to be not re-read on client connect.
>
> I learned from the source that the responsible function only runs on
> session-init and not on session-move.

This is by design for UDP-based configurations, since UDP is
connectionless and we therefore need to distinguish between a "new"
connection and a merely "renegotiated" session.  The client-config-dir
file is only read on a new connection.

What you can do however, to help OpenVPN know when a client is
disconnecting, is to use --explicit-exit-notify.  This will immediately
clear out the client instance object on the server, rather than passively
letting it time out over n minutes.  Now, new connections will result in a
new initialization of the client instance object on the server, and
therefore cause a re-read of the client-config-dir file.

You can also try --nobind on the client.  This will cause the reconnection 
to be on a new port #, which will give a hint to OpenVPN that this is a 
new connection and not merely the continuation of an older connection.

> I didn't expect this from reading the man page.  The patch attached
> introduces a hint which could save other users a little time. I would
> be honored if you consider including it.

The problem is that if we start talking about session "init" vs. "move", 
then we need to define what we mean by each to avoid confusion.

It might be more instructive to document the concept of a client instance 
object on the server, and the different ways in which this object can be 
created or destroyed.

James

