On 03/09/14 10:05, David Sommerseth wrote:
> Just to explain --explicit-exit-notify slightly more. This is a
> client-side option, which will notify the server when the client
> disconnects. Otherwise the server will keep the connection state open
> until the connection times out (defined by --ping-restart).

Caveat on that: "--explicit-exit-notify" means when openvpn *formally* shuts down, it notifies the server that it is doing so. If you come along with a Big Hammer (as I'm prone to do) and "kill -9" your openvpn process, then it dies outright and never gets to send the "I'm shutting down now!" message :-)

So in that corner-case you still have to rely on the server "ping-restart" setting for it to be able to detect that the client isn't there anymore.

TCP - being below openvpn - doesn't suffer from this issue of course, the server always sees the TCP FIN/RSET packet and "knows" the client is no more.

>
> But instead of parsing the log file, I would rather recommend looking
> at the --client-connect, --client-disconnect and/or --learn-address
> script hooks for more advanced ways of connection tracking.

Couldn't agree more. You really need to use "client-connect" and "client-disconnect" so that you can create START/STOP records - they are the only things that really get it right

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
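
Added example, not part of the original thread and not code from the OpenVPN project: one hook script that writes the START/STOP records discussed above, using the environment variables OpenVPN sets for --client-connect and --client-disconnect. The script path, the ACCT_LOG location and the record layout are assumptions.

```shell
#!/bin/sh
# Server config (needs "script-security 2"); the path is an assumption:
#   client-connect    /etc/openvpn/acct.sh
#   client-disconnect /etc/openvpn/acct.sh
ACCT_LOG="${ACCT_LOG:-/var/log/openvpn-acct.log}"   # assumed location

# Values such as common_name come from the peer: keep only characters
# that cannot break the one-record-per-line format or forge a record.
clean() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._:@-' '_'
}

# Print one accounting record for the current hook invocation.
# time_unix is the session start time in both hooks, so a STOP line
# can be paired with its START line on (cn, src, start).
acct_record() {
    cn=$(clean "${common_name:-unknown}")
    src="$(clean "${trusted_ip:-unknown}"):$(clean "${trusted_port:-0}")"
    vip=$(clean "${ifconfig_pool_remote_ip:-none}")
    start=$(clean "${time_unix:-0}")
    case "${script_type:-}" in
        client-connect)
            printf 'START start=%s cn=%s src=%s vpn_ip=%s\n' \
                "$start" "$cn" "$src" "$vip"
            ;;
        client-disconnect)
            printf 'STOP start=%s cn=%s src=%s vpn_ip=%s duration=%s rx=%s tx=%s\n' \
                "$start" "$cn" "$src" "$vip" \
                "$(clean "${time_duration:-0}")" \
                "$(clean "${bytes_received:-0}")" \
                "$(clean "${bytes_sent:-0}")"
            ;;
        *)
            return 1    # not invoked from a hook this script handles
            ;;
    esac
}

# A non-zero exit from client-connect makes the server refuse the
# client, so a logging failure must never propagate as the exit status.
acct_main() {
    rec=$(acct_record) || return 0
    { printf '%s\n' "$rec" >>"$ACCT_LOG"; } 2>/dev/null || true
    return 0
}

acct_main
```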