On 04/09/14 06:52, Jason Haar wrote:
> Hi there
>
> I've got openvpn-2.3.4 under Win7 running. Works fine - except
> when there's a network change... I have "verb 3" enabled and the
> log ends with
>
> Thu Sep 04 15:42:09 2014 [dns.host.name] Inactivity timeout (--ping-restart), restarting
> Thu Sep 04 15:42:09 2014 C:\WINDOWS\system32\route.exe DELETE 12.3.1 MASK 255.255.255.255 192.168.22.1
> Thu Sep 04 15:42:09 2014 Warning: route gateway is not reachable on any active network adapters: 1.2.3.1
> Thu Sep 04 15:42:09 2014 Route deletion via IPAPI failed [adaptive]
> Thu Sep 04 15:42:09 2014 Route deletion fallback to route.exe
> Thu Sep 04 15:42:09 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
> Thu Sep 04 15:42:09 2014 Closing TUN/TAP interface
> Thu Sep 04 15:42:09 2014 ..\scripts\down.cmd openvpn 1500 1546 1.2.3.25 255.255.255.0 init
> Thu Sep 04 15:42:09 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
>
>
> This machine changed from Ethernet to WiFi and got a new IP -
> which meant that openvpn's tunnel would have hung and
> "ping-restart" should have ensured it noticed and got a new tunnel
> up.

You might need --float in the server config to allow more smooth client IP change transitions. OpenVPN uses the client's IP address as an extra check-point when parsing the packets from the client. If the IP changes, OpenVPN disregards the packet as junk - basically resulting in a time-out and a full re-connection on the client. With --float, OpenVPN doesn't consider the client's IP address in this process, and the packets will still be accepted.

But I'd strongly recommend you to use --tls-auth, especially if you use --float. Just to have somewhat of an additional security layer. --tls-auth + float is not the same thing as not using both or just --tls-auth. But it does help somewhat, and --tls-auth improves the security in other aspects as well. Given that an attacker doesn't have a copy of the static tls-auth secret.

--
kind regards,

David Sommerseth
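The recommendation in the reply above (pair `float` with `tls-auth`) can be checked mechanically. The following is an added example, not part of the original message or of OpenVPN itself: a small audit that flags a config enabling `float` without `tls-auth`. The function names, the sample configs and the `ta.key` file name are assumptions made for illustration.

```python
# Added example: audit an OpenVPN config for `float` without `tls-auth`.
import re

def parse_directives(config_text):
    """Return the set of directive names in an OpenVPN config.

    Handles '#' and ';' comments, an optional leading '--', and inline
    <tag>...</tag> blocks (whose body is key material, not directives).
    """
    names = set()
    inline = None  # name of the inline block we are inside, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            names.add(inline)
            continue
        names.add(line.split()[0].lstrip("-"))
    return names

def audit_float(config_text):
    """Return a finding string for the float / tls-auth combination."""
    d = parse_directives(config_text)
    if "float" in d and "tls-auth" not in d:
        return "WARN: float enabled without tls-auth"
    if "float" in d:
        return "OK: float enabled with tls-auth"
    return "OK: float not enabled"

# Constructed sample server configs (file names are placeholders).
WEAK = """
port 1194
proto udp
dev tun
float          # accept packets after a client IP change
"""
HARDENED = WEAK + "tls-auth ta.key 0   # static HMAC key, direction 0 on the server\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", audit_float(cfg))
```

The matching client config would carry `tls-auth ta.key 1` with a copy of the same static key file.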