On 2017-11-01 07:48 PM, Jason Haar wrote:
> On Wed, Nov 1, 2017 at 2:08 PM, Steffan Karger <stef...@karger.me> wrote:
>> Coming back to tls-crypt/tls-auth key rotation: the preferred way is
>> what Ilya suggested: add a new openvpn daemon which is using the new key
>> and is running on another port, then migrate your clients to the new
>> server and finally kill the old server.
> 
> I guess we could assign new (2nd) IP addresses to the existing servers,
> and use identical configs - except for the new keys - and then alter DNS
> to round-robin? That way old-key clients would fail against the new IP
> but work on the old, and new-key clients would work on the new IP but
> fail on the old. Then after we see no more old-key connections, change
> the old IP server config to match the new.
> 
> (I don't want to use more ports because we already use the good ones ;-)

If you have the extra IP(s), that's a clean way indeed. For those who
don't have that luxury, it's possible to keep the same public facing
port and NAT between the 2 local servers. Assuming your old server
listens to TCP/443, you could redirect 1 packet every 2 packets to the
new server listening on TCP/444:

iptables -t nat -A PREROUTING -p tcp -m statistic --mode nth --every 2 \
         --packet 0 -m tcp --dport 443 -j REDIRECT --to-ports 444

The nice thing with that trick is that you can easily control which
percentage of connections get moved to the new server and can play with
it in case of problems.

HTH,
Simon
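An added example, not code from the thread or from the OpenVPN project: a small POSIX shell script around the NAT trick above that lets you set the share of new connections sent to the new daemon ("1 in N"), replace it as the migration progresses, and count the sessions still served on the old port. The port numbers, the `IPT=echo` dry-run switch and the `ss`-style sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Same-port cut-over between an old
# OpenVPN daemon (old tls-crypt key, TCP/443) and a new one (new key, TCP/444):
# a statistic-matched REDIRECT in the nat PREROUTING chain sends 1 in N *new
# connections* to the new daemon. The nat table only evaluates the first packet
# of a connection (conntrack replays the mapping for the rest), so the share
# is per connection even though the match is phrased per packet.
OLD_PORT=${OLD_PORT:-443}
NEW_PORT=${NEW_PORT:-444}
IPT=${IPT:-iptables}   # IPT=echo prints the iptables calls instead of running them

# Rule body sending 1 in N new connections on OLD_PORT to NEW_PORT.
redirect_rule() {
    printf '%s\n' "-p tcp --dport $OLD_PORT -m statistic --mode nth --every $1 --packet 0 -j REDIRECT --to-ports $NEW_PORT"
}

# Delete every PREROUTING rule of ours (identified by its --to-ports target).
clear_rules() {
    $IPT -t nat -S PREROUTING 2>/dev/null | grep -- "--to-ports $NEW_PORT\$" |
        sed 's/^-A PREROUTING //' | while read -r spec; do
            # word splitting of the rule spec is intended here
            $IPT -t nat -D PREROUTING $spec
        done
}

# Install the share "1 in N"; N=1 moves all new connections, which is the last
# step before giving the old daemon the new key and dropping the rule.
set_share() {
    clear_rules
    $IPT -t nat -I PREROUTING $(redirect_rule "$1")
}

# Count established sessions on a local port from "ss -Htn state established"
# style lines on stdin. Sessions still on OLD_PORT are clients served by the
# old daemon, i.e. still on the old key; the old key is done when this is 0.
sessions_on() {
    awk -v port="$1" '{ n = split($3, a, ":"); if (a[n] == port) c++ } END { print c + 0 }'
}

# Constructed sample in the shape of "ss -Htn state established" output.
SAMPLE_SS='0      0      10.0.0.1:443    198.51.100.7:51234
0      0      10.0.0.1:444    198.51.100.9:40001
0      0      10.0.0.1:444    203.0.113.5:55555'

# Dry-run demo when invoked as:  IPT=echo sh migrate.sh
if [ "$IPT" = echo ]; then
    set_share 4
    printf '%s\n' "$SAMPLE_SS" | sessions_on "$OLD_PORT"
fi
```

Run `set_share` with a growing N-to-1 schedule (4, 2, 1) while watching `ss -Htn state established | sessions_on 443`, then reconfigure the old daemon with the new key and call `clear_rules`.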


Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
