It is probably too late for you now, but simply adding more 'remote'
lines in the client config would probably suffice for what you need.
On 01/05/2020 12:38, Frömmel, Christian wrote:
Hi,
we are currently running three OpenVPN-Gateways for all the remote-workers in
our company. As the numbers grew at the beginning of March (from around 200 to
now 1700 parallel users) we had to build up new gateways very quickly. In this
process we made some (sort of) design-mistakes. To correct these mistakes or to
do other maintenance we have to clear the appropriate gateway from usage. We
cannot simply reboot the device, as this would be too interrupting for the
users.
As we are “controlling” the usage of the gateways via a single DNS-RR-Record
(which isn’t a real control as it just statistically distributes the clients –
but it works well for us), the first thing to do is to remove the IP from the
DNS-Record. But even after 18 hours waiting we have still active users on the
gateway.
We have developed our own scripts for “auth-user-pass-verify”, “client-connect” and
“learn-address”.
Now for the question:
Would it be possible to “soft-reject” the connecting clients during the
connection-phase? That we can redirect the client to use another gateway and
free the corresponding gateway gently.
From what I’ve read it is only possible to reject the user
(auth-user-pass-verify) or disconnect the user (client-connect). The first
isn’t very nice and would confuse users as the password might be correct.
Kind regards,
Christian Frömmel
Charité – Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Hindenburgdamm 30 | D-12200 Berlin
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users