On 19/07/20 10:44 pm, Gert Doering wrote:
> Hi,
>
> On Sun, Jul 19, 2020 at 10:32:42PM +1200, Richard Hector wrote:
>> > NAT with port translation in between? If the port
>> > changes after a restart, and the other end has no --float in the config,
>> > things will not work. Here a clear client/server role also helps, as
>> > there is a well defined "setup connection" phase (p2p just sends off
>> > packets, no handshake involved).
>>
>> No NAT. These are all VPSes from a (single) public provider. I use
>> static ports, so I can configure them predictably and automatically, and
>> avoid having them tread on each others' toes.
>
> In that case what I'd do is
>
> - run tcpdump on the "lan" interface on both sides, on that port
> - restart one instance
> - see if observed traffic shifts (ports? not reaching the other side?)
> - see what, if anything, is in the openvpn logs
>
> But indeed, the basic assumption is "if you have static ports on both
> sides, and no NAT in between, restarting either side at any time should
> just work" - that's the point of having a static pre-shared key: no
> negotiation whatsoever (= the peer does not even know you've been
> restarted, unless ports change).
That's what I'd hoped. One possible catch is firewalling. I haven't
actually seen any packets hit my specific iptables rules, but given it
mostly works, I assume that since both sides are trying to start
together, they'll each set up the established/related tracking with
their outgoing packets, which should allow the incoming packets from the
other side, assuming they can both cope with losing a few (or a lot of)
packets at the beginning. But perhaps there's some oddity when
restarting one side, and I need to revisit the rules that don't match.

But from what I've learned here, I think I need to switch to the cert
mode, with clients/servers, and see how it works from there.

Thanks,
Richard

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
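The tcpdump procedure Gert describes (capture on the LAN interface of both hosts on the tunnel port, restart one side, then look for a port shift or for one direction going missing) produces a lot of lines to eyeball by hand. The script below is an added example, not code from the thread or from the OpenVPN project: it parses the default one-line `tcpdump -n` UDP output, splits the capture at a hand-inserted `RESTART` marker line, and reports which host changed its source port and whether packets were still seen in both directions afterwards. The capture lines, the 203.0.113.x addresses, port 1194 and the marker convention are all constructed for illustration; the sample deliberately shows the failure case Gert mentions, where the restarted side comes back sending from a different port.

```python
import re
from collections import defaultdict

# Matches the default one-line "tcpdump -n" output for a UDP datagram, e.g.
# "10:44:01.000123 IP 203.0.113.10.1194 > 203.0.113.20.1194: UDP, length 93"
TCPDUMP_UDP = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

# Marker line inserted by hand into the capture at the moment one side is
# restarted (assumption for this example): lines before it are the "before"
# phase, lines after it the "after" phase.
RESTART_MARKER = "RESTART"

# Constructed sample capture (not a real trace): host .10 is restarted and
# comes back sending from an ephemeral port instead of the static 1194.
SAMPLE_CAPTURE = """\
10:44:01.000123 IP 203.0.113.10.1194 > 203.0.113.20.1194: UDP, length 93
10:44:01.000456 IP 203.0.113.20.1194 > 203.0.113.10.1194: UDP, length 93
10:44:11.000789 IP 203.0.113.10.1194 > 203.0.113.20.1194: UDP, length 93
RESTART
10:44:21.000111 IP 203.0.113.10.43210 > 203.0.113.20.1194: UDP, length 93
10:44:21.000222 IP 203.0.113.20.1194 > 203.0.113.10.1194: UDP, length 93
10:44:31.000333 IP 203.0.113.10.43210 > 203.0.113.20.1194: UDP, length 93
"""


def parse_capture(text):
    """Return a list of dicts {phase, ts, src, sport, dst, dport, length}.

    Lines that do not look like a UDP datagram (tcpdump banners, ARP, ...)
    are skipped; the RESTART marker switches the phase from before to after.
    """
    records = []
    phase = "before"
    for line in text.splitlines():
        line = line.strip()
        if line == RESTART_MARKER:
            phase = "after"
            continue
        m = TCPDUMP_UDP.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["length"] = int(rec["length"])
        rec["phase"] = phase
        records.append(rec)
    return records


def source_ports(records):
    """Map phase -> source IP -> set of source ports seen in that phase."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r["phase"]][r["src"]].add(r["sport"])
    return seen


def port_shifts(text):
    """Hosts whose source port(s) differ between the before and after phase.

    Returns {src_ip: (ports_before, ports_after)}. With static ports on both
    sides and no NAT this should be empty; a non-empty result means the
    restarted daemon is now sending from a port the peer does not expect.
    """
    seen = source_ports(parse_capture(text))
    hosts = set(seen["before"]) | set(seen["after"])
    return {
        h: (seen["before"][h], seen["after"][h])
        for h in hosts
        if seen["before"][h] != seen["after"][h]
    }


def directions(records, phase):
    """Set of (src, dst) pairs observed in the given phase.

    Both directions present after the restart means datagrams still arrive
    on this interface from each side; only one direction means the other
    side's packets are not getting here at all (dropped upstream or never
    sent).
    """
    return {(r["src"], r["dst"]) for r in records if r["phase"] == phase}


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for host, (before, after) in sorted(port_shifts(SAMPLE_CAPTURE).items()):
        print(f"{host}: source port changed {sorted(before)} -> {sorted(after)}")
    print("directions after restart:", sorted(directions(recs, "after")))
```

Run the same script against the capture taken on the other host: a pair that appears in one host's outgoing direction but is missing from the other host's capture points at the packets being dropped in between, while a port shift points at the restarted daemon's local port binding rather than at the firewall.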