In this recipe, we will demonstrate how to troubleshoot issues related to the use of multiple remote directives. The ability to use multiple remote directives is one of the lesser-known features of OpenVPN that has been available since version 2.2. It allows a user to specify multiple connection profiles to different hosts, different ports, and different protocols (for example, TCP versus UDP).
When using this directive, there is a pitfall to watch out for when specifying extra directives elsewhere in the configuration files, or on the command line. In this recipe, we will demonstrate what this pitfall is.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11, and the client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, handy, along with the client configuration file, basic-udp-client.conf.
Start the server using the configuration file basic-udp-server.conf:
[root@server]# openvpn --config basic-udp-server.conf
client
remote openvpnserver.example.com 1195 udp
remote openvpnserver.example.com 1196 tcp
port 1194
dev tun
nobind
remote-cert-tls server
tls-auth /etc/openvpn/cookbook/ta.key 1
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client1.crt
key /etc/openvpn/cookbook/client1.key
Note that we are specifying two connection profiles, one to the server using the UDP protocol, port 1195, and one using the TCP protocol, port 1196. However, we expect to overrule the port number using the line port 1194. Save this file as example6-8-client.conf.
[root@client]# openvpn --config example6-8-client.conf
Then, the client will fail to connect with a message:
... UDPv4 link local: [undef]
... UDPv4 link remote: [AF_INET]server-ip:1195
So, even though we explicitly stated port 1194, the client is still connecting using protocol UDP, port 1195.
When you specify a remote connection entry using:
remote openvpnserver.example.com 1195 udp
OpenVPN transforms this internally into a connection profile. In general, connection profiles inherit settings from the global configuration. Anything specified inside a connection profile overrules whatever is specified globally, even if it is specified later in the configuration file, or on the command line. Thus, the line port 1194 does not have any effect and the client attempts to connect using the first (default) remote connection profile, protocol UDP, and port 1195.
To solve this issue, the port number needs to be modified in the remote line in the configuration file.
An alternative way to specify remote openvpnserver.example.com 1195 udp is by using a connection block:
<connection>
remote openvpnserver.example.com
port 1195
proto udp
</connection>
However, inside connection blocks, you can specify more directives, as we will see in the Using connection blocks recipe in Chapter 10, Advanced Configuration.
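The precedence rule described in this recipe can be checked before a configuration is deployed. The following is an added example, not code from the book or from OpenVPN: a small checker whose function name effective_profiles is hypothetical, and which models only the port and proto directives in the remote and connection-block forms shown above.

```python
DEFAULTS = {"port": "1194", "proto": "udp"}  # OpenVPN built-in defaults

# Constructed sample: the client configuration from this recipe (TLS lines omitted).
SAMPLE = """\
client
remote openvpnserver.example.com 1195 udp
remote openvpnserver.example.com 1196 tcp
port 1194
dev tun
nobind
"""

def effective_profiles(text):
    """Return (profiles, warnings); profile values win over global ones."""
    glob, profiles, block = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0][0] in "#;":   # blank line or comment
            continue
        key, args = words[0], words[1:]
        if key == "<connection>":
            block = {}
        elif key == "</connection>" and block is not None:
            profiles.append(block)
            block = None
        elif key == "remote" and args:
            # remote host [port] [proto]: only the fields present are explicit
            explicit = dict(zip(("host", "port", "proto"), args))
            if block is None:
                profiles.append(explicit)
            else:
                block.update(explicit)
        elif key in DEFAULTS and args:
            (glob if block is None else block)[key] = args[0]
    warnings = []
    for p in profiles:
        for key in DEFAULTS:
            if key in p and key in glob and p[key] != glob[key]:
                warnings.append(f"global '{key} {glob[key]}' is ignored for remote "
                                f"{p.get('host', '?')}: profile sets {key} {p[key]}")
            p.setdefault(key, glob.get(key, DEFAULTS[key]))
    return profiles, warnings

if __name__ == "__main__":
    profiles, warnings = effective_profiles(SAMPLE)
    for p in profiles:
        print(p["host"], p["port"], p["proto"])
    print("\n".join(warnings))
```

Global directives are applied only after the whole file has been read, so a port line placed after the remote lines is treated the same way as one placed before them.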