Troubleshooting multiple remote issues

In this recipe, we will demonstrate how to troubleshoot issues related to the use of multiple remote directives. The ability to use multiple remote directives is one of the lesser-known features of OpenVPN and has been available since version 2.2. It allows a user to specify multiple connection profiles to different hosts, different ports, and different protocols (for example, TCP versus UDP).

When using this directive, there is a pitfall to watch out for when specifying extra directives elsewhere in the configuration files, or on the command line. In this recipe, we will demonstrate what this pitfall is.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11, and the client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the client configuration file, basic-udp-client.conf, handy along with the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks.

How to do it...

  1. Start the server using the configuration file, basic-udp-server.conf:
    [root@server]# openvpn --config basic-udp-server.conf
    
  2. Next, create the client configuration:
            client 
            remote openvpnserver.example.com 1195 udp 
            remote openvpnserver.example.com 1196 tcp 
            port 1194 
     
            dev tun 
            nobind 
     
            remote-cert-tls server 
            tls-auth /etc/openvpn/cookbook/ta.key 1 
            ca       /etc/openvpn/cookbook/ca.crt 
            cert     /etc/openvpn/cookbook/client1.crt 
            key      /etc/openvpn/cookbook/client1.key  
    

    Note that we are specifying two connection profiles, one to the server using the UDP protocol, port 1195, and one using the TCP protocol, port 1196. However, we expect to overrule the port number using the line port 1194. Save this file as example6-8-client.conf.

  3. Start the client:
            [root@client]# openvpn --config example6-8-client.conf
    

    Then, the client will fail to connect with a message:

            ... UDPv4 link local: [undef] 
            ... UDPv4 link remote: [AF_INET]server-ip:1195 
    

    So, even though we explicitly stated port 1194, the client is still connecting using protocol UDP, port 1195.

How it works...

When you specify a remote connection entry using:

 remote openvpnserver.example.com 1195 udp

OpenVPN transforms this internally into a connection profile. In general, connection profiles inherit settings from the global configuration. Anything specified inside a connection profile overrules whatever is specified globally, even if it is specified later in the configuration file, or on the command line. Thus, the line port 1194 does not have any effect and the client attempts to connect using the first (default) remote connection profile, protocol UDP, and port 1195.

To solve this issue, the port number needs to be modified in the remote line in the configuration file.
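
As an added example (not from the original recipe or the OpenVPN project), the following Python script models the precedence rule described above and flags global port or proto lines that a remote line overrides. The function name effective_profiles and the sample text are assumptions made for illustration; only inline remote lines are handled, not connection blocks.

```python
# Constructed sample: the client configuration from this recipe, TLS lines omitted.
SAMPLE_CONF = """\
client
remote openvpnserver.example.com 1195 udp
remote openvpnserver.example.com 1196 tcp
port 1194
dev tun
nobind
"""

DEFAULTS = {"port": "1194", "proto": "udp"}  # OpenVPN's built-in defaults


def effective_profiles(conf_text):
    """Return (profiles, warnings); each profile is a (host, port, proto) tuple.
    Models the precedence rule from this recipe: a value given on a `remote`
    line beats the global `port`/`proto`, wherever the global line appears.
    Assumption: only inline `remote` lines are handled, not <connection> blocks.
    """
    global_opts = {}  # directive -> (value, line number)
    remotes = []      # (line number, host, port or None, proto or None)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0][0] in "#;":
            continue  # blank line or full-line comment
        if tokens[0] == "remote" and len(tokens) >= 2:
            host, port, proto = (tokens[1:4] + [None, None])[:3]
            remotes.append((lineno, host, port, proto))
        elif tokens[0] in DEFAULTS and len(tokens) >= 2:
            global_opts[tokens[0]] = (tokens[1], lineno)

    profiles, warnings = [], []
    for lineno, host, port, proto in remotes:
        chosen = {"port": port, "proto": proto}
        for name in DEFAULTS:
            glob = global_opts.get(name)
            if chosen[name] is None:
                # Nothing on the remote line: inherit the global value or the default.
                chosen[name] = glob[0] if glob else DEFAULTS[name]
            elif glob and glob[0] != chosen[name]:
                warnings.append(f"line {glob[1]}: global '{name} {glob[0]}' has no effect "
                                f"on the remote at line {lineno} ({name} {chosen[name]})")
        profiles.append((host, chosen["port"], chosen["proto"]))
    return profiles, warnings


if __name__ == "__main__":
    profiles, warnings = effective_profiles(SAMPLE_CONF)
    print(*profiles, *warnings, sep="\n")
```

Run against the recipe's configuration, it reports that port 1194 on line 4 has no effect on either remote line.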

There's more...

An alternative way to specify remote openvpnserver.example.com 1195 udp is to use a connection block:

<connection> 
    remote openvpnserver.example.com 
    port 1195  
    proto udp 
</connection> 

However, inside connection blocks, you can specify more directives, as we will see in the Using connection blocks recipe in Chapter 10, Advanced Configuration.

See also

  • The Using connection blocks recipe in Chapter 10, Advanced Configuration, which goes into detail on the usage of connection blocks