Including configuration files in config files

One of the lesser-known possibilities when using configuration files is the ability to include other configuration files. This can be especially handy when setting up a complex OpenVPN server, where multiple OpenVPN instances are offered simultaneously. The common configuration directives can be stored in a single file, whereas the connection-specific parts can be stored in a file for each instance. In this recipe, we will set up two OpenVPN instances, one using UDP and the other using TCP as the transport protocol.

Note that this option does not allow for the sharing of VPN IP address ranges between instances.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11.

How to do it...

  1. First, create the common configuration file:
            dev tun 
     
            ca       /etc/openvpn/cookbook/ca.crt 
            cert     /etc/openvpn/cookbook/server.crt 
            key      /etc/openvpn/cookbook/server.key 
            dh       /etc/openvpn/cookbook/dh2048.pem 
            tls-auth /etc/openvpn/cookbook/ta.key 0 
     
            persist-key 
            persist-tun 
            keepalive 10 60 
     
            push "route 10.198.0.0 255.255.0.0" 
            topology subnet 
     
            user  nobody 
            group nobody 
     
            daemon 
    

    Save it as example10-1-common.conf. Note that this configuration file does not include a protocol specification or server line. Also, note that we will be using the same server certificate for both OpenVPN instances.

  2. Next, create the following server configuration file for UDP-based connections:
            config example10-1-common.conf 
     
            proto udp 
            port 1194 
            server 10.200.0.0 255.255.255.0 
     
            log-append /var/log/openvpn-udp.log 
    

    Save it as example10-1-server1.conf.

  3. And create a server configuration file for TCP-based connections:
            config example10-1-common.conf 
     
            proto tcp 
            port 443 
            server 10.201.0.0 255.255.255.0 
     
            log-append /var/log/openvpn-tcp.log 
    

    Save it as example10-1-server2.conf. This instance is listening on the HTTPS port 443, which is an often-used trick to circumvent very strict firewalls, or to work around a badly configured firewall.

  4. Start both servers:
    [root@server]# openvpn --config example10-1-server1.conf
    [root@server]# openvpn --config example10-1-server2.conf
    

    Check the log files to see if both the servers have successfully started.

How it works...

OpenVPN configuration files are treated very similarly to command line options. As the --config command line option is almost always used, it is also possible to use it inside a configuration file again. This allows for a split in the configuration options, where directives that are common to all OpenVPN instances can be stored in a single file for easy maintenance. The instance-specific directives (such as the server directive) can then be stored in much smaller configuration files, which are also less likely to change over time. This again eases maintenance of a large-scale OpenVPN server setup.

OpenVPN has a built-in protection mechanism to avoid including the same configuration file recursively.
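The following script is an added example and is not part of the recipe or of the OpenVPN project. It re-implements the include mechanism described above in a few dozen lines of Python so that a set of instance configuration files can be checked before the daemons are started: it expands `config FILE` lines, refuses a file that is already on the include chain (the same kind of guard the recipe mentions, written independently here), and then verifies that each instance ends up with exactly one `proto`, `port` and `server` directive, that no two instances listen on the same protocol and port, and that the VPN address ranges handed out by `server` do not overlap (the limitation stated at the top of the recipe). Two assumptions differ from OpenVPN itself and are marked in the code: relative include paths are resolved against the including file's directory rather than the daemon's working directory, and the nesting cap of 10 is this example's own. The sample files are constructed copies of the recipe's three configuration files.

```python
"""Expand OpenVPN `config` includes and sanity-check a set of instance configs.

Added example, not code from the OpenVPN Cookbook or the OpenVPN project.
"""
import ipaddress
import os
import shlex
import tempfile

MAX_NESTING = 10  # assumption for this example; OpenVPN has its own limit
REQUIRED_ONCE = ("proto", "port", "server")  # absent from the common file, present once per instance


def parse_lines(text):
    """Split config text into (directive, [args]) pairs, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps quoted args such as push "route ..." intact
        entries.append((parts[0], parts[1:]))
    return entries


def resolve_config(path, _chain=()):
    """Return (directive, args, source_file) triples with `config` includes expanded.

    A file already on the include chain raises ValueError instead of looping.
    Assumption: relative include paths are resolved against the including file's
    directory (OpenVPN resolves them against its working directory or --cd).
    """
    path = os.path.abspath(path)
    if path in _chain:
        raise ValueError("recursive include: " + " -> ".join(_chain + (path,)))
    if len(_chain) >= MAX_NESTING:
        raise ValueError(f"config nesting deeper than {MAX_NESTING} at {path}")
    with open(path) as fh:
        entries = parse_lines(fh.read())
    resolved = []
    for directive, args in entries:
        if directive == "config":
            if len(args) != 1:
                raise ValueError(f"{path}: 'config' takes exactly one file name")
            include = os.path.join(os.path.dirname(path), args[0])
            resolved.extend(resolve_config(include, _chain + (path,)))
        else:
            resolved.append((directive, args, path))
    return resolved


def check_instances(instance_paths):
    """Check a set of instance configs; returns a list of problems (empty means OK)."""
    problems, subnets, listeners = [], {}, {}
    for inst in instance_paths:
        try:
            entries = resolve_config(inst)
        except (OSError, ValueError) as exc:
            problems.append(f"{inst}: {exc}")
            continue
        by_name = {}
        for directive, args, _source in entries:
            by_name.setdefault(directive, []).append(args)
        for name in REQUIRED_ONCE:
            if len(by_name.get(name, [])) != 1:
                problems.append(f"{inst}: expected exactly one '{name}', found {len(by_name.get(name, []))}")
        # OpenVPN defaults (udp, 1194) are used when a directive is missing
        proto = (by_name.get("proto") or [["udp"]])[0][0]
        port = (by_name.get("port") or [["1194"]])[0][0]
        if (proto, port) in listeners:
            problems.append(f"{inst} and {listeners[(proto, port)]} both listen on {proto}/{port}")
        listeners[(proto, port)] = inst
        server_args = (by_name.get("server") or [[]])[0]
        if len(server_args) >= 2:
            try:
                subnets[inst] = ipaddress.ip_network(f"{server_args[0]}/{server_args[1]}")
            except ValueError as exc:
                problems.append(f"{inst}: bad 'server' network: {exc}")
    seen = list(subnets)
    for i, a in enumerate(seen):
        for b in seen[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"VPN subnets overlap: {a} ({subnets[a]}) and {b} ({subnets[b]})")
    return problems


def write_sample_configs(directory, overlapping=False):
    """Write constructed copies of the recipe's files into directory; returns the instance paths."""
    common = 'dev tun\npersist-key\npersist-tun\nkeepalive 10 60\npush "route 10.198.0.0 255.255.0.0"\ntopology subnet\n'
    tcp_net = "10.200.0.0" if overlapping else "10.201.0.0"  # overlapping=True reproduces the forbidden case
    files = {
        "example10-1-common.conf": common,
        "example10-1-server1.conf": "config example10-1-common.conf\nproto udp\nport 1194\nserver 10.200.0.0 255.255.255.0\n",
        "example10-1-server2.conf": f"config example10-1-common.conf\nproto tcp\nport 443\nserver {tcp_net} 255.255.255.0\n",
    }
    for name, text in files.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(text)
    return [os.path.join(directory, n) for n in ("example10-1-server1.conf", "example10-1-server2.conf")]


def run_demo():
    """Run the checks on the recipe's configs, an overlapping pair, and a self-including file."""
    with tempfile.TemporaryDirectory() as d:
        good = check_instances(write_sample_configs(d))
    with tempfile.TemporaryDirectory() as d:
        bad = check_instances(write_sample_configs(d, overlapping=True))
    with tempfile.TemporaryDirectory() as d:
        loop = os.path.join(d, "loop.conf")
        with open(loop, "w") as fh:
            fh.write("config loop.conf\n")  # constructed: a file that includes itself
        cycle = check_instances([loop])
    return good, bad, cycle


if __name__ == "__main__":
    for label, result in zip(("recipe", "overlapping", "recursive"), run_demo()):
        print(label, "->", result or "OK")
```

Run against real files with `check_instances(["example10-1-server1.conf", "example10-1-server2.conf"])` from the directory holding the configs; an empty list means the two instances can be started side by side as in step 4.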
