openvpn configuration stuff


Russell Senior

Jan 29, 2015, 8:13:44 AM1/29/15
to ptp...@googlegroups.com
After some recent instability in our OpenVPN configuration, I did
some digging this evening. In the olden days, a few years ago, we
used to have static configuration for node vpn ipaddrs using server
side ccd (client-config-dir) files. Keegan wanted it to be dynamic,
and we largely dropped the ccd static configuration. The problem
occurs when the server restarts and the clients can't reconfigure
themselves: the tunnel does something evil, like retaining stale
ipaddrs and clashing with another node. The
reconfiguration/reconnection is prevented by our use of persist-tun
and user nobody and group nogroup (the latter two drop the necessary
privileges to reconfigure). So, the recommendation from the openvpn
irc channel was to either go back to static configuration or turn off
those three options.

Thoughts?
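As an added illustration of the combination Russell describes (not code from the thread or from Personal Telco), here is a small Python checker that parses an OpenVPN server config and flags the case where `persist-tun` plus a `user`/`group` privilege drop is used without `client-config-dir`, which is the situation in which a client that cannot re-plumb its tun device after a server restart may hold on to a stale address. The sample configs, the `/etc/openvpn/ccd` path and the `10.8.0.0/24` range are constructed for the example; the `ccd_entry` helper assumes `topology subnet`.

```python
"""Lint an OpenVPN server config for the persist-tun + user/group +
dynamic-address combination discussed in the thread. Added example;
sample configs below are constructed, not Personal Telco's real files."""
from typing import Dict, List

# Constructed base config: dynamic client addresses from the server pool.
BASE = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
"""

# The problematic setup: tun kept across restarts, root privileges dropped,
# no per-client static addressing.
DYNAMIC_PRIVDROP = BASE + "persist-tun\nuser nobody\ngroup nogroup\n"

# Option 1 from the thread: keep the three options, go back to static ccd.
STATIC_CCD = DYNAMIC_PRIVDROP + "client-config-dir /etc/openvpn/ccd\n"

# Option 2 from the thread: stay dynamic, turn off the three options.
DYNAMIC_NO_PRIVDROP = BASE


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive name to the list of argument lists it appears with.
    OpenVPN treats lines beginning with '#' or ';' as comments."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def check_restart_behaviour(text: str) -> List[str]:
    """Return findings for the failure mode in the thread: after a server
    restart, a client that kept its tun device (persist-tun) and dropped
    root (user/group) cannot re-apply a newly assigned address, so a stale
    address may clash with another node unless each client's address is
    pinned via client-config-dir."""
    d = parse_config(text)
    persist = "persist-tun" in d
    dropped = [name for name in ("user", "group") if name in d]
    static = "client-config-dir" in d
    findings: List[str] = []
    if persist and dropped and not static:
        findings.append(
            "persist-tun with " + "/".join(dropped)
            + " and no client-config-dir: clients may keep stale addresses "
            "after a server restart; add client-config-dir or remove "
            "persist-tun/user/group"
        )
    return findings


def ccd_entry(ip: str, netmask: str = "255.255.255.0") -> str:
    """Contents of a per-client ccd file pinning that client's address.
    Assumes 'topology subnet'; under the default net30 topology
    ifconfig-push takes a local/remote endpoint pair instead."""
    return f"ifconfig-push {ip} {netmask}\n"


if __name__ == "__main__":
    for label, cfg in (
        ("dynamic + privdrop", DYNAMIC_PRIVDROP),
        ("static ccd", STATIC_CCD),
        ("dynamic, no privdrop", DYNAMIC_NO_PRIVDROP),
    ):
        print(f"{label}: {check_restart_behaviour(cfg) or ['ok']}")
    print("ccd file for one node:", ccd_entry("10.8.0.10"), end="")
```

Only the first sample produces a finding; the other two correspond to the two ways out that the IRC channel suggested. The checker reads only the server config, so if the `user`/`group` lines live in an included file it will not see them.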

Keegan Quinn

Feb 2, 2015, 1:20:18 PM2/2/15
to Russell Senior, Personal Telco Ops
Good morning!
Do the OpenVPN people not consider this a bug? Seems like (at the very
least) it should refuse this set of configuration options, if it's
known they aren't going to work properly. Anyway, it is what it is
so...

My personal preference would be to get rid of the privilege dropping
options rather than return to managing the VPN IPs manually. OpenVPN
has a decent security track record and this doesn't feel like a
significant attack vector to me. On the other hand, Russell, it'll be
you who will have to do the work of maintaining the address space so
if you really want to do that, I'm okay with it.

In the long term, we could probably bake a VPN IP reservation system
into our node database, but this sounds like something that should be
addressed sooner than we'd be able to develop that in a satisfactory
way.


Thanks!

- Keegan

--
Keegan Quinn
http://keegan.ws/
+1-619-663-5432
keega...@gmail.com