-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi all,
Can I please get +1's for the below configuration patch? Reasoning is in the commit message.
This should solve the issues we have where RHEL7 machines don't come back onto the VPN automatically in some specific non-rare cases.
commit b1db3bafd8bfde6fac9cc8c7fc3a5bedd39a1483
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Wed Oct 21 18:26:32 2015 +0000
Disable persist-tun for openvpn
This should solve the issue where RHEL7 machines that get a network hiccup need an OpenVPN restart to restore their routes.
The code is broken in the current upstream OpenVPN release, such that it does tear down some of the routes during a ping-restart (when the connection is dropped due to network hiccups), but the reconnection code does not restore the routes. I am working on an upstream patch to fix this, but in the meantime disabling persist-tun will make sure that OpenVPN does the entire initialization upon reconnection, which makes sure that all routes are created.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/files/openvpn/client.conf b/files/openvpn/client.conf index d274e72..abb5d03 100644 - --- a/files/openvpn/client.conf +++ b/files/openvpn/client.conf @@ -13,7 +13,6 @@ resolv-retry infinite nobind
persist-key - -persist-tun
ca ca.crt cert client.crt diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf index d274e72..abb5d03 100644 - --- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/files/client.conf @@ -13,7 +13,6 @@ resolv-retry infinite nobind
persist-key - -persist-tun
ca ca.crt cert client.crt diff --git a/roles/openvpn/server/files/server.conf b/roles/openvpn/server/files/server.conf index c824b12..3ba8fab 100644 - --- a/roles/openvpn/server/files/server.conf +++ b/roles/openvpn/server/files/server.conf @@ -6,7 +6,6 @@ comp-lzo
ping-timer-rem
- -persist-tun persist-key
ca ca.crt
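Review bot: the `files/openvpn/client.conf` hunk is byte-identical to the `roles/openvpn/client/files/client.conf` hunk (same blob ids `d274e72..abb5d03`), so the repository carries two copies of the client config that have to be edited in lockstep every time; please confirm whether the `files/openvpn/` copy is still deployed by anything and, if it is not, retire it in a follow-up instead of continuing to patch both.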
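Review bot: in the `roles/openvpn/client/files/client.conf` hunk `persist-key` stays while `persist-tun` goes, which means every `--ping-restart` will now close and reopen the tun device and re-run any `up`/`down` scripts; the hunk context does not show whether this config also drops privileges with `user`/`group` after initialization, and if it does the reopen will fail for lack of root and the client will be stuck rather than reconnected, so please state in the commit message that those directives are absent or how that case is handled.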
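Review bot: the commit message only motivates the change for RHEL7 clients, yet the `roles/openvpn/server/files/server.conf` hunk also removes `persist-tun` from the server; either document why the server side needs it (without it a SIGUSR1 restart of the server process closes and reopens the shared tun device, interrupting every connected client) or keep the patch scoped to the two client configs so the backout stays as simple as the +1s assume.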
--
With kind regards,
Patrick Uiterwijk
Fedora Infra
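The failure mode the commit message describes (a ping-restart tears routes down and the reconnect never puts them back) is silent: the tunnel is up, but traffic to the pushed networks goes nowhere. The following is an added example, not code from the thread or from the Fedora infrastructure repository: a POSIX shell check that compares the routes a VPN is expected to install against the kernel routing table, so a host that came back without its routes is noticed by monitoring instead of by users. The route prefixes are constructed placeholders, and the check assumes the output format of `ip route show` (one route per line, destination in the first field).

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the routes an OpenVPN
# client is expected to carry are present, to catch a reconnect that did
# not restore them. EXPECTED_ROUTES holds constructed placeholder prefixes;
# replace them with the networks your server actually pushes.

EXPECTED_ROUTES="10.5.0.0/16
192.168.100.0/24"

# missing_routes <expected-prefixes> <routing-table-text>
# Prints one "missing route: <prefix>" line per expected prefix that does
# not appear as the destination of a route in the table text, and returns
# 1 if anything is missing, 0 otherwise. The table text is passed in as an
# argument so the same function runs against a captured table in tests and
# against the live one in production.
missing_routes() {
    expected="$1"
    table="$2"
    rc=0
    for prefix in $expected; do
        # A route line from `ip route show` starts with its destination,
        # e.g. "10.5.0.0/16 via 10.8.0.1 dev tun0"; match the first field.
        if ! printf '%s\n' "$table" |
            awk -v p="$prefix" '$1 == p { found = 1 } END { exit found ? 0 : 1 }'; then
            printf 'missing route: %s\n' "$prefix"
            rc=1
        fi
    done
    return $rc
}

# check_live_routes: run the check against the host's current routing
# table. Exit status 1 means at least one expected route is absent, which
# is the condition to alert on (or to trigger a service restart from).
check_live_routes() {
    missing_routes "$EXPECTED_ROUTES" "$(ip route show 2>/dev/null)"
}

# Only touch the live routing table when explicitly asked, so the file can
# be sourced or tested without side effects.
if [ "${1:-}" = "--live" ]; then
    check_live_routes
fi
```

Run it as `sh vpn-route-check.sh --live` from cron or a monitoring agent and alert on a non-zero exit; the missing prefixes are printed so the alert text says which network is unreachable.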
This looks sane and can be backed out. +1
On 21 October 2015 at 12:30, Patrick Uiterwijk puiterwijk@redhat.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi all,
Can I please get +1's for the below configuration patch? Reasoning is in the commit message.
This should solve the issues we have where RHEL7 machines don't come back onto the VPN automatically in some specific non-rare cases.
commit b1db3bafd8bfde6fac9cc8c7fc3a5bedd39a1483
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Wed Oct 21 18:26:32 2015 +0000
Disable persist-tun for openvpn
This should solve the issue where RHEL7 machines that get a network hiccup need an OpenVPN restart to restore their routes.
The code is broken in the current upstream OpenVPN release, such that it does tear down some of the routes during a ping-restart (when the connection is dropped due to network hiccups), but the reconnection code does not restore the routes. I am working on an upstream patch to fix this, but in the meantime disabling persist-tun will make sure that OpenVPN does the entire initialization upon reconnection, which makes sure that all routes are created.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/files/openvpn/client.conf b/files/openvpn/client.conf index d274e72..abb5d03 100644
- --- a/files/openvpn/client.conf
+++ b/files/openvpn/client.conf @@ -13,7 +13,6 @@ resolv-retry infinite nobind
persist-key
- -persist-tun
ca ca.crt cert client.crt diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf index d274e72..abb5d03 100644
- --- a/roles/openvpn/client/files/client.conf
+++ b/roles/openvpn/client/files/client.conf @@ -13,7 +13,6 @@ resolv-retry infinite nobind
persist-key
- -persist-tun
ca ca.crt cert client.crt diff --git a/roles/openvpn/server/files/server.conf b/roles/openvpn/server/files/server.conf index c824b12..3ba8fab 100644
- --- a/roles/openvpn/server/files/server.conf
+++ b/roles/openvpn/server/files/server.conf @@ -6,7 +6,6 @@ comp-lzo
ping-timer-rem
- -persist-tun
persist-key
ca ca.crt
With kind regards, Patrick Uiterwijk Fedora Infra
_______________________________________________ infrastructure mailing list infrastructure@lists.fedoraproject.org http://lists.fedoraproject.org/admin/infrastructure@lists.fedoraproject.org
On Wed, Oct 21, 2015 at 08:30:52PM +0200, Patrick Uiterwijk wrote:
Hi all,
Can I please get +1's for the below configuration patch? Reasoning is in the commit message.
This should solve the issues we have where RHEL7 machines don't come back onto the VPN automatically in some specific non-rare cases.
+1 for me as well
Pierre
commit b1db3bafd8bfde6fac9cc8c7fc3a5bedd39a1483
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Wed Oct 21 18:26:32 2015 +0000
Disable persist-tun for openvpn
This should solve the issue where RHEL7 machines that get a network hiccup need an OpenVPN restart to restore their routes.
The code is broken in the current upstream OpenVPN release, such that it does tear down some of the routes during a ping-restart (when the connection is dropped due to network hiccups), but the reconnection code does not restore the routes. I am working on an upstream patch to fix this, but in the meantime disabling persist-tun will make sure that OpenVPN does the entire initialization upon reconnection, which makes sure that all routes are created.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/files/openvpn/client.conf b/files/openvpn/client.conf index d274e72..abb5d03 100644 --- a/files/openvpn/client.conf +++ b/files/openvpn/client.conf @@ -13,7 +13,6 @@ resolv-retry infinite nobind
persist-key -persist-tun
ca ca.crt cert client.crt diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf index d274e72..abb5d03 100644 --- a/roles/openvpn/client/files/client.conf +++ b/roles/openvpn/client/files/client.conf @@ -13,7 +13,6 @@ resolv-retry infinite nobind
persist-key -persist-tun
ca ca.crt cert client.crt diff --git a/roles/openvpn/server/files/server.conf b/roles/openvpn/server/files/server.conf index c824b12..3ba8fab 100644 --- a/roles/openvpn/server/files/server.conf +++ b/roles/openvpn/server/files/server.conf @@ -6,7 +6,6 @@ comp-lzo
ping-timer-rem
-persist-tun persist-key
ca ca.crt
-- With kind regards, Patrick Uiterwijk Fedora Infra