OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

Disable auto reconnecting #311

Open tmpdat opened 3 months ago

tmpdat commented 3 months ago

How can the OpenVPN client disable auto reconnecting when another device connects with the same profile?

P.S.: with OpenVPN version 2.x, I use the remap-usr1 option to remap signal SIGUSR1 to SIGTERM and stop client reconnects.

dsommers commented 3 months ago

Related openvpn3-linux issue: https://codeberg.org/OpenVPN/openvpn3-linux/issues/6

dsommers commented 3 months ago

After pondering a bit on this specific case and discussing it in the team, it's clear that this feature is not available in the OpenVPN 3 Core Library.

Porting remap-usr1 to OpenVPN 3 makes little sense, since this library does not use Unix signals, like OpenVPN 2.x does. In addition, the remap-usr1 is intended for a different use case than yours. It could be said that using remap-usr1 in this context is working due to the side-effect of what this signal remapping does.

Your real issue is that you're connecting two devices containing the same client certificate, which ends up in a re-connect game where client A, which connected first, gets kicked off when client B connects, and then A reconnects, kicking off client B, in an endless loop. This reconnection behaviour is actually considered a feature in OpenVPN, and is the default behaviour in OpenVPN 2.x as well (without the remap-usr1).

The best solution for you is actually to not work around this, but either to issue different client certificates for each connecting device or to configure the server to use --duplicate-cn.

We have not concluded at the moment if a "disable reconnect" feature is really wanted in OpenVPN 3.
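
The reconnect loop described in the comment above can be spotted from the server side. The following is an added example, not part of the original thread and not OpenVPN project code: it scans server log text for the notice an OpenVPN 2.x server writes when a new session evicts an older one with the same common name, and flags names evicted repeatedly within a short window. The timestamp layout, the sample log lines, and the `find_flapping_cns` name, threshold and window are assumptions; adjust the pattern to your server's actual output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "YYYY-MM-DD HH:MM:SS <optional prefix> <message>".
# The message is the duplicate-CN eviction notice of an OpenVPN 2.x server.
DUP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*"
    r"MULTI: new connection by client '(?P<cn>[^']+)' will cause previous "
    r"active sessions by this client to be dropped"
)

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
2024-05-01 09:00:00 MULTI: new connection by client 'bob' will cause previous active sessions by this client to be dropped.
2024-05-01 09:59:58 TLS: Initial packet from [AF_INET]203.0.113.5:51234
2024-05-01 10:00:00 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
2024-05-01 10:00:07 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
2024-05-01 10:00:15 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
2024-05-01 10:00:22 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
2024-05-01 14:30:00 MULTI: new connection by client 'bob' will cause previous active sessions by this client to be dropped.
"""


def find_flapping_cns(log_text, threshold=3, window=timedelta(minutes=2)):
    """Return {cn: most evictions seen inside any window} for CNs >= threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = DUP_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["cn"]].append(ts)

    flagged = {}
    for cn, stamps in events.items():
        stamps.sort()
        start = best = 0
        # Sliding window: drop events older than `window` before the current one.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[cn] = best
    return flagged


if __name__ == "__main__":
    for cn, count in find_flapping_cns(SAMPLE_LOG).items():
        print(f"{cn}: {count} evictions in a short window; certificate likely in use on several devices")
```

A single eviction, like the two isolated ones for `bob` in the sample, is normal when a client reconnects before its old session times out; only the repeated pattern points to one certificate being used on more than one device.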

tmpdat commented 3 months ago

Hi guy, thanks so much for a clean answer. This answer covered my case well.

I know the remap_usr1 option is not intended for this case, but I don't want to use two profiles for each user, and also don't want to enable the --duplicate-cn option (for security).

Anyway, properly, I must choose another solution, such as creating more than one profile for users connecting to multiple devices at the same time.