From: Stefan M. <mo...@ir...> - 2009-10-05 03:10:54
>> in my server's config and "allow-pull-fqdn" in my client's config.
>> It mostly works, except that when the FQDN has several IPs, OpenVPN
>> seems to behave a bit unpredictably: some FQDN with 2 IPs get both IPs
>> added to the routing table, but others only get the first, while
>> another FQDN that has 3 IPs has only 2 of them added to the routing
>> table (the first and the third). Is there some rational explanation
>> for it, or would that be a bug?

> Routing is done by means of IP addresses. DNS names are a shorthand
> or user-friendly way to get IP addresses. The right way to do this is
> to specify IP addresses for routes. If you choose to use names, fine,
> but you should ensure that the names resolve to exactly what you
> need. Note that resolver client implementations vary too, as do the
> clients' upstream nameservers ...

Yes, I do understand the difference between IP and DNS, and that's exactly why I want to use DNS entries: some of my entries are for machines which are completely outside of my control and whose (set of) IP addresses can change without warning, so I don't want to list the current set of IP addresses and then have to keep updating it.

Actually, after I sent this question I noticed that my client's logs actually say explicitly:

Oct 4 15:02:00 ceviche ovpn-oficina[2375]: RESOLVE: NOTE: <fqdn1> resolves to 3 addresses, choosing one by random
Oct 4 15:02:00 ceviche ovpn-oficina[2375]: RESOLVE: NOTE: <fqdn2> resolves to 2 addresses, choosing one by random
Oct 4 15:02:00 ceviche ovpn-oficina[2375]: RESOLVE: NOTE: <fqdn3> resolves to 2 addresses, choosing one by random

[BTW, I think it should be "at random" rather than "by random".]

so apparently the OpenVPN client explicitly chooses one IP at random. I think that's a bug, or at least a misfeature, since when the client connects to that FQDN, it will sometimes be routed through the VPN and sometimes not, depending on that random choice.
I've submitted a bug report together with a sample patch to fix it, at https://sourceforge.net/tracker/?func=detail&aid=2872760&group_id=48978&atid=454719

> IIUC the metrics are ignored by some IP stacks. A complicating factor
> here is that openvpn works across numerous distinct operating systems
> which might do things differently. Personally, I think "def1" was a
> pretty clever little hack.

No doubt that it's a cute hack. Still, it's just a hack. Maybe it should only be used on systems where OpenVPN's code doesn't support route metrics or where those metrics don't work.

Any comment about the "novpn" idea?

Stefan
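As an added illustration (not code from the poster or from OpenVPN) of the symptom and a workaround discussed in this message: the first function scans client log lines for the "RESOLVE: NOTE" messages quoted above and flags names that resolved to more than one address, since a pushed route to such a name only covers whichever address the client picked; the second expands each flagged name into one host route per address. The log lines, the names `fqdnN.example`, the addresses and the injected `resolve` callable are all constructed here so the code runs offline.

```python
import re
import ipaddress
from typing import Callable, Dict, Iterable, List

# Matches the OpenVPN client log lines quoted in the message above.
RESOLVE_RE = re.compile(
    r"RESOLVE: NOTE: (?P<fqdn>\S+) resolves to (?P<count>\d+) addresses")


def multi_address_fqdns(log_lines: Iterable[str]) -> Dict[str, int]:
    """Return {fqdn: address_count} for names the client resolved to more
    than one address, i.e. routes whose target depended on a random pick."""
    found: Dict[str, int] = {}
    for line in log_lines:
        m = RESOLVE_RE.search(line)
        if m and int(m.group("count")) > 1:
            found[m.group("fqdn")] = int(m.group("count"))
    return found


def expand_fqdn_routes(fqdns: Iterable[str],
                       resolve: Callable[[str], List[str]]) -> List[str]:
    """Emit one OpenVPN host route per resolved IPv4 address so every address
    a name maps to is covered, not just the one the client happened to choose.
    `resolve` is injected so this runs offline; a real one would wrap
    socket.getaddrinfo(). Duplicate addresses across names are emitted once."""
    routes: List[str] = []
    seen = set()
    for name in fqdns:
        for addr in resolve(name):
            ip = ipaddress.ip_address(addr)  # rejects malformed resolver output
            if ip.version != 4 or ip in seen:
                continue
            seen.add(ip)
            routes.append(f"route {ip} 255.255.255.255")
    return routes


# Constructed sample data modelled on the message: two multi-address names,
# one unrelated log line, and a fake resolver mapping standing in for DNS.
SAMPLE_LOG = [
    "Oct 4 15:02:00 ceviche ovpn-oficina[2375]: RESOLVE: NOTE: fqdn1.example resolves to 3 addresses, choosing one by random",
    "Oct 4 15:02:00 ceviche ovpn-oficina[2375]: RESOLVE: NOTE: fqdn2.example resolves to 2 addresses, choosing one by random",
    "Oct 4 15:02:01 ceviche ovpn-oficina[2375]: Initialization Sequence Completed",
]
FAKE_DNS = {
    "fqdn1.example": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "fqdn2.example": ["198.51.100.5", "198.51.100.6"],
}

if __name__ == "__main__":
    for line in expand_fqdn_routes(multi_address_fqdns(SAMPLE_LOG), FAKE_DNS.__getitem__):
        print(line)
```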