From: James Y. <ji...@yo...> - 2005-03-28 06:19:53
On Sun, 27 Mar 2005, Nik wrote:

> Some time ago, I was involved in a conversation regarding the
> interaction between the --persist-remote-ip option, and multiple
> --remote options. The last post on this topic was from James Yonan, and
> read:
>
> > I think your idea makes sense: If --persist-remote-ip is used, then a
> > ping-restart or other SIGUSR1-type conditional restart will retry the
> > current IP and only move on to the next IP in the list if the retry
> > fails.
>
> I had a look in the code last week, with a view to working out what was
> involved in implementing this change (I had indicated I was quite
> prepared to do the coding myself, rather than expecting it to be done
> for me).
>
> I have come across a relatively new piece of code that seems to have
> some bearing on this, and wanted to understand its purpose before I went
> any further. (This code is in R2.0_rc17, but not in R2.0_rc6.)
>
> in init.c:
>
>   /* Flag remote_list that we initialized */
>   if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && c->c1.remote_list &&
>       c->c1.remote_list->len > 1)
>     c->c1.remote_list->no_advance = true;
>
> Q1: Has this code (or any other code) been added to address the issue of
> --persist-remote-ip and multiple --remote interactions?
>
> If so, thank you very much!

Yes, I coded this shortly after we discussed it:

2005.02.05 -- Version 2.0-rc12

* Client code for cycling through --remote list will retry the last
  address which successfully authenticated before moving on through
  the list.

> Q2: If so, then what conditions is this code intended to address?
> In my current tests, the first server in the remote_list is not
> reachable, and so the client loops on receiving a NETWORK_UNREACHABLE
> error and then retrying the same server.

If the keepalive and resolv-retry parameters are set, you should see a
restart at some point.

Here's a simple test you can do on the command line. Note that x1, x2,
and x3 are bogus DNS names which don't resolve to anything.
ai:~/openvpn/20/openvpn # openvpn --dev tap --keepalive 5 30 --resolv-retry 30 --remote x1 --remote x2 --remote x3
Sun Mar 27 20:40:32 2005 OpenVPN 2.0_rc17 i586-suse-linux [SSL] [LZO] [EPOLL] built on Mar 13 2005
Sun Mar 27 20:40:32 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Mar 27 20:40:32 2005 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sun Mar 27 20:40:32 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:32 2005 TUN/TAP device tap0 opened
Sun Mar 27 20:40:32 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:37 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:42 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:47 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:52 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:57 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:57 2005 SIGUSR1[soft,init_instance] received, process restarting
Sun Mar 27 20:40:59 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Mar 27 20:40:59 2005 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sun Mar 27 20:40:59 2005 RESOLVE: Cannot resolve host address: x2: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:59 2005 TUN/TAP device tap0 opened
Sun Mar 27 20:40:59 2005 RESOLVE: Cannot resolve host address: x2: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:41:04 2005 RESOLVE: Cannot resolve host address: x2: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:41:07 2005 RESOLVE: signal received during DNS resolution attempt
Sun Mar 27 20:41:07 2005 SIGINT[hard,init_instance] received, process exiting

Note how it switched from trying x1 to trying x2 after 30 seconds.

Here's the same test again. This time the address resolves, but there's
no one listening:

ai:~/openvpn/20/openvpn # openvpn --dev tap --keepalive 5 30 --resolv-retry 30 --remote 127.0.0.1 --remote 127.0.0.2 --remote 127.0.0.3 --lport 4000 --rport 4001
Sun Mar 27 20:45:56 2005 OpenVPN 2.0_rc17 i586-suse-linux [SSL] [LZO] [EPOLL] built on Mar 13 2005
Sun Mar 27 20:45:56 2005 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sun Mar 27 20:45:56 2005 TUN/TAP device tap0 opened
Sun Mar 27 20:45:56 2005 UDPv4 link local (bound): [undef]:4000
Sun Mar 27 20:45:56 2005 UDPv4 link remote: 127.0.0.1:4001
Sun Mar 27 20:45:56 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:01 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:06 2005 write UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:11 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:16 2005 write UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:22 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:26 2005 Inactivity timeout (--ping-restart), restarting
Sun Mar 27 20:46:26 2005 SIGUSR1[soft,ping-restart] received, process restarting
Sun Mar 27 20:46:28 2005 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Sun Mar 27 20:46:28 2005 TUN/TAP device tap0 opened
Sun Mar 27 20:46:28 2005 UDPv4 link local (bound): [undef]:4000
Sun Mar 27 20:46:28 2005 UDPv4 link remote: 127.0.0.2:4001
Sun Mar 27 20:46:28 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:33 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:38 2005 write UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:43 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:43 2005 event_wait : Interrupted system call (code=4)
Sun Mar 27 20:46:43 2005 SIGINT[hard,] received, process exiting

Note that it tried 127.0.0.1 for 30 seconds, then switched over to
127.0.0.2.

The lport/rport is just for the example, to prevent OpenVPN from
connecting with itself on localhost.

James
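Added example (editor's code, not part of the post above nor of OpenVPN): when repeating the two tests above against a real --remote list, the thing to verify from the client log is which remote each connection cycle used, how long the client stayed on it, what ended the cycle (a SIGUSR1 restart with its reason, or an exit), and whether after a restart it retried the same remote or advanced to the next entry. The parser below does that for the log format shown in the post (timestamp, then message); the regexes, the cycle model and the two sample logs are the editor's, and the samples are constructed subsets of the two runs above.

```python
"""Summarise --remote cycling from an OpenVPN client log.

Added example by the editor, not code from OpenVPN or from the post.
It assumes the log format shown in the post: a timestamp followed by the
message, e.g. "Sun Mar 27 20:46:26 2005 SIGUSR1[soft,ping-restart]
received, process restarting".
"""
import re
from datetime import datetime

# "Sun Mar 27 20:40:32 2005 <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
# Lines that reveal which --remote the current cycle is working on.
RESOLVE_RE = re.compile(r"RESOLVE: Cannot resolve host address: (\S+):")
LINK_RE = re.compile(r"UDPv4 link remote: (\S+)")
# Soft restart (SIGUSR1, reason in brackets) and hard exit.
RESTART_RE = re.compile(r"SIGUSR1\[\w+,([^\]]*)\] received, process restarting")
EXIT_RE = re.compile(r"SIG\w+\[\w+,[^\]]*\] received, process exiting")


def parse_ts(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def _close(cycles, cur, end, reason):
    cur["end"] = end
    cur["seconds"] = int((end - cur["start"]).total_seconds())
    cur["ended_by"] = reason
    cycles.append(cur)


def analyze(log_text):
    """One dict per connection cycle: remote tried, start/end timestamps,
    elapsed seconds and what ended it (the SIGUSR1 reason such as
    'ping-restart' or 'init_instance', 'exit', 'switch' when the remote
    changed without a restart line, or None when the log ends mid-cycle)."""
    cycles, cur, last_ts = [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped OpenVPN log line
        ts, msg = parse_ts(m.group(1)), m.group(2)
        last_ts = ts
        target = RESOLVE_RE.search(msg) or LINK_RE.search(msg)
        if target:
            if cur is not None and cur["remote"] != target.group(1):
                _close(cycles, cur, ts, "switch")
                cur = None
            if cur is None:
                cur = {"remote": target.group(1), "start": ts}
        elif cur is not None:
            restart = RESTART_RE.search(msg)
            if restart:
                _close(cycles, cur, ts, restart.group(1))
                cur = None
            elif EXIT_RE.search(msg):
                _close(cycles, cur, ts, "exit")
                cur = None
    if cur is not None:
        _close(cycles, cur, last_ts, None)
    return cycles


def transitions(cycles):
    """For each pair of consecutive cycles, report whether the client retried
    the same remote or advanced to another entry of the --remote list."""
    return [(a["remote"], b["remote"],
             "retried" if a["remote"] == b["remote"] else "advanced")
            for a, b in zip(cycles, cycles[1:])]


def summary(log_text):
    """(remote, seconds, ended_by) per cycle, for a quick check."""
    return [(c["remote"], c["seconds"], c["ended_by"]) for c in analyze(log_text)]


# Constructed sample logs: subsets of the two runs in the post.
RESOLVE_LOG = """\
Sun Mar 27 20:40:32 2005 OpenVPN 2.0_rc17 i586-suse-linux [SSL] [LZO] [EPOLL] built on Mar 13 2005
Sun Mar 27 20:40:32 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:32 2005 TUN/TAP device tap0 opened
Sun Mar 27 20:40:57 2005 RESOLVE: Cannot resolve host address: x1: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:40:57 2005 SIGUSR1[soft,init_instance] received, process restarting
Sun Mar 27 20:40:59 2005 RESOLVE: Cannot resolve host address: x2: [HOST_NOT_FOUND] The specified host is unknown.
Sun Mar 27 20:41:07 2005 RESOLVE: signal received during DNS resolution attempt
Sun Mar 27 20:41:07 2005 SIGINT[hard,init_instance] received, process exiting
"""
REFUSED_LOG = """\
Sun Mar 27 20:45:56 2005 UDPv4 link local (bound): [undef]:4000
Sun Mar 27 20:45:56 2005 UDPv4 link remote: 127.0.0.1:4001
Sun Mar 27 20:46:22 2005 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sun Mar 27 20:46:26 2005 Inactivity timeout (--ping-restart), restarting
Sun Mar 27 20:46:26 2005 SIGUSR1[soft,ping-restart] received, process restarting
Sun Mar 27 20:46:28 2005 UDPv4 link remote: 127.0.0.2:4001
Sun Mar 27 20:46:43 2005 event_wait : Interrupted system call (code=4)
Sun Mar 27 20:46:43 2005 SIGINT[hard,] received, process exiting
"""

if __name__ == "__main__":
    for name, log in (("unresolvable", RESOLVE_LOG), ("refused", REFUSED_LOG)):
        print(name, summary(log), transitions(analyze(log)))
```

On the two sample logs this reports x1 for 25 s ended by an init_instance restart, then x2 until the SIGINT, and 127.0.0.1:4001 for 30 s ended by ping-restart, then 127.0.0.2:4001; both transitions come out as "advanced". Running it over a log from a client that had already authenticated once would show a "retried" transition first if the rc12 behaviour described in the post is in effect.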