From: Jochen B. <Joc...@bi...> - 2024-04-03 11:26:00
On 03.04.24 11:31, Ralf Hildebrandt via Openvpn-users wrote:
> We're using DNS Round-robin-records with a TTL of 300s for our openvpn
> endpoint servers.
>
> Yet, clients seem to reconnect to the same IP, although the DNS entry
> has expired; the log usually shows something like:
>
> 2024-02-21 11:37:04 TCP/UDP: Preserving recently used remote address: [AF_INET]193.175.73.xxx:1194
>
> Yes, it makes perfect sense to re-use a known IP, especially in the
> VPN context (DNS settings might just be off while dropping out of the
> VPN etc.), but this does really clash with our intentionally low TTL -
> at least when we're removing one endpoint from the DNS for maintenance.

I shall assume that your question is "how do I tell the client *not* to
try sticking to the last IP used?". ;-)

I don't see such an option in the docs (for 2.6, to be precise), but let
me ask a question for clarification: Does your setup answer requests to
a now-disabled IP with some explicit denial (ICMP UNREACHABLE, RST,
whatever), in which case I'd be surprised if the client takes more than
a second or two to give up on the old server, or are we talking about
one or more minute-or-so timeout delays?

If the latter, would it be possible to extend your going-down-for-maintenance
routines so as to tell some firewall to generate such denial packets?

On 03.04.24 12:40, Marek Zarychta via Openvpn-users wrote:
> in your case setting "explicit-exit-notify 2" on the servers should
> solve the problem.

... as long as the VPNs are running in UDP mode, and the server goes
through an *orderly* shutdown ...

Kind regards,
-- 
Jochen Bern
Systems Engineer

Binect GmbH
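The clarifying question above (does a retired endpoint send an explicit denial, or does it just go silent?) can be answered from the client side with a small probe. The script below is an added example for this thread, not code from the posters or from the OpenVPN project, and the endpoints it probes are constructed localhost sockets standing in for the real servers; the labels, the "refused"/"silent" vocabulary and the 2-second deadline are assumptions of the example. It reports what the network actually hands back to a reconnecting client: a TCP RST or ICMP unreachable surfaces as a kernel error at once, whereas a black-holed packet only ends in a timeout. Note the UDP caveat it carries: an OpenVPN server that drops unauthenticated packets (tls-auth/tls-crypt) looks exactly like a black hole to a probe, so on UDP "silent" cannot distinguish "down and dropped" from "healthy".

```python
"""Probe how a retired OpenVPN endpoint answers a client's first packet.

Verdicts, as a reconnecting client experiences them:
  "refused"  - explicit denial came back (TCP RST, ICMP host/port
               unreachable), which the client can act on immediately;
  "silent"   - nothing came back before the deadline, so the client
               sits out its own timeout;
  "accepted" - TCP handshake completed;
  "answered" - a UDP datagram came back.
Caveat for UDP: a healthy server with tls-auth/tls-crypt drops our probe
silently, so "silent" on UDP means "black-holed OR healthy", not "down".
"""
import errno
import socket

# Errors the kernel raises when the far side (or a firewall in front of
# it) sent an explicit denial: RST -> ECONNREFUSED, ICMP host unreachable
# -> EHOSTUNREACH, ICMP port unreachable on a connected UDP socket
# -> ECONNREFUSED.
_DENIAL_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH}


def probe_tcp(host, port, timeout=2.0):
    """A RST fails connect() at once; a dropped SYN runs into the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "accepted"
        except socket.timeout:
            return "silent"
        except OSError as e:
            if e.errno in _DENIAL_ERRNOS:
                return "refused"
            raise


def probe_udp(host, port, timeout=2.0, payload=b"\x00"):
    """Send one datagram and wait; ICMP errors for the peer are delivered
    as an exception on the next send/recv because the socket is connected."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1)
            return "answered"
        except socket.timeout:
            return "silent"
        except OSError as e:
            if e.errno in _DENIAL_ERRNOS:
                return "refused"
            raise


def probe(proto, host, port, timeout=2.0):
    """Dispatch on the proto word as used in an OpenVPN 'remote' line."""
    if proto == "tcp":
        return probe_tcp(host, port, timeout)
    if proto == "udp":
        return probe_udp(host, port, timeout)
    raise ValueError("proto must be 'tcp' or 'udp'")


def _closed_local_port(kind):
    """Reserve and release an ephemeral port so it is (almost surely) closed."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout=2.0):
    """Probe constructed localhost endpoints (not the servers from the
    thread) and return {label: verdict}."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    live_port = listener.getsockname()[1]
    try:
        return {
            "tcp-listening": probe("tcp", "127.0.0.1", live_port, timeout),
            "tcp-closed": probe("tcp", "127.0.0.1",
                                _closed_local_port(socket.SOCK_STREAM), timeout),
            "udp-closed": probe("udp", "127.0.0.1",
                                _closed_local_port(socket.SOCK_DGRAM), timeout),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14s} {verdict}")
```

Against a real endpoint, call probe("udp", host, 1194) or probe("tcp", host, 1194) from a client network both before and after the address is pulled from DNS for maintenance; the outcome an operator wants for a retired address is "refused" on both protocols, which is what a firewall reject rule (rather than a drop rule) in front of the stopped daemon produces.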