
I have the config in /etc/openvpn/server.conf.

Most of the time I update routing.

In the init script there's no case for reload. `service openvpn restart` just stops and then starts the process, which obviously will kick everybody off (but I don't want that).

Valerio Bozzolan
Carl
  • Will it kick everybody off? Not sure that is true. – dmourati Jan 16 '16 at 05:21
  • dmourati, you can try. Once you reload the connections will be terminated immediately from server end. – Carl Jan 18 '16 at 01:43
  • From the OpenVPN manual page: `SIGHUP Cause OpenVPN to close all TUN/TAP and network connections, restart, re-read the configuration file (if any), and reopen TUN/TAP and network connections.` – FlogFR Sep 12 '17 at 07:04
  • Did you ever get this figured out? – emmdee Apr 23 '18 at 23:25

3 Answers


If you need to immediately propagate new routes to the connected clients, you have to kick everybody off and let them reconnect, as routes are pushed only after connection establishment.

shodanshok
  • Updating routing is just one scenario, and it does not need to push new routes to everyone immediately; it can happen when clients reconnect next time, but the server needs to load the new configuration. – Carl Jan 18 '16 at 01:44
  • Doesn't really answer the question. – erik258 Jan 09 '20 at 22:25
  • *had* instead of *have*, meaning past tense and now you can? – Law29 Sep 17 '21 at 10:36

I happened to see this question and realized I have a variant of the solution.

Use scripts. Routes can be specified not in the config file but built dynamically using a client-connect script. So if you update the script and connect a new client, it will get the updated set of routes.

This way I manage a quite large VPN server. In particular, I use Python and group the route sets it gives out to different users, which turned out to be convenient (I defined some "templates" as lists and assign several templates to a user by joining the lists with just +).

Nikita Kipriyanov
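As an added example of the client-connect approach described in this answer (this is not Nikita's script and not OpenVPN project code): a Python script that builds each client's route set from named templates. The template names, the user-to-template mapping and the address ranges are constructed for illustration. OpenVPN's real interface is used: with `script-security 2` and `client-connect /etc/openvpn/client-connect.py` in `server.conf`, the server runs the script with one argument, the path of a temporary file, and appends whatever the script writes there to that client's configuration; the client certificate's CN (already verified by the server) is exported as the `common_name` environment variable.

```python
#!/usr/bin/env python3
"""OpenVPN client-connect script that pushes routes built from templates.

Added example, not the answer author's own script. The template names,
the user -> template mapping and the address ranges below are constructed.

Wire it into server.conf with:
    script-security 2
    client-connect /etc/openvpn/client-connect.py
OpenVPN calls the script with one argument: the path of a temporary file
whose contents are appended to the connecting client's configuration.
The client's certificate CN is available in the environment as common_name.
"""
import os
import sys

# Constructed route "templates": each is a list of (network, netmask) tuples.
TEMPLATES = {
    "office":   [("10.10.0.0", "255.255.0.0")],
    "dmz":      [("192.168.50.0", "255.255.255.0"), ("192.168.51.0", "255.255.255.0")],
    "printers": [("10.20.5.0", "255.255.255.0")],
}

# Constructed mapping from certificate common name to template names.
# Editing this table (or TEMPLATES) changes what the *next* connecting
# client receives, with no server restart and no disconnection of others.
USER_TEMPLATES = {
    "alice": ["office", "dmz"],
    "bob":   ["office", "printers"],
}

# Users with no entry get only this fallback set.
DEFAULT_TEMPLATES = ["office"]


def routes_for(common_name):
    """Return the combined route list for a user by concatenating templates."""
    names = USER_TEMPLATES.get(common_name, DEFAULT_TEMPLATES)
    routes = []
    for name in names:
        routes = routes + TEMPLATES[name]  # join the lists with plain +
    # Drop duplicates while keeping order, in case two templates overlap.
    seen = set()
    return [r for r in routes if not (r in seen or seen.add(r))]


def push_lines(common_name):
    """Render the routes as OpenVPN 'push "route ..."' directives."""
    return ['push "route %s %s"' % (net, mask) for net, mask in routes_for(common_name)]


def write_client_config(path, common_name):
    """Write the per-client directives to the file OpenVPN hands us."""
    lines = push_lines(common_name)
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    if len(sys.argv) != 2 or "common_name" not in os.environ:
        sys.stderr.write("usage: run by OpenVPN as a client-connect script\n")
        sys.exit(1)  # a non-zero exit makes OpenVPN refuse the connection
    write_client_config(sys.argv[1], os.environ["common_name"])
```

The script must be executable by the user OpenVPN runs as, and it only affects clients connecting after the edit, so already-connected clients keep their old routes until they reconnect, which is exactly the trade-off the other answers describe. Keying the lookup on `common_name` rather than on anything the client sends in-band means the route set is tied to the certificate the server has already validated.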

As noted elsewhere, you sort of have to kick people off and make them reconnect (so that they pick up the config change you're making).

However, this presents issues, especially when using multi-factor (time based) authentication. Clearly, when they reconnect, they won't be able to use the same MFA code, so will have to re-enter it (which isn't always a nice experience in the VPN client).

OpenVPN AS solves this problem quite neatly, as it seems to let users re-authenticate without needing the MFA. The connection underneath does seem to completely close and reopen to do this, so I assume there's some server "magic" to allow recently disconnected people to reconnect.

If I had to guess, the server tracks who is connected at the time the process is restarted. It then allows those users to reconnect without needing authentication (just relying on the client certificate, which is unique for each user on the AS product). I'd also guess it only allows reconnecting without authentication for maybe a few seconds after disconnect because on occasion it asks for username/password/MFA after a restart, even though most times it doesn't. None of this is present in the community edition though.

Ralph Bolton