On Wed, Oct 21, 2015 at 08:30:52PM +0200, Patrick Uiterwijk wrote: > Hi all, > > Can I please get +1's for the below configuration patch? > Reasoning is in the commit message. > > This should solve the issues we have where RHEL7 machines don't come > back onto the VPN automatically in some specific non-rare cases. +1 for me as well Pierre > commit b1db3bafd8bfde6fac9cc8c7fc3a5bedd39a1483 > Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> > Date: Wed Oct 21 18:26:32 2015 +0000 > > Disable persist-tun for openvpn > > This should solve the issue where RHEL7 machines that get a network > hiccup need an OpenVPN restart to restore their routes. > > The code is broken in the current upstream OpenVPN release, such that > it does tear down some of the routes during a ping-restart (when the > connection is dropped due to network hiccups), but the reconnection > code does not restore the routes. > I am working on an upstream patch to fix this, but in the meantime > disabling persist-tun will make sure that OpenVPN does the entire > initialization upon reconnection, which makes sure that all routes > are created. > > Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> > > diff --git a/files/openvpn/client.conf b/files/openvpn/client.conf > index d274e72..abb5d03 100644 > --- a/files/openvpn/client.conf > +++ b/files/openvpn/client.conf > @@ -13,7 +13,6 @@ resolv-retry infinite > nobind > > persist-key > -persist-tun > > ca ca.crt > cert client.crt > diff --git a/roles/openvpn/client/files/client.conf b/roles/openvpn/client/files/client.conf > index d274e72..abb5d03 100644 > --- a/roles/openvpn/client/files/client.conf > +++ b/roles/openvpn/client/files/client.conf > @@ -13,7 +13,6 @@ resolv-retry infinite > nobind > > persist-key > -persist-tun > > ca ca.crt > cert client.crt > diff --git a/roles/openvpn/server/files/server.conf b/roles/openvpn/server/files/server.conf > index c824b12..3ba8fab 100644 > --- a/roles/openvpn/server/files/server.conf 
> +++ b/roles/openvpn/server/files/server.conf > @@ -6,7 +6,6 @@ comp-lzo > > ping-timer-rem > > -persist-tun > persist-key > > ca ca.crt > > > > -- > With kind regards, > Patrick Uiterwijk > Fedora Infra > _______________________________________________ > infrastructure mailing list > infrastructure@xxxxxxxxxxxxxxxxxxxxxxx > http://lists.fedoraproject.org/admin/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx >
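Review bot: the removal of `persist-tun` in files/openvpn/client.conf leaves no trace in the file of why the option is gone. The commit message describes this as an interim measure until an upstream fix lands, so a comment next to `persist-key` would help. It should say that persist-tun is disabled on purpose as a workaround for routes not being restored after a ping-restart. That keeps someone from adding the option back by habit and marks the line to restore once the fix ships.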
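Review bot: roles/openvpn/client/files/client.conf receives the identical change with the same index line (`d274e72..abb5d03`) as files/openvpn/client.conf, so two byte-identical copies of the client config are being edited by hand. Please note in the commit message which copy the clients actually deploy, or drop one of the two, so that a later edit cannot leave them out of step.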
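Review bot: the server.conf hunk drops `persist-tun` on the server as well, but the commit message only describes clients (RHEL7 machines that need an OpenVPN restart after a network hiccup) failing to restore routes on reconnection. Please state in the commit message why the server side needs the same change. Without persist-tun the daemon closes and reopens its tun device across a SIGUSR1 or ping-restart restart, which is a wider behaviour change on the server than on a single client. If server.conf drops privileges with user/group (not visible in this context), it is also worth confirming that the device can still be reopened after the drop.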