CONNECTION PROFILES
===================
Client configuration files may contain multiple remote servers, which
the client will attempt to connect to in turn. Some configuration
options, however, apply only to a specific ``--remote`` entry. For these
use cases, connection profiles are the solution.

By encapsulating the ``--remote`` option and related options within
``<connection>`` and ``</connection>``, these options are handled as a
group.

An OpenVPN client will try each connection profile sequentially until it
achieves a successful connection.

``--remote-random`` can be used to initially "scramble" the connection
list.

Here is an example of connection profile usage::

   client
   dev tun

   <connection>
   remote 198.19.34.56 1194 udp
   </connection>

   <connection>
   remote 198.19.34.56 443 tcp
   </connection>

   <connection>
   remote 198.19.34.56 443 tcp
   http-proxy 192.168.0.8 8080
   </connection>

   <connection>
   remote 198.19.36.99 443 tcp
   http-proxy 192.168.0.8 8080
   </connection>

   persist-key
   persist-tun
   pkcs12 client.p12
   remote-cert-tls server
   verb 3

First we try to connect to a server at 198.19.34.56:1194 using UDP. If
that fails, we then try to connect to 198.19.34.56:443 using TCP. If
that also fails, then try connecting through an HTTP proxy at
192.168.0.8:8080 to 198.19.34.56:443 using TCP. Finally, try to connect
through the same proxy to a server at 198.19.36.99:443 using TCP.

The following OpenVPN options may be used inside a ``<connection>``
block:

``bind``, ``connect-retry``, ``connect-retry-max``, ``connect-timeout``,
``explicit-exit-notify``, ``float``, ``fragment``, ``http-proxy``,
``http-proxy-option``, ``key-direction``, ``link-mtu``, ``local``,
``lport``, ``mssfix``, ``mtu-disc``, ``nobind``, ``port``, ``proto``,
``remote``, ``rport``, ``socks-proxy``, ``tls-auth``, ``tls-crypt``,
``tun-mtu`` and ``tun-mtu-extra``.

A defaulting mechanism exists for specifying options to apply to all
``<connection>`` profiles. If any of the above options (with the
exception of ``remote``) appear outside of a ``<connection>`` block,
but in a configuration file which has one or more ``<connection>``
blocks, the option setting will be used as a default for
``<connection>`` blocks which follow it in the configuration file.

For example, suppose the ``nobind`` option were placed in the sample
configuration file above, near the top of the file, before the first
``<connection>`` block. The effect would be as if ``nobind`` were
declared in all ``<connection>`` blocks below it.
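
Because a default only reaches the blocks that follow it, its position in the file decides which profiles it covers. The sketch below is an added example, not OpenVPN's own parser: it applies the rule as stated above to a constructed config and reports profiles that end up with neither ``tls-auth`` nor ``tls-crypt``. The names ``resolve_profiles``, ``unwrapped`` and ``SAMPLE``, the ``ta.key`` file name, and the assumption that a setting inside a block overrides a default are all illustrative.

```python
# Options the page lists as allowed inside <connection>; "remote" is never a default.
PROFILE_OPTS = {
    "bind", "connect-retry", "connect-retry-max", "connect-timeout",
    "explicit-exit-notify", "float", "fragment", "http-proxy",
    "http-proxy-option", "key-direction", "link-mtu", "local", "lport",
    "mssfix", "mtu-disc", "nobind", "port", "proto", "remote", "rport",
    "socks-proxy", "tls-auth", "tls-crypt", "tun-mtu", "tun-mtu-extra",
}

def resolve_profiles(config_text):
    """Return one dict per <connection> block, in file order, defaults applied."""
    defaults, profiles, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line == "<connection>":
            current = dict(defaults)           # snapshot of the defaults seen so far
        elif line == "</connection>":
            profiles.append(current)
            current = None
        else:
            name, *rest = line.split(None, 1)
            name, args = name.lstrip("-"), (rest[0].strip() if rest else "")
            if name not in PROFILE_OPTS:
                continue                       # global option such as "dev" or "verb"
            if current is not None:
                current[name] = args           # assumption: block setting beats default
            elif name != "remote":
                defaults[name] = args          # applies only to blocks that follow
    return profiles

def unwrapped(profiles):
    """Indexes of profiles that carry neither tls-auth nor tls-crypt."""
    return [i for i, p in enumerate(profiles)
            if not p.keys() & {"tls-auth", "tls-crypt"}]

# Constructed sample: nobind precedes every block, tls-crypt follows the first one.
SAMPLE = """\
client
nobind
<connection>
remote 198.19.34.56 1194 udp
</connection>
tls-crypt ta.key
<connection>
remote 198.19.34.56 443 tcp
http-proxy 192.168.0.8 8080
</connection>
"""

if __name__ == "__main__":
    for i, p in enumerate(resolve_profiles(SAMPLE)):
        print(i, p)
    print("no tls-auth/tls-crypt:", unwrapped(resolve_profiles(SAMPLE)))
```

Other inline blocks such as ``<ca>`` are not handled by this sketch.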