Lessons Learned
I thought I'd share a couple discoveries we've made this week during the rollout of OpenVPN.
First, we started wondering how we would ever migrate the OpenVPN Server to a different provider. Bottom Line: As configured, you can't because, unlike NeoRouter, the server IP address gets pushed out in every client config. So, if the server IP address changes, every client config has to be modified and reinstalled. This is quite different than NeoRouter where the client simply logs in to a different IP address after cloning the NeoRouter Server to a different platform. We will be adjusting the tutorial to strongly recommend that folks set up their server with an FQDN instead of an IP address. While the install script prompts for an IP address, it will accept an FQDN without balking. If an FQDN is entered, the OpenVPN server script then generates clients with the FQDN instead of the server IP address. Still not quite sure how to clone the OpenVPN server setup, but we'll continue to work on that.
Second, we never intended to route all client network traffic through the OpenVPN server. We found a workaround for non-VPN traffic by tweaking the install script for client generation with the addition of
pull-filter ignore "redirect-gateway". Unfortunately, an iOS bug ignores this command on iPhones and iPads. A better solution which also works with iOS is to remove the redirect-gateway commands from the server itself BEFORE the script is first run:
Code:
sed -i "s|\techo 'push \"redirect-gateway|#\techo 'push \"redirect-gateway|" /root/openvpn-install.sh
sed -i "s|push \"redirect-gateway|#push \"redirect-gateway|" /root/openvpn-install.sh
If you've already installed the server, then you can remove the
redirect-gateway line from the
/etc/openvpn/server.conf file and restart your server:
Then the
pull-filter command can be removed from
/etc/openvpn/client-template.txt and all of your previously generated
.ovpn configs as well.