Multiple VPN servers in OpenVPN?

odragon

Dabbler
Joined
Nov 9, 2016
Messages
28
Hello all. I wanted to see if anyone knows or has tried to list multiple vpn servers in the openvpn.conf file of their openvpn clients? I have a transmission plugin with openvpn and ipfw running in the jail and it's working great. The only thing I wish I could do is list multiple vpn servers to attempt to connect to in the event the server I initially chose is down so I won't have any interruptions with downloads. I'm using FreeNAS 11.1-U4 with the latest openvpn/transmission versions (just installed all this today) and I'm connecting to IPVanish for VPN services.
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,477
I don't know why you're asking, because it seems like you already know: list the multiple servers in the order you want it to connect to them if the previous one fails or drops.

An example I have running on a raspberry pi and the corresponding .ovpn file:
Code:
client
dev tun
proto udp
script-security 2
remote chi.central.usa.torguardvpnaccess.com 1912
remote ny.east.usa.torguardvpnaccess.com 1912
remote la.west.usa.torguardvpnaccess.com 1912
remote lon.uk.torguardvpnaccess.com 1912
resolv-retry infinite
##continued code here##
 

odragon

Dabbler
Joined
Nov 9, 2016
Messages
28
> I don't know why you're asking

Well since I am using IPVanish, my config file looks a little different

Code:
client
dev tun
proto udp
remote iad-a01.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
verify-x509-name iad-a01.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA


Is it safe to assume that I can simply add more "remote iad-a01.ipvanish.com 443" lines for other servers here? Hence the question.
 

amiskell

Patron
Joined
Jun 25, 2015
Messages
266
You'll probably need to drop the verify-x509-name line as well, otherwise it'll fail with other VPN servers because its certificate name won't match what's listed (verify-x509-name makes sure that you talk to only the server which presents a valid certificate with that name inside to prevent you from talking to potentially untrusted machines).
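
An added example, not written by anyone in this thread: a small Python check for the interaction described above, where extra `remote` lines collide with a `verify-x509-name ... name` pin. It assumes, as odragon's config suggests, that each server's certificate CN equals its hostname, and the sample hostnames are constructed placeholders. It goes slightly beyond the thread by also handling the `name-prefix` match type, which lets one pin cover several servers that share a CN prefix instead of removing the check.

```python
# Added example: lint an OpenVPN client config for remote / verify-x509-name mismatch.
# Assumption: each server's certificate CN equals the hostname on its `remote` line.

def directives(text):
    """Yield (name, args) for each non-comment line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            yield name.lstrip("-"), args

def audit(text):
    """Return findings about failover remotes and certificate name checks."""
    conf = list(directives(text))
    remotes = [a[0] for n, a in conf if n == "remote" and a]
    pins = [a for n, a in conf if n == "verify-x509-name" and a]
    findings = []
    if len(remotes) < 2:
        findings.append("single-remote: no fallback server listed")
    if not pins:
        findings.append("no-name-check: any certificate issued by the CA is accepted")
    for pin in pins:
        # "subject" is the match type OpenVPN uses when none is given.
        value, kind = pin[0], pin[1] if len(pin) > 1 else "subject"
        if kind == "name":
            missed = [r for r in remotes if r != value]
        elif kind == "name-prefix":
            missed = [r for r in remotes if not r.startswith(value)]
        else:
            missed = []  # a full subject DN cannot be compared with hostnames here
        findings += [f"pin-mismatch: {r} will fail verify-x509-name {value} {kind}"
                     for r in missed]
    return findings

# Constructed sample configs (hostnames are placeholders, not real servers).
PINNED_ONE = """client
remote vpn-a01.example.net 443
remote vpn-a02.example.net 443
verify-x509-name vpn-a01.example.net name
"""
PIN_DROPPED = PINNED_ONE.replace("verify-x509-name vpn-a01.example.net name\n", "")
PREFIX_PIN = PINNED_ONE.replace("vpn-a01.example.net name", "vpn-a name-prefix")

if __name__ == "__main__":
    for label, cfg in [("pinned", PINNED_ONE), ("dropped", PIN_DROPPED), ("prefix", PREFIX_PIN)]:
        print(label, audit(cfg) or "ok")
```
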
 

odragon

Dabbler
Joined
Nov 9, 2016
Messages
28
Ah that makes sense thank you! I will give that a try then :)
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,477
From my understanding in specifying backup servers, it really doesn't matter what specific VPN provider you are using (beyond any specific configuration options your VPN provider requires). Just add the other servers to mimic mine (ignore other options or change ones when appropriate) and try.

I don't see any harm in it. Do a test to see if it falls back properly.
 

saviodesign

Dabbler
Joined
Apr 7, 2017
Messages
21
@odragon

I don't believe creating multiple jails will solve your issue. I've experienced this in the past when creating a VPN within my Warden Jail, and the settings do NOT play nice. Random failure could still occur regardless of which host it picked up.
This was most likely due to a lack of "keep alive" packets being sent by the OpenVPN server or being answered by the VPN Host.

Note: I haven't moved this service over to iocage yet since OpenVPN is still a bit unstable on it, but I would assume the steps would be similar once established.

To resolve this I simply created a Cron Job which restarts the VPN hourly to prevent this (drops occurred every 2 - 5 hrs on avg for me).

To do this log in to your FreeNAS host from the Web GUI, and head to: Shell

Find the hostname of your jail: jls
[root@frenashost ~]# jls
JID  IP Address  Hostname      Path
1                transmission  /mnt/container/transmission
2                plex          /mnt/iocage/jails/plex/root

Next head to: Tasks > Cron Jobs and set up your Cron job using the following parameters:

- Description: Force Open VPN service to restart every (1) Hours to prevent shutdown from re-occurring
- Command: jexec jailhostname service openvpn onestart
- Run As User: root

Note: Never use the Jail ID # (JID), as the JID will change if you restart the jail or reboot the NAS Host itself.
 