We can switch to the TCP protocol and add a few flags to make our connections more stable. TCP gets through firewalls and NATs that drop or silently time out UDP; the price is throughput under packet loss, because TCP streams carried inside the tunnel and the tunnel's own TCP connection both retransmit. So stay on UDP where it works and use TCP where reliability through a restrictive network matters more than speed.

Server

Flags:

  • keepalive <time 1> <time 2>: Send a ping if nothing has been sent for <time 1> seconds, and restart the connection if nothing has been received for <time 2> seconds. It is shorthand for ping/ping-restart: in server mode OpenVPN applies ping <time 1> and ping-restart 2 * <time 2> locally and pushes ping <time 1> / ping-restart <time 2> to the clients, so a client notices a dead link and reconnects before the server drops it. With keepalive 60 300 below, a client reconnects after 300 seconds of silence and the server gives up on that client after 600 seconds.

/etc/openvpn/proxy-multiclient.conf:
------------------------------------
# Server
mode server
tls-server

# Networking
port 1194               <---
proto tcp               <---
dev tun
topology subnet
server 10.200.0.0 255.255.255.0
keepalive 60 300        <---

# CA
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/proxy.tnfxhosting.com.crt
key /etc/openvpn/server/proxy.tnfxhosting.com.key
dh /etc/openvpn/server/dh2048.pem

# Client
client-config-dir /etc/openvpn/ccd

# Allow different clients to see each other
client-to-client

# Extra security: HMAC-sign every control-channel packet with a shared
# static key, so packets without a valid HMAC are dropped before the TLS
# handshake starts (mitigates DoS, port flooding and exposure of the TLS
# stack to unauthenticated peers). Direction 0 here, 1 on the clients.
tls-auth /etc/openvpn/server/ta.key 0

# Cipher (OpenVPN 2.3: the cipher is not negotiated, so the client must
# set the same value; 2.4+ clients negotiate AES-GCM with the server
# through NCP and this line is only used for clients without NCP)
cipher AES-128-CBC

# Logging
log /var/log/openvpn-multiclient.log

Client

Flags:

  • persist-key: Do not re-read the key files when the connection restarts (SIGUSR1 or ping-restart). Required if the daemon drops privileges with user/group, because after that it can no longer open the key files.
  • persist-tun: Do not close and reopen the tun device (and tear down its routes) when the connection restarts; the same device is reused across the reconnect, which also needs no privileges.

/etc/openvpn/<user>.ovpn:
-------------------------
# Client
client

# Server
remote <server IP address> 1194 tcp         <---
# Require the server's certificate to carry the TLS server extended key
# usage, so a (stolen) client certificate from the same CA cannot pose as
# the server
remote-cert-tls server

# Networking
dev tun
persist-key                                 <---
persist-tun                                 <---

# CA
<ca>
# Contents from /etc/openvpn/client/ca.crt
</ca>

<cert>
# Contents from /etc/openvpn/client/desktop.dcere.com.crt
</cert>

<key>
# Contents from /etc/openvpn/client/desktop.dcere.com.key
</key>

# Extra security: same static HMAC key as the server (direction 1 here,
# 0 on the server); control packets without a valid HMAC are dropped
# before the TLS handshake
key-direction 1
<tls-auth>
# Contents from /etc/openvpn/ca/keys/ta.key
</tls-auth>
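As an added example (not code from the original page), a POSIX shell script that assembles this single-file profile from the separate PEM files, so the "Contents from ..." placeholders above do not have to be pasted by hand. The server address, file paths, output name and the check_ovpn helper are assumptions for the example; the inputs are only verified by their PEM and static-key headers, not parsed.

```shell
#!/bin/sh
# Added example, not code from the original page: build the single-file
# client profile shown above by inlining ca.crt, the client cert/key and
# ta.key, so only one file has to be delivered to the client. Every path,
# name and address used here is an assumption for the example.
set -eu

# build_ovpn <server> <ca.crt> <client.crt> <client.key> <ta.key> <out.ovpn>
build_ovpn() {
    server="$1" ca="$2" cert="$3" key="$4" ta="$5" out="$6"
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    # The profile carries the private key and the tls-auth key, so create it
    # readable by the owner only. 'awk 1' copies a file and guarantees a
    # trailing newline, so a closing tag never lands on the same line as
    # the last PEM line.
    (
        umask 077
        {
            printf '%s\n' '# Client' 'client' ''
            printf '%s\n' '# Server' "remote $server 1194 tcp" 'remote-cert-tls server' ''
            printf '%s\n' '# Networking' 'dev tun' 'persist-key' 'persist-tun' ''
            printf '%s\n' '# CA' '<ca>';   awk 1 "$ca";   printf '%s\n' '</ca>' ''
            printf '%s\n' '<cert>';        awk 1 "$cert"; printf '%s\n' '</cert>' ''
            printf '%s\n' '<key>';         awk 1 "$key";  printf '%s\n' '</key>' ''
            printf '%s\n' '# Extra security: tls-auth, the server uses direction 0' \
                          'key-direction 1' '<tls-auth>'
            awk 1 "$ta"
            printf '%s\n' '</tls-auth>'
        } > "$out"
    )
}

# check_ovpn <profile>: returns 0 if every inline block is present with the
# expected PEM/static-key header and key-direction is 1, else 1. Run it
# before handing the file out; it catches an empty or swapped input early.
check_ovpn() {
    f="$1"
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$f" && grep -q "^</$tag>\$" "$f" \
            || { echo "check_ovpn: <$tag> block missing in $f" >&2; return 1; }
    done
    grep -q '^key-direction 1$' "$f" \
        || { echo "check_ovpn: key-direction 1 missing" >&2; return 1; }
    [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -ge 2 ] \
        || { echo "check_ovpn: expected CA and client certificates" >&2; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$f" \
        || { echo "check_ovpn: private key missing" >&2; return 1; }
    grep -q 'BEGIN OpenVPN Static key' "$f" \
        || { echo "check_ovpn: ta.key missing" >&2; return 1; }
}
```

Usage: build_ovpn <server IP address> ca.crt desktop.dcere.com.crt desktop.dcere.com.key ta.key desktop.ovpn, then check_ovpn desktop.ovpn. The profile is created with mode 0600 because it now contains the private key and ta.key, and it should be copied to the client over an authenticated channel and deleted from the build host afterwards.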