How to Reload OpenVPN Server Configuration Without Dropping Active Connections



When administering an OpenVPN server, you often need to update routing tables or make other configuration changes in /etc/openvpn/server.conf. The standard service openvpn restart approach terminates all active VPN connections, which is unacceptable in production environments.

OpenVPN supports live configuration reloading through process signals:

# Find the OpenVPN process ID
pid=$(pidof openvpn)

# Send SIGHUP for config reload
sudo kill -SIGHUP $pid

This method maintains existing connections while applying:

  • Updated routing directives
  • Changed TLS parameters
  • Modified push routes

Confirm the reload in the system logs:

sudo grep "SIGHUP" /var/log/syslog

Or query the management interface (if enabled):

echo "status 2" | nc -U /var/run/openvpn.server.sock

For frequent configuration changes, implement an inotify watcher:

#!/bin/bash
# Watch server.conf and send SIGHUP to OpenVPN each time the file is modified
inotifywait -m -e modify /etc/openvpn/server.conf |
while read -r _; do
  kill -SIGHUP $(pidof openvpn)
  logger "OpenVPN config reloaded via inotify"
done
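
A hardened variant of the watcher above, as an added example that is not part of the original page: it signals OpenVPN only if server.conf is owned by root and not writable by group or others, because the config can name scripts that OpenVPN executes. The function names are hypothetical, and GNU stat, pidof -s and inotify-tools are assumed.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical;
# assumes GNU stat, pidof -s and inotify-tools.
CONF=/etc/openvpn/server.conf

# Succeed only if $1 is a regular file (not a symlink), owned by uid $2,
# and not writable by group or others.
config_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$2" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    # Octal bits 020 (group-write) and 002 (other-write) must both be clear.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Send SIGHUP to pid $3 only when config $1 passes the checks for owner uid $2.
reload_if_safe() {
    if config_is_safe "$1" "$2"; then
        kill -HUP "$3" && echo "SIGHUP sent to OpenVPN pid $3" >&2
    else
        echo "refusing reload: $1 has unsafe owner or mode" >&2
        return 1
    fi
}

# Run with --watch to start the watcher. The directory is watched rather than
# the file, so a save that renames a new file into place is still seen.
if [ "${1:-}" = "--watch" ]; then
    inotifywait -m -q -e close_write -e moved_to --format '%f' "$(dirname "$CONF")" |
    while read -r name; do
        [ "$name" = "$(basename "$CONF")" ] || continue
        pid=$(pidof -s openvpn) || continue
        reload_if_safe "$CONF" 0 "$pid"
    done
fi
```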

Note that SIGHUP won't affect:

  • Changed listening ports
  • Changed transport protocol (from udp to tcp)
  • Certificate/CRL updates (requires full restart)

For more control, enable the management interface in server.conf:

management 127.0.0.1 7505 /etc/openvpn/management.password

Then send reload commands programmatically (replace management_password with the password stored in that file):

printf 'management_password\nsignal SIGHUP\n' | nc 127.0.0.1 7505

When managing an OpenVPN server, administrators often need to update routing rules or modify configurations in /etc/openvpn/server.conf. The standard service openvpn restart command completely stops and restarts the service, terminating all active VPN connections. This creates unnecessary disruption for users.

OpenVPN supports configuration reloading through the SIGHUP signal. This allows the service to:

  • Re-read the configuration file
  • Update routing tables
  • Maintain existing connections

To implement this:

# Find the OpenVPN process ID
PID=$(pgrep openvpn)

# Send SIGHUP to reload configuration
sudo kill -SIGHUP $PID

For frequent configuration changes, create a reload script:

#!/bin/bash
# /usr/local/bin/reload-openvpn

PID=$(pgrep -f "openvpn /etc/openvpn/server.conf")
if [ -z "$PID" ]; then
    echo "OpenVPN process not found"
    exit 1
fi

sudo kill -SIGHUP $PID
echo "OpenVPN configuration reloaded"

Check the OpenVPN log to confirm successful reload:

sudo tail -f /var/log/openvpn.log | grep SIGHUP

You should see entries like:

MANAGEMENT: CMD 'signal SIGHUP'
OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/client1

Note that SIGHUP won't apply all configuration changes:

  • Port changes require full restart
  • Protocol changes (TCP/UDP) require restart
  • Certificate authority changes may need restart

For routing updates specifically, SIGHUP works perfectly as it triggers OpenVPN to re-read all route directives from the configuration file.