
According to the OpenVPN 2 Cookbook:

The persist-tun and persist-key options are used to ensure that the connection comes back up automatically if the underlying network is disrupted. These options are necessary when using user nobody and group nobody (or group nogroup).

What does this mean in practice?

On the server side there is a tun0 device. The OpenVPN process runs as nobody and nogroup. So far it's okay. But what exactly does the persist-tun option do? Whether or not I connect, the same tun0 device is still there.

From another question:

Get rid of the persist-tun option. Without that option, when the VPN link goes down, the tun device will close and be removed. The problem of course is that removing that option means that you need to run your VPN daemon as root instead of nobody, because as the nobody account OpenVPN will not be able to create a new tun device when the connection is re-established.

After removing the persist-tun option the tun device is still there without a connected client.

Could somebody please explain in detail the process in which the persist-tun, persist-key, user nobody, group nogroup and keepalive options are involved?

tenjohn

2 Answers


There can be 3 reasons for using persist-tun:

1- You need root permissions to be able to manage interfaces. If OpenVPN changes to nobody/nogroup it can't add/remove interfaces. Therefore it is necessary to persist the tun interface.

2- If the tun interface is removed, you would lose the route pointing to it. This would mean that your traffic would flow unencrypted through the default route. Probably something that you do not want to happen.

3- If the interface is not removed (persists), then the up/down scripts are not executed. The manual says:

--persist-tun Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.

Something similar is also explained in the 2.4 manual for persist-key:

--persist-key Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re-read protected key files.

This option solves the problem by persisting keys across SIGUSR1 resets, so they don’t need to be re-read.

yurtesen
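As an added illustration of the interplay this answer describes (example code, not from the answer or from the OpenVPN project), a small POSIX shell check that flags a server config which drops privileges with user/group and can be restarted by keepalive or ping-restart but lacks persist-key or persist-tun. The two sample configs are constructed here; the option names are the ones from the manual quoted above.

```shell
#!/bin/sh
# Added example (not from the question or the answers): lint an OpenVPN
# config for the interplay discussed above. If the daemon drops privileges
# (user/group) and keepalive/ping-restart can trigger a SIGUSR1 restart,
# persist-key and persist-tun must be present; otherwise the restarted
# process can neither re-read its key files nor re-create the tun device.

# has_opt FILE OPTION: succeed if OPTION is a directive in FILE (first word,
# optional leading "--"; lines starting with # or ; are comments).
has_opt() {
    awk -v opt="$2" '
        /^[[:space:]]*[#;]/ || NF == 0 { next }   # comments and blank lines
        { name = $1; sub(/^--/, "", name) }
        name == opt { found = 1; exit }
        END { exit !found }' "$1"
}

# check_persist FILE: print one WARN line per missing persist option and
# return the number of warnings (0 means the config is consistent).
check_persist() {
    conf=$1; warnings=0; drops_priv=0; restarts=0
    has_opt "$conf" user  && drops_priv=1
    has_opt "$conf" group && drops_priv=1
    has_opt "$conf" keepalive    && restarts=1   # keepalive implies ping-restart
    has_opt "$conf" ping-restart && restarts=1
    if [ "$drops_priv" -eq 1 ] && [ "$restarts" -eq 1 ]; then
        has_opt "$conf" persist-key || {
            echo "WARN: $conf drops privileges without persist-key; keys cannot be re-read on restart"
            warnings=$((warnings + 1)); }
        has_opt "$conf" persist-tun || {
            echo "WARN: $conf drops privileges without persist-tun; tun device cannot be re-created as nobody"
            warnings=$((warnings + 1)); }
    fi
    return "$warnings"
}

# Constructed sample configs (not real deployments), written to temp files.
BAD_CONF=$(mktemp) && printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
    'user nobody' 'group nogroup' 'keepalive 10 120' \
    '# persist-key and persist-tun deliberately omitted' > "$BAD_CONF"
GOOD_CONF=$(mktemp) && printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
    'user nobody' 'group nogroup' 'keepalive 10 120' \
    'persist-key' 'persist-tun' > "$GOOD_CONF"

# Stand-alone run: two warnings for BAD_CONF, none for GOOD_CONF.
check_persist "$BAD_CONF" || echo "$? warning(s) in $BAD_CONF"
check_persist "$GOOD_CONF" && echo "no warnings in $GOOD_CONF"
```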

I believe this is more of a client-side setting. If the client gets disconnected, under some conditions it would remove and then re-create the tunnel. I am not sure that it does anything useful on the server side, since the server side basically stays up the entire time.

Zoredache