OpenVPN persist-tun option - what's the point?
There can be 3 reasons for using persist-tun
1- You need root permissions to be able to manage interfaces. If OpenVPN changes to nobody/nogroup it can't add/remove interfaces. Therefore it would be necessary to persist the tun interface.
2- If the tun interface is removed, you would lose the route pointing to it. This would mean that your traffic would flow unencrypted through the default route. Probably something that you do not want to happen.
3- If the interface is not removed (persists) then the up/down scripts would not be executed. The manual says:
–persist-tun Don’t close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or –ping-restart restarts.SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
Similar is also explained in the 2.4 manual for persist-key
–persist-key Don’t re-read key files across SIGUSR1 or –ping-restart.This option can be combined with –user nobody to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re-read protected key files.
This option solves the problem by persisting keys across SIGUSR1 resets, so they don’t need to be re-read.
I believe this is more of a client-side setting. If the client gets disconnected, under some conditions it would remove, and then re-create the tunnel. I am not sure that it does anything useful on the server side. Since the server side basically stays up the entire time.