OpenVPN - Making it more tolerant to packet loss without re-auth
-
Hi All,
Could I get your view on the best quick win to make OpenVPN more tolerant to packet loss without constant re-authentication?
I use MFA on users - which makes re-auth time-consuming when just a few packets have been lost -
Unfortunately not all networks are perfect.
When they are - it'll stay connected for 8 hours straight no issues.
-
How does it fail? A gateway event?
Steve
-
Hi Steve - I can't yet check but will tomorrow.
Scenario is: perfect network connection at our end, obviously OVPN stays connected 8 hours until reneg-sec.
Hotel Wi-Fi, distant connection, some packet loss - and it drops and requires re-auth -
I will check logs when I can and get back to you. -
If you see timeouts in the server logs try adjusting the keepalive values in the settings it pushes to clients.
-
Hi Stephen -
Now it's not that - all clients 100%.
Just need to find a way of making it more tolerant when the user is on a dodgy connection - I don't think KeepAlive will help that, will it? -
@Jake-Biker said in OpenVPN - Making it more tolerant to packet loss without re-auth:
I don't think KeepAlive will help that will it?
Isn't keepalive a TCP thing ?
Are you using UDP or TCP with your VPN?
To make a rock-solid VPN, easy: cable up the user to the VPN server and I guarantee you it will last forever (up until the power drops).
On the other side, when things can go pretty bad fast: if the user uses a 4G/5G data connection, or even a messed-up wifi (most of them are, people just don't notice) and is at the border of a 'cell', or is just mobile, then switching happens, packets arrive in disorder at the server, time stamps differ. The VPN process can handle some "total data madness", but as 'security' is part of the protocol (right?), at some point the server can't be sure that the connection is still the same device/user; it has to re-authenticate.
-
If a client is using a connection that's bad enough that it drops enough keep-alives, the server will drop the connection.
But we really need to see the logs to see why it's dropping, preferably from both ends.
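The two things the replies above keep coming back to are the keepalive values the server pushes and what the server log actually says when a session drops. The script below is an added example written for this page, not code from the thread or from OpenVPN itself. It does two things: it expands a server-side `keepalive n m` directive the way the OpenVPN server applies it (`ping n` and `ping-restart 2*m` locally, `ping n` and `ping-restart m` pushed to clients), and it tallies "Inactivity timeout (--ping-restart)" events per client common name from server log text. The sample log lines, client names and addresses are constructed for the example; the timestamp and `cn/ip:port` prefix follow the default OpenVPN server log format.

```python
"""Added example: expand `keepalive n m` and count ping-restart timeouts per client."""
import re
from collections import Counter

# Constructed sample of OpenVPN server log lines (not from the original thread).
# "Inactivity timeout (--ping-restart), restarting" is what the server logs when it
# has received nothing from a client for its ping-restart window; the TLS lines are
# the normal reconnect and re-key traffic around it.
SAMPLE_LOG = """\
Mon Mar  4 09:12:01 2024 alice/203.0.113.5:51234 Inactivity timeout (--ping-restart), restarting
Mon Mar  4 09:12:01 2024 alice/203.0.113.5:51234 SIGUSR1[soft,ping-restart] received, client-instance restarting
Mon Mar  4 09:12:40 2024 203.0.113.5:51240 TLS: Initial packet from [AF_INET]203.0.113.5:51240, sid=1a2b3c4d 5e6f7a8b
Mon Mar  4 09:13:02 2024 bob/198.51.100.7:40022 TLS: soft reset sec=0/28800 bytes=1234567/-1 pkts=9876/0
Mon Mar  4 10:30:15 2024 alice/203.0.113.9:51300 Inactivity timeout (--ping-restart), restarting
Mon Mar  4 11:02:45 2024 carol/192.0.2.44:60010 Inactivity timeout (--ping-restart), restarting
"""

PING_RESTART_RE = re.compile(
    r"^(?:\S+\s+){5}"                    # "Mon Mar  4 09:12:01 2024 "
    r"(?P<cn>[^/\s]+)/(?P<peer>\S+)\s+"  # "alice/203.0.113.5:51234 "
    r"Inactivity timeout \(--ping-restart\)"
)


def count_ping_restarts(log_text: str) -> dict:
    """Return {common_name: number of ping-restart inactivity timeouts} for a log."""
    counts = Counter()
    for line in log_text.splitlines():
        match = PING_RESTART_RE.match(line)
        if match:
            counts[match.group("cn")] += 1
    return dict(counts)


def effective_keepalive(n: int, m: int) -> dict:
    """Expand a server-side `keepalive n m` directive as OpenVPN applies it.

    The server runs `ping n` and `ping-restart 2*m` and pushes `ping n` and
    `ping-restart m` to clients, so the client side gives up first.
    ping-restart only fires when nothing at all (pings or data) is received for
    the whole window, so the outage has to last at least m seconds, i.e. at
    least m // n consecutive pings must be lost, before the client restarts
    and, with MFA, the user is prompted again. Scattered single-packet loss
    never reaches that threshold.
    """
    if n <= 0 or m <= 0:
        raise ValueError("keepalive values must be positive")
    return {
        "server_ping": n,
        "server_ping_restart": 2 * m,
        "client_ping": n,
        "client_ping_restart": m,
        "client_consecutive_pings_lost_before_restart": m // n,
    }


if __name__ == "__main__":
    for cn, count in sorted(count_ping_restarts(SAMPLE_LOG).items()):
        print(f"{cn}: {count} ping-restart timeout(s)")
    print(effective_keepalive(10, 60))
```

Run the counter against a copy of the real server log first: if the hotel drops are not ping-restart timeouts, raising keepalive will not help, and the cause is elsewhere (a TLS failure, a gateway or interface event). If they are, a larger second keepalive value widens the window a client will ride out without reconnecting, at the cost of taking longer to notice a peer that is genuinely gone.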
-
@Gertjan said in OpenVPN - Making it more tolerant to packet loss without re-auth:
Isn't keepalive a TCP thing ?
Actually, it's an application thing and can be over TCP or UDP. IIRC, there is no keep alive function in TCP, only timeout.
Incidentally, several years ago, I tried an experiment. I was in a coffee shop and used the WiFi to set up a VPN. I noticed there was another open WiFi in the area. I was able to switch WiFi, without dropping the VPN. This is a result of using UDP to carry the VPN. So long as the other end is reachable, it doesn't care how it gets there. This is also why, with WiFi calling, you can transparently move between a WiFi and cell network connection.
BTW, that coffee shop was at the corner of Harbord and Grace in Toronto. That other WiFi's SSID was "GraceLAN".