[Solved] Dynamic IP client and reconnection problem
-
Did you check on your OpenVPN server the checkbox "Dynamic IP"?
Checking this box adds "float" to the config files and allows your client, if he passes the authentication with a new IP/port, to reconnect.
-
Yes, it's checked. Looking at OpenVPN options I tried adding a --float manually in custom options, but no changes.
-
Could you post the content of your server config file
and the client config file of the "problem client"?
-
OK, that's the server config (I hope you mean this excerpt from the XML, otherwise I don't know where to look):
<config>
<disable></disable>
<protocol>TCP</protocol>
<dynamic_ip>on</dynamic_ip>
<local_port>1196</local_port>
<addresspool>10.0.4.0/24</addresspool>
<nopool></nopool>
<local_network></local_network>
<remote_network>192.168.11.0/24</remote_network>
<client2client></client2client>
<crypto>BF-CBC</crypto>
<auth_method>shared_key</auth_method>
<shared_key>(snip)</shared_key>
<ca_cert></ca_cert>
<server_cert></server_cert>
<server_key></server_key>
<dh_params></dh_params>
<crl></crl>
<dhcp_domainname></dhcp_domainname>
<dhcp_dns></dhcp_dns>
<dhcp_wins></dhcp_wins>
<dhcp_nbdd></dhcp_nbdd>
<dhcp_ntp></dhcp_ntp>
<dhcp_nbttype>0</dhcp_nbttype>
<dhcp_nbtscope></dhcp_nbtscope>
<dhcp_nbtdisable></dhcp_nbtdisable>
</config>
And here's the client side:
<openvpnclient>
<config>
<disable></disable>
<protocol>TCP</protocol>
<serveraddr>myFQNservername</serveraddr>
<serverport>1196</serverport>
<interface_ip>10.0.4.0/24</interface_ip>
<remote_network>10.0.0.0/24</remote_network>
<proxy_hostname></proxy_hostname>
<proxy_port>3128</proxy_port>
<crypto>BF-CBC</crypto>
<auth_method>shared_key</auth_method>
<shared_key>(idem)</shared_key>
<ca_cert></ca_cert>
<client_cert></client_cert>
<client_key></client_key>
<use_lzo></use_lzo>
<use_shaper></use_shaper>
<use_dynamicport></use_dynamicport>
</config>
</openvpnclient>
The non-standard port is because, as previously said, I have another two site-to-site OpenVPN clients.
Thank you
-
I meant the config file itself.
You can find it here: /var/etc/openvpn_server0.conf
You use two shared keys to connect to both ends.
Wouldn't it be easier if the two sides connected to a single PKI server?
-
OK, here it is, the server side:
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.4.1 10.0.4.2
lport 1196
route 192.168.11.0 255.255.255.0
secret /var/etc/openvpn_server2.secret
persist-remote-ip
float
And here's the client side:
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote (myserver) 1196
lport 1194
ifconfig 10.0.4.2 10.0.4.1
route 10.0.0.0 255.255.255.0
secret /var/etc/openvpn_client0.secret
Probably I'll use PKI when I have it all up and running.
I already use PKI for single users connecting remotely with notebooks; shared keys are quicker for tests (IMHO, obviously).
Thanks
-
I think your problem is the line with persist-remote-ip:
Preserve most recently authenticated remote IP address and port number across SIGUSR1 or --ping-restart restarts.
Your log shows:
openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
openvpn[11703]: Connection reset, restarting
Probably your server stays on the old IP while it receives data from the new IP and discards them.
-
OK. I'm not that familiar with the architecture of pfSense, but since I've not manually edited the mentioned config files I suppose that they are automatically generated with those options by pfSense whenever something is changed in the OpenVPN server GUI page, is that correct?
So even if I remove the line with that option, will the config file remain the same only until the next edit via the GUI?
Or until the next restart?
However: I'll try to remove it, disconnect the ADSL cable from the remote router a couple of times, see what happens and post the results.
Thank you
-
OK, after some guesswork the problem is solved.
I unchecked "Dynamic IP" in the VPN server webConfigurator page BUT added "float" as a custom option.
This removes persist-remote-ip from the server-side config and maintains float.
Now, when the client reconnects from a different dynamic IP, the server accepts the connection.
Being a newbie, I think "Dynamic IP" means exactly this behaviour. Instead "persist-remote-ip" pops up in the config file, which prevents exactly this. Is there something I don't understand, or is this a bug?
-
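The diagnosis given earlier in the thread (persist-remote-ip keeps the previously authenticated peer address) and the fix just above (float without persist-remote-ip) both come down to which of the two options the generated /var/etc/openvpn_server*.conf contains. The following POSIX sh checker is an added example written for this page; it is not code from the thread or from pfSense. It greps a config file for that exact combination and returns a distinct exit code per outcome. The function names check_ovpn_conf and ovpn_has_option, the exit-code scheme, the temporary directory and the two sample config files are assumptions constructed here; the sample option set is copied from the server config posted above. The checker tolerates a leading "--" on an option and ignores commented-out lines.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: lint an OpenVPN
# point-to-point config for the float / persist-remote-ip combination.
#
# check_ovpn_conf exit codes (a convention assumed here, not OpenVPN's):
#   0  float present and persist-remote-ip absent  -> roaming peer may reconnect
#   1  persist-remote-ip present                    -> old peer address is kept
#   2  float absent                                 -> new source address is rejected
#   3  config file not readable

# ovpn_has_option FILE OPTION: succeed if OPTION is set as a whole word at the
# start of an uncommented line, with or without the leading "--".
ovpn_has_option() {
    grep -Eq "^[[:space:]]*(--)?$2([[:space:]]|\$)" "$1"
}

check_ovpn_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "$conf: not readable" >&2; return 3; }
    if ovpn_has_option "$conf" persist-remote-ip; then
        echo "$conf: persist-remote-ip set; drop it (uncheck Dynamic IP, keep float as a custom option)"
        return 1
    fi
    if ! ovpn_has_option "$conf" float; then
        echo "$conf: float missing; a peer reconnecting from a new IP/port will be dropped"
        return 2
    fi
    # Informational only, does not change the verdict: BF-CBC is a 64-bit block cipher.
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+BF-CBC([[:space:]]|$)' "$conf"; then
        echo "$conf: note: cipher BF-CBC is a 64-bit block cipher; prefer an AES cipher"
    fi
    echo "$conf: OK (float set, persist-remote-ip absent)"
    return 0
}

# Constructed sample files mirroring the option set of the posted server config.
WORKDIR="${TMPDIR:-/tmp}/ovpn-float-check.$$"
mkdir -p "$WORKDIR"

# As generated with "Dynamic IP" checked: persist-remote-ip and float together.
BEFORE_CONF="$WORKDIR/server-before.conf"
cat > "$BEFORE_CONF" <<'EOF'
daemon
keepalive 10 60
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
ifconfig 10.0.4.1 10.0.4.2
lport 1196
route 192.168.11.0 255.255.255.0
secret /var/etc/openvpn_server2.secret
persist-remote-ip
float
EOF

# The fix from the thread: "Dynamic IP" unchecked, float kept as a custom option.
AFTER_CONF="$WORKDIR/server-after.conf"
sed '/^persist-remote-ip$/d' "$BEFORE_CONF" > "$AFTER_CONF"

# Stand-alone run: report on both files ("|| :" keeps a set -e shell from aborting).
for f in "$BEFORE_CONF" "$AFTER_CONF"; do
    check_ovpn_conf "$f" || :
done
```

On a pfSense box the same function can be pointed at the live file, e.g. check_ovpn_conf /var/etc/openvpn_server0.conf, after each save in the webConfigurator, since the thread establishes that the file is regenerated from the GUI settings.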
Wow, I've been struggling with this for a while and actually saw the persist-remote-ip option in the config but couldn't think how to remove it but still maintain float. Thanks!!!
I'm trying to think, though, where this combination could be used if you want site-to-site. I presume the difference is that float allows different machines to connect with different IPs, but persist-remote-ip only allows the same machine to connect with its previous address. So I think it's more suited to multiple remote clients where you wouldn't use the 'remote network' setting.
But perhaps there should be a setting for this then, e.g. a checkbox for dynamic IP and a checkbox for site-to-site with a dynamic client.
Regards
Robby