    OpenVPN cannot connect if the client IP changes, need server reboot

      pvinodkr

      Thanks for the suggestion. However, it did not work.

        AhnHEL

        Did you try the float option on the client as well?

        AhnHEL (Angel)

          GruensFroeschli

          Did you check on the server the checkbox
          "Dynamic IP"
          –> "Assume dynamic IPs, so that DHCP clients can connect. "
          ?

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            AhnHEL

            @GruensFroeschli:

            Did you check on the server the checkbox
            "Dynamic IP"
            –> "Assume dynamic IPs, so that DHCP clients can connect. "
            ?

            Suggested that above  ;)

            AhnHEL (Angel)

              GruensFroeschli

              Ah yes :D
              I only read the description of the --float option and thought "isn't that the same as this checkbox?" ^^".

              But the OpenVPN log should show if a client with an IP connects which is discarded.

              @pvinodkr : what does the log say?

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                pvinodkr

                Hi,
                Thank you all for the responses.  Here are the openvpn logs.

                This is before reboot of the client (HO and Branch can't talk to each other):
                –----------------------------------------------------------------------
                Jan 12 20:41:23 pfsense openvpn[364]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
                Jan 12 20:41:23 pfsense openvpn[364]: gw <ho_wan_ip>
                Jan 12 20:41:23 pfsense openvpn[364]: TUN/TAP device /dev/tun0 opened
                Jan 12 20:41:23 pfsense openvpn[364]: /sbin/ifconfig tun0 192.168.31.1 192.168.31.2 mtu 1500 netmask 255.255.255.255 up
                Jan 12 20:41:23 pfsense openvpn[364]: /etc/rc.filter_configure tun0 1500 1544 192.168.31.1 192.168.31.2 init
                Jan 12 20:41:24 pfsense openvpn[373]: UDPv4 link local (bound): [undef]:1185
                Jan 12 20:41:24 pfsense openvpn[373]: UDPv4 link remote: [undef]
                Jan 12 20:41:25 pfsense openvpn[375]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
                Jan 12 20:41:25 pfsense openvpn[375]: gw <ho_wan_ip>
                Jan 12 20:41:25 pfsense openvpn[375]: TUN/TAP device /dev/tun1 opened
                Jan 12 20:41:25 pfsense openvpn[375]: /sbin/ifconfig tun1 192.168.1.1 192.168.1.2 mtu 1500 netmask 255.255.255.255 up
                Jan 12 20:41:25 pfsense openvpn[375]: /etc/rc.filter_configure tun1 1500 1544 192.168.1.1 192.168.1.2 init
                Jan 12 20:41:26 pfsense openvpn[386]: UDPv4 link local (bound): [undef]:1189
                Jan 12 20:41:26 pfsense openvpn[386]: UDPv4 link remote: [undef]
                Jan 12 20:41:27 pfsense openvpn[390]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
                Jan 12 20:41:27 pfsense openvpn[390]: gw <ho_wan_ip>
                Jan 12 20:41:27 pfsense openvpn[390]: TUN/TAP device /dev/tun2 opened
                Jan 12 20:41:27 pfsense openvpn[390]: /sbin/ifconfig tun2 192.168.32.1 192.168.32.2 mtu 1500 netmask 255.255.255.255 up
                Jan 12 20:41:27 pfsense openvpn[390]: /etc/rc.filter_configure tun2 1500 1544 192.168.32.1 192.168.32.2 init
                Jan 12 20:41:28 pfsense openvpn[404]: UDPv4 link local (bound): [undef]:1188
                Jan 12 20:41:28 pfsense openvpn[404]: UDPv4 link remote: [undef]

                The one below is after a client reboot (The connection is good):
                –----------------------------------------------------------
                Jan 12 20:57:31 pfsense openvpn[363]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
                Jan 12 20:57:31 pfsense openvpn[363]: gw <ho_wan_ip>
                Jan 12 20:57:31 pfsense openvpn[363]: TUN/TAP device /dev/tun0 opened
                Jan 12 20:57:31 pfsense openvpn[363]: /sbin/ifconfig tun0 192.168.31.1 192.168.31.2 mtu 1500 netmask 255.255.255.255 up
                Jan 12 20:57:31 pfsense openvpn[363]: /etc/rc.filter_configure tun0 1500 1544 192.168.31.1 192.168.31.2 init
                Jan 12 20:57:32 pfsense openvpn[372]: UDPv4 link local (bound): [undef]:1185
                Jan 12 20:57:32 pfsense openvpn[372]: UDPv4 link remote: [undef]
                Jan 12 20:57:33 pfsense openvpn[374]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
                Jan 12 20:57:33 pfsense openvpn[374]: gw <ho_wan_ip>
                Jan 12 20:57:33 pfsense openvpn[374]: TUN/TAP device /dev/tun1 opened
                Jan 12 20:57:33 pfsense openvpn[374]: /sbin/ifconfig tun1 192.168.1.1 192.168.1.2 mtu 1500 netmask 255.255.255.255 up
                Jan 12 20:57:33 pfsense openvpn[374]: /etc/rc.filter_configure tun1 1500 1544 192.168.1.1 192.168.1.2 init
                Jan 12 20:57:34 pfsense openvpn[385]: UDPv4 link local (bound): [undef]:1189
                Jan 12 20:57:34 pfsense openvpn[385]: UDPv4 link remote: [undef]
                Jan 12 20:57:34 pfsense openvpn[385]: Peer Connection Initiated with <br_wan_ip>:1196
                Jan 12 20:57:35 pfsense openvpn[389]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
                Jan 12 20:57:35 pfsense openvpn[389]: gw <ho_wan_ip>
                Jan 12 20:57:35 pfsense openvpn[389]: TUN/TAP device /dev/tun2 opened
                Jan 12 20:57:35 pfsense openvpn[389]: /sbin/ifconfig tun2 192.168.32.1 192.168.32.2 mtu 1500 netmask 255.255.255.255 up
                Jan 12 20:57:35 pfsense openvpn[389]: /etc/rc.filter_configure tun2 1500 1544 192.168.32.1 192.168.32.2 init
                Jan 12 20:57:35 pfsense openvpn[385]: Initialization Sequence Completed
                Jan 12 20:57:36 pfsense openvpn[403]: UDPv4 link local (bound): [undef]:1188
                Jan 12 20:57:36 pfsense openvpn[403]: UDPv4 link remote: [undef]

                  wm408

                  This thread http://forum.pfsense.org/index.php/topic,5340.0.html discusses the options that get applied when you check the dynamic IP box on the server.  I believe it's:

                  float
                  persist-remote-ip

                  Gruens you should know this!  (naw it's cool, that was years ago it looks like you were involved in this thread  :))

                  I am actually having the same problem.  I have followed the thread that I listed above and only manually used the "float" option, not using the dynamic IP checkbox on server.

                  I still lose connection, Logs: (my logs read from bottom to top)

                  Mar 4 13:24:14 openvpn[34044]: UDPv4 link remote: [undef]
                  Mar 4 13:24:14 openvpn[34044]: UDPv4 link local (bound): [undef]:1194
                  Mar 4 13:24:14 openvpn[34044]: Preserving previous TUN/TAP instance: tun0
                  Mar 4 13:24:14 openvpn[34044]: LZO compression initialized
                  Mar 4 13:24:14 openvpn[34044]: Re-using pre-shared static key
                  Mar 4 13:24:12 openvpn[34044]: SIGUSR1[soft,ping-restart] received, process restarting
                  Mar 4 13:24:12 openvpn[34044]: Inactivity timeout (--ping-restart), restarting

                  It looks like it works.  But I cannot talk to either end of the tunnel from either location, no pinging possible.  Obviously if I restart the link manually by restarting the server / client, it works fine.

                  So, manually placing the "float" in custom options on server does not seem to work.  I will try adding it to client as well.  Gonna play with it some more.

                    wm408

                    Still struggling to keep the link alive after the Client changes its IP.  Any thoughts?

                      wm408

                      Here are my logs and confs.  Again: I don't have a problem establishing the link, but when the client changes its IP (dynamic pppoe), the connection does not recover.  Let me know what you all think.

                      -I have tried unchecking the "dynamic ip" option on the server because in previous posts mentioned, the "persist-remote-ip" flag "probably your server stays on the old IP while he received data from the new IP and discards them" (Gruens quote). and manually adding "float" to the server conf.

                      I'm pretty sure "dynamic IP" checked adds "persist-remote-ip" and "float"

                      Thanks for your time!

                      CLIENT LOG: (My logs read from bottom to top, fyi this is a bridge setup)

                      Mar 9 03:44:18 openvpn[16537]: Exiting
                      Mar 9 03:44:18 openvpn[16537]: Cannot allocate TUN/TAP dev dynamically
                      Mar 9 03:44:18 openvpn[16537]: gw 75.52.146.39
                      Mar 9 03:44:18 openvpn[16537]: LZO compression initialized
                      Mar 9 03:44:18 openvpn[16537]: WARNING: file '/var/etc/openvpn_client1.secret' is group or others accessible
                      Mar 9 03:44:16 openvpn[16537]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
                      Mar 9 03:44:16 openvpn[16537]: SIGHUP[hard,] received, process restarting
                      Mar 9 03:44:03 openvpn[16537]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.2 10.0.0.1 init
                      Mar 9 03:44:03 openvpn[16537]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
                      Mar 9 03:44:03 openvpn[16537]: event_wait : Interrupted system call (code=4)
                      Mar 9 03:41:21 openvpn[16537]: Initialization Sequence Completed
                      Mar 9 03:41:20 openvpn[16537]: Peer Connection Initiated with x.x.x.x(remote ip):1194
                      Mar 9 03:40:49 openvpn[16537]: UDPv4 link remote: x.x.x.x(remote IP):1194
                      Mar 9 03:40:49 openvpn[16537]: UDPv4 link local (bound): [undef]:1195
                      Mar 9 03:40:49 openvpn[16537]: Preserving previous TUN/TAP instance: tun0
                      Mar 9 03:40:49 openvpn[16537]: LZO compression initialized
                      Mar 9 03:40:49 openvpn[16537]: Re-using pre-shared static key
                      Mar 9 03:40:47 openvpn[16537]: SIGUSR1[soft,ping-restart] received, process restarting
                      Mar 9 03:40:47 openvpn[16537]: Inactivity timeout (--ping-restart), restarting
                      Mar 9 03:39:47 openvpn[16537]: UDPv4 link remote: x.x.x.x(remote IP):1194
                      Mar 9 03:39:47 openvpn[16537]: UDPv4 link local (bound): [undef]:1195
                      Mar 9 03:39:47 openvpn[16537]: Preserving previous TUN/TAP instance: tun0
                      Mar 9 03:39:47 openvpn[16537]: LZO compression initialized
                      Mar 9 03:39:47 openvpn[16537]: Re-using pre-shared static key
                      Mar 9 03:39:45 openvpn[16537]: SIGUSR1[soft,ping-restart] received, process restarting
                      Mar 9 03:39:45 openvpn[16537]: Inactivity timeout (--ping-restart), restarting
                      Mar 8 07:18:09 openvpn[16537]: Initialization Sequence Completed
                      Mar 8 07:18:08 openvpn[16537]: Peer Connection Initiated with x.x.x.x(remote IP):1194
                      Mar 8 07:18:06 openvpn[16537]: UDPv4 link remote: x.x.x.x(remote IP):1194
                      Mar 8 07:18:06 openvpn[16537]: UDPv4 link local (bound): [undef]:1195
                      Mar 8 07:18:06 openvpn[16537]: UID set to nobody
                      Mar 8 07:18:06 openvpn[16537]: GID set to nobody
                      Mar 8 07:18:03 openvpn[16519]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.2 10.0.0.1 init
                      Mar 8 07:18:03 openvpn[16519]: /sbin/ifconfig tun0 10.0.0.2 10.0.0.1 mtu 1500 netmask 255.255.255.255 up
                      Mar 8 07:18:03 openvpn[16519]: TUN/TAP device /dev/tun0 opened
                      Mar 8 07:18:03 openvpn[16519]: gw 99.137.16.43
                      Mar 8 07:18:03 openvpn[16519]: LZO compression initialized
                      Mar 8 07:18:03 openvpn[16519]: WARNING: file '/var/etc/openvpn_client1.secret' is group or others accessible
                      Mar 8 07:18:03 openvpn[16519]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009

                      Client conf:

                      writepid /var/run/openvpn_client1.pid
                      #user nobody
                      #group nobody
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      dev tun
                      proto udp
                      cipher BF-CBC
                      up /etc/rc.filter_configure
                      down /etc/rc.filter_configure
                      remote x.x.x.x(remote IP) 1194
                      lport 1195
                      ifconfig 10.0.0.2 10.0.0.1
                      route 192.168.85.0 255.255.255.0
                      secret /var/etc/openvpn_client1.secret
                      comp-lzo
                      user nobody
                      group nobody

                      Server Log (logs read from bottom to top)

                      Mar 9 15:47:51 openvpn[24358]: SIGTERM[hard,] received, process exiting
                      Mar 9 15:47:38 openvpn[24358]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.1 10.0.0.2 init
                      Mar 9 15:47:38 openvpn[24358]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
                      Mar 9 15:47:38 openvpn[24358]: event_wait : Interrupted system call (code=4)
                      Mar 9 03:44:56 openvpn[24358]: UDPv4 link remote: [undef]
                      Mar 9 03:44:56 openvpn[24358]: UDPv4 link local (bound): [undef]:1194
                      Mar 9 03:44:56 openvpn[24358]: Preserving previous TUN/TAP instance: tun0
                      Mar 9 03:44:56 openvpn[24358]: LZO compression initialized
                      Mar 9 03:44:56 openvpn[24358]: Re-using pre-shared static key
                      Mar 9 03:44:54 openvpn[24358]: SIGUSR1[soft,ping-restart] received, process restarting
                      Mar 9 03:44:54 openvpn[24358]: Inactivity timeout (--ping-restart), restarting
                      Mar 9 03:41:20 openvpn[24358]: Initialization Sequence Completed
                      Mar 9 03:41:20 openvpn[24358]: Peer Connection Initiated with 75.52.146.38:1195
                      Mar 9 03:39:49 openvpn[24358]: UDPv4 link remote: [undef]
                      Mar 9 03:39:49 openvpn[24358]: UDPv4 link local (bound): [undef]:1194
                      Mar 9 03:39:49 openvpn[24358]: Preserving previous TUN/TAP instance: tun0
                      Mar 9 03:39:49 openvpn[24358]: LZO compression initialized
                      Mar 9 03:39:49 openvpn[24358]: Re-using pre-shared static key
                      Mar 9 03:39:47 openvpn[24358]: SIGUSR1[soft,ping-restart] received, process restarting
                      Mar 9 03:39:47 openvpn[24358]: Inactivity timeout (--ping-restart), restarting
                      Mar 8 07:18:07 openvpn[24358]: Initialization Sequence Completed
                      Mar 8 07:18:06 openvpn[24358]: Peer Connection Initiated with 99.137.16.42:1195
                      Mar 8 07:17:47 openvpn[24358]: UDPv4 link remote: [undef]
                      Mar 8 07:17:47 openvpn[24358]: UDPv4 link local (bound): [undef]:1194
                      Mar 8 07:17:47 openvpn[24358]: UID set to nobody
                      Mar 8 07:17:47 openvpn[24358]: GID set to nobody
                      Mar 8 07:17:45 openvpn[24340]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.1 10.0.0.2 init
                      Mar 8 07:17:45 openvpn[24340]: /sbin/ifconfig tun0 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.255 up
                      Mar 8 07:17:45 openvpn[24340]: TUN/TAP device /dev/tun0 opened
                      Mar 8 07:17:45 openvpn[24340]: gw x.x.x.x
                      Mar 8 07:17:45 openvpn[24340]: LZO compression initialized
                      Mar 8 07:17:45 openvpn[24340]: WARNING: file '/var/etc/openvpn_server1.secret' is group or others accessible
                      Mar 8 07:17:45 openvpn[24340]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009

                      Server conf
                      writepid /var/run/openvpn_server1.pid
                      #user nobody
                      #group nobody
                      daemon
                      keepalive 10 60
                      ping-timer-rem
                      persist-tun
                      persist-key
                      dev tun
                      proto udp
                      cipher BF-CBC
                      up /etc/rc.filter_configure
                      down /etc/rc.filter_configure
                      ifconfig 10.0.0.1 10.0.0.2
                      lport 1194
                      route 192.168.40.0 255.255.255.0
                      secret /var/etc/openvpn_server1.secret
                      comp-lzo
                      user nobody
                      group nobody
                      float

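An added example, not part of the original thread: a small Python analyzer for log lines like the server log posted above. It lists peer address changes, counts ping-restart cycles, flags a tunnel whose last restart was never followed by a new "Peer Connection Initiated", and collects the key-file permission warnings. The function names and report fields are this example's own; the sample lines are a subset copied from the post.

```python
import re
from collections import namedtuple

# Subset of the server log lines posted above, newest first as in the post.
SERVER_LOG = """\
Mar 9 03:44:56 openvpn[24358]: UDPv4 link remote: [undef]
Mar 9 03:44:54 openvpn[24358]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 9 03:41:20 openvpn[24358]: Initialization Sequence Completed
Mar 9 03:41:20 openvpn[24358]: Peer Connection Initiated with 75.52.146.38:1195
Mar 9 03:39:47 openvpn[24358]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 8 07:18:07 openvpn[24358]: Initialization Sequence Completed
Mar 8 07:18:06 openvpn[24358]: Peer Connection Initiated with 99.137.16.42:1195
Mar 8 07:17:45 openvpn[24340]: WARNING: file '/var/etc/openvpn_server1.secret' is group or others accessible
"""

Event = namedtuple("Event", "stamp pid msg")
# Timestamp, optional hostname (e.g. "pfsense"), then "openvpn[pid]: message".
LINE = re.compile(r"^\s*(\w{3}\s+\d+\s+[\d:]+)\s+(?:\S+\s+)?openvpn\[(\d+)\]:\s+(.*)$")
PEER = re.compile(r"Peer Connection Initiated with (.+):(\d+)$")
WEAK = re.compile(r"WARNING: file '([^']+)' is group or others accessible")


def parse(text, newest_first=True):
    """Return events in chronological order; lines that do not parse are skipped.

    Ordering relies on file order (the timestamps carry no year), so say
    whether the log viewer lists the newest entry first.
    """
    events = [Event(m.group(1), int(m.group(2)), m.group(3).strip())
              for m in map(LINE.match, text.splitlines()) if m]
    return events[::-1] if newest_first else events


def analyze(events):
    """Summarise peer address changes, restart cycles and key-file warnings."""
    report = {"peers": [], "peer_changes": [], "ping_restarts": 0,
              "stalled": False, "weak_key_files": []}
    for ev in events:
        peer = PEER.search(ev.msg)
        weak = WEAK.search(ev.msg)
        if peer:
            addr = peer.group(1)
            if report["peers"] and report["peers"][-1] != addr:
                report["peer_changes"].append((report["peers"][-1], addr))
            report["peers"].append(addr)
            report["stalled"] = False      # a peer authenticated after the restart
        elif "ping-restart] received" in ev.msg:
            report["ping_restarts"] += 1
            report["stalled"] = True       # stays True until a peer reconnects
        elif weak and weak.group(1) not in report["weak_key_files"]:
            report["weak_key_files"].append(weak.group(1))
    return report


if __name__ == "__main__":
    print(analyze(parse(SERVER_LOG)))
```

On the sample, the report shows one accepted address change (99.137.16.42 to 75.52.146.38) followed by a second ping-restart with no peer afterwards.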
                        wm408

                        I am still having this problem.  I have also tried just running openvpn from the command line using the above listed configs.  It just seems like the float command is not doing anything or is not working the way that it should.  I see the client try to re-establish the link, and the server just doesn't accept the connection.

                        Any thoughts / suggestions?

                        Thanks
