
    OpenVPN Disconnects every 5-10 minutes

    Category: OpenVPN
    17 Posts 5 Posters 14.6k Views
    CM350:

      Hi Guys,

      Love your forum, love this product!

      But sadly we ran in a problem with it.

      Problem: OpenVPN disconnects every 6 minutes (give or take a minute) and then connects back. Our customer uses it for external connections to an internal RDP server (which is behind the firewall).

      Setup: 2.2.3-RELEASE (amd64) with 5 NICs
      WAN: Behind a modem 192.168.200.1 (pfSense has 192.168.200.2)
      LAN1: 10.220.14.81 (this is the main lan adapter - the RDS Server is on  this network - this is the network the vpn must go to)
      LAN2: 192.168.2.1 (small network for the cameras - not so important)
      LAN3: 10.0.0.1 (this is the old network where the old server is connected to - not important at all!!!)
      LAN4: 10.222.14.81 (the wifi guest network - is the same adapter as LAN1 but on another VLAN - which connects to a switch - which connects to the Cisco AP with multiple SSID - 1 for the guest - 1 for the internal wifi)

      We have firewall rules to protect the internal lan from the other lans.

      I created aliases to help me with this:
      Alias1: networks: 10.220.14.0/24 - 10.0.0.0/24 - 10.222.14.0/24 - 10.221.14.0/24
      Alias2: networks: 10.220.14.0/24 - 10.0.0.0/24 - 192.168.2.0/24 - 10.221.14.0/24

      So now the rules:
      On LAN2:
      block    IPv4 *  CAMERA net  *  Alias1 *  *  none
      allow    IPv4 *  CAMERA net  *  *        *  *  none
      allow    IPv4 *  CAMERA net  *  CAMERA net  *  *  none

      On LAN3:
      allow    IPv4 *  LEGACYDFD net  *  LEGACYDFD net  *  *  none

      On LAN4:
      block    IPv4 *  GUESTWIFI net  *  Alias2 *  *  none     
      allow    IPv4 *  GUESTWIFI net  *  *  *  *  none

      Back to the problem, I already disabled gateway monitoring as described: https://208.123.73.68/index.php?topic=45725.0
      I already enabled bypass firewall rules for traffic on same interface as described: http://community.spiceworks.com/topic/432543-pfsense-blocking-subnet-traffic

      But I ran out of options. The VPN config is exactly the same as any other client we have; if you know a fast way to copy things, then explain it to me and I will paste the config. But in fact it's really just following the wizard. (It has network 10.221.14.0/24.)

        heper:

        show logs

          CM350:

          oh right!

          client logs:
          Fri Aug 07 15:20:21 2015 OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jul  9 2015
          Fri Aug 07 15:20:21 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
          Fri Aug 07 15:20:21 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
          Fri Aug 07 15:20:21 2015 Need hold release from management interface, waiting…
          Fri Aug 07 15:23:07 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1195
          Fri Aug 07 15:23:07 2015 MANAGEMENT: CMD 'state on 1'
          Fri Aug 07 15:23:07 2015 MANAGEMENT: CMD 'log on 20'
          Fri Aug 07 15:23:07 2015 MANAGEMENT: CMD 'bytecount 3'
          Fri Aug 07 15:24:25 2015 MANAGEMENT: CMD 'hold release'
          Fri Aug 07 15:24:26 2015 Control Channel Authentication: using 'C:\Program Files\OpenVPN\config\customer.key' as a OpenVPN static key file
          Fri Aug 07 15:24:26 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:24:26 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:24:26 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
          Fri Aug 07 15:24:26 2015 UDPv4 link local (bound): [undef]
          Fri Aug 07 15:24:26 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
          Fri Aug 07 15:24:26 2015 MANAGEMENT: >STATE:1438953866,WAIT,,,
          Fri Aug 07 15:24:26 2015 MANAGEMENT: >STATE:1438953866,AUTH,,,
          Fri Aug 07 15:24:26 2015 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=0c336cdb ede393a4
          Fri Aug 07 15:24:26 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          Fri Aug 07 15:24:26 2015 VERIFY OK: depth=1, C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerCA
          Fri Aug 07 15:24:26 2015 VERIFY OK: nsCertType=SERVER
          Fri Aug 07 15:24:26 2015 VERIFY X509NAME OK: C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerSRVCA
          Fri Aug 07 15:24:26 2015 VERIFY OK: depth=0, C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerSRVCA
          Fri Aug 07 15:24:27 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Fri Aug 07 15:24:27 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:24:27 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Fri Aug 07 15:24:27 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:24:27 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
          Fri Aug 07 15:24:27 2015 [customerSRVCA] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
          Fri Aug 07 15:24:28 2015 MANAGEMENT: >STATE:1438953868,GET_CONFIG,,,
          Fri Aug 07 15:24:29 2015 SENT CONTROL [customerSRVCA]: 'PUSH_REQUEST' (status=1)
          Fri Aug 07 15:24:29 2015 PUSH: Received control message: 'PUSH_REPLY,route 10.220.14.0 255.255.255.0,dhcp-option DOMAIN local.customer.be,dhcp-option DNS 10.220.14.82,register-dns,route 10.221.14.1,topology net30,ping 10,ping-restart 60,ifconfig 10.221.14.18 10.221.14.17'
          Fri Aug 07 15:24:29 2015 OPTIONS IMPORT: timers and/or timeouts modified
          Fri Aug 07 15:24:29 2015 OPTIONS IMPORT: --ifconfig/up options modified
          Fri Aug 07 15:24:29 2015 OPTIONS IMPORT: route options modified
          Fri Aug 07 15:24:29 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
          Fri Aug 07 15:24:29 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
          Fri Aug 07 15:24:29 2015 MANAGEMENT: >STATE:1438953869,ASSIGN_IP,,10.221.14.18,
          Fri Aug 07 15:24:29 2015 open_tun, tt->ipv6=0
          Fri Aug 07 15:24:29 2015 CreateFile failed on TAP device: \\.\Global\{353A93BA-8379-4D62-8B41-DE5074EBF35B}.tap
          Fri Aug 07 15:24:29 2015 TAP-WIN32 device [Ethernet 5] opened: \\.\Global\{AC9A0F90-355F-4C45-A9BA-44B5D2136902}.tap
          Fri Aug 07 15:24:29 2015 TAP-Windows Driver Version 9.21
          Fri Aug 07 15:24:29 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.221.14.18/255.255.255.252 on interface {AC9A0F90-355F-4C45-A9BA-44B5D2136902} [DHCP-serv: 10.221.14.17, lease-time: 31536000]
          Fri Aug 07 15:24:29 2015 Successful ARP Flush on interface [46] {AC9A0F90-355F-4C45-A9BA-44B5D2136902}
          Fri Aug 07 15:24:34 2015 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
          Fri Aug 07 15:24:34 2015 MANAGEMENT: >STATE:1438953874,ADD_ROUTES,,,
          Fri Aug 07 15:24:34 2015 C:\WINDOWS\system32\route.exe ADD 10.220.14.0 MASK 255.255.255.0 10.221.14.17
          Fri Aug 07 15:24:34 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
          Fri Aug 07 15:24:34 2015 Route addition via IPAPI succeeded [adaptive]
          Fri Aug 07 15:24:34 2015 C:\WINDOWS\system32\route.exe ADD 10.221.14.1 MASK 255.255.255.255 10.221.14.17
          Fri Aug 07 15:24:34 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
          Fri Aug 07 15:24:34 2015 Route addition via IPAPI succeeded [adaptive]
          Fri Aug 07 15:24:34 2015 Initialization Sequence Completed
          Fri Aug 07 15:24:34 2015 MANAGEMENT: >STATE:1438953874,CONNECTED,SUCCESS,10.221.14.18,x.x.x.x
          Fri Aug 07 15:24:34 2015 Start net commands...
          Fri Aug 07 15:24:34 2015 C:\WINDOWS\system32\net.exe stop dnscache
          Fri Aug 07 15:24:34 2015 MANAGEMENT: CMD 'hold off'
          Fri Aug 07 15:24:42 2015 C:\WINDOWS\system32\net.exe start dnscache
          Fri Aug 07 15:24:42 2015 ERROR: Windows ipconfig command failed: returned error code 2
          Fri Aug 07 15:24:42 2015 C:\WINDOWS\system32\ipconfig.exe /flushdns
          Fri Aug 07 15:24:42 2015 C:\WINDOWS\system32\ipconfig.exe /registerdns
          Fri Aug 07 15:24:45 2015 End net commands...
          Fri Aug 07 15:35:01 2015 [customerSRVCA] Inactivity timeout (--ping-restart), restarting
          Fri Aug 07 15:35:01 2015 SIGUSR1[soft,ping-restart] received, process restarting
          Fri Aug 07 15:35:01 2015 MANAGEMENT: >STATE:1438954501,RECONNECTING,ping-restart,,
          Fri Aug 07 15:35:01 2015 Restart pause, 2 second(s)
          Fri Aug 07 15:35:03 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
          Fri Aug 07 15:35:03 2015 UDPv4 link local (bound): [undef]
          Fri Aug 07 15:35:03 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
          Fri Aug 07 15:35:03 2015 MANAGEMENT: >STATE:1438954503,WAIT,,,
          Fri Aug 07 15:35:03 2015 MANAGEMENT: >STATE:1438954503,AUTH,,,
          Fri Aug 07 15:35:03 2015 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=29ab0447 8f5d7882
          Fri Aug 07 15:35:03 2015 VERIFY OK: depth=1, C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerCA
          Fri Aug 07 15:35:03 2015 VERIFY OK: nsCertType=SERVER
          Fri Aug 07 15:35:03 2015 VERIFY X509NAME OK: C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerSRVCA
          Fri Aug 07 15:35:03 2015 VERIFY OK: depth=0, C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerSRVCA
          Fri Aug 07 15:35:05 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Fri Aug 07 15:35:05 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:35:05 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Fri Aug 07 15:35:05 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:35:05 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
          Fri Aug 07 15:35:05 2015 [customerSRVCA] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
          Fri Aug 07 15:35:06 2015 MANAGEMENT: >STATE:1438954506,GET_CONFIG,,,
          Fri Aug 07 15:35:07 2015 SENT CONTROL [customerSRVCA]: 'PUSH_REQUEST' (status=1)
          Fri Aug 07 15:35:07 2015 PUSH: Received control message: 'PUSH_REPLY,route 10.220.14.0 255.255.255.0,dhcp-option DOMAIN local.customer.be,dhcp-option DNS 10.220.14.82,register-dns,route 10.221.14.1,topology net30,ping 10,ping-restart 60,ifconfig 10.221.14.18 10.221.14.17'
          Fri Aug 07 15:35:07 2015 OPTIONS IMPORT: timers and/or timeouts modified
          Fri Aug 07 15:35:07 2015 OPTIONS IMPORT: --ifconfig/up options modified
          Fri Aug 07 15:35:07 2015 OPTIONS IMPORT: route options modified
          Fri Aug 07 15:35:07 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
          Fri Aug 07 15:35:07 2015 Preserving previous TUN/TAP instance: Ethernet 5
          Fri Aug 07 15:35:07 2015 Initialization Sequence Completed
          Fri Aug 07 15:35:07 2015 MANAGEMENT: >STATE:1438954507,CONNECTED,SUCCESS,10.221.14.18,x.x.x.x
          Fri Aug 07 15:35:07 2015 Start net commands...
          Fri Aug 07 15:35:07 2015 C:\WINDOWS\system32\net.exe stop dnscache
          Fri Aug 07 15:35:07 2015 MANAGEMENT: CMD 'hold off'
          Fri Aug 07 15:35:09 2015 C:\WINDOWS\system32\net.exe start dnscache
          Fri Aug 07 15:35:09 2015 ERROR: Windows ipconfig command failed: returned error code 2
          Fri Aug 07 15:35:09 2015 C:\WINDOWS\system32\ipconfig.exe /flushdns
          Fri Aug 07 15:35:09 2015 C:\WINDOWS\system32\ipconfig.exe /registerdns
          Fri Aug 07 15:35:12 2015 End net commands...
          Fri Aug 07 15:40:36 2015 [customerSRVCA] Inactivity timeout (--ping-restart), restarting
          Fri Aug 07 15:40:36 2015 SIGUSR1[soft,ping-restart] received, process restarting
          Fri Aug 07 15:40:36 2015 MANAGEMENT: >STATE:1438954836,RECONNECTING,ping-restart,,
          Fri Aug 07 15:40:36 2015 Restart pause, 2 second(s)
          Fri Aug 07 15:40:38 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
          Fri Aug 07 15:40:38 2015 UDPv4 link local (bound): [undef]
          Fri Aug 07 15:40:38 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
          Fri Aug 07 15:40:38 2015 MANAGEMENT: >STATE:1438954838,WAIT,,,
          Fri Aug 07 15:40:38 2015 MANAGEMENT: >STATE:1438954838,AUTH,,,
          Fri Aug 07 15:40:38 2015 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=78ce85ee a73e7eed
          Fri Aug 07 15:40:38 2015 VERIFY OK: depth=1, C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerCA
          Fri Aug 07 15:40:38 2015 VERIFY OK: nsCertType=SERVER
          Fri Aug 07 15:40:38 2015 VERIFY X509NAME OK: C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerSRVCA
          Fri Aug 07 15:40:38 2015 VERIFY OK: depth=0, C=BE, ST=Antwerp, L=Antwerp, O=customer, emailAddress=info@me.be, CN=customerSRVCA
          Fri Aug 07 15:40:39 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Fri Aug 07 15:40:39 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:40:39 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Fri Aug 07 15:40:39 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Fri Aug 07 15:40:39 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
          Fri Aug 07 15:40:39 2015 [customerSRVCA] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
          Fri Aug 07 15:40:40 2015 MANAGEMENT: >STATE:1438954840,GET_CONFIG,,,
          Fri Aug 07 15:40:41 2015 SENT CONTROL [customerSRVCA]: 'PUSH_REQUEST' (status=1)
          Fri Aug 07 15:40:41 2015 PUSH: Received control message: 'PUSH_REPLY,route 10.220.14.0 255.255.255.0,dhcp-option DOMAIN local.customer.be,dhcp-option DNS 10.220.14.82,register-dns,route 10.221.14.1,topology net30,ping 10,ping-restart 60,ifconfig 10.221.14.18 10.221.14.17'
          Fri Aug 07 15:40:41 2015 OPTIONS IMPORT: timers and/or timeouts modified
          Fri Aug 07 15:40:41 2015 OPTIONS IMPORT: --ifconfig/up options modified
          Fri Aug 07 15:40:41 2015 OPTIONS IMPORT: route options modified
          Fri Aug 07 15:40:41 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
          Fri Aug 07 15:40:41 2015 Preserving previous TUN/TAP instance: Ethernet 5
          Fri Aug 07 15:40:41 2015 Initialization Sequence Completed
          Fri Aug 07 15:40:41 2015 MANAGEMENT: >STATE:1438954841,CONNECTED,SUCCESS,10.221.14.18,x.x.x.x
          Fri Aug 07 15:40:41 2015 Start net commands...
          Fri Aug 07 15:40:41 2015 C:\WINDOWS\system32\net.exe stop dnscache
          Fri Aug 07 15:40:41 2015 MANAGEMENT: CMD 'hold off'
          Fri Aug 07 15:40:43 2015 C:\WINDOWS\system32\net.exe start dnscache
          Fri Aug 07 15:40:45 2015 C:\WINDOWS\system32\ipconfig.exe /flushdns
          Fri Aug 07 15:40:45 2015 C:\WINDOWS\system32\ipconfig.exe /registerdns

          Serverlog:
          Aug 7 15:41:22 openvpn[13517]: me/x.x.x.x:2811 send_push_reply(): safe_cap=940
          Aug 7 15:41:20 openvpn[13517]: MULTI_sva: pool returned IPv4=10.221.14.18, IPv6=(Not enabled)
          Aug 7 15:41:20 openvpn[13517]: x.x.x.x:2811 Peer Connection Initiated with [AF_INET]x.x.x.x:2811
          Aug 7 15:41:20 openvpn: user 'me' authenticated
          Aug 7 15:35:48 openvpn[13517]: me/x.x.x.x:47793 send_push_reply(): safe_cap=940
          Aug 7 15:35:46 openvpn[13517]: MULTI_sva: pool returned IPv4=10.221.14.18, IPv6=(Not enabled)
          Aug 7 15:35:46 openvpn[13517]: x.x.x.x:47793 Peer Connection Initiated with [AF_INET]x.x.x.x:47793
          Aug 7 15:35:46 openvpn: user 'me' authenticated

            Guest:

            Fri Aug 07 15:40:36 2015 [customerSRVCA] Inactivity timeout (--ping-restart), restarting

            Could it be that you should shorten the lease time of this connection or that this connection is not
            interrupted after xxx minutes of being idle?

              CM350:

              @BlueKobold:

              Fri Aug 07 15:40:36 2015 [customerSRVCA] Inactivity timeout (--ping-restart), restarting

              Could it be that you should shorten the lease time of this connection or that this connection is not
              interrupted after xxx minutes of being idle?

              You mean the keep alive command???

              To be honest, it is our first time that so many users use the VPN. Normally it is 2-3 users; now it is 5-15 users who randomly log on to the VPN.

                Guest:

                now it is 5-15 users who randomly log on to the VPN.

                Perhaps the hardware is not capable of more users?

                  CM350:

                  It's a new server, so it should be capable of doing that. If I look at the stats, cpu usage is 1-10% and memory is 23% so it is not in full load :-)

                  Do you need more information?

                    CM350:

                    I checked it again today and found this:
                    Jul 30 09:30:58 php-fpm[77172]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WANGW.

                    I guess it started here, but don't know what it means?

                      Guest:

                      Jul 30 09:30:58    php-fpm[77172]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WANGW.
                      

                      I think that these VPN endpoints got a new IP address from their ISPs!
                      They have dynamic IPs and not static (fixed) ones or a DynDNS account!  :-\

                      I guess it started here, but don't know what it means?

                      For setting up VPNs you should be sure that both endpoints of a VPN connection are
                      sorted with static IP addresses or DynDNS accounts. If these are so-called road warrior
                      setups, or the VPN endpoints are mobile clients, this might not be so bad and will run
                      smoothly, but if the VPN endpoints are also pfSense firewalls or VPN servers this will then be
                      a problem.  :o

                        CM350:

                        @BlueKobold:

                        Jul 30 09:30:58    php-fpm[77172]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WANGW.
                        

                        I think that these VPN endpoints got a new IP address from their ISPs!
                        They have dynamic IPs and not static (fixed) ones or a DynDNS account!  :-\

                        I guess it started here, but don't know what it means?

                        For setting up VPNs you should be sure that both endpoints of a VPN connection are
                        sorted with static IP addresses or DynDNS accounts. If these are so-called road warrior
                        setups, or the VPN endpoints are mobile clients, this might not be so bad and will run
                        smoothly, but if the VPN endpoints are also pfSense firewalls or VPN servers this will then be
                        a problem.  :o

                        The pfsense (OpenVPN Server) is connected to a modem which has a static WAN IP.

                        The clients are indeed laptops/desktops with the OpenVPN application and a dynamic IP. But I can't imagine they change IP every 5 minutes :).

                        Yesterday I got sick of it and rebooted the pfSense. After this the VPN clients stayed connected for over an hour (maybe 2). But now it's back to reconnecting like every 5 minutes :(.

                          Guest:

                          But now it's back to reconnecting like every 5 minutes

                          You can have a closer look at the OpenVPN settings and search for the lease time of the
                          given internal IP after connecting to the OpenVPN server. But not on the client side.

                            CM350:

                            You mean the VPN IP? I have no idea how I should do that.

                            here is my server.conf file

                            dev ovpns1
                            verb 3
                            dev-type tun
                            dev-node /dev/tun1
                            writepid /var/run/openvpn_server1.pid
                            #user nobody
                            #group nobody
                            script-security 3
                            daemon
                            keepalive 10 60
                            ping-timer-rem
                            persist-tun
                            persist-key
                            proto udp
                            cipher AES-256-CBC
                            auth SHA1
                            up /usr/local/sbin/ovpn-linkup
                            down /usr/local/sbin/ovpn-linkdown
                            client-connect /usr/local/sbin/openvpn.attributes.sh
                            client-disconnect /usr/local/sbin/openvpn.attributes.sh
                            local 192.168.200.2
                            tls-server
                            server 10.221.14.0 255.255.255.0
                            client-config-dir /var/etc/openvpn-csc
                            username-as-common-name
                            auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
                            tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'CustomerSRVCA' 1 "
                            lport 1194
                            management /var/etc/openvpn/server1.sock unix
                            push "route 10.220.14.0 255.255.255.0"
                            push "dhcp-option DOMAIN local.customer.be"
                            push "dhcp-option DNS 10.220.14.82"
                            push "register-dns"
                            ca /var/etc/openvpn/server1.ca
                            cert /var/etc/openvpn/server1.cert
                            key /var/etc/openvpn/server1.key
                            dh /etc/dh-parameters.2048
                            tls-auth /var/etc/openvpn/server1.tls-auth 0
                            comp-lzo no
                            persist-remote-ip
                            float
                            topology subnet

                              CM350:
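The two technical pieces of this thread are the client log posted earlier (connect, then "Inactivity timeout (--ping-restart)" a few minutes later) and the `keepalive 10 60` line in the server.conf above. The following Python script is an added example, not code from the thread, from pfSense or from OpenVPN: it pulls the connect and ping-restart events out of client-log lines, reports how long each session lived, and derives the timers that a server-side `keepalive interval timeout` expands to (per the OpenVPN manual) so they can be compared with the `ping`/`ping-restart` values the server actually pushes in PUSH_REPLY. The sample log lines and PUSH_REPLY string are constructed from the values posted in the thread; the function names are this example's own.

```python
"""Added example (not from the forum thread, pfSense or OpenVPN): measure
OpenVPN client session lifetimes from log lines and check that the timers
pushed in PUSH_REPLY are what a server-side `keepalive` should produce."""
import re
from datetime import datetime

# Constructed sample: the connect/timeout lines with the timestamps from the
# client log posted in the thread (all other log lines omitted).
SAMPLE_LOG = """\
Fri Aug 07 15:24:34 2015 Initialization Sequence Completed
Fri Aug 07 15:35:01 2015 [customerSRVCA] Inactivity timeout (--ping-restart), restarting
Fri Aug 07 15:35:07 2015 Initialization Sequence Completed
Fri Aug 07 15:40:36 2015 [customerSRVCA] Inactivity timeout (--ping-restart), restarting
Fri Aug 07 15:40:41 2015 Initialization Sequence Completed
"""

# Constructed sample: the PUSH_REPLY control message from the same client log.
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,route 10.220.14.0 255.255.255.0,"
    "dhcp-option DOMAIN local.customer.be,dhcp-option DNS 10.220.14.82,"
    "register-dns,route 10.221.14.1,topology net30,ping 10,ping-restart 60,"
    "ifconfig 10.221.14.18 10.221.14.17"
)

TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")


def parse_events(log_text):
    """Return [(timestamp, kind)] for each 'Initialization Sequence Completed'
    line (kind 'up') and each 'Inactivity timeout (--ping-restart)' line
    (kind 'ping-restart'); every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Initialization Sequence Completed"):
            kind = "up"
        elif "Inactivity timeout" in msg and "ping-restart" in msg:
            kind = "ping-restart"   # substring test also survives mangled dashes
        else:
            continue
        events.append((datetime.strptime(m.group("ts"), TS_FMT), kind))
    return events


def session_lengths(events):
    """Seconds each session stayed up before a ping-restart ended it.
    A session still open at the end of the log is not reported."""
    lengths = []
    up_at = None
    for ts, kind in events:
        if kind == "up":
            up_at = ts
        elif kind == "ping-restart" and up_at is not None:
            lengths.append(int((ts - up_at).total_seconds()))
            up_at = None
    return lengths


def keepalive_timers(interval, timeout):
    """What a server-side `keepalive interval timeout` expands to (OpenVPN
    manual): the server pings every `interval` seconds and restarts after
    2*timeout seconds of silence; clients are pushed `ping interval` and
    `ping-restart timeout`, so the client side always times out first."""
    return {
        "server_ping": interval,
        "server_ping_restart": 2 * timeout,
        "pushed_ping": interval,
        "pushed_ping_restart": timeout,
    }


def pushed_timers(push_reply):
    """Extract the `ping` and `ping-restart` values from a PUSH_REPLY string."""
    timers = {}
    for option in push_reply.split(",")[1:]:
        parts = option.split()
        if len(parts) == 2 and parts[0] in ("ping", "ping-restart"):
            timers[parts[0]] = int(parts[1])
    return timers


def push_matches_keepalive(push_reply, interval, timeout):
    """True when the pushed timers are exactly what `keepalive` should produce."""
    expected = keepalive_timers(interval, timeout)
    pushed = pushed_timers(push_reply)
    return (pushed.get("ping") == expected["pushed_ping"]
            and pushed.get("ping-restart") == expected["pushed_ping_restart"])


if __name__ == "__main__":
    print("session lengths (s):", session_lengths(parse_events(SAMPLE_LOG)))  # [627, 329]
    print("keepalive 10 60 ->", keepalive_timers(10, 60))
    print("push matches keepalive:", push_matches_keepalive(SAMPLE_PUSH_REPLY, 10, 60))
```

On the thread's own timestamps the script reports sessions of 627 s and 329 s, and confirms that the pushed `ping 10,ping-restart 60` is exactly what `keepalive 10 60` produces (with the server side restarting only after 120 s). Because the client restarts after 60 s without any packet from the server, each ping-restart line means roughly a minute of server silence preceded it, which is the window to look at in a packet capture on the WAN side when comparing the UDP and TCP servers.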

                              Okay, did some more testing.

                              Created a new OpenVPN server, changed it to TCP port 1195.

                              Looks like a breakthrough, now it is connected for almost 3 hours without a disconnect.

                              It doesn't make sense though…

                              I'll keep you posted

                                CM350:

                                After hours of testing it looks solved.

                                We are slowly going to update the clients' VPN files to the new port.

                                Can someone tell me this is even possible? Is this solution even recommended?

                                  divsys:

                                  Well using a port other than the default 1194 is definitely possible and if it solves your problem, I'd say it's advisable…

                                  I often use ports other than 1194 for OpenVPN if only to avoid conflicts/blocking/port spying/etc.

                                  Just a guess on my part but your scenario could easily involve ISP "managing" OpenVPN traffic or possibly some DOS/malware/spying trying out your OpenVPN port.

                                  -jfp

                                    CM350:

                                    @divsys:

                                    Well using a port other than the default 1194 is definitely possible and if it solves your problem, I'd say it's advisable…

                                    I often use ports other than 1194 for OpenVPN if only to avoid conflicts/blocking/port spying/etc.

                                    Just a guess on my part but your scenario could easily involve ISP "managing" OpenVPN traffic or possibly some DOS/malware/spying trying out your OpenVPN port.

                                    A possibility yes. But not sure.

                                    I've put the 2 Mac clients on another server; maybe it's them (I don't have a lot of experience with Mac clients).

                                    But it still works like a train, so client is happy and we are happy ;-) !

                                    Thanks all!

                                      billsecond (replying to CM350):

                                      @CM350 Changing from UDP to TCP also worked for me. Same port is fine. But I think the ISP may have been having issues with UDP.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.