VPN client times out, can't reconnect. Requires service restart.
-
My solution is not the most elegant, but it seems to be working. I run this script every 10 minutes via cron.
```sh
#!/bin/sh
#updated 2016-02-05
if ping -c3 XXX.XXX.XXX.XXX; then
  #do nothing (":" is a no-op; sh does not allow an empty then-branch)
  :
else
  #log time
  touch /root/timestamps.txt
  date "+%Y-%m-%d %H:%M:%S" >> /root/timestamps.txt
  #restart vpn clients
  for i in `seq 30`
  do
    /usr/local/sbin/pfSsh.php playback svc restart openvpn client $i
  done
fi
exit 0
```
XXX.XXX.XXX.XXX = an internal IP address only accessible through the VPN. For example, if your VPN provider has an internal DNS server with a static IP or always uses 172.16.0.1 as the gateway.
If you only use one VPN client, you can get rid of the for loop and just run the command with $i replaced by your client number. I use multiple client connections and don't want to hardcode numbers in the script. As far as I can tell, there is no way to restart only active clients.
```sh
echo "" | php -q
```
The above command will restart running clients and servers. It worked on the command line but didn't work for me via cron/scripting. Maybe it was something as simple as needing the full path for php. I probably won't bother to investigate further unless my solution stops working.
-
Even though it is a nice work around, it's no option for me, as it will also kill running connections (uploads, downloads, ssh) …
I really wonder why this started happening... :-\
-
If you're having the same problem that I have, you don't have any connection through the VPN anyway, so there's nothing left to kill with a restart. Everything has timed out by the time 1-10 minutes pass and the script kicks in. Obviously you can run it more frequently if needed.
The script only resets VPN clients, and you can specify which ones if you don't want to reset everything. You can even direct pings through specific interfaces and then reset VPN clients on a per-connection basis. I didn't need that for my situation, so I did all or nothing.
```sh
for i in `ifconfig | cut -d: -f1 | grep ovpnc`
do
  #ping address through interface $i
  #restart $i if ping fails
  :
done
```
Maybe that would be more useful for you.
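Here is a fleshed-out version of that per-interface idea, combined with the timestamp logging discussed later in the thread. This is an added example, not the script posted above; it assumes pfSense names OpenVPN client interfaces ovpncN where N is the client number pfSsh.php expects, and that FreeBSD ping's -S option binds the probe's source address so it leaves via that tunnel.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ovpncN interface naming and
# that `ping -S <src>` routes the probe out of the tunnel owning <src>.
TARGET="${TARGET:-172.16.0.1}"            # reachable only through the VPN
LOGFILE="${LOGFILE:-/root/timestamps.txt}"
PFSSH="${PFSSH:-/usr/local/sbin/pfSsh.php}"

# ovpnc3 -> 3 ; any other name -> empty string
client_number() {
    case "$1" in
        ovpnc*) printf '%s\n' "${1#ovpnc}" ;;
        *)      printf '\n' ;;
    esac
}

# Pick ovpncN interface names out of `ifconfig` output read from stdin
ovpn_ifaces() {
    awk -F: '/^ovpnc[0-9]+:/ {print $1}'
}

# First IPv4 address in `ifconfig IFACE` output read from stdin
iface_addr() {
    awk '/^[[:space:]]*inet / {print $2; exit}'
}

# Append "timestamp iface" to the log; print the new line count (wc -l)
log_restart() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$2"
    wc -l < "$2" | tr -d ' '
}

# Probe each client tunnel separately; restart only the ones that fail
check_and_restart() {
    ifconfig | ovpn_ifaces | while read -r ifc; do
        src=$(ifconfig "$ifc" | iface_addr)
        [ -n "$src" ] || continue
        if ! ping -c3 -S "$src" "$TARGET" >/dev/null 2>&1; then
            log_restart "$ifc" "$LOGFILE" >/dev/null
            "$PFSSH" playback svc restart openvpn client "$(client_number "$ifc")"
        fi
    done
}

# Only run the check when invoked with VPNCHECK_RUN=1 (e.g. from cron)
if [ -n "$VPNCHECK_RUN" ]; then check_and_restart; fi
```

Run it from cron as `VPNCHECK_RUN=1 /root/vpncheck.sh`; the line count printed by log_restart is the same number "wc -l /root/timestamps.txt" gives.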
-
Yea same thing happens to me and this looks like a pretty cool work around. I'll give it a whirl when I can get back in town and reset my openvpn interface as I'm currently locked out now.
Thx
-
Since I only have one VPN client, it should probably look something like this correct??
```sh
#!/bin/sh
if ping -c3 XXX.XXX.XXX.XXX; then
  #do nothing (":" is a no-op; sh does not allow an empty then-branch)
  :
else
  #restart vpn clients
  /usr/local/sbin/pfSsh.php playback svc restart openvpn client $i
fi
exit 0
```
Also, is there a way to track how many/often it restarts your VPN
-
Just replace $i with your client number (probably 1) and you should be good to go.
If you look at Status > OpenVPN in pfSense, you can see the last restart time (connected since …). You can also check the OpenVPN log files for restarts. Depending on what your verbosity level is set at and how long between restarts, you will probably see at least 1-2 restarts in there. It will also show in the System > General logs. Look for "pfSsh.php: OpenVPN ID client## PID #### still running, killing."
You could modify the script to increment a counter and write it to a file every time it restarts the VPN. You could even have it put in a time stamp. ...Actually, I like this idea. I may implement it myself. A long enough series of time stamps may help me track down my problem.
EDIT: I added this below the "else" in my script. EDIT 2: note that I have already added this to the script posted above.
```sh
#log time
touch /root/timestamps.txt
date "+%Y-%m-%d %H:%M:%S" >> /root/timestamps.txt
```
You could run "wc -l /root/timestamps.txt" to get a count.
-
Sweet! I really like that timestamp addition to the script. And yea, I would like to have some kind of way to monitor it and make sure it doesn't cause probs or conflict with anything.
Also, would it be something you would have to manually check from time to time, or is there a way the script could notify you by email or something when it restarts? Not that important really, just brainstorming here. It would be nice.
-
As is, it would have to be checked periodically. You can definitely send e-mails via script. You may even be able to use the e-mail notification function built into pfSense, rather than scripting it all manually.
The difficulty I have is that I don't have access to a trustworthy SMTP server to test with. This isn't something I'm familiar with, so I wouldn't be able to whip out a script and say "fill in the blanks." I'd have to experiment and learn as I go.
-
Yea I hear ya, just curious really. I'll use it as an educational opportunity and look into it myself as well.
Anyways, thanks again!
-
You could run "wc -l /path/to/timestamp/file" to get a count.
Where do I run this? On the CLI in putty? When I did I got "no such file name exists blah, blah, blah"
Is it because it has yet to report an OpenVPN restart yet?
-
You run that on the command line using putty or through the pfSense web interface. I assume you're putting the full path to wherever you have the timestamp file. When I used the relative path, like in the script I posted, it put the file at /var/log/timestamps.txt (which is not the location I expected). If you're not sure where it is, you can run this to find the absolute path:
```sh
find / -name "timestamps.txt"
```
In light of the above issue, I would recommend editing the script and changing "./timestamps.txt" to "/root/timestamps.txt" or some other absolute path so there is no question as to where it is. I will go back and change what I posted earlier.
If the script hasn't kicked in and restarted your VPN yet, the file won't exist. If you want to see what the file will look like, run this from the command line:

```sh
date "+%Y-%m-%d %H:%M:%S" >> /absolute/path/to/timestamps.txt
```

That will create the file, insert a timestamp, and then you should be able to run the "wc" command (with absolute path) successfully with a result of 1.

* I'm not sure how much you know about this stuff, so I apologize if the absolute/relative path comments are unnecessary.