OpenVPN Client dropping every second state
-
On the states page, do not filter by interface. Instead, search for your local client IP address or the target (e.g. 1.1.1.1). Maybe it's not leaving the interface you expect.
Also check the output of netstat -rnW, maybe somehow you have two interfaces trying to use 10.33.10.5 as a gateway or some other overlap.
-
This shows the failed connection leaving PIA_VPN, which is expected:
Here is the established connection, which also uses PIA_VPN:
Doesn't appear to be an overlap:
Routing tables

Internet:
Destination        Gateway        Flags  Use        Mtu    Netif    Expire
default            10.20.25.94    UGS    1451581    1492   pppoe0
10.0.10.1          10.33.10.5     UGHS   35305      1500   ovpnc1
10.1.1.0/24        link#1         U      47727506   1500   em0
10.1.1.1           link#1         UHS    473        16384  lo0
10.1.10.0/24       link#7         U      81380177   1500   em0.10
10.1.10.254        link#7         UHS    449        16384  lo0
10.1.20.0/24       link#8         U      544311     1500   em0.20
10.1.20.254        link#8         UHS    342        16384  lo0
10.1.30.0/24       link#9         U      299944     1500   em0.30
10.1.30.254        link#9         UHS    342        16384  lo0
10.1.40.0/24       link#10        U      0          1500   em0.40
10.1.40.254        link#10        UHS    418        16384  lo0
10.1.50.0/24       link#11        U      20793343   1500   em0.50
10.1.50.254        link#11        UHS    418        16384  lo0
10.1.60.0/24       link#14        U      108474     1500   em0.60
10.1.60.254        link#14        UHS    200        16384  lo0
10.1.70.0/24       link#15        U      0          1500   em0.70
10.1.70.1          link#16        UHS    0          16384  lo0
10.1.70.2          link#16        UH     15800      1500   ovpns2
10.1.70.254        link#15        UHS    418        16384  lo0
10.1.250.0/30      link#17        U      131423     1500   em0.250
10.1.250.2         link#17        UHS    347        16384  lo0
10.20.25.94        link#12        UH     332337     1492   pppoe0
10.33.10.5         link#13        UH     6          1500   ovpnc1
10.33.10.6         link#13        UHS    0          16384  lo0
110.174.116.92     link#12        UHS    1          16384  lo0
127.0.0.1          link#2         UH     244147684  16384  lo0
-
From the states, it looks like the traffic is exiting the firewall OK. The issue could be with PIA. Do you have two clients connected to the same account? They may be trying to load balance return traffic if your account has a static IP address and two active connections.
-
I highly doubt there is another client, but I've changed the account credentials to ensure that any device I may have had connected is removed. This hasn't fixed it so I think I may need to speak to their support in case they're familiar with this problem. I'll update this thread if I solve the problem. Thanks for your time!
-
So PIA support noticed that the Failed connections' source was 10.1.70.1, which is my OpenVPN server's network. Disabling the server fixed the issue. Now I need to determine why this is happening so I can re-enable the server. They suggested I use manual outbound NAT rather than hybrid NAT, but that hasn't changed anything.
-
@ooimo said in OpenVPN Client dropping every second state:
10.1.70.0/24       link#15        U      0          1500   em0.70
10.1.70.1          link#16        UHS    0          16384  lo0
10.1.70.2          link#16        UH     15800      1500   ovpns2
10.1.70.254        link#15        UHS    418        16384  lo0
For starters, it looks like you are using the same network as a tunnel network and the numbering on em0.70.
They must be different.
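The overlap pointed out above can be checked mechanically from `netstat -rnW` output. This is an added example, not part of the original posts: `SAMPLE` is a constructed subset of the routes posted in this thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a subset of the routes posted in this thread (netstat -rnW).
SAMPLE = """\
Destination        Gateway        Flags  Use        Mtu    Netif
default            10.20.25.94    UGS    1451581    1492   pppoe0
10.1.60.0/24       link#14        U      108474     1500   em0.60
10.1.60.254        link#14        UHS    200        16384  lo0
10.1.70.0/24       link#15        U      0          1500   em0.70
10.1.70.1          link#16        UHS    0          16384  lo0
10.1.70.2          link#16        UH     15800      1500   ovpns2
10.1.70.254        link#15        UHS    418        16384  lo0
10.33.10.5         link#13        UH     6          1500   ovpnc1
10.33.10.6         link#13        UHS    0          16384  lo0
"""

def parse_routes(text):
    """Return (destination, gateway, flags, netif) for each IPv4 route line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue  # titles, blank lines
        try:
            dest = ipaddress.IPv4Network(f[0], strict=False)
        except ValueError:
            continue  # header row, "default", IPv6 entries
        routes.append((dest, f[1], f[2], f[5]))
    return routes

def find_overlaps(routes):
    """Flag host routes that sit inside a connected subnet owned by another link."""
    # Connected subnets: gateway is link#N and the route is not a host (H) route.
    subnets = [(d, gw, nif) for d, gw, fl, nif in routes
               if gw.startswith("link#") and "H" not in fl]
    hits = []
    for d, gw, fl, nif in routes:
        if "H" not in fl or not gw.startswith("link#"):
            continue
        for net, net_gw, net_if in subnets:
            # Same subnet, different link index: two interfaces share the range.
            if d.subnet_of(net) and gw != net_gw:
                hits.append((str(d.network_address), nif, gw, str(net), net_if))
    return hits

if __name__ == "__main__":
    for host, nif, gw, net, net_if in find_overlaps(parse_routes(SAMPLE)):
        print(f"{host} ({gw}, {nif}) is inside {net} on {net_if}")
```

On the sample it reports 10.1.70.1 and 10.1.70.2 (link#16, the ovpns2 tunnel) as sitting inside 10.1.70.0/24 on em0.70 (link#15).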
-
I see, do I specify the PIA client's tunnel network in the client configuration?
-
That is on an OpenVPN server, not a client.
-
I think I solved it by changing the outbound NAT from "OpenVPN Address" to "PIA_VPN Address".
This is what the states now look like:
And this is the output of netstat -rnW:

Routing tables

Internet:
Destination        Gateway        Flags  Use        Mtu    Netif    Expire
default            10.20.25.96    UGS    13372704   1492   pppoe0
10.0.10.1          10.88.10.5     UGHS   17379      1500   ovpnc1
10.1.1.0/24        link#1         U      51920099   1500   em0
10.1.1.1           link#1         UHS    473        16384  lo0
10.1.10.0/24       link#7         U      96185720   1500   em0.10
10.1.10.254        link#7         UHS    449        16384  lo0
10.1.20.0/24       link#8         U      1623465    1500   em0.20
10.1.20.254        link#8         UHS    342        16384  lo0
10.1.30.0/24       link#9         U      319811     1500   em0.30
10.1.30.254        link#9         UHS    342        16384  lo0
10.1.40.0/24       link#10        U      0          1500   em0.40
10.1.40.254        link#10        UHS    418        16384  lo0
10.1.50.0/24       link#11        U      26192375   1500   em0.50
10.1.50.254        link#11        UHS    418        16384  lo0
10.1.60.0/24       link#14        U      23111437   1500   em0.60
10.1.60.254        link#14        UHS    200        16384  lo0
10.1.70.0/24       link#15        U      0          1500   em0.70
10.1.70.1          link#16        UHS    0          16384  lo0
10.1.70.2          link#16        UH     0          1500   ovpns2
10.1.70.254        link#15        UHS    0          16384  lo0
10.1.250.0/30      link#17        U      184733     1500   em0.250
10.1.250.2         link#17        UHS    347        16384  lo0
10.20.25.96        link#12        UH     274490     1492   pppoe0
10.88.10.5         link#13        UH     6          1500   ovpnc1
10.88.10.6         link#13        UHS    0          16384  lo0
27.33.144.81       link#12        UHS    2          16384  lo0
127.0.0.1          link#2         UH     269295168  16384  lo0
I couldn't see anything about this in the tutorial. Thanks for your help :)
-
10.1.70.0/24 still looks wrong.
-
That's the OpenVPN server's tunnel network. Clients that are connected get put in that range. What's the correct way to do it?
-
It's in the same subnet as em0.70. It shouldn't be.
-
I wasn't looking at the 10.1.70.x but yeah that does overlap.
Also "OpenVPN" is an interface group not an interface, so using it as a NAT destination may not always do what you expect, especially for outbound NAT since it would effectively round-robin in that way for outbound.
-
@jimp said in OpenVPN Client dropping every second state:
Also "OpenVPN" is an interface group not an interface, so using it as a NAT destination may not always do what you expect, especially for outbound NAT since it would effectively round-robin in that way for outbound.
Yeah I didn't realise it would round robin like that but now I do.
@derelict said in OpenVPN Client dropping every second state:
10.1.70.0/24 still looks wrong.
I removed that em0.70 interface and configured the server properly. Now that route isn't there, which is good.