Restarting OpenVPN interrupts non-VPN traffic

mig

I run an OpenVPN client connection to GhostVPN server(s) on 2.4.4-RELEASE-p3. It worked well for over a year but I had to rebuild my pfSense (after system "Halt" it looped on reboot stating that it was not shut down properly; booting from USB and fixing with fsck did not help so I had to reinstall). Anyway, rebuilt it with the old config but since then I am having two odd and related VPN problems.

As you can see OpenVPN client connects fine to the server (and logs look fine too):

The first problem is that for some reason VPN gets no "Monitor IP" responses (as a matter of fact - no incoming packets of any kind) so it disconnects with "Inactivity timeout (--ping-restart), restarting". If anyone has ideas what can be wrong or how to debug it - please help. Even that fails:

ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::4262:31ff:fe02:cb65%ovpnc2 prefixlen 64 scopeid 0xe
        inet 10.203.1.151 --> 10.203.1.1 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
        Opened by PID 99100
[2.4.4-RELEASE][admin@Firewall.localdomain]: traceroute -i ovpnc2 10.203.1.151
traceroute to 10.203.1.151 (10.203.1.151), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
...

Second problem, rather weird, is that each OpenVPN client restart (every few minutes due to periodic "ping-restart") causes all LAN clients which do not use VPN at all to briefly lose connection (pings to the Internet go to >500ms, SSH/HTTPS sessions drop, streaming stops). I disabled all VPN-related rules (including NAT) and it appears that merely starting openvpn client causes this interruption. Any ideas what may be going on and/or how to avoid this interference?

mig

I am guessing this problem is as puzzling for everybody as it is for me...

Anyway - a question: how can I disable "ping-restart 60" in pfSense to avoid the VPN tunnel constantly going up and down? Need this to debug the connectivity issues without constant VPN reconnects. I tried to add ping-restart 0 to OpenVPN-Clients-"Advanced configuration"-"Custom options" but it doesn't suppress ping-restarts (seems that the parameter --ping-restart 60 is supplied to OpenVPN in the command line and this overrides the config file).

mig

Still need help... OK, let me post some screenshots, maybe someone will have an idea.

Firstly, OpenVPN has no trouble connecting (so, I guess, no point in posting conf files here) and I see in the logs "Initialization Sequence Completed":

Mar 2 19:39:01	openvpn	73818	SENT CONTROL [84.247.48.2-1580253440]: 'PUSH_REQUEST' (status=1)
Mar 2 19:39:01	openvpn	73818	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.101.0.243,route-gateway 10.203.2.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.203.2.215 255.255.255.0,peer-id 16'
Mar 2 19:39:01	openvpn	73818	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Mar 2 19:39:01	openvpn	73818	Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Mar 2 19:39:01	openvpn	73818	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: timers and/or timeouts modified
Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: --ifconfig/up options modified
Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: route-related options modified
Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: peer-id set
Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: adjusting link_mtu to 1625
Mar 2 19:39:01	openvpn	73818	Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Mar 2 19:39:01	openvpn	73818	Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 2 19:39:01	openvpn	73818	Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 2 19:39:01	openvpn	73818	Preserving previous TUN/TAP instance: ovpnc2
Mar 2 19:39:01	openvpn	73818	Initialization Sequence Completed

However, it soon disconnects and tries to reconnect because there is no ping-reply from the Monitor IP (I tried many IPs just in case, none works):

Mar 2 19:37:50	openvpn	73818	Initialization Sequence Completed
Mar 2 19:38:00	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:10	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:20	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:30	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:40	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:50	openvpn	73818	[84.247.48.2-1580253440] Inactivity timeout (--ping-restart), restarting
Mar 2 19:38:50	openvpn	73818	TCP/UDP: Closing socket
Mar 2 19:38:50	openvpn	73818	SIGUSR1[soft,ping-restart] received, process restarting
Mar 2 19:38:50	openvpn	73818	Restart pause, 10 second(s)

OpenVPN goes as a yo-yo up and down and it's hard to debug anything because random IPs are being assigned (that's why I really would love to know how to turn off "ping-restart" for debugging).

Output of ifconfig:

ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::4262:31ff:fe02:cb65%ovpnc2 prefixlen 64 scopeid 0xd
        inet 10.203.2.215 --> 10.203.2.1 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
        Opened by PID 73818

Routing table (removed IPv6 as it's off):

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            cpc119588-heme14-2 UGS        igb5
dns9.quad9.net     cpc119588-heme14-2 UGHS       igb5
10.203.2.0/24      10.203.2.1         UGS      ovpnc2
10.203.2.1         link#13            UH       ovpnc2
10.203.2.215       link#13            UHS         lo0
82.22.94.0/24      link#6             U          igb5
cpc119588-heme14-2 link#6             UHS         lo0
84.247.48.18       10.203.2.215       UGHS        lo0
unicast.censurfrid cpc119588-heme14-2 UGHS       igb5
localhost          link#8             UH          lo0
192.168.0.0/23     link#12            U       bridge0
192.168.1.1        link#12            UHS         lo0

Packet capture for "ping 84.247.48.18":

19:33:30.890347 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 872, length 8
19:33:31.403928 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 873, length 8
19:33:31.911709 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 874, length 8
19:33:32.443954 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 875, length 8
19:33:32.976210 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 876, length 8
19:33:33.482622 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 877, length 8
19:33:33.988983 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 878, length 8
19:33:34.521237 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 879, length 8
19:33:35.053494 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 880, length 8
19:33:35.555600 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 881, length 8

Output of "traceroute -i ovpnc2 1.1.1.1":

[2.4.4-RELEASE][admin@Firewall.localdomain]/root: traceroute -i ovpnc2 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
^C

Any ideas? Pretty please!

RHLinux

@mig

I have this exact same issue... it seems that openVPN clients that go down affect other non-related openVPN clients and LAN gateways to go down... Not all gateways, but certain ones. At first I though it might be related to having gateway groups setup, but when disabling all of those I still have the issue.

I sure would like to know why they are inter-linked....

RHLinux

mig

FWIW I never figured out why OpenVPN restarts interfere with traffic over other interfaces. I was able to resolve my OpenVPN connectivity problem and when the tunnel is stable (like it should be and like it is in majority of cases), naturally, there is no interference.

To summarise:

I do believe that there is a bug (when OpenVPN starts at least some connections on other interfaces drop) which manifests itself only rarely because properly configured OpenVPN does not do "yo-yo" restarts.
It appears impossible to disable 60-second "ping-restart" which is not good when one needs to debug an OpenVPN connectivity problems.

Derelict

Impossible?

Screen Shot 2020-03-14 at 2.11.15 PM.png

mig

Thanks but I cannot find "Ping settings" anywhere in the menus. Please tell me where it is.

Derelict

OpenVPN Server.

mig

I only run the client and I have no control of the server - it's a commercial VPN provider.

To clarify the problem - is it possible to avoid pfSense's OpenVPN client from automatically reconnecting when there is no ping reply? It makes debugging a connection nearly impossible (one typically only has <60 seconds before the client drops the connection and attempts to reconnect).

Derelict

Then in the client, but the server will still have its own ping/keepalive times.

They are generally necessary. If it dies for a minute you want to reestablish the connection anyway.

If you rebuilt with the old config it will be working the same way and any difference can be attributed to something else, perhaps misperception or misblame, but not that.

Everything there is to know is here:

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

See Also: ping, ping-restart, and the keepalive helper to manage them both.

Rico

"Ping settings" are available in both, Open VPN Server and Client, but in 2.4.5-RC not 2.4.4-RELEASE-p3.

-Rico

Derelict

Ah. You'll have to use the keywords in advanced options in 2.4.4-p3 I guess. Thanks. Still not "impossible."

mig

@mig said in Restarting OpenVPN interrupts non-VPN traffic:

I tried to add ping-restart 0 to OpenVPN-Clients-"Advanced configuration"-"Custom options" but it doesn't suppress ping-restarts

Www.pelispedia.cloud

This post is deleted!