Restarting OpenVPN interrupts non-VPN traffic
-
I run an OpenVPN client connection to GhostVPN server(s) on 2.4.4-RELEASE-p3. It worked well for over a year but I had to rebuild my pfSense (after system "Halt" it looped on reboot stating that it was not shut down properly; booting from USB and fixing with fsck did not help so I had to reinstall). Anyway, rebuilt it with the old config but since then I am having two odd and related VPN problems.
As you can see OpenVPN client connects fine to the server (and logs look fine too):
The first problem is that for some reason VPN gets no "Monitor IP" responses (as a matter of fact - no incoming packets of any kind) so it disconnects with "Inactivity timeout (--ping-restart), restarting". If anyone has ideas what can be wrong or how to debug it - please help. Even that fails:
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::4262:31ff:fe02:cb65%ovpnc2 prefixlen 64 scopeid 0xe
        inet 10.203.1.151 --> 10.203.1.1 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
        Opened by PID 99100
[2.4.4-RELEASE][admin@Firewall.localdomain]: traceroute -i ovpnc2 10.203.1.151
traceroute to 10.203.1.151 (10.203.1.151), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
...
Second problem, rather weird, is that each OpenVPN client restart (every few minutes due to periodic "ping-restart") causes all LAN clients which do not use VPN at all to briefly lose connection (pings to the Internet go to >500ms, SSH/HTTPS sessions drop, streaming stops). I disabled all VPN-related rules (including NAT) and it appears that merely starting openvpn client causes this interruption. Any ideas what may be going on and/or how to avoid this interference?
-
I am guessing this problem is as puzzling for everybody as it is for me...
Anyway - a question: how can I disable "ping-restart 60" in pfSense to avoid the VPN tunnel constantly going up and down? Need this to debug the connectivity issues without constant VPN reconnects. I tried to add
ping-restart 0
to OpenVPN-Clients-"Advanced configuration"-"Custom options" but it doesn't suppress ping-restarts (seems that the parameter
--ping-restart 60
is supplied to OpenVPN in the command line and this overrides the config file).
-
Still need help... OK, let me post some screenshots, maybe someone will have an idea.
Firstly, OpenVPN has no trouble connecting (so, I guess, no point in posting conf files here) and I see in the logs "Initialization Sequence Completed":
Mar 2 19:39:01 openvpn 73818 SENT CONTROL [84.247.48.2-1580253440]: 'PUSH_REQUEST' (status=1)
Mar 2 19:39:01 openvpn 73818 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.101.0.243,route-gateway 10.203.2.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.203.2.215 255.255.255.0,peer-id 16'
Mar 2 19:39:01 openvpn 73818 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Mar 2 19:39:01 openvpn 73818 Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Mar 2 19:39:01 openvpn 73818 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Mar 2 19:39:01 openvpn 73818 OPTIONS IMPORT: timers and/or timeouts modified
Mar 2 19:39:01 openvpn 73818 OPTIONS IMPORT: --ifconfig/up options modified
Mar 2 19:39:01 openvpn 73818 OPTIONS IMPORT: route-related options modified
Mar 2 19:39:01 openvpn 73818 OPTIONS IMPORT: peer-id set
Mar 2 19:39:01 openvpn 73818 OPTIONS IMPORT: adjusting link_mtu to 1625
Mar 2 19:39:01 openvpn 73818 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Mar 2 19:39:01 openvpn 73818 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 2 19:39:01 openvpn 73818 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 2 19:39:01 openvpn 73818 Preserving previous TUN/TAP instance: ovpnc2
Mar 2 19:39:01 openvpn 73818 Initialization Sequence Completed
However, it soon disconnects and tries to reconnect because there is no ping-reply from the Monitor IP (I tried many IPs just in case, none works):
Mar 2 19:37:50 openvpn 73818 Initialization Sequence Completed
Mar 2 19:38:00 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:10 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:20 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:30 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:40 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:50 openvpn 73818 [84.247.48.2-1580253440] Inactivity timeout (--ping-restart), restarting
Mar 2 19:38:50 openvpn 73818 TCP/UDP: Closing socket
Mar 2 19:38:50 openvpn 73818 SIGUSR1[soft,ping-restart] received, process restarting
Mar 2 19:38:50 openvpn 73818 Restart pause, 10 second(s)
OpenVPN goes as a yo-yo up and down and it's hard to debug anything because random IPs are being assigned (that's why I really would love to know how to turn off "ping-restart" for debugging).
Output of ifconfig:
ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::4262:31ff:fe02:cb65%ovpnc2 prefixlen 64 scopeid 0xd
        inet 10.203.2.215 --> 10.203.2.1 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
        Opened by PID 73818
Routing table (removed IPv6 as it's off):
Routing tables

Internet:
Destination         Gateway             Flags     Netif Expire
default             cpc119588-heme14-2  UGS        igb5
dns9.quad9.net      cpc119588-heme14-2  UGHS       igb5
10.203.2.0/24       10.203.2.1          UGS      ovpnc2
10.203.2.1          link#13             UH       ovpnc2
10.203.2.215        link#13             UHS         lo0
82.22.94.0/24       link#6              U          igb5
cpc119588-heme14-2  link#6              UHS         lo0
84.247.48.18        10.203.2.215        UGHS        lo0
unicast.censurfrid  cpc119588-heme14-2  UGHS       igb5
localhost           link#8              UH          lo0
192.168.0.0/23      link#12             U       bridge0
192.168.1.1         link#12             UHS         lo0
Packet capture for "ping 84.247.48.18":
19:33:30.890347 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 872, length 8
19:33:31.403928 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 873, length 8
19:33:31.911709 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 874, length 8
19:33:32.443954 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 875, length 8
19:33:32.976210 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 876, length 8
19:33:33.482622 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 877, length 8
19:33:33.988983 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 878, length 8
19:33:34.521237 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 879, length 8
19:33:35.053494 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 880, length 8
19:33:35.555600 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 881, length 8
Output of "traceroute -i ovpnc2 1.1.1.1":
[2.4.4-RELEASE][admin@Firewall.localdomain]/root: traceroute -i ovpnc2 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
^C
Any ideas? Pretty please!
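The posted logs contain two signals that are easy to miss when the tunnel is flapping every minute: the exact interval between "Initialization Sequence Completed" and the ping-restart, and the "Bad compression stub" lines in between. OpenVPN logs that line for a data-channel packet it did receive but whose compression header byte it did not expect, so the tunnel is not actually silent in the incoming direction; 0x42 is the byte OpenVPN's LZO mode places on a compressed packet, which is why a compression-setting mismatch between client and server is the first thing to rule out. The script below is an added example, not code from this thread or from pfSense: it parses the pfSense syslog format shown above, splits the log into up/down cycles, and reports the uptime, the pushed ping-restart value and the count of rejected packets per cycle. The sample log is a constructed condensation of the lines quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample log, condensed from the lines quoted in this thread
# (pfSense 2.4.4 syslog format: "Mon D HH:MM:SS openvpn PID message").
SAMPLE_LOG = """\
Mar 2 19:37:50 openvpn 73818 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 10,ping-restart 60,ifconfig 10.203.2.215 255.255.255.0,peer-id 16'
Mar 2 19:37:50 openvpn 73818 Initialization Sequence Completed
Mar 2 19:38:00 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:10 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:20 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:30 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:40 openvpn 73818 Bad compression stub (swap) decompression header byte: 42
Mar 2 19:38:50 openvpn 73818 [84.247.48.2-1580253440] Inactivity timeout (--ping-restart), restarting
Mar 2 19:38:50 openvpn 73818 TCP/UDP: Closing socket
Mar 2 19:38:50 openvpn 73818 SIGUSR1[soft,ping-restart] received, process restarting
Mar 2 19:38:50 openvpn 73818 Restart pause, 10 second(s)
Mar 2 19:39:01 openvpn 73818 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 10,ping-restart 60,ifconfig 10.203.2.215 255.255.255.0,peer-id 16'
Mar 2 19:39:01 openvpn 73818 Initialization Sequence Completed
"""

# "Mon D HH:MM:SS openvpn PID rest-of-message"; the day may be one or two digits.
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) openvpn (\d+) (.*)$")
PING_RESTART_RE = re.compile(r"ping-restart (\d+)")


def parse_timestamp(month, day, clock):
    """Syslog stamps carry no year; the default 1900 is fine since only differences are used."""
    return datetime.strptime(f"{month} {int(day)} {clock}", "%b %d %H:%M:%S")


def analyse(log_text):
    """Split an OpenVPN client log into tunnel-up / tunnel-down cycles.

    Returns (closed_cycles, open_cycle). Each cycle records when the tunnel
    came up, how many received packets the client rejected at the
    decompression stage, the ping-restart value the server pushed, and (for
    closed cycles) when the ping-restart fired and how many seconds the
    tunnel lived.
    """
    cycles, current, pushed_restart = [], None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_timestamp(m.group(1), m.group(2), m.group(3))
        msg = m.group(5)
        if "PUSH_REPLY" in msg:
            pr = PING_RESTART_RE.search(msg)
            if pr:
                pushed_restart = int(pr.group(1))
        if msg.endswith("Initialization Sequence Completed"):
            current = {"up_at": ts, "bad_compression": 0, "ping_restart": pushed_restart}
        elif current is None:
            continue
        elif "Bad compression stub" in msg:
            current["bad_compression"] += 1
        elif "Inactivity timeout (--ping-restart)" in msg:
            current["down_at"] = ts
            current["uptime_s"] = int((ts - current["up_at"]).total_seconds())
            cycles.append(current)
            current = None
    return cycles, current


def diagnose(cycles):
    """Turn closed cycles into short findings a person debugging the tunnel would act on."""
    findings = []
    for i, c in enumerate(cycles, 1):
        if c["ping_restart"] is not None and c["uptime_s"] <= c["ping_restart"]:
            findings.append(
                f"cycle {i}: tunnel lived {c['uptime_s']}s, no ping reply within the pushed "
                f"ping-restart {c['ping_restart']}s")
        if c["bad_compression"]:
            findings.append(
                f"cycle {i}: {c['bad_compression']} received packets rejected with a bad compression "
                f"header; traffic is arriving but being dropped, check that client and server "
                f"compression settings match")
    return findings


if __name__ == "__main__":
    closed, live = analyse(SAMPLE_LOG)
    for finding in diagnose(closed):
        print(finding)
    if live is not None:
        print(f"tunnel currently up since {live['up_at'].strftime('%H:%M:%S')}")
```

On a real box, feed it the OpenVPN log exported from Status > System Logs instead of the constructed sample; a run of cycles whose uptime equals the pushed ping-restart value, each with non-zero rejected packets, is the signature of the yo-yo described above.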
-
I have this exact same issue... it seems that OpenVPN clients that go down cause other non-related OpenVPN clients and LAN gateways to go down... Not all gateways, but certain ones. At first I thought it might be related to having gateway groups set up, but when disabling all of those I still have the issue.
I sure would like to know why they are inter-linked....
RHLinux
-
FWIW I never figured out why OpenVPN restarts interfere with traffic over other interfaces. I was able to resolve my OpenVPN connectivity problem and when the tunnel is stable (like it should be and like it is in the majority of cases), naturally, there is no interference.
To summarise:
- I do believe that there is a bug (when OpenVPN starts at least some connections on other interfaces drop) which manifests itself only rarely because properly configured OpenVPN does not do "yo-yo" restarts.
- It appears impossible to disable the 60-second "ping-restart", which is not good when one needs to debug OpenVPN connectivity problems.
-
Impossible?
-
Thanks but I cannot find "Ping settings" anywhere in the menus. Please tell me where it is.
-
OpenVPN Server.
-
I only run the client and I have no control of the server - it's a commercial VPN provider.
To clarify the problem - is it possible to prevent pfSense's OpenVPN client from automatically reconnecting when there is no ping reply? It makes debugging a connection nearly impossible (one typically only has <60 seconds before the client drops the connection and attempts to reconnect).
-
Then in the client, but the server will still have its own ping/keepalive times.
They are generally necessary. If it dies for a minute you want to reestablish the connection anyway.
If you rebuilt with the old config it will be working the same way and any difference can be attributed to something else, perhaps misperception or misblame, but not that.
Everything there is to know is here:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
See Also: ping, ping-restart, and the keepalive helper to manage them both.
-
"Ping settings" are available in both OpenVPN Server and Client, but in 2.4.5-RC, not 2.4.4-RELEASE-p3.
-Rico
-
Ah. You'll have to use the keywords in advanced options in 2.4.4-p3 I guess. Thanks. Still not "impossible."
-
@mig said in Restarting OpenVPN interrupts non-VPN traffic:
I tried to add ping-restart 0 to OpenVPN-Clients-"Advanced configuration"-"Custom options" but it doesn't suppress ping-restarts