Random Dropped Connections In OpenVPN Gateway Group
-
I am having an issue with a gateway group that I have created where members of the group are randomly disconnecting from different openvpn servers. I'm on 2.4.4-RELEASE-p3.
The gateway group has 3 different interfaces. All 3 of the interfaces are OpenVPN connections that connect to 3 different geographically located OpenVPN servers. All the settings in the interface settings are blank or unchecked except for enabling the interface and the interface name.
I have checked the configuration for the openvpn client settings and have confirmed that they are configured exactly as recommended by the vpn provider as per the instructions here: https://www.ivpn.net/setup/router-pfsense.html
I can connect to the openvpn without issue. But I am getting random disconnects 3-6 total times per day. The disconnects can happen on any of the 3 interfaces in the gateway group and I don't think I've noticed more than 1 interface being down at the same time. I'm not able to figure out what might be misconfigured or how to resolve it.
I should note that I also have an OpenVPN server running on the pfSense box that is connected to an offsite office. This OpenVPN is completely stable.
Here are some System Logs from when one of the interfaces went down:
Jun 16 08:40:12 php_pfb [pfBlockerNG] filterlog daemon started
Jun 16 08:40:12 php_pfb [pfBlockerNG] filterlog daemon started
Jun 16 08:40:12 php [pfBlockerNG] DNSBL parser daemon started
Jun 16 08:40:12 php-fpm [pfBlockerNG] Restarting firewall filter daemon
Jun 16 08:40:12 check_reload_status Reloading filter
Jun 16 08:40:12 check_reload_status Syncing firewall
Jun 16 08:40:10 php-fpm /rc.start_packages: Restarting/Starting all packages.
Jun 16 08:40:09 check_reload_status Starting packages
Jun 16 08:40:09 php-fpm /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.12.16.7 -> 10.12.48.15 - Restarting packages.
Jun 16 08:40:07 php-fpm /rc.newwanip: Creating rrd update script
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:07 php-fpm /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
Jun 16 08:40:04 php-fpm /rc.newwanip: 33010MONITOR: IVPN_NY1 is available now, adding to routing group IVPN_Group 10.12.48.1|10.12.48.15|IVPN_NY1|8.494ms|0.774ms|0.0%|none
Jun 16 08:39:57 php-fpm /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 16 08:39:52 php-fpm /rc.newwanip: IP Address has changed, killing states on former IP Address 10.12.16.7.
Jun 16 08:39:52 php-fpm /rc.newwanip: rc.newwanip: on (IP address: 10.12.48.15) (interface: IVPN_NY1[opt7]) (real interface: ovpnc4).
Jun 16 08:39:52 php-fpm /rc.newwanip: rc.newwanip: Info: starting on ovpnc4.
Jun 16 08:39:51 check_reload_status rc.newwanip starting ovpnc4
Jun 16 08:39:51 kernel ovpnc4: link state changed to UP
Jun 16 08:39:50 check_reload_status Reloading filter
Jun 16 08:39:50 kernel ovpnc4: link state changed to DOWN
Jun 16 08:38:55 php-fpm /rc.dyndns.update: MONITOR: IVPN_NY1 is down, omitting from routing group IVPN_Group 10.12.16.1|10.12.16.7|IVPN_NY1|11.917ms|5.887ms|23%|down
Jun 16 08:38:55 php-fpm /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use IVPN_NY1.
Jun 16 08:38:55 php-fpm /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 16 08:38:54 check_reload_status Reloading filter
Jun 16 08:38:54 check_reload_status Restarting OpenVPN tunnels/interfaces
Jun 16 08:38:54 check_reload_status Restarting ipsec tunnels
Jun 16 08:38:54 check_reload_status updating dyndns IVPN_NY1
Jun 16 08:38:54 rc.gateway_alarm 5655 >>> Gateway alarm: IVPN_NY1 (Addr:10.12.16.1 Alarm:1 RTT:11.853ms RTTsd:5.801ms Loss:21%)
Jun 16 08:12:56 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
And here are the OpenVPN logs from the same timeframe:
Jun 16 08:39:51 openvpn 27878 Initialization Sequence Completed
Jun 16 08:39:51 openvpn 27878 /sbin/route add -net 128.0.0.0 10.12.48.1 128.0.0.0
Jun 16 08:39:51 openvpn 27878 /sbin/route add -net 0.0.0.0 10.12.48.1 128.0.0.0
Jun 16 08:39:51 openvpn 27878 /sbin/route add -net 64.120.44.114 96.244.82.1 255.255.255.255
Jun 16 08:39:51 openvpn 27878 /usr/local/sbin/ovpn-linkup ovpnc4 1500 1553 10.12.48.15 255.255.252.0 init
Jun 16 08:39:51 openvpn 27878 /sbin/route add -net 10.12.48.0 10.12.48.1 255.255.252.0
Jun 16 08:39:51 openvpn 27878 /sbin/ifconfig ovpnc4 10.12.48.15 10.12.48.1 mtu 1500 netmask 255.255.252.0 up
Jun 16 08:39:51 openvpn 27878 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jun 16 08:39:51 openvpn 27878 TUN/TAP device /dev/tun4 opened
Jun 16 08:39:51 openvpn 27878 TUN/TAP device ovpnc4 exists previously, keep at program end
Jun 16 08:39:51 openvpn 27878 ROUTE_GATEWAY 96.244.82.1/255.255.255.0 IFACE=em0 HWADDR=00:1c:c4:47:6d:1d
Jun 16 08:39:50 openvpn 27878 /usr/local/sbin/ovpn-linkdown ovpnc4 1500 1553 10.12.16.7 255.255.252.0 init
Jun 16 08:39:50 openvpn 27878 Closing TUN/TAP interface
Jun 16 08:39:50 openvpn 27878 /sbin/route delete -net 128.0.0.0 10.12.16.1 128.0.0.0
Jun 16 08:39:50 openvpn 27878 /sbin/route delete -net 0.0.0.0 10.12.16.1 128.0.0.0
Jun 16 08:39:50 openvpn 27878 /sbin/route delete -net 64.120.44.114 96.244.82.1 255.255.255.255
Jun 16 08:39:50 openvpn 27878 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jun 16 08:39:50 openvpn 27878 Preserving previous TUN/TAP instance: ovpnc4
Jun 16 08:39:50 openvpn 27878 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 16 08:39:50 openvpn 27878 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: data channel crypto options modified
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: adjusting link_mtu to 1625
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: peer-id set
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: route-related options modified
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: route options modified
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: --ifconfig/up options modified
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: compression parms modified
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: explicit notify parm(s) modified
Jun 16 08:39:50 openvpn 27878 OPTIONS IMPORT: timers and/or timeouts modified
Jun 16 08:39:50 openvpn 27878 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,explicit-exit-notify 3,comp-lzo no,route-gateway 10.12.48.1,topology subnet,ping 10,ping-restart 60,dhcp-option DNS 10.12.48.1,ifconfig 10.12.48.15 255.255.252.0,peer-id 13,cipher AES-256-GCM'
Jun 16 08:39:50 openvpn 27878 SENT CONTROL [us-ny1.gw.ivpn.net]: 'PUSH_REQUEST' (status=1)
Jun 16 08:39:49 openvpn 27878 [us-ny1.gw.ivpn.net] Peer Connection Initiated with [AF_INET]64.120.44.114:2050
Jun 16 08:39:49 openvpn 27878 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jun 16 08:39:49 openvpn 27878 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Jun 16 08:39:49 openvpn 27878 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Jun 16 08:39:49 openvpn 27878 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1558'
Jun 16 08:39:49 openvpn 27878 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=IVPN.net, OU=IVPN, CN=us-ny1.gw.ivpn.net, emailAddress=support@ivpn.net
Jun 16 08:39:49 openvpn 27878 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=IVPN.net, OU=IVPN, CN=IVPN Root CA v2, emailAddress=support@ivpn.net
Jun 16 08:39:49 openvpn 27878 VERIFY OK: depth=2, C=MT, ST=Malta, L=Malta, O=IVPN.net, CN=IVPN.net CA, emailAddress=support@ivpn.net
Jun 16 08:39:49 openvpn 27878 TLS: Initial packet from [AF_INET]64.120.44.114:2050, sid=b9ee9ea0 d3ffc0c4
Jun 16 08:39:49 openvpn 27878 UDPv4 link remote: [AF_INET]64.120.44.114:2050
Jun 16 08:39:49 openvpn 27878 UDPv4 link local (bound): [AF_INET]96.244.82.174:0
Jun 16 08:39:49 openvpn 27878 Socket Buffers: R=[42080->2097152] S=[57344->2097152]
Jun 16 08:39:49 openvpn 27878 TCP/UDP: Preserving recently used remote address: [AF_INET]64.120.44.114:2050
Jun 16 08:39:49 openvpn 27878 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 08:39:49 openvpn 27878 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 16 08:39:39 openvpn 27878 Restart pause, 10 second(s)
Jun 16 08:39:39 openvpn 27878 SIGUSR1[soft,ping-restart] received, process restarting
Jun 16 08:39:39 openvpn 27878 [us-ny1.gw.ivpn.net] Inactivity timeout (--ping-restart), restarting
Jun 16 08:39:20 openvpn 28934 MANAGEMENT: Client disconnected
Any help in figuring this out is greatly appreciated.
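As an added example that is not part of the original post or of pfSense: a small Python script that parses the system log and OpenVPN log lines quoted above (the logs carry no year, so 2019 is assumed) and merges both into one timeline. Sorting the two logs together makes the order of the flap visible: the gateway monitor raises a 21% loss alarm and drops IVPN_NY1 from the group about 45 seconds before OpenVPN's own --ping-restart fires, and the reconnect comes back on a different tunnel address (10.12.16.7 -> 10.12.48.15), which is what makes rc.newwanip restart the packages.

```python
import re
from datetime import datetime
# Sample lines copied from the post above (pfSense system log and OpenVPN log,
# which list newest-first); the log carries no year, so 2019 is assumed below.
SYSTEM_LOG = """\
Jun 16 08:38:54 rc.gateway_alarm 5655 >>> Gateway alarm: IVPN_NY1 (Addr:10.12.16.1 Alarm:1 RTT:11.853ms RTTsd:5.801ms Loss:21%)
Jun 16 08:38:55 php-fpm /rc.dyndns.update: MONITOR: IVPN_NY1 is down, omitting from routing group IVPN_Group 10.12.16.1|10.12.16.7|IVPN_NY1|11.917ms|5.887ms|23%|down
Jun 16 08:40:04 php-fpm /rc.newwanip: MONITOR: IVPN_NY1 is available now, adding to routing group IVPN_Group 10.12.48.1|10.12.48.15|IVPN_NY1|8.494ms|0.774ms|0.0%|none
Jun 16 08:40:09 php-fpm /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 10.12.16.7 -> 10.12.48.15 - Restarting packages.
"""
OPENVPN_LOG = """\
Jun 16 08:39:39 openvpn 27878 [us-ny1.gw.ivpn.net] Inactivity timeout (--ping-restart), restarting
Jun 16 08:39:51 openvpn 27878 Initialization Sequence Completed
"""
# Each pattern classifies one kind of line and captures the fields worth keeping.
PATTERNS = [
    ("alarm",        re.compile(r"Gateway alarm: (\S+) \(.*Loss:(\d+)%\)")),
    ("gw_down",      re.compile(r"MONITOR: (\S+) is down")),
    ("ping_restart", re.compile(r"\[(\S+)\] Inactivity timeout \(--ping-restart\)")),
    ("tunnel_up",    re.compile(r"(Initialization Sequence Completed)")),
    ("gw_up",        re.compile(r"MONITOR: (\S+) is available now")),
    ("ip_change",    re.compile(r"reconnection - (\S+) -> (\S+) - Restarting packages")),
]

def parse_events(text, year=2019):
    """Return (time, kind, fields) for every line matching a known pattern."""
    events = []
    for line in filter(None, text.splitlines()):
        # syslog stamps are fixed width: "Jun 16 08:38:54" is the first 15 chars
        when = datetime.strptime(f"{line[:15]} {year}", "%b %d %H:%M:%S %Y")
        for kind, pat in PATTERNS:
            if hit := pat.search(line[16:]):
                events.append((when, kind, hit.groups()))
                break
    return events

def summarize(*logs):
    """Merge the logs by time and measure one flap: alarm -> ping-restart -> tunnel up -> IP change."""
    timeline = sorted(ev for log in logs for ev in parse_events(log))
    first = {}
    for when, kind, fields in timeline:
        first.setdefault(kind, (when, fields))  # earliest occurrence of each kind
    secs = lambda a, b: (first[b][0] - first[a][0]).total_seconds()
    return {
        "gateway": first["alarm"][1][0],
        "loss_pct": int(first["alarm"][1][1]),
        "alarm_to_ping_restart_s": secs("alarm", "ping_restart"),
        "ping_restart_to_tunnel_up_s": secs("ping_restart", "tunnel_up"),
        "tunnel_ip_change": first["ip_change"][1],
        "sequence": [kind for _, kind, _ in timeline],
    }
```

Run summarize(SYSTEM_LOG, OPENVPN_LOG) to get the measured gaps; feeding it a longer export of both logs lets you check whether every disconnect follows the same alarm-first pattern or whether some start with the ping-restart alone.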