Netgate Discussion Forum

pfSense 2.5.0/OpenVPN reconnect failing

  • S
    steamerzone
    last edited by Feb 23, 2021, 11:47 AM

    Hello,

    After upgrading to pfSense 2.5.0 everything seemed to work fine, but after a day I got some complaints from OpenVPN users that the client showed 'Connected' but they couldn't connect to any of our services, and the connection reconnects every 120 seconds, but this never results in a working connection.

    To get it working again I have to manually kill the client connection, reconnect, and then it works fine. Leaving the client in the disconnected state for >2 minutes, and then reconnecting also works.

    Just issuing a reconnect in the client breaks the connection until I insert a timeout of >2 minutes or kill the client connection manually.

    This is just a typical setup using the OpenVPN wizard, I don't see anything shouting at me from the logfiles.

    What to try next?

    Greetings,
    Emile

    S 1 Reply Last reply Feb 24, 2021, 3:30 PM Reply Quote 2
    • P
      Pippin
      last edited by Feb 24, 2021, 1:23 PM

      Logs at verb 4 from both sides would probably help, but try this on the client side, add:

      explicit-exit-notify 3
      

      and change

      persist-tun
      

      to

      #persist-tun
      

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      1 Reply Last reply Reply Quote 1
      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Feb 24, 2021, 3:01 PM

        the connection reconnects every 120 seconds

        That sounds like there are two active connection attempts each knocking each other off.

        Are you certain these users aren't running multiple instances?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        S 1 Reply Last reply Feb 24, 2021, 3:22 PM Reply Quote 0
        • S
          steamerzone @jimp
          last edited by steamerzone Feb 24, 2021, 3:23 PM Feb 24, 2021, 3:22 PM

          Are you certain these users aren't running multiple instances?

          There is only one account for this test instance, with only one connected user, the reconnect is in line with the timeout and ping values set in the service. (60x2 ping-restart = timeoutx2)

          1 Reply Last reply Reply Quote 1
          • S
            slu @steamerzone
            last edited by slu Feb 24, 2021, 3:31 PM Feb 24, 2021, 3:30 PM

            @steamerzone said in pfSense 2.5.0/OpenVPN reconnect failing:

            After upgrading to pfSense 2.5.0 everything seemed to work fine, but after a day I got some complaints from OpenVPN users that the client showed 'Connected' but they couldn't connect to any of our services, and the connection reconnects every 120 seconds, but this never results in a working connection.

            I see exactly the same problem today and the issue was an old cipher setting on the client side and enable "Enable Data Encryption Negotiation" on the server after the update.

            Connection is up, but reconnects every two minutes (ping timeout) and it is not possible to use the VPN channel.

            I learned today a lot about OpenVPN ;)

            pfSense Gold subscription

            S M 2 Replies Last reply Feb 24, 2021, 4:38 PM Reply Quote 1
            • S
              steamerzone @slu
              last edited by Feb 24, 2021, 4:38 PM

              Connection is up, but reconnects every two minutes (ping timeout) and it is not possible to use the VPN channel.

              I learned today a lot about OpenVPN ;)

              Did the initial/first vpn connection work as expected, and only the reconnects fail?

              S 1 Reply Last reply Feb 24, 2021, 4:42 PM Reply Quote 0
              • S
                slu @steamerzone
                last edited by Feb 24, 2021, 4:42 PM

                @steamerzone said in pfSense 2.5.0/OpenVPN reconnect failing:

                Did the initial/first vpn connection work as expected, and only the reconnects fail?

                It looks like it works (pfSense OpenVPN status connected) but the tunnel was not usable and reconnected every two minutes.

                1 Reply Last reply Reply Quote 1
                • M
                  MichaelBoye @slu
                  last edited by Feb 25, 2021, 8:21 AM

                  @slu Hi Slu.
                  I'm having the exact same issue as all of you.

                  Could you please explain to me what cipher setting you went with?
                  I don't know if the cipher setting I'm using is out of date.

                  BR,
                  Michael Boye

                  S 1 Reply Last reply Feb 25, 2021, 10:25 AM Reply Quote 2
                  • C
                    christian.schneider
                    last edited by christian.schneider Feb 25, 2021, 10:11 AM Feb 25, 2021, 10:10 AM

                    Yes same here.

                    Connecting after a while not connected works without problems.

                    Reconnecting doesn't work. Connection is up but no data is going through the vpn tunnel.

                    I also changed the Data Encryption Algorithms to GCM only but that also doesn't help.

                    1 Reply Last reply Reply Quote 2
                    • S
                      slu @MichaelBoye
                      last edited by Feb 25, 2021, 10:25 AM

                      @michaelboye
                      this depends on your setup!

                      An easy way to find out: install the openvpn-client-export package and export the config.
                      Be careful with the setting "Legacy Client Do not include OpenVPN 2.5 settings in the client configuration."

                      M 1 Reply Last reply Feb 25, 2021, 11:16 AM Reply Quote 0
                      • M
                        MichaelBoye @slu
                        last edited by Feb 25, 2021, 11:16 AM

                        @slu Thanks for the reply.
                        I'll have a look at it later, when the VPN isn't used as much.

                        1 Reply Last reply Reply Quote 0
                        • M
                          MichaelBoye
                          last edited by Feb 25, 2021, 10:07 PM

                          Hi. Did anyone resolve this?
                          I have tried with different settings on my Remote Access SSL/TLS VPN and I can't get it to work properly.
                          I have updated the Data Encryption, but I still can't connect right after I disconnected.
                          Here's my Data Encryption settings:
                          [Image: 1428638a-f907-4370-9801-d8efcbb45dec-image.png]

                          I have made a workaround with the "push "explicit-exit-notify 3" " in custom options, but I would love a more permanent solution.
                          Am I doing something wrong?
                          I hope you can assist :)

                          BR,
                          Michael

                          N 1 Reply Last reply Feb 26, 2021, 4:30 AM Reply Quote 0
                          • N
                            netblues @MichaelBoye
                            last edited by Feb 26, 2021, 4:30 AM

                            I have made a workaround with the "push "explicit-exit-notify 3" " in custom options, but I would love a more permanent solution.
                            Am I doing something wrong?
                            I hope you can assist :)

                            BR,
                            Michael

                            I don't really think this is a workaround.
                            It does instruct the client to signal that it will disconnect.
                            However, in any abnormal disconnection, this won't happen.
                            So users trying to reconnect after a short outage will face the issue.

                            This is definitely a show stopper for NOT upgrading to 2.5 if openvpnserver is used on pf.

                            1 Reply Last reply Reply Quote 1
                            • J
                              jimp Rebel Alliance Developer Netgate
                              last edited by Feb 27, 2021, 10:21 PM

                              What shows up in the logs on both sides when the reconnect fails like this?

                              I took a test client just now and reconnected it about 20 times in a row to a UDP server without a single failure. It doesn't have exit notify enabled either.

                              1 Reply Last reply Reply Quote 0
                              • S
                                steamerzone
                                last edited by steamerzone Mar 2, 2021, 12:52 PM Mar 2, 2021, 11:05 AM

                                @jimp

                                @jimp said in pfSense 2.5.0/OpenVPN reconnect failing:

                                What shows up in the logs on both sides when the reconnect fails like this?

                                I don't see any errors or differences in the log files for a working or non-working connection.

                                Adding the 'nobind' option to the client config does seem to solve the issue for me.

                                This does need some further testing, and as far as I understand you can't push this setting.

                                https://forum.netgate.com/topic/161324/openvpn-is-not-working-if-client-is-reconnected-immediately

                                Emile

                                J 1 Reply Last reply Mar 2, 2021, 2:04 PM Reply Quote 2
                                • J
                                  jimp Rebel Alliance Developer Netgate @steamerzone
                                  last edited by Mar 2, 2021, 2:04 PM

                                  @steamerzone said in pfSense 2.5.0/OpenVPN reconnect failing:

                                  This does need some further testing, and as far as I understand you can't push this setting.

                                  Correct, it can't be pushed since it's too late for it to have any effect -- the client is already sending traffic from its chosen port when it comes time to receive pushed settings.

                                  Clients would need to be redeployed with a new config or edited in-place.

                                  Since it appears to be a bug in OpenVPN it's something they'll need to address, but I'm not sure if anyone has reported it upstream yet.

                                  1 Reply Last reply Reply Quote 2
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.