Netgate Discussion Forum

    Client timeouts and reconnections

    OpenVPN
    3 Posts 2 Posters 682 Views
      pgb

      I'm facing a disconnection / traffic issues with my OpenVPN server.

      Whenever the client network changes (say, a notebook wakes from sleep), OpenVPN reconnects. However, sometimes, after the connection is done, no traffic can be routed through the VPN for a while (about 5 minutes?).

      Could this be related to how the timeout is handled?

      I can reproduce my issue pretty easily if I reconnect the WiFi on my laptop without disconnecting OpenVPN first.

      Here's the log when I get disconnected:

      Mar 7 11:23:22	openvpn	65729	user/ipaddress:1194 [user] Inactivity timeout (--ping-restart), restarting
      

      This is the server config file:

      dev ovpns1
      verb 1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      ping 60
      push "ping 60"
      ping-restart 80
      push "ping-restart 80"
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 192.168.16.10
      tls-server
      server 192.168.32.0 255.255.254.0
      client-config-dir /var/etc/openvpn/server1/csc
      verify-client-cert none
      username-as-common-name
      plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user VlBOIExEQVAsTG9jYWwgRGF0YWJhc2U= false server1 1194
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Netgate+VPN+Server' 1"
      lport 1194
      management /var/etc/openvpn/server1/sock unix
      push "route 192.168.16.0 255.255.255.0"
      push "route 192.168.17.0 255.255.255.0"
      push "route 192.168.0.0 255.255.255.0"
      push "route 10.0.0.0 255.0.0.0"
      push "dhcp-option DNS 192.168.17.10"
      push "dhcp-option WINS 192.168.17.11"
      duplicate-cn
      capath /var/etc/openvpn/server1/ca
      cert /var/etc/openvpn/server1/cert
      key /var/etc/openvpn/server1/key
      dh /etc/dh-parameters.1024
      tls-auth /var/etc/openvpn/server1/tls-auth 0
      data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC
      data-ciphers-fallback AES-128-CBC
      allow-compression asym
      persist-remote-ip
      float
      topology net30
      explicit-exit-notify 1
      

      and the client's config file (without the certificates):

      dev tun
      persist-tun
      persist-key
      ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC
      cipher AES-128-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote x.x.x.x 1194 udp
      auth-user-pass
      remote-cert-tls server
      

      I don't mind the reconnections, but it's a problem that after a reconnection the client can't route traffic for some minutes.

      I've tried different combinations of the "Ping" setting in pfSense's UI with no luck, and tried using keepalive as well, also with no luck.

      Any idea would be appreciated.

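The log line quoted in the post carries the peer's address and source port plus the restart reason, which is enough to count how often a given client is being dropped and to spot a client that keeps coming back from the same fixed source port. The script below is an added example, not code from the thread or from pfSense: the sample log lines are constructed in the same format as the line above, the year is assumed because syslog timestamps omit it, and the flapping window and threshold are arbitrary choices. The fixed-port check looks for source port 1194, which is the local port an OpenVPN client binds when its config has neither nobind nor lport, and which matches the ":1194" in the log line above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pfSense OpenVPN log format quoted in the thread:
#   "Mar 7 11:23:22<TAB>openvpn<TAB>65729<TAB>cn/addr:port [cn] Inactivity timeout (--ping-restart), restarting"
# 'addr:port' is the peer as the server saw it, so 'port' is the client's source port.
PING_RESTART_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+openvpn\s+\d+\s+"
    r"(?P<cn>[^/\s]+)/(?P<addr>\S+):(?P<port>\d+)\s+\[[^\]]*\]\s+"
    r"Inactivity timeout \(--ping-restart\), restarting\s*$"
)

# Constructed sample log (not from the thread): "alice" keeps being restarted
# from the same IP and source port 1194, "bob" is restarted once from an
# ephemeral port, and the last line is a different OpenVPN message.
SAMPLE_LOG = """\
Mar 7 11:23:22\topenvpn\t65729\talice/203.0.113.5:1194 [alice] Inactivity timeout (--ping-restart), restarting
Mar 7 11:25:10\topenvpn\t65729\talice/203.0.113.5:1194 [alice] Inactivity timeout (--ping-restart), restarting
Mar 7 11:26:41\topenvpn\t65729\tbob/198.51.100.9:52144 [bob] Inactivity timeout (--ping-restart), restarting
Mar 7 11:28:03\topenvpn\t65729\talice/203.0.113.5:1194 [alice] Inactivity timeout (--ping-restart), restarting
Mar 7 11:29:30\topenvpn\t65729\talice/203.0.113.5:1194 [alice] Connection reset, restarting [0]
"""


def parse_ping_restarts(lines, year=2021):
    """Return (timestamp, common_name, peer_address, peer_port) for each
    ping-restart event. Syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = PING_RESTART_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["cn"], m["addr"], int(m["port"])))
    return events


def flapping_clients(events, window_seconds=600, threshold=3):
    """Return {(cn, addr): max_restarts_in_window} for clients that hit
    'threshold' or more ping-restarts inside any 'window_seconds' span."""
    stamps_by_client = defaultdict(list)
    for ts, cn, addr, _port in events:
        stamps_by_client[(cn, addr)].append(ts)
    flapping = {}
    for key, stamps in stamps_by_client.items():
        stamps.sort()
        j = 0  # sliding window end; only moves forward as the start advances
        for i, start in enumerate(stamps):
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_seconds:
                j += 1
            count = j - i
            if count >= threshold:
                flapping[key] = max(flapping.get(key, 0), count)
    return flapping


def fixed_source_port_clients(events, port=1194):
    """Clients whose restarts arrive from the same fixed source port, as an
    OpenVPN client without 'nobind' or 'lport 0' does (it binds 1194 by default)."""
    return sorted({(cn, addr) for _ts, cn, addr, p in events if p == port})


def report(text):
    """Summarise a block of log text: total restarts, flapping clients, and
    clients still reconnecting from the fixed default source port."""
    events = parse_ping_restarts(text.splitlines())
    return {
        "restarts": len(events),
        "flapping": flapping_clients(events),
        "fixed_source_port": fixed_source_port_clients(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a pfSense box the same text comes from the OpenVPN log under Status > System Logs, or from the syslog file the system is configured to write; feed it to report() in place of SAMPLE_LOG.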
        dyener

        When you say the client reconnects but no traffic is routed, it reminds me of these recent threads:

        • https://forum.netgate.com/topic/161324/openvpn-is-not-working-if-client-is-reconnected-immediately
        • https://forum.netgate.com/topic/161300/pfsense-2-5-0-openvpn-reconnect-failing

        There are a few simple suggestions for client-side config changes; do any of them work for you?

          pgb @dyener

          @dyener thank you for the pointer!
          Adding lport 0 to the client config fixed my issues.

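To make the accepted fix and the ping settings in this thread checkable, here is an added example (not the poster's or pfSense's code) that parses both configs the way OpenVPN tokenises them and reports: which local port the client will bind (ephemeral with nobind or lport 0, otherwise the fixed default 1194, which is what the original client config did); whether the server's own ping-restart is longer than the value it pushes (the keepalive helper deliberately makes the server side twice as long so the client restarts first, while the server config above uses 80 on both sides); and two hardening points visible in the server config, auth SHA1 and a dh file whose name suggests 1024-bit parameters (the size is read from the filename, a heuristic only). The embedded configs are abridged copies of the ones in the thread with documentation addresses substituted.

```python
import re

# Constructed, abridged copies of the thread's client and server configs
# (addresses replaced with documentation ranges) for the checks below.
CLIENT_CONF = """\
dev tun
persist-tun
persist-key
client
remote 192.0.2.10 1194 udp
auth-user-pass
remote-cert-tls server
"""

SERVER_CONF = """\
ping 60
push "ping 60"
ping-restart 80
push "ping-restart 80"
auth SHA1
dh /etc/dh-parameters.1024
float
push "route 10.0.0.0 255.0.0.0"
"""

# A double-quoted argument (push "ping 60") is one token, like OpenVPN treats it.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_config(text):
    """Parse OpenVPN config text into (directive, [args]) pairs, skipping
    blank lines and '#'/';' comment lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(line)]
        out.append((tokens[0], tokens[1:]))
    return out


def client_local_port(client):
    """Describe the local UDP port the client binds. Without nobind or lport,
    OpenVPN binds its default port 1194, so every reconnect from the same client
    IP arrives at the server from the same source port."""
    directives = dict(client)  # directive -> args, last occurrence wins
    if "nobind" in directives:
        return "ephemeral (nobind)"
    lport = directives.get("lport")
    if lport:
        return "ephemeral (lport 0)" if lport[0] == "0" else f"fixed {lport[0]} (lport)"
    return "fixed 1194 (default; add 'nobind' or 'lport 0')"


def keepalive_values(server):
    """Return (local, pushed) ping/ping-restart values. 'keepalive n m' is
    expanded as the OpenVPN manual describes: the server itself gets
    ping n / ping-restart 2*m and pushes ping n / ping-restart m."""
    local = {"ping": None, "ping-restart": None}
    pushed = {"ping": None, "ping-restart": None}
    for directive, args in server:
        if directive in local and args:
            local[directive] = int(args[0])
        elif directive == "keepalive" and len(args) == 2:
            n, m = int(args[0]), int(args[1])
            local.update({"ping": n, "ping-restart": 2 * m})
            pushed.update({"ping": n, "ping-restart": m})
        elif directive == "push" and args:
            inner = args[0].split()
            if len(inner) == 2 and inner[0] in pushed:
                pushed[inner[0]] = int(inner[1])
    return local, pushed


def findings(client, server):
    """Collect human-readable findings for a client/server config pair."""
    out = [f"client local port: {client_local_port(client)}"]
    local, pushed = keepalive_values(server)
    if local["ping-restart"] and pushed["ping-restart"] and local["ping-restart"] <= pushed["ping-restart"]:
        out.append(f"server ping-restart {local['ping-restart']}s is not longer than the pushed client value "
                   f"{pushed['ping-restart']}s, so the client does not reliably restart before the server "
                   f"drops it ('keepalive {pushed['ping']} {pushed['ping-restart']}' would give the server "
                   f"{2 * pushed['ping-restart']}s)")
    srv = dict(server)
    if srv.get("auth", [""])[0].upper() == "SHA1":
        out.append("auth SHA1: prefer SHA256 (with AEAD data-ciphers this digest still protects tls-auth packets)")
    dh_path = srv.get("dh", [""])[0]
    m = re.search(r"(\d{3,4})\D*$", dh_path)  # heuristic: size taken from the filename
    if m and int(m.group(1)) < 2048:
        out.append(f"dh {dh_path}: filename suggests {m.group(1)}-bit parameters; 2048 bits or more is the usual floor")
    return out


if __name__ == "__main__":
    for line in findings(parse_config(CLIENT_CONF), parse_config(SERVER_CONF)):
        print("-", line)
```

Appending "lport 0" (or "nobind") to CLIENT_CONF turns the first finding into an ephemeral-port result, which is the change that resolved this thread.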