Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN is not working if client is reconnected immediately

    Scheduled Pinned Locked Moved OpenVPN
    22 Posts 9 Posters 4.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      apant @jimp
      last edited by

      @jimp the connection is always succeed but traffic is not passing through VPN if you do not wait 2-3 minutes (without explicit-exit-notify) before reconnection. There is no error.

      jimpJ 1 Reply Last reply Reply Quote 1
      • jimpJ
        jimp Rebel Alliance Developer Netgate @apant
        last edited by

        @apant said in OpenVPN is not working if client is reconnected immediately:

        @jimp the connection is always succeed but traffic is not passing through VPN if you do not wait 2-3 minutes (without explicit-exit-notify) before reconnection. There is no error.

        I was finally able to reproduce this given that bit of info and narrow it down a little:

        • It does appear to be related to the remote port being the same when reconnecting.
          • If I set the client config to have lport 0 so it randomizes its own local port, then each reconnect can pass traffic.
          • This is better behavior anyhow, I'm not sure why we don't add this into the exported configs by default.
        • It is not related to pf/firewall states
          • Clearing the states doesn't affect whether or not the later reconnections can pass traffic when the client port is reused, so it appears to be internal in OpenVPN itself.

        Still need to see if there is anything else server side that might affect it but that at least narrows the focus and identifies another potential workaround. That's assuming I'm hitting the same conditions others are, though.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        C 1 Reply Last reply Reply Quote 3
        • PippinP
          Pippin
          last edited by

          From memory, for client side it is advised to use --nobind (without --lport)
          --nobind is included in NetworkManager (Linux) by default.

          Will try to find the posts by OpenVPN devs...

          1 Reply Last reply Reply Quote 2
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            nobind also works, likely for much the same reason.

            That would be viable for remote access clients but if this same issue also affects site-to-site then that wouldn't be enough to work around it.

            None of the changes in the log for OpenVPN 2.5.1 appear to be related but I'm curious if it makes a difference.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 1
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              I added an issue to track the upstream problem since there isn't much we can do locally (clients in pfSense already default to lport 0)
              https://redmine.pfsense.org/issues/11575

              I also added an issue to have the export package automatically add nobind with an option to opt out.
              https://redmine.pfsense.org/issues/11574

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              E 1 Reply Last reply Reply Quote 2
              • C
                christian.schneider @jimp
                last edited by christian.schneider

                @jimp lport 0 works perfect for me, thank you!

                PippinP 1 Reply Last reply Reply Quote 2
                • PippinP
                  Pippin @christian.schneider
                  last edited by Pippin

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • PippinP
                    Pippin
                    last edited by

                    @pippin said in OpenVPN is not working if client is reconnected immediately:

                    Will try to find the posts by OpenVPN devs...

                    Please see my remark:
                    https://redmine.pfsense.org/issues/11575

                    1 Reply Last reply Reply Quote 0
                    • E
                      Elrick75 @jimp
                      last edited by

                      @jimp Hi, I noticed that nobind or lport 0 both work but it is not possible to have both in the configuration file.
                      Which one should be chosen between the two please? which one is better?

                      1 Reply Last reply Reply Quote 0
                      • PippinP
                        Pippin
                        last edited by

                        The recommendation by OpenVPN is --nobind.

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          Generally speaking, nobind is better.

                          You would only need lport 0 if you had to bind to a specific IP address on the client, but wanted a random source port. Otherwise, nobind is better since it lets to OS pick the most appropriate source IP address and port.

                          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          J 1 Reply Last reply Reply Quote 1
                          • J
                            jeff3820 @jimp
                            last edited by

                            @jimp Is this change coming to the client export package or has it already been implemented?

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              You can already get lport 0 by setting the option to randomize the local port, though I can't recall off the top of my head if that is the default. I don't think it has a way to set nobind.

                              If it doesn't set that by default, we should probably update the package to work that way and use nobind.

                              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.