OpenVPN keep alive?



  • Just installed PIA VPN via OpenVPN on 2.3.1, and the OpenVPN connection is dropping or failing regularly.  On the dashboard it continues to show that it has an IP address, but no traffic passes.  If I restart the OpenVPN service, in less than a second, the connection comes right back up.  I have cron jobs set up right now to restart the OpenVPN service every 12 hours, but this is just a band aid.  I VPN into this network from afar, and if the connection goes down, I won't be able to get in.  In addition, I am the only one inside the network who knows how to restart the service (home network, wife isn't a computer person) so if I'm at work and the network goes down, no internet for wifey and that is very bad.

    How can I begin troubleshooting this, and/or is there a keepalive setting somewhere for the connection that I am missing?  I had PIA running a year or so ago on an older release, and this happened from time to time, although right now it seems like its happening every few hours, possible more frequently.

    I should mention that there are several 24/7 machines on this network that reach out to various hosts on the internet every few minutes, so there should be pretty continuous traffic going through the PIA VPN.  Not sure why its dropping.

    Thanks



  • OpenVPN has a built-in keepalive. It sounds like you're getting dropped server-side, not the outer part of the VPN as OpenVPN would ping-restart in that case, but PIA is losing routing to you. I'd see if you can ping the gateway IP you're being assigned when connecting when it doesn't function (first make sure it replies when it is functioning). If you get that far, try to traceroute out of it and see what that looks like when it's working vs. not.

    What type of setup do you have where you can't VPN in without the PIA VPN connected? Your external VPN access should be direct to your public IP, outside and unrelated to the PIA VPN.



  • Not working.  Can't VPN in, pf is telling my dynamic dns service to use the PIA VPN's IP address.

    Came home this morning and internet was down again, restarted OpenVPN service and all is well, for now.

    I only really need the VPN service for a couple of hosts, but I am having trouble with the particulars in terms of how to go about adding static routes, etc.  I followed a tutorial in getting this set up, and a lot of this stuff is beyond me at the moment.  I haven't worn my network admin hat in almost 15 years, and even back then the firewalls we used were very very simple.

    All of the hosts that I need to use the VPN are Windows-based, I may just install the PIA VPN client on each host and return pf to a vanilla config.  Which seems a shame and double-redundant.



  • I'm having the same issue with Nord.  Would be nice if I could configure pfsense to send me an email when the service goes down.  Or maybe need to setup some monitoring service.  How do we view the log to see why it went down?



  • Also having this issue with NordVPN.  It started maybe a week or 2 ago.  I am trying to find a way to monitor and auto-restart this via a cron job.  Related thread over here



  • Do you run snort?

    I've found these instances and it typically happens when I use the TCP and TCP Strong/4096 configs, on a OpenVPN client PC, and the connection to PIA would drop.  On the regular IP config file, connection to PIA can and have lasted for weeks.

    I ask about snort because I'm noticing this alerts/blocks…which I believe may be related to a "keep alive" from the server or more likely, client side [?]  Please pardon my ignorance as a hobbyist.

    These are alerts/blocks from snort on the LAN side.

    209.222.18.222  53 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
    209.222.18.218  53 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
    209.222.18.51  502 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)

    Suppressing or even disabling these rules are easy enough but I'd like to know what I'm disabling first.