OpenVPN tunnel always reconnects
-
Hi People,
Please HELP, need urgent suggestion!!!
In Tashkent city (Uzbekistan) we have pfSense 2.3.3.1 with 8 OpenVPN services. One of them is bound to 443 UDP in TUN Peer-to-Peer SSL/TLS mode and to the public IP.
In Beijing city (China) we also have pfSense 2.3.3.1 with OpenVPN acting as a client behind an ISP NAT router.
The client successfully connects to the server, and everything seems to be working. Ping works, and we can see all devices on the remote sites.
The problem is that every N minutes (5, 10, 30 minutes, different each time) the connection is lost and the client restarts the tunnel. Each time this happens, the on-demand service can't work.
How do I figure out the issue? By the way, in this OpenVPN tunnel we can't ping the tunnel IPs, although on the other ones we can.
Both sites have the corresponding rules under Rules/OpenVPN, where source = Local NETs + Tunnel Net passes all traffic to any destination.
Server Conf /var/etc/openvpn/server5.conf:
```
dev ovpns5
verb 4
dev-type tun
tun-ipv6
dev-node /dev/tun5
writepid /var/run/openvpn_server5.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 195.158.х.х
tls-server
server 10.0.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server5
ifconfig 10.0.100.1 10.0.100.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn-server.mfa.uz' 1"
lport 443
management /var/etc/openvpn/server5.sock unix
push "route 172.30.30.176 255.255.255.240"
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
route 192.168.46.0 255.255.255.0
ca /var/etc/openvpn/server5.ca
cert /var/etc/openvpn/server5.cert
key /var/etc/openvpn/server5.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server5.crl-verify
tls-auth /var/etc/openvpn/server5.tls-auth 0
persist-remote-ip
float
topology subnet
```
Client override /var/etc/openvpn-csc/server5
```
iroute 192.168.45.0 255.255.255.0
```
Client Conf /var/etc/openvpn/client1.conf:
```
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.200.199
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 195.158.х.х 443
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
resolv-retry infinite
remote-cert-tls server
```
**Client LOGS:**
```
May 3 15:04:56 openvpn 94536 Initialization Sequence Completed
May 3 15:04:56 openvpn 94536 Preserving previous TUN/TAP instance: ovpnc1
May 3 15:04:54 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 15:04:38 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:04:38 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:04:38 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:04:35 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:04:35 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:03:35 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:03:35 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:03:35 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:03:33 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:03:33 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:02:33 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:02:33 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:02:33 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:02:31 openvpn 94536 SIGUSR1[soft,tls-error] received, process restarting
May 3 15:02:31 openvpn 94536 TLS Error: TLS handshake failed
May 3 15:02:31 openvpn 94536 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 3 15:01:37 openvpn 94536 TLS Error: Unroutable control packet received from [AF_INET]195.158.х.х:443 (si=3 op=P_ACK_V1)
May 3 15:01:31 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:01:31 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:01:31 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:01:29 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:01:29 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:00:29 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:00:29 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:00:29 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:00:27 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:00:27 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:59:27 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:59:27 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:59:27 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:59:25 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:59:25 openvpn 94536 [vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:58:25 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 14:58:11 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:58:11 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:58:11 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:58:09 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:58:09 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:57:09 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:57:09 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:57:09 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:57:07 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:57:07 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:56:07 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:56:07 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:56:07 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:56:05 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:56:05 openvpn 94536 [vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:34:33 openvpn 94536 Initialization Sequence Completed
May 3 14:34:33 openvpn 94536 Preserving previous TUN/TAP instance: ovpnc1
May 3 14:34:31 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 14:34:27 openvpn 94536 TLS Error: Unroutable control packet received from [AF_INET]195.158.х.х:443 (si=3 op=P_ACK_V1)
May 3 14:34:13 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:34:13 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:34:13 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:34:11 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:34:11 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:33:11 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:33:11 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:33:11 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:33:09 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:33:09 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:32:09 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:32:09 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:32:09 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:32:07 openvpn 94536 SIGUSR1[soft,tls-error] received, process restarting
May 3 14:32:07 openvpn 94536 TLS Error: TLS handshake failed
May 3 14:32:07 openvpn 94536 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 3 14:31:07 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:31:07 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:31:07 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:31:05 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:31:05 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:30:05 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:30:05 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:30:05 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:30:03 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:30:03 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:29:03 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:29:03 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:29:03 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:29:01 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:29:01 openvpn 94536 [vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:21:39 openvpn 94536 Initialization Sequence Completed
May 3 14:21:39 openvpn 94536 Preserving previous TUN/TAP instance: ovpnc1
May 3 14:21:36 openvpn 94536 [vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 14:21:28 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:21:28 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:21:28 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:21:26 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:21:26 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:20:26 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:20:26 openvpn 94536 UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:20:26 openvpn 94536 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:20:24 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:20:24 openvpn 94536 [UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:19:23 openvpn 94536 UDPv4 link remote: [AF_INET]195.158.х.х:443
```
**Server LOGS:**
```
May 3 12:14:21 openvpn 33468 I/O WAIT TR|Tw|SR|Sw [7/9931]
May 3 12:14:21 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:21 openvpn 33468 PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:21 openvpn 33468 PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:21 openvpn 33468 SCHEDULE: schedule_find_least wakeup=[Wed May 3 12:14:29 2017 us=9926] pri=2071388902
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 SCHEDULE: schedule_add_modify wakeup=[Wed May 3 12:14:29 2017 us=9926] pri=2042523469
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 RANDOM USEC=58507
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=3e08c98b 0f86ddcb, stored-sid=00000000 00000000, stored-ip=[undef]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_process: timeout set to 1096
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ACK reliable_send_timeout 604800 [6]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ACK reliable_can_send active=0 current=0 : [6]
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 STATE S_NORMAL_OP
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_process: chg=0 ks=S_NORMAL_OP lame=S_NORMAL_OP to_link->len=0 wakeup=1096
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=0 state=S_NORMAL_OP, mysid=0f678122 b7f33cc8, stored-sid=af61d163 b797e3aa, stored-ip=[AF_INET]84.54.112.26:64383
May 3 12:14:21 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TIMER: coarse timer wakeup 7 seconds
May 3 12:14:21 openvpn 33468 MULTI: REAP range 144 -> 160
May 3 12:14:21 openvpn 33468 I/O WAIT status=0x0020
May 3 12:14:21 openvpn 33468 event_wait returned 0
May 3 12:14:18 openvpn 33468 I/O WAIT TR|Tw|SR|Sw [3/104880]
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 UDPv4 write returned 165
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 UDPv4 WRITE [165] to [AF_INET]84.54.112.26:64383: P_DATA_V1 kid=2 DATA 6a49b95a 47d31a9e caa0eb92 df3bd156 c39da98a 884fd3ab 99dd6e71 2af1916[more...]
May 3 12:14:18 openvpn 33468 I/O WAIT status=0x0002
May 3 12:14:18 openvpn 33468 event_wait returned 1
May 3 12:14:18 openvpn 33468 PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x00694740
May 3 12:14:18 openvpn 33468 I/O WAIT Tr|Tw|Sr|SW [3/104880]
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0000 ev=7 arg=0x00693594
May 3 12:14:18 openvpn 33468 PO_CTL rwflags=0x0002 ev=6 arg=0x00694740
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT TO: 884fd3ab 99dd6e71 2af1916b 62e91d17 50555648 b6a0102c b45f3ca5 4d564e2[more...]
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT FROM: 0000011a 45000077 bc520000 3f11d545 ac1e1ebe 0a001502 0035edf2 00633e5[more...]
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT IV: 884fd3ab 99dd6e71 2af1916b 62e91d17
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_pre_encrypt: key_id=2
May 3 12:14:18 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TUN READ [119]
May 3 12:14:18 openvpn 33468 GET INST BY VIRT: 10.0.21.2 -> kayumov.mfa.uz/84.54.112.26:64383 via 10.0.21.2
May 3 12:14:18 openvpn 33468 read from TUN/TAP returned 119
May 3 12:14:18 openvpn 33468 MULTI: REAP range 128 -> 144
May 3 12:14:18 openvpn 33468 I/O WAIT status=0x0004
May 3 12:14:18 openvpn 33468 event_wait returned 1
May 3 12:14:18 openvpn 33468 PO_WAIT[1,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x00693594
May 3 12:14:17 openvpn 33468 I/O WAIT TR|Tw|SR|Sw [4/104880]
May 3 12:14:17 openvpn 33468 PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:17 openvpn 33468 PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:17 openvpn 33468 PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:17 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 write to TUN/TAP returned 72
May 3 12:14:17 openvpn 33468 kayumov.mfa.uz/84.54.112.26:64383 TUN WRITE [72]
May 3 12:14:17 openvpn 33468 I/O WAIT status=0x0008
```
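As an added example (not from the original post), the following Python script parses the client log above, pairs each "Initialization Sequence Completed" with the restart that ended it, and reports how long every tunnel lived and why it went down. The year 2017 is assumed from the server log's timestamps, and the embedded sample is a trimmed copy of the post's own client log lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines lifted from the client log in the post (newest first, as pfSense shows them).
SAMPLE_LOG = """\
May 3 15:04:56 openvpn 94536 Initialization Sequence Completed
May 3 15:04:35 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:03:33 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:02:31 openvpn 94536 SIGUSR1[soft,tls-error] received, process restarting
May 3 15:01:29 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:56:05 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:34:33 openvpn 94536 Initialization Sequence Completed
May 3 14:29:01 openvpn 94536 SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:21:39 openvpn 94536 Initialization Sequence Completed
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) openvpn \d+ (.*)$")
RESTART_RE = re.compile(r"SIGUSR1\[soft,([a-z-]+)\]")
PING_TIMEOUT = 60  # the 60 in "keepalive 10 60" (client1.conf) is --ping-restart 60

def parse(log, year=2017):
    """(timestamp, message) pairs in chronological order; the year is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return sorted(events)

def sessions(log):
    """One dict per tunnel that came up: lifetime, restart reason and, for ping-restart,
    the point at which the server fell silent (the restart fires PING_TIMEOUT s after last rx)."""
    out, up_at = [], None
    for ts, msg in parse(log):
        if msg == "Initialization Sequence Completed":
            up_at = ts
        if up_at is not None and (r := RESTART_RE.search(msg)):
            silent = ts - timedelta(seconds=PING_TIMEOUT) if r.group(1) == "ping-restart" else None
            out.append({"up": up_at, "down": ts, "reason": r.group(1),
                        "seconds": int((ts - up_at).total_seconds()), "last_rx_approx": silent})
            up_at = None
    return out

def restart_reasons(log):
    """Count restarts by reason, including the ones where the tunnel never came up."""
    counts = {}
    for _, msg in parse(log):
        if r := RESTART_RE.search(msg):
            counts[r.group(1)] = counts.get(r.group(1), 0) + 1
    return counts
```

The last_rx_approx values are the moments to look for in the server log and on the ISP side: the tunnel was up and passing keepalives until then, and nothing from the server got through for the following 60 seconds.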
-
Sounds to me like an ISP firewall issue.
You may have to perform some form of header re-writing to get past DPI firewalls. -
Hi Everyone!
I'm from Brazil and I have a problem.
My CA restarts after 30 minutes. The error sent to my client:
```
Thu May 18 17:43:19 2017 [server-certificado] Inactivity timeout (--ping-restart), restarting
Thu May 18 17:43:19 2017 SIGUSR1[soft,ping-restart] received, process restarting
Thu May 18 17:43:19 2017 Restart pause, 2 second(s)
Thu May 18 17:43:21 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 18 17:43:21 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
```