OpenVPN often does not connect - ping-restart and TLS handshake error



  • Hi, I use my pfSense box to connect to my VPN provider.

    This is my topology:

    INTERNET ----------- ISP ROUTER/GATEWAY (NAT)
                            |              |
                            |              |
                            |              |
                       PFSENSE BOX       LAN 1
                            |
                            |
                          LAN 2

    Obviously, only LAN2 reaches the Internet through my VPN provider and the pfSense box is used as VPN gateway.

    My ISP ROUTER/GATEWAY (Technicolor TG582n) performs NAT between my local net and the Internet. I have a public address on the Internet interface and my local net is the 192.168.0.0/24 net.
    The WAN interface of the pfSense box is in LAN 1, the 192.168.0.0/24 net; the LAN interface is on the 192.168.1.0/24 net.

    I configured my pfSense box following these instructions and sometimes the connection is OK. But very often my pfSense box does not succeed in connecting, and in my logs I continually have the ping-restart error.
    Other times the connection is OK, but it hangs many times, and in my log I have a lot of ping-restart errors and "TLS handshake failed" errors too.

    Here is my last log, in which the connection started after a lot of ping-restart errors, then the connection hung and I had a lot of TLS handshake errors before the connection started again. I want to emphasize that very often the connection fails without ever reconnecting.

    May 28 13:50:23	openvpn	6881	Initialization Sequence Completed
    May 28 13:50:23	openvpn	6881	Preserving previous TUN/TAP instance: ovpnc1
    May 28 13:50:21	openvpn	6881	[vpnarea] Peer Connection Initiated with [AF_INET](VPNSERVER-IP)
    May 28 13:50:13	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:50:13	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:50:13	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:50:11	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:50:11	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:50:11	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:49:11	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:49:11	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:49:11	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:49:09	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:49:09	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:49:09	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:48:09	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:48:09	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:48:09	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:48:07	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:48:07	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:48:07	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:47:07	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:47:07	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:47:07	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:47:05	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:47:05	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:47:05	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:46:05	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:46:05	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:46:05	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:46:03	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:46:03	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:46:03	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:45:03	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:45:03	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:45:03	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:45:01	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:45:01	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:45:01	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:44:01	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:44:01	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:44:01	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:43:59	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:43:59	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:43:59	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:42:59	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:42:59	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:42:59	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:42:57	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:42:57	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:42:57	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:41:57	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:41:57	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:41:57	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:41:55	openvpn	6881	SIGUSR1[soft,tls-error] received, process restarting
    May 28 13:41:55	openvpn	6881	TLS Error: TLS handshake failed
    May 28 13:41:55	openvpn	6881	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 28 13:40:55	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:40:55	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:40:55	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:40:53	openvpn	6881	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 13:40:53	openvpn	6881	[vpnarea] Inactivity timeout (--ping-restart), restarting
    May 28 13:15:25	openvpn	6881	Initialization Sequence Completed
    May 28 13:15:25	openvpn	6881	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1570 10.186.35.14 10.186.35.13 init
    May 28 13:15:25	openvpn	6881	/sbin/ifconfig ovpnc1 10.186.35.14 10.186.35.13 mtu 1500 netmask 255.255.255.255 up
    May 28 13:15:25	openvpn	6881	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    May 28 13:15:25	openvpn	6881	ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    May 28 13:15:25	openvpn	6881	TUN/TAP device /dev/tun1 opened
    May 28 13:15:25	openvpn	6881	TUN/TAP device ovpnc1 exists previously, keep at program end
    May 28 13:15:22	openvpn	6881	[vpnarea] Peer Connection Initiated with [AF_INET](VPNSERVER-IP)
    May 28 13:15:22	openvpn	6881	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    May 28 13:14:52	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:14:52	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:14:52	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:14:50	openvpn	6881	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 13:14:50	openvpn	6881	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 13:13:50	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:13:50	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:13:50	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:13:48	openvpn	6881	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 13:13:48	openvpn	6881	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 13:12:47	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:12:47	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:12:47	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:12:45	openvpn	6881	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 13:12:45	openvpn	6881	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 13:11:45	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:11:45	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:11:45	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:11:43	openvpn	6881	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 13:11:43	openvpn	6881	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 13:10:43	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:10:43	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:10:43	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:10:41	openvpn	6881	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 13:10:41	openvpn	6881	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 13:09:41	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:09:41	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:09:41	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:09:39	openvpn	6881	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 13:09:39	openvpn	6881	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 13:08:39	openvpn	6881	write UDPv4: No route to host (code=65)
    May 28 13:08:39	openvpn	6881	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 13:08:39	openvpn	6881	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 13:08:39	openvpn	6881	Initializing OpenSSL support for engine 'cryptodev'
    May 28 13:08:39	openvpn	6881	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 13:08:39	openvpn	6678	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
    May 28 13:08:39	openvpn	6678	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
    May 28 13:08:39	openvpn	6678	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 3 2017
    May 28 12:54:57	openvpn	6838	Initialization Sequence Completed
    May 28 12:54:57	openvpn	6838	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1570 10.186.35.10 10.186.35.9 init
    May 28 12:54:57	openvpn	6838	/sbin/ifconfig ovpnc1 10.186.35.10 10.186.35.9 mtu 1500 netmask 255.255.255.255 up
    May 28 12:54:57	openvpn	6838	do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    May 28 12:54:57	openvpn	6838	ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    May 28 12:54:57	openvpn	6838	TUN/TAP device /dev/tun1 opened
    May 28 12:54:57	openvpn	6838	TUN/TAP device ovpnc1 exists previously, keep at program end
    May 28 12:54:55	openvpn	6838	[vpnarea] Peer Connection Initiated with [AF_INET](VPNSERVER-IP)
    May 28 12:54:54	openvpn	6838	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    May 28 12:54:54	openvpn	6838	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 12:54:54	openvpn	6838	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 12:54:54	openvpn	6838	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 12:54:52	openvpn	6838	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 12:54:52	openvpn	6838	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 12:53:52	openvpn	6838	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 12:53:52	openvpn	6838	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 12:53:52	openvpn	6838	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 12:53:50	openvpn	6838	SIGUSR1[soft,ping-restart] received, process restarting
    May 28 12:53:50	openvpn	6838	[UNDEF] Inactivity timeout (--ping-restart), restarting
    May 28 12:52:50	openvpn	6838	write UDPv4: No route to host (code=65)
    May 28 12:52:50	openvpn	6838	UDPv4 link remote: [AF_INET](VPNSERVER-IP)
    May 28 12:52:50	openvpn	6838	UDPv4 link local (bound): [AF_INET]192.168.0.10
    May 28 12:52:50	openvpn	6838	Initializing OpenSSL support for engine 'cryptodev'
    May 28 12:52:50	openvpn	6838	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 28 12:52:50	openvpn	6723	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
    May 28 12:52:50	openvpn	6723	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
    May 28 12:52:50	openvpn	6723	OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 3 2017
    

    I tried to set the "keepalive 10 600" statement in OpenVPN client options, but I didn't resolve the problem.

    Can someone help me? Do you have any ideas?
    Please treat me as a pfSense newbie (which I am).

    Thanks a lot folks! :)
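
One way to quantify the restart loop in the log above, as an added example that is not part of the original post: it parses pfSense-style OpenVPN log lines, counts the SIGUSR1 restart reasons, and measures how long each outage lasted before "Initialization Sequence Completed". The sample lines are abridged from the post's log; the year (2017) and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Lines abridged from the post's log (newest first, tab-separated fields).
SAMPLE = """\
May 28 13:50:23\topenvpn\t6881\tInitialization Sequence Completed
May 28 13:50:11\topenvpn\t6881\tSIGUSR1[soft,tls-error] received, process restarting
May 28 13:49:09\topenvpn\t6881\tSIGUSR1[soft,tls-error] received, process restarting
May 28 13:40:53\topenvpn\t6881\tSIGUSR1[soft,ping-restart] received, process restarting
May 28 13:15:25\topenvpn\t6881\tInitialization Sequence Completed
May 28 13:14:50\topenvpn\t6881\tSIGUSR1[soft,ping-restart] received, process restarting
May 28 13:08:39\topenvpn\t6881\twrite UDPv4: No route to host (code=65)
May 28 13:08:39\topenvpn\t6678\tWARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\s+openvpn\s+(\d+)\s+(.*)$")
RESTART = re.compile(r"SIGUSR1\[soft,([\w-]+)\]")

def parse(text, year=2017):
    # Syslog timestamps carry no year, so the year is an assumption.
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3)))
    # Input is newest first: reverse, then stable-sort to get oldest first.
    return sorted(reversed(events), key=lambda e: e[0])

def summarize(events):
    restarts, outages, notes = Counter(), [], set()
    down_since = None
    for ts, _pid, msg in events:
        m = RESTART.search(msg)
        if m:
            restarts[m.group(1)] += 1
            down_since = down_since or ts  # first restart opens the outage
        elif msg.startswith("Initialization Sequence Completed"):
            if down_since:
                outages.append((down_since, ts, int((ts - down_since).total_seconds())))
            down_since = None
        elif msg.startswith("WARNING:") or "No route to host" in msg:
            notes.add(msg)
    return restarts, outages, notes, down_since

if __name__ == "__main__":
    restarts, outages, notes, still_down = summarize(parse(SAMPLE))
    print(dict(restarts), [o[2] for o in outages], sorted(notes), still_down)
```

A non-`None` fourth return value means the log ends while the tunnel is still down, which matches the "fails without ever reconnecting" case.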