OpenVPN Client disconnects every few seconds - ExpressVPN



  • Hey!

    I have a problem with my OpenVPN client on my pfSense 2.4.1-RELEASE firewall, running on an Up Squared. The client (seemingly successfully) connects to some ExpressVPN server, but disconnects every few seconds, ending in huge packet losses etc.

    Log:

    Nov 11 01:18:19 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x00000004 [scalable]
    Nov 11 01:18:19 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:19 	openvpn 	49480 	PO_CTL rwflags=0x0001 ev=7 arg=0x00000004
    Nov 11 01:18:19 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x00000004 [scalable]
    Nov 11 01:18:19 	openvpn 	49480 	MANAGEMENT: CMD 'status 2'
    Nov 11 01:18:19 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:19 	openvpn 	49480 	PO_CTL rwflags=0x0002 ev=7 arg=0x00000004
    Nov 11 01:18:19 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x00000004 [scalable]
    Nov 11 01:18:19 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:19 	openvpn 	49480 	PO_CTL rwflags=0x0001 ev=7 arg=0x00000004
    Nov 11 01:18:19 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000011 rwflags=0x0001 arg=0x00000004 [scalable]
    Nov 11 01:18:19 	openvpn 	49480 	PO_DEL ev=7
    Nov 11 01:18:19 	openvpn 	49480 	MANAGEMENT: Client disconnected
    Nov 11 01:18:19 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:19 	openvpn 	49480 	PO_CTL rwflags=0x0001 ev=4 arg=0x00000004
    Nov 11 01:18:19 	openvpn 	6074 	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Nov 11 01:18:19 	openvpn 	6074 	MANAGEMENT: CMD 'state 1'
    Nov 11 01:18:19 	openvpn 	6074 	MANAGEMENT: CMD 'status 2'
    Nov 11 01:18:19 	openvpn 	6074 	MANAGEMENT: Client disconnected
    Nov 11 01:18:20 	openvpn 	49480 	PO_WAIT[2,0] fd=4 rev=0x00000001 rwflags=0x0001 arg=0x00000004 [scalable]
    Nov 11 01:18:20 	openvpn 	49480 	MULTI: REAP range 160 -> 176
    Nov 11 01:18:20 	openvpn 	49480 	MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Nov 11 01:18:20 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:20 	openvpn 	49480 	PO_CTL rwflags=0x0002 ev=7 arg=0x00000004
    Nov 11 01:18:20 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x00000004 [scalable]
    Nov 11 01:18:20 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:20 	openvpn 	49480 	PO_CTL rwflags=0x0001 ev=7 arg=0x00000004
    Nov 11 01:18:20 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x00000004 [scalable]
    Nov 11 01:18:20 	openvpn 	49480 	MANAGEMENT: CMD 'status 2'
    Nov 11 01:18:20 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:20 	openvpn 	49480 	PO_CTL rwflags=0x0002 ev=7 arg=0x00000004
    Nov 11 01:18:20 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x00000004 [scalable]
    Nov 11 01:18:20 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:20 	openvpn 	49480 	PO_CTL rwflags=0x0001 ev=7 arg=0x00000004
    Nov 11 01:18:20 	openvpn 	49480 	PO_WAIT[3,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x00000004 [scalable]
    Nov 11 01:18:20 	openvpn 	49480 	MANAGEMENT: CMD 'quit'
    Nov 11 01:18:20 	openvpn 	49480 	PO_DEL ev=7
    Nov 11 01:18:20 	openvpn 	49480 	MANAGEMENT: Client disconnected
    Nov 11 01:18:20 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:20 	openvpn 	49480 	PO_CTL rwflags=0x0001 ev=4 arg=0x00000004
    Nov 11 01:18:30 	openvpn 	49480 	MULTI: REAP range 176 -> 192
    Nov 11 01:18:30 	openvpn 	49480 	MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
    Nov 11 01:18:30 	openvpn 	49480 	MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
    Nov 11 01:18:30 	openvpn 	49480 	MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
    Nov 11 01:18:30 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL
    Nov 11 01:18:41 	openvpn 	49480 	MULTI: REAP range 192 -> 208
    Nov 11 01:18:41 	openvpn 	49480 	MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
    Nov 11 01:18:41 	openvpn 	49480 	MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
    Nov 11 01:18:41 	openvpn 	49480 	MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
    Nov 11 01:18:41 	openvpn 	49480 	SCHEDULE: schedule_find_least NULL 
    

    It is not a problem of my internet connection - when I use the config of ExpressVPN on a computer in the network (with disabled VPN client on my pfSense firewall), there are no disconnects.

    /var/etc/openvpn/client2.conf:

    dev ovpnc2
    verb 3
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.0.17
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client2.sock unix
    remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195
    auth-user-pass /var/etc/openvpn/client2.up
    auth-retry nointeract
    ca /var/etc/openvpn/client2.ca 
    cert /var/etc/openvpn/client2.cert 
    key /var/etc/openvpn/client2.key 
    tls-auth /var/etc/openvpn/client2.tls-auth 1
    ncp-ciphers AES-256-GCM:AES-128-GCM
    comp-lzo adaptive
    resolv-retry infinite
    route-nopull
    fast-io
    persist-key
    persist-tun
    remote-random
    pull
    tls-client
    verify-x509-name Server name-prefix
    ns-cert-type server
    key-direction 1
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1450
    verb 3
    sndbuf 524288
    rcvbuf 524288
    
    

    OVPN from ExpressVPN:

    dev tun
    fast-io
    persist-key
    persist-tun
    nobind
    remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195
    
    remote-random
    pull
    comp-lzo
    tls-client
    verify-x509-name Server name-prefix
    ns-cert-type server
    key-direction 1
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1450
    verb 3
    cipher AES-256-CBC
    keysize 256
    auth SHA512
    sndbuf 524288
    rcvbuf 524288
    auth-user-pass
    

    Guide I followed for setting the stuff up:
    https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

    What else do you need?

    Thanks in advance

    dvs23



  • I'm having the exact same problem. ExpressVPN directed me to the pfSense forum... so they have no idea. They said their setup guide was written by one of their customers.



  • Does anyone have any idea how to solve this? Or at least what the problem is here?


  • Rebel Alliance Developer Netgate

    Nov 11 01:18:20 	openvpn 	49480 	MANAGEMENT: Client disconnected
    

    That does not mean openvpn disconnected. That means that the GUI status page or widget probed the openvpn service and then disconnected from the management interface. Your logs are probably too verbose to see what's actually happening. Turn down the logging to verb 3 or 4, and ignore any line with MANAGEMENT in it.

    I know your config claims it's only using verb 3 but that looks like a lot higher log detail than 3.
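
The triage the reply above describes, as an added example that is not part of the original thread: it counts MANAGEMENT probe lines and event-loop debug lines per PID, keeps whatever remains, and maps each PID to its pfSense instance from the management socket path. The sample lines are copied from the log posted above; the `triage` function and the debug-prefix list are assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the log posted in this thread (whitespace normalised).
SAMPLE_LOG = """\
Nov 11 01:18:19 openvpn 49480 PO_WAIT[3,0] fd=7 rev=0x00000011 rwflags=0x0001 arg=0x00000004 [scalable]
Nov 11 01:18:19 openvpn 49480 PO_DEL ev=7
Nov 11 01:18:19 openvpn 49480 MANAGEMENT: Client disconnected
Nov 11 01:18:19 openvpn 49480 SCHEDULE: schedule_find_least NULL
Nov 11 01:18:19 openvpn 6074 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Nov 11 01:18:19 openvpn 6074 MANAGEMENT: CMD 'state 1'
Nov 11 01:18:19 openvpn 6074 MANAGEMENT: CMD 'status 2'
Nov 11 01:18:19 openvpn 6074 MANAGEMENT: Client disconnected
Nov 11 01:18:20 openvpn 49480 MULTI: REAP range 160 -> 176
Nov 11 01:18:20 openvpn 49480 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Nov 11 01:18:20 openvpn 49480 MANAGEMENT: CMD 'quit'
Nov 11 01:18:30 openvpn 49480 MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+openvpn\s+(\d+)\s+(.*)$")
SOCK = re.compile(r"MANAGEMENT: Client connected from \S*/(\w+)\.sock")
# Assumption: these prefixes are event-loop/scheduler debug output, taken from
# the posted log; extend the tuple for other high-verbosity noise.
DEBUG_PREFIXES = ("PO_WAIT", "PO_CTL", "PO_DEL", "SCHEDULE:", "MULTI: REAP", "MULTI TCP:")

def triage(log_text):
    """Group lines per PID; count GUI probes and debug noise, keep the rest."""
    report = defaultdict(lambda: {"instance": None, "management": 0,
                                  "debug": 0, "events": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, msg = m.groups()
        entry = report[int(pid)]
        if msg.startswith("MANAGEMENT"):
            entry["management"] += 1
            sock = SOCK.search(msg)
            if sock:  # socket file name identifies the pfSense instance
                entry["instance"] = sock.group(1)
        elif msg.startswith(DEBUG_PREFIXES):
            entry["debug"] += 1
        else:
            entry["events"].append((stamp, msg))  # what is worth reading
    return dict(report)

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_LOG).items():
        print(pid, info["instance"], info["management"], info["debug"], info["events"])
```

On these sample lines both PIDs come back with an empty `events` list, and the verbose PID 49480 is the one whose management socket is `server1.sock`, while `client2.sock` belongs to PID 6074.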



  • @dvs23:

    Does anyone have any idea how to solve this? Or at least what the problem is here?

    I had similar issues from 2.3 versions. I also had disconnects from my computer, not with ExpressVPN but with another provider.

    The disconnects disappeared when I disabled gateway monitoring both at my default gateway and the VPN gateway.

    Log in to your pfSense and visit System/Routing/Gateways. Click the edit button at your default gateway and at your VPN gateway and put a tick on "Disable Gateway Monitoring" and "Disable Gateway Monitoring Action". Save your settings and reboot your router in order to make sure that they are applied.



  • Wow! That's it! Previously I had huge packet loss rates (50% and more), now everything seems to be fine (meaning not a single packet lost after 100 pings :))) Thank you!!
    I will send ExpressVPN a link to this thread so they know it's not really their fault :)

