Automatic Restart for VPN Client



  • I have an OpenVPN client running on my network and for some reason it keeps going down (may be inactivity timeout, or may be connectivity issues - for some reason I get momentary disconnections - that's for another thread).

    Is there a way to have the server restart itself when the connection goes down?

    At the moment, I have to do this manually which is very inconvenient.

    Thanks in advance for any suggestions/advice.


  • Netgate

    That depends on why it is failing.

    Look in System > Logs, OpenVPN.

    An authentication failure (the remote side says, "your password/key/etc. is incorrect.") is treated as a hard failure and the client exits. Current pfSense versions include auth-retry nointeract; in the default configuration, which changes this behavior. It can be overridden, causing a hard failure, by checking the Auth-Retry checkbox in the client configuration.

    Older versions default to a hard failure in this case which can be overridden by placing auth-retry nointeract; in the custom options of the client configuration.

    There also appear to be some changes as VPN providers continue to experience growing pains. I found this interesting:

    https://forum.pfsense.org/index.php?topic=137438.msg754714#msg754714



  • Thanks for this… I suspect that maybe changing the custom parameters as per that post might help... I'll need to experiment.

    (Is there any way to comment out items in the custom settings box i.e. put # in front of a command or something similar?)

    It's certainly not credentials as I stay logged in for hours and sometimes days.

    I did check the log at Status / System Logs / OpenVPN as you suggested and found tons of entries like this:

    
    Time	Process	PID	Message
    Dec 15 22:04:06	openvpn	38704	MANAGEMENT: Client disconnected
    Dec 15 22:04:06	openvpn	38704	MANAGEMENT: CMD 'quit'
    Dec 15 22:04:06	openvpn	38704	MANAGEMENT: CMD 'status 2'
    Dec 15 22:04:06	openvpn	38704	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
    Dec 15 22:03:03	openvpn	38704	MANAGEMENT: Client disconnected
    Dec 15 22:03:03	openvpn	38704	MANAGEMENT: CMD 'quit'
    Dec 15 22:03:03	openvpn	38704	MANAGEMENT: CMD 'status 2'
    Dec 15 22:03:03	openvpn	38704	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
    Dec 15 22:02:00	openvpn	38704	MANAGEMENT: Client disconnected
    Dec 15 22:02:00	openvpn	38704	MANAGEMENT: CMD 'quit'
    Dec 15 22:02:00	openvpn	38704	MANAGEMENT: CMD 'status 2'
    Dec 15 22:02:00	openvpn	38704	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
    Dec 15 22:00:58	openvpn	38704	MANAGEMENT: Client disconnected
    Dec 15 22:00:58	openvpn	38704	MANAGEMENT: CMD 'quit'
    Dec 15 22:00:58	openvpn	38704	MANAGEMENT: CMD 'status 2'
    Dec 15 22:00:57	openvpn	38704	MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
    

    The connection is up, and seems to be working - no problems with speed or anything.  Any ideas as to what is happening?  Looks like I have some type of configuration or hardware problem, but I don't have a clue where to start with this.

    ~~Maybe I need to upgrade?

    2.3.4-RELEASE-p1 (amd64)
    built on Fri Jul 14 14:52:43 CDT 2017
    FreeBSD 10.3-RELEASE-p19

    If so 2.3.x or 2.4.x?~~

    Took a deep breath and jumped feet first…

    2.4.2-RELEASE-p1 (amd64)
    built on Tue Dec 12 13:45:26 CST 2017
    FreeBSD 11.1-RELEASE-p6

    fortunately the upgrade went smoothly.


  • Netgate

    Those log messages are recording the fact that the Status > OpenVPN page or the OpenVPN widget connected, collected the status it needed to display, and disconnected again. They have nothing to do with the actual VPN connections.


  • Netgate

    I would just remove the entries you do not want there.

    --config file
        Load additional config options from file where each line corresponds to one command line option, but with the leading '--' removed.

    If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file

    Note that configuration files can be nested to a reasonable depth.

    Double quotation or single quotation characters ("", '') can be used to enclose single parameters containing whitespace, and "#" or ";" characters in the first column can be used to denote comments.

    Note that OpenVPN 2.0 and higher performs backslash-based shell escaping for characters not in single quotations, so the following mappings should be observed:

    \\       Maps to a single backslash character (\).
    \"       Pass a literal doublequote character ("), don't
             interpret it as enclosing a parameter.
    \[SPACE] Pass a literal space or tab character, don't
             interpret it as a parameter delimiter.

    For example on Windows, use double backslashes to represent pathnames:

    secret "c:\\OpenVPN\\secret.key"

    For examples of configuration files, see http://openvpn.net/examples.html

    Here is an example configuration file:

    #
    # Sample OpenVPN configuration file for
    # using a pre-shared static key.
    #
    # '#' or ';' may be used to delimit comments.

    # Use a dynamic tun device.
    dev tun

    # Our remote peer
    remote mypeer.mydomain

    # 10.1.0.1 is our local VPN endpoint
    # 10.1.0.2 is our remote VPN endpoint
    ifconfig 10.1.0.1 10.1.0.2

    # Our pre-shared static key
    secret static.key

    I have never tried embedding comment there. You are welcome to try, of course. The generated config file will be in /var/etc/openvpn.



  • @Derelict:

    Those log messages are recording the fact that the Status > OpenVPN page or the OpenVPN widget connected, collected the status it needed to display, and disconnected again. They have nothing to do with the actual VPN connections.

    Thanks @Derelict for the insight… (So I assume then that a line starting with ; or # is a comment.)

    These messages are creating a lot of crap in the log files.  Is there any reason those messages need to be there (i.e. can I get rid of them without missing something important)?  I have the log level set to the default.

    UPDATE: The VPN server hasn't gone down since the upgrade (about 12 hours, but that doesn't really mean much since it could be good for a week and then go out every 4-6 hours for a day or so).  I think the issue is either instability in the cable network, the ISP-provided gateway, or possibly the pfSense box (maybe caused by plugins or firewall rules, or even a flaky NIC port - supposed to be Intel, but it's a little box from China, so quality may be an issue).  I have a custom script that pings my web server every 5 minutes to log load stats and response time.

    To make sure that a "no answer" is really a "No Answer" caused by my server I attempt to connect to 8.8.8.8, 209.244.0.3, 64.6.64.6 on port 53 with socket.socket(socket.AF_INET, socket.SOCK_STREAM).connect((host, port)) and timeout=.4 - if all three attempts fail, then I consider the connection down/too slow for testing.  I get between 2 and 20 of these conditions per day, with the average being about 6-8.

    Any clues as to how to troubleshoot/narrow down why the tunnel keeps dropping (or more importantly how to make it restart quickly) would be much appreciated.
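The reachability check described in the post above, written out as a runnable script. This is an added example and not the poster's own script: the three resolver targets, TCP port 53 and the 0.4 s timeout are taken from the post, while the `connect` parameter and `fake_connector` helper are assumptions added so the "all three fail" rule can be exercised offline without touching the network.

```python
"""Reachability probe in the shape the post describes: TCP connects to
three public resolvers on port 53 with a short timeout; the link is
considered down only when every probe fails.

Added example, not the poster's script.  `connect` / `fake_connector`
are hypothetical hooks so the decision logic can be tested offline.
"""
import socket
import time
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

Target = Tuple[str, int]

# Targets and timeout as stated in the post.
PROBES: Tuple[Target, ...] = (("8.8.8.8", 53), ("209.244.0.3", 53), ("64.6.64.6", 53))
TIMEOUT = 0.4


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Complete a TCP handshake and close; raises OSError (including
    socket.timeout) when the connect fails or exceeds `timeout`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))


def probe(targets: Iterable[Target] = PROBES,
          timeout: float = TIMEOUT,
          connect: Callable[[str, int, float], None] = tcp_connect,
          ) -> Dict[Target, Optional[float]]:
    """Handshake time in seconds per target, or None when that probe failed."""
    results: Dict[Target, Optional[float]] = {}
    for host, port in targets:
        start = time.monotonic()
        try:
            connect(host, port, timeout)
            results[(host, port)] = round(time.monotonic() - start, 3)
        except OSError:  # refused, unreachable, or timed out
            results[(host, port)] = None
    return results


def link_down(results: Dict[Target, Optional[float]]) -> bool:
    """The post's rule: down only if all probes failed."""
    return all(rtt is None for rtt in results.values())


def fake_connector(reachable: Set[Target]) -> Callable[[str, int, float], None]:
    """Hypothetical offline stand-in for tcp_connect: succeeds only for
    targets in `reachable`, otherwise behaves like a timed-out connect."""
    def connect(host: str, port: int, timeout: float) -> None:
        if (host, port) not in reachable:
            raise socket.timeout(f"{host}:{port} did not answer in {timeout}s")
    return connect


if __name__ == "__main__":
    # Stand-alone run uses the real network.
    r = probe()
    print("DOWN" if link_down(r) else "UP", r)
```

Note what this measures: a successful handshake to a public resolver shows that the WAN path is up, not that the OpenVPN tunnel is carrying traffic. To test the tunnel itself, probe an address that is only reachable through it.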


  • Netgate

    YOU ARE FREE TO TRY SETTING THE LOG DETAIL DOWN AND SEEING IF IT REMOVES ANYTHING IMPORTANT TO YOU!

    Else log to something else and grep out or search for what is important to you.

    I have zero idea what is important to you.



  • @Derelict:

    YOU ARE FREE TO TRY SETTING THE LOG DETAIL DOWN AND SEEING IF IT REMOVES ANYTHING IMPORTANT TO YOU!

    Else log to something else and grep out or search for what is important to you.

    I have zero idea what is important to you.

    Sorry I should have been specific - Under normal circumstances I only want logs to give me information to alert me to things that require action - i.e. software/hardware errors or security issues such as unauthorised login attempts etc.



  • @Derelict:

    I would just remove the entries you do not want there.

    Double quotation or single quotation characters ("", '') can be used to enclose single parameters containing whitespace, and "#" or ";" characters in the first column can be used to denote comments.
    I have never tried embedding comment there. You are welcome to try, of course. The generated config file will be in /var/etc/openvpn.

    For the benefit of anyone who might actually care, comments SORT OF work.

    #VALID COMMENT
    ;VALID COMMENT
    ;SCREWS UP;
    #SCREWS UP;

    Don't know if this is a bug, or if this is the way it is supposed to work, but it makes it difficult to comment out/document things for test purposes.  Two semi-colons on a line cause the parser to chuck its cookies and the OpenVPN client won't start due to a syntax error in the config file.

    As an aside… with no changes, I haven't had a problem for several days... don't know if this is because of the pfSense Update, or if the conditions for failure haven't yet occurred.

    I just put in the changes as per the post recommended here:

    @Derelict:

    There also appear to be some changes as VPN providers continue to experience growing pains. I found this interesting:

    https://forum.pfsense.org/index.php?topic=137438.msg754714#msg754714

    If I have more problems, I'll post again, and if I remember, I'll post an update, but no news can be considered to be good news.
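To make the comment and quoting rules from the man page excerpt (and the "SORT OF work" results just above) concrete, here is a small tokenizer that follows the same state machine OpenVPN uses for a config line. This is an added example, not pfSense or OpenVPN code. Beyond the man page's "first column" wording it also treats a `#` or `;` at the start of any later parameter as a comment, which is how OpenVPN's own tokenizer behaves. The sample config text is constructed for the example; it is not a pfSense-generated file.

```python
"""Tokenizer for OpenVPN-style config lines.

Added example; not pfSense or OpenVPN code.  Rules implemented, from the
man page excerpt: '#' or ';' at the start of a parameter begins a comment
that runs to end of line; "..." or '...' groups a parameter containing
whitespace; outside single quotes a backslash may only escape '\\', '"'
or whitespace, anything else is an error.  Inline <ca>...</ca> style
blocks are outside this model.
"""
from typing import List

INITIAL, UNQUOTED, DQUOTED, SQUOTED, DONE = range(5)


def _space(ch: str) -> bool:
    # OpenVPN's space() also counts the terminating NUL as whitespace.
    return ch == "\0" or ch.isspace()


def parse_line(line: str) -> List[str]:
    """Split one config line into parameters; [] for blank/comment lines."""
    state, backslash = INITIAL, False
    parm: List[str] = []      # characters of the parameter being built
    tokens: List[str] = []

    for ch in line + "\0":    # NUL sentinel flushes a trailing unquoted token
        out = ""
        if not backslash and ch == "\\" and state != SQUOTED:
            backslash = True  # escape applies to the next character only
            continue
        if state == INITIAL:
            if not _space(ch):
                if ch in ";#":            # comment: drop the rest of the line
                    break
                if not backslash and ch == '"':
                    state = DQUOTED
                elif not backslash and ch == "'":
                    state = SQUOTED
                else:
                    out, state = ch, UNQUOTED
        elif state == UNQUOTED:
            if not backslash and _space(ch):
                state = DONE
            else:
                out = ch
        elif state == DQUOTED:
            if not backslash and ch == '"':
                state = DONE
            else:
                out = ch
        elif state == SQUOTED:
            if ch == "'":                 # no escaping inside single quotes
                state = DONE
            else:
                out = ch
        if state == DONE:
            tokens.append("".join(parm))
            parm, state = [], INITIAL
        if backslash and out and out not in ('\\', '"') and not _space(out):
            raise ValueError(f"bad backslash before {out!r} in {line!r}")
        backslash = False
        if out and out != "\0":
            parm.append(out)

    if state in (DQUOTED, SQUOTED):
        raise ValueError(f"no closing quotation in {line!r}")
    if state != INITIAL:
        raise ValueError(f"residual parse state in {line!r}")
    return tokens


def parse_config(text: str) -> List[List[str]]:
    """Parse a whole file; blank and comment-only lines are dropped."""
    parsed: List[List[str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            tokens = parse_line(raw)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if tokens:
            parsed.append(tokens)
    return parsed


def rejects(line: str) -> bool:
    """True when parse_line refuses the line (bad escape, unclosed quote)."""
    try:
        parse_line(line)
    except ValueError:
        return True
    return False


# Constructed sample in the style of the man page excerpt.
SAMPLE = r'''
# '#' in the first column is a comment
; and so is ';'
dev tun
remote mypeer.mydomain 1194 udp  ; a comment after the last parameter
secret "c:\\OpenVPN\\secret.key"
tls-cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
auth-retry nointeract
'''

if __name__ == "__main__":
    for opt in parse_config(SAMPLE):
        print(opt)
```

Both `#SCREWS UP;` and `;SCREWS UP;` are plain comments to this tokenizer, as they are to OpenVPN itself. The caveat for pfSense users is that the custom options box is documented as taking options separated by semicolons, so that text is split on `;` before OpenVPN's parser ever sees it; the tokenizer above models only that second step, which is why the generated file under /var/etc/openvpn is the thing to inspect when a comment misbehaves.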