OpenVPN keeps disconnecting randomly



  • I have 3 machines at various locations over the Internet connecting via OpenVPN to my pfsense. Two of my machines are Linux and the other is Windows 10 Pro. Each one has a unique certificate, user, etc. However, it seems to randomly restart the VPN (every 5 - 40 mins). I don't think it's due to my internet connection since I'm able to chrome remote in with no delay or lag. I scoured the logs for anything that could indicate what is causing the issue. There were too many logs so I set my log setting to default (4).

    I keep seeing

    openvpn1/123.123.123.123:48484 [openvpn1] Inactivity timeout (--ping-restart), restarting 
    

    or

    openvpn1/123.123.123.123:9795 GET INST BY VIRT: 192.168.12.61 [failed]
    openvpn1/123.123.123.123:9795 GET INST BY VIRT: 10.2.0.3 -> openvpn1/123.123.123.123:48484:9795 via 10.2.0.3 
    

    for each machine.

    My client config is

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 121.121.121.121 1194 udp
    lport 0
    verify-x509-name "www.somewebsite.com" name
    auth-user-pass
    pkcs12 test-udp-1194-openvpn1.p12
    tls-auth test-udp-1194-openvpn1-tls.key 1
    remote-cert-tls server
    comp-lzo adaptive
    

    I'm not sure how to output my server config but it's

    Server Mode: Remote Access (SSL/TLS + User Auth)
    Protocol: UDP
    Device mode: tun
    Interface: WAN
    Local Port: 1194
    Enabled auth of TLS packets
    DH Parameter length: 2048
    Auth digest algo: SHA1 (160-bit)
    Certificate Depth: (Client + Server)

    Tunnel Settings:
    IPv4 Tunnel: 10.0.2.0/24
    IPv4 Local: 192.168.12.0/24
    Concurrent connections: 10
    Compression: Enabled with Adaptive Compression
    Inter-client comm: Allowed communication between clients connected to this server.

    Client settings:
    Dynamic IP: Allowed connected clients to retain their connections if their IP address changes
    Address Pool: Provided a virtual adapter IP address to clients

    Advance Client Settings:
    DNS Server enabled with an another computer directed as the DNS server

    Verbosity level: default

    I'm on pfsense version 2.3.2, which I believe means I'm on OpenVPN 2.3.

    I've been working on this for over a week and have not been able to make sense of the problem. Please help.



  • In case my firewall rules are important
    Firewall / Rules / WAN

    Protocol: IPv4 UDP - Source: 123.123.123.123 - Port:* - Destination: WAN address - Port:1194 (OpenVPN) - Gateway: * - Queue: none - Schedule: "" - Description: OpenVPN1Rule

    (I have a similar rule for each external ip address that I want to allow in)

    Firewall / Rules / OpenVPN

    Protocol: IPv4 TCP/UDP - Source: * - Port: * - Destination: 192.168.12.61 - Port: 3389 (MS RDP) - Gateway: * - Queue: none - Schedule:"" - Description: SomeRDPServer

    I'm not sure how keepalive works but does it need ICMP to be active?



  • I started looking at my pfsense system logs. For one of the "disconnects", the system logged the following:

    nginx: 2018/02/16 13:27:09 [error] 29525#100071: send() failed (54: Connection reset by peer)

    Not sure what is sending this. Why does this cause all OpenVPN clients to crash? For testing, I disabled all users and disabled the firewall rules except one user and 2 firewall rules for my testing site / rdp server. Also, could squid be causing this issue?



  • I've confirmed it's due to the pfsense router. How do I check if the keepalive signal is transmitted?



  • In case someone else faces a similar problem, it seems the advanced configuration can override prior settings like keepalive (this fact was not found in the pfsense manual…). After adjusting keepalive's parameters, I no longer face the numerous random disconnects.
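A quick way to tell a single flaky client link from the server-side problem described in this thread (every client dropping together because of the keepalive / --ping-restart settings) is to tally the "Inactivity timeout (--ping-restart)" lines per client and look for restarts that land within the same short window. The script below is an added example, not code from the thread or from pfSense; it assumes a pfSense-style syslog prefix ("Mon DD HH:MM:SS openvpn[pid]: ") in front of the OpenVPN messages, and the sample lines, client names, addresses and times are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in pfSense syslog style (assumed prefix "Mon DD HH:MM:SS openvpn[pid]: ");
# the client names, addresses and times are made up and are not from the thread.
SAMPLE_LOG = """\
Feb 16 13:27:09 openvpn[61234]: openvpn1/123.123.123.123:48484 [openvpn1] Inactivity timeout (--ping-restart), restarting
Feb 16 13:27:11 openvpn[61234]: openvpn2/124.124.124.124:5001 [openvpn2] Inactivity timeout (--ping-restart), restarting
Feb 16 13:27:12 openvpn[61234]: openvpn3/125.125.125.125:6002 [openvpn3] Inactivity timeout (--ping-restart), restarting
Feb 16 13:27:20 openvpn[61234]: openvpn1/123.123.123.123:9795 GET INST BY VIRT: 192.168.12.61 [failed]
Feb 16 13:41:40 openvpn[61234]: openvpn1/123.123.123.123:9795 [openvpn1] Inactivity timeout (--ping-restart), restarting
"""

# "<common name>/<peer ip>:<port> <message>" is OpenVPN's per-client log prefix
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[\d+\]: "
    r"(?P<cn>[^/ ]+)/(?P<peer>[\d.]+):\d+ (?P<msg>.*)$"
)

def parse_restarts(log_text, year=2018):
    """Return [(timestamp, common_name, peer_ip)] for every --ping-restart event, in log order."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "Inactivity timeout (--ping-restart)" not in m["msg"]:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["cn"], m["peer"]))
    return out

def restart_counts(restarts):
    """How often each client was restarted: one noisy client points at its link, all clients at the server."""
    counts = {}
    for _, cn, _ in restarts:
        counts[cn] = counts.get(cn, 0) + 1
    return counts

def correlated_restarts(restarts, window_seconds=60):
    """Sets of distinct clients restarted within one window; simultaneous drops are a server-side
    smell (e.g. keepalive/ping-restart overridden in the server's advanced configuration)."""
    groups, i = [], 0
    restarts = sorted(restarts)
    while i < len(restarts):
        start, j, cns = restarts[i][0], i, set()
        while j < len(restarts) and restarts[j][0] - start <= timedelta(seconds=window_seconds):
            cns.add(restarts[j][1])
            j += 1
        if len(cns) > 1:
            groups.append(cns)
        i = j
    return groups
```

Feed it the real OpenVPN log from Status / System Logs and compare the correlated groups against the keepalive values in the server's advanced configuration.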



  • @TriStarGod what did you adjust?

