Netgate Discussion Forum

    OpenVPN setup everyday connection issues

    7 Posts 3 Posters 762 Views
    ilias.lo (last edited by ilias.lo)

      Good morning fellas,

      I would like to share my problem with you, as I couldn't think of anything else to resolve it.

      Description of my problem:
      We have a pfSense device, version 2.4.3. Our VPN provider is VPNUK. Our configuration in pfSense is as follows:

      An OpenVPN client with account credentials and DNS. An interface for the VPNUK tunnel, and then an interface for linking the ovpn interface to our gateway. The VPN client does create the tunnel, and we get the specific IP assigned to our account.

      My issue is that every day the connection gets stuck. I have to restart all the relevant interfaces, gateways and the VPN service to get the connection UP again. Currently we have a cron job to restart the VPN service, but this doesn't seem to resolve the issue, as I have to redo all of that manually every day. Any suggestions?

      I contacted VPNUK to check why our account has client disconnections every day, and they told me that we had many trapped sessions (the user shuts down the machine before disconnecting). Possibly it's that, but I had to share it with you and check whether anyone else faces anything similar.

      Thank you in advance for your help

      Kind regards,
      ILIAS

        netblues @ilias.lo

        @ilias-lo Please post the relevant OpenVPN logs.
        And what do you mean by "user shuts down the machine before disconnecting"?
        What user? What machine? What shutdown?

          ilias.lo

          Netblues, first of all, thank you for your prompt reply.

          Below are the logs up to the point where the initialization completed:

          Dec 12 11:19:10	openvpn	65024	Initialization Sequence Completed
          Dec 12 11:19:10	openvpn	65024	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.****.252 255.0.0.0 init
          Dec 12 11:19:10	openvpn	65024	ERROR: FreeBSD route add command failed: external program exited with error status: 1
          Dec 12 11:19:10	openvpn	65024	/sbin/route add -net 10.0.0.0 10.0.0.1 255.0.0.0
          Dec 12 11:19:10	openvpn	65024	/sbin/ifconfig ovpnc1 10.****.252 10.0.0.1 mtu 1500 netmask 255.0.0.0 up
          Dec 12 11:19:10	openvpn	65024	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
          Dec 12 11:19:10	openvpn	65024	TUN/TAP device /dev/tun1 opened
          Dec 12 11:19:10	openvpn	65024	TUN/TAP device ovpnc1 exists previously, keep at program end
          Dec 12 11:19:10	openvpn	65024	Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
          Dec 12 11:19:10	openvpn	65024	Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
          Dec 12 11:19:10	openvpn	65024	Data Channel: using negotiated cipher 'AES-256-GCM'
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: data channel crypto options modified
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: adjusting link_mtu to 1625
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: peer-id set
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: route-related options modified
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: --ifconfig/up options modified
          Dec 12 11:19:10	openvpn	65024	Socket Buffers: R=[42080->393216] S=[57344->393216]
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: compression parms modified
          Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: timers and/or timeouts modified
          Dec 12 11:19:10	openvpn	65024	Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.4.4)
          Dec 12 11:19:10	openvpn	65024	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
          Dec 12 11:19:10	openvpn	65024	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
          Dec 12 11:19:10	openvpn	65024	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
          Dec 12 11:19:10	openvpn	65024	PUSH: Received control message: 'PUSH_REPLY,dhcp-option NTP 10.10.11.1,dhcp-option DNS 10.10.11.1,ping-timer-rem,redirect-gateway def1 bypass-dhcp,register-dns,comp-lzo no,sndbuf 393216,rcvbuf 393216,route-gateway 10.10.11.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.****.252 255.0.0.0,peer-id 5,cipher AES-256-GCM'
          Dec 12 11:19:10	openvpn	65024	SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
          Dec 12 11:19:09	openvpn	65024	[server] Peer Connection Initiated with [AF_INET]87.****.3:1194
          Dec 12 11:19:09	openvpn	65024	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
          Dec 12 11:19:09	openvpn	65024	VERIFY OK: depth=0, C=GB, ST=GB, L=London, O=VPNUK, CN=server, emailAddress=support@vpnuk.info
          Dec 12 11:19:09	openvpn	65024	VERIFY OK: depth=1, C=GB, ST=GB, L=London, O=VPNUK, CN=VPNUK CA, emailAddress=support@vpnuk.info
          Dec 12 11:19:09	openvpn	65024	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          Dec 12 11:19:09	openvpn	65024	TLS: Initial packet from [AF_INET]87.****.3:1194, sid=de26c21b 6f0de777
          Dec 12 11:19:09	openvpn	65024	UDPv4 link remote: [AF_INET]87.****.3:1194
          Dec 12 11:19:09	openvpn	65024	UDPv4 link local (bound): [AF_INET]192.168.1.26:0
          Dec 12 11:19:09	openvpn	65024	Socket Buffers: R=[42080->42080] S=[57344->57344]
          Dec 12 11:19:09	openvpn	65024	TCP/UDP: Preserving recently used remote address: [AF_INET]87.****.3:1194
          Dec 12 11:19:09	openvpn	65024	Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
          Dec 12 11:19:09	openvpn	65024	Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
          Dec 12 11:19:09	openvpn	65024	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          Dec 12 11:19:09	openvpn	65024	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
          Dec 12 11:19:09	openvpn	65024	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
          Dec 12 11:19:09	openvpn	64967	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
          Dec 12 11:19:09	openvpn	64967	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
          Dec 12 11:19:09	openvpn	64967	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
          Dec 12 11:19:08	openvpn	78138	SIGTERM[hard,] received, process exiting
          Dec 12 11:19:08	openvpn	78138	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.230.27.251 255.0.0.0 init
          Dec 12 11:19:08	openvpn	78138	Closing TUN/TAP interface
          Dec 12 11:19:08	openvpn	78138	event_wait : Interrupted system call (code=4)
          Dec 12 11:18:26	openvpn	27622	MANAGEMENT: Client disconnected
          Dec 12 11:18:26	openvpn	27622	MANAGEMENT: CMD 'status 2'
          Dec 12 11:18:26	openvpn	27622	MANAGEMENT: CMD 'state 1'
          Dec 12 11:18:26	openvpn	27622	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
          Dec 12 11:18:26	openvpn	78138	MANAGEMENT: Client disconnected
          Dec 12 11:18:26	openvpn	78138	MANAGEMENT: CMD 'status 2'
          Dec 12 11:18:26	openvpn	78138	MANAGEMENT: CMD 'state 1'
          Dec 12 11:18:26	openvpn	78138	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
          Dec 12 11:15:04	openvpn	27622	MANAGEMENT: Client disconnected
          Dec 12 11:15:04	openvpn	27622	MANAGEMENT: CMD 'status 2'
          Dec 12 11:15:04	openvpn	27622	MANAGEMENT: CMD 'state 1'
          Dec 12 11:15:04	openvpn	27622	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
          Dec 12 11:15:04	openvpn	78138	MANAGEMENT: Client disconnected
          Dec 12 11:15:04	openvpn	78138	MANAGEMENT: CMD 'status 2'
          Dec 12 11:15:04	openvpn	78138	MANAGEMENT: CMD 'state 1'
          Dec 12 11:15:04	openvpn	78138	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
          Dec 12 11:15:01	openvpn	78138	Initialization Sequence Completed
          Dec 12 11:15:01	openvpn	78138	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.****.251 255.0.0.0 init
          Dec 12 11:15:01	openvpn	78138	ERROR: FreeBSD route add command failed: external program exited with error status: 1
          Dec 12 11:15:01	openvpn	78138	/sbin/route add -net 10.0.0.0 10.0.0.1 255.0.0.0
          Dec 12 11:15:01	openvpn	78138	/sbin/ifconfig ovpnc1 10.****.251 10.0.0.1 mtu 1500 netmask 255.0.0.0 up
          Dec 12 11:15:01	openvpn	78138	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
          Dec 12 11:15:01	openvpn	78138	ioctl(TUNSIFMODE): Device busy (errno=16)
          Dec 12 11:15:01	openvpn	78138	TUN/TAP device /dev/tun1 opened
          

          Regarding "the user shuts down the machine before disconnecting": that is the cause of trapped sessions, as VPNUK support mentioned when I referred my issue (client disconnects from the VPN) to them for investigation. They assume that a VPN client connects from his physical PC to their service, and they mean that the hypothetical user has shut down the machine before he disconnected the VPN client. I believe that applies to our infrastructure using pfSense. I guess that if we restart the VPN service before the interface/gateway is disabled (which will cause the disconnect), then we might cause a trapped session, which will cause a client connection issue (as VPN support mentioned).

          I am not quite sure if that is correct, because restarting the OpenVPN service will drop the connection and initialise it again. That's why I posted my issue here.

          Thank you in advance,
          ILIAS

            netblues @ilias.lo
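The pasted log is tab-separated (timestamp, process, PID, message) and mixes several distinct things: a daemon stop/start cycle (SIGTERM followed by a new PID), a route-add failure, pushed options that the pfSense client rejects, and security warnings. The following triage script is an added example, not code from the original post or from pfSense/OpenVPN. It parses that log format and tallies each kind of event, so that "is the tunnel actually restarting?" and "which pushed options are being refused?" can be answered from the log rather than by eye. The sample input is a constructed slice of the lines pasted above (masked 10.**** addresses kept as the poster wrote them); the remediation hints for the security warnings (`remote-cert-tls server`, `auth-nocache`, tightening the script's permissions, asking the provider for a stronger server key) are my own suggestions, not statements from the thread.

```python
"""Triage an OpenVPN client log as pasted from the pfSense GUI (added example)."""
import re
from collections import Counter

# Constructed sample: a slice of the log lines pasted in the post above.
SAMPLE_LOG = """\
Dec 12 11:19:10\topenvpn\t65024\tInitialization Sequence Completed
Dec 12 11:19:10\topenvpn\t65024\tERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 12 11:19:10\topenvpn\t65024\t/sbin/route add -net 10.0.0.0 10.0.0.1 255.0.0.0
Dec 12 11:19:10\topenvpn\t65024\tOptions error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.4.4)
Dec 12 11:19:10\topenvpn\t65024\tOptions error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10\topenvpn\t65024\tOptions error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10\topenvpn\t65024\tOptions error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:09\topenvpn\t65024\tControl Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Dec 12 11:19:09\topenvpn\t65024\tWARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 12 11:19:09\topenvpn\t65024\tWARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 12 11:19:09\topenvpn\t64967\tWARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Dec 12 11:19:08\topenvpn\t78138\tSIGTERM[hard,] received, process exiting
Dec 12 11:15:01\topenvpn\t78138\tInitialization Sequence Completed
Dec 12 11:15:01\topenvpn\t78138\tERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 12 11:15:01\topenvpn\t78138\tioctl(TUNSIFMODE): Device busy (errno=16)
"""

# pfSense GUI log export: "<Mon DD HH:MM:SS>\t<process>\t<pid>\t<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\t"
    r"(?P<proc>\S+)\t(?P<pid>\d+)\t(?P<msg>.*)$"
)
# Rejected push options come in two shapes; both name the offending option.
REJECT_CTX_RE = re.compile(r"option '([^']+)' cannot be used in this context")
REJECT_UNKNOWN_RE = re.compile(r"in \[PUSH-OPTIONS\]:\d+: (\S+)")

# Warning text fragment -> (finding tag, suggested client-side remediation).
# The remediations are the example author's suggestions (assumption).
SECURITY_WARNINGS = {
    "No server certificate verification method has been enabled":
        ("no_server_cert_verification", "add 'remote-cert-tls server' to the client config"),
    "may cache passwords in memory":
        ("password_cached_in_memory", "add 'auth-nocache'"),
    "is group or others accessible":
        ("script_world_readable", "restrict the up/down script to the owner (mode 600)"),
}


def parse_line(line):
    """Split one exported log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(text):
    """Count restart cycles, errors, rejected push options and security findings."""
    report = {
        "pids": set(),
        "connections": 0,          # "Initialization Sequence Completed" events
        "terminations": 0,         # SIGTERM: the daemon was stopped or restarted
        "route_add_failures": 0,
        "tun_busy": 0,             # ioctl(TUNSIFMODE) Device busy: tun still held
        "push_options_rejected": Counter(),
        "security_findings": {},   # tag -> suggested remediation
        "unparsed": 0,
    }
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            report["unparsed"] += 1
            continue
        msg = rec["msg"]
        report["pids"].add(rec["pid"])
        if "Initialization Sequence Completed" in msg:
            report["connections"] += 1
        elif msg.startswith("SIGTERM"):
            report["terminations"] += 1
        elif "route add command failed" in msg:
            report["route_add_failures"] += 1
        elif "ioctl(TUNSIFMODE)" in msg:
            report["tun_busy"] += 1
        elif msg.startswith("Options error:"):
            m = REJECT_CTX_RE.search(msg) or REJECT_UNKNOWN_RE.search(msg)
            report["push_options_rejected"][m.group(1) if m else "unknown"] += 1
        elif msg.startswith("Control Channel:") and "1024 bit RSA" in msg:
            # A 1024-bit RSA server key is below current minimums; only the provider can fix it.
            report["security_findings"]["weak_server_key_1024_rsa"] = "provider must reissue 2048-bit or larger certificates"
        elif msg.startswith("WARNING:"):
            for needle, (tag, fix) in SECURITY_WARNINGS.items():
                if needle in msg:
                    report["security_findings"][tag] = fix
    report["pids"] = sorted(report["pids"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real export (`triage(open("openvpn.log").read())`), a `connections` count that climbs by one each time the cron job fires, together with a matching `terminations` count, shows the scheduled restart rather than a genuine stall; the `push_options_rejected` counter lists exactly the server-pushed directives the client refuses, which is what has to be reconciled with the provider's config or overridden locally.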

            @ilias-lo No need to mask 10.x addresses. They are already private 🐷
            Do you by any chance have the same configuration running somewhere else?
            It looks like you get a remote disconnect at 11:18.
            As for trapped sessions, sorry, but this is utter bullshit on their part.
            If your connection is flaky, OpenVPN will do hundreds of reconnects.
            This should be acceptable.

            I can assure you that OpenVPN on pf runs for months with no need to restart whatsoever
            (on the specific version that you are on).
            Disable the cron restart job; we need logs from when the connection stalls.
            Can you ping the OpenVPN server normally?
            Can you ping it from inside pf when stalled?
            Can you ping the VPN tunnel remote IP when working?
            When stalled?
            Logs at the specific moment.
            And while we are at it, how about another VPN connection to another VPN provider, as a test?
            Easy peasy.

              ilias.lo

              netblues, thank you very much! I will disable the temporary account that most probably has the same setup, and disable the cron jobs as well.

              If we face the same issue tomorrow, I will try all your suggestions regarding the connection tests.

              Thank you for your crystal clear advice.

              Cheers, ILIAS

                Pippin

                Your log is full of configuration errors, fix them.

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                  ilias.lo @Pippin

                  @pippin Thanks for the advice. I haven't set up this particular pfSense myself. I needed to stabilise the VPN, and I will build a clean one at the first chance. There is too much crap in there; too many changes have been made by people who didn't actually know how to configure it properly. I will do my study before I make a clean one.
