OpenVPN setup everyday connection issues

ilias.lo

Good morning fellas,

I would like to share my problem with you as I couldn't think anything else to resolve it.

Description of my problem:
We have a pfsense device setup version 2.4.3. Our VPN Provider is VPNUK. Our configuration in pfsense is as follows

OpenVPN client account with creds and dns. An interface for the VPNUK and then an interface for linking ovpn interface to our gateway. VPN client indeed creates the tunnel. We get the specific IP assigned to our account.

My issue is that everyday the connection is stuck. I have to restart all relative interfaces, gateways and VPN service to have the connection UP again. Currently we have a cron job to restart the VPN service but this doesn't seem to resolve the issue as I have to manually re-do them everyday. Any suggestions?

Contacted the VPNUK to check why our account has everyday client disconnections and they told me that we had many trapped sessions (user shutdowns the machine before disconnecting) possibly its that but I had share with you and check if anyone else faces anything similar.

Thank you in advance for your help

Kind regards,
ILIAS

netblues

@ilias-lo Please post relevant openvpn logs.
And what do you mean by user shuts down the machine before disconnecting?
What user? what machine? what shutdown..

ilias.lo

Netblues first of all thank you for your prompt reply

Below are the logs till the initialization completed

Dec 12 11:19:10	openvpn	65024	Initialization Sequence Completed
Dec 12 11:19:10	openvpn	65024	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.****.252 255.0.0.0 init
Dec 12 11:19:10	openvpn	65024	ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 12 11:19:10	openvpn	65024	/sbin/route add -net 10.0.0.0 10.0.0.1 255.0.0.0
Dec 12 11:19:10	openvpn	65024	/sbin/ifconfig ovpnc1 10.****.252 10.0.0.1 mtu 1500 netmask 255.0.0.0 up
Dec 12 11:19:10	openvpn	65024	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 12 11:19:10	openvpn	65024	TUN/TAP device /dev/tun1 opened
Dec 12 11:19:10	openvpn	65024	TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 12 11:19:10	openvpn	65024	Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 12 11:19:10	openvpn	65024	Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 12 11:19:10	openvpn	65024	Data Channel: using negotiated cipher 'AES-256-GCM'
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: data channel crypto options modified
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: adjusting link_mtu to 1625
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: peer-id set
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: route-related options modified
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: --ifconfig/up options modified
Dec 12 11:19:10	openvpn	65024	Socket Buffers: R=[42080->393216] S=[57344->393216]
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: compression parms modified
Dec 12 11:19:10	openvpn	65024	OPTIONS IMPORT: timers and/or timeouts modified
Dec 12 11:19:10	openvpn	65024	Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.4.4)
Dec 12 11:19:10	openvpn	65024	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10	openvpn	65024	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10	openvpn	65024	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10	openvpn	65024	PUSH: Received control message: 'PUSH_REPLY,dhcp-option NTP 10.10.11.1,dhcp-option DNS 10.10.11.1,ping-timer-rem,redirect-gateway def1 bypass-dhcp,register-dns,comp-lzo no,sndbuf 393216,rcvbuf 393216,route-gateway 10.10.11.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.****.252 255.0.0.0,peer-id 5,cipher AES-256-GCM'
Dec 12 11:19:10	openvpn	65024	SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 12 11:19:09	openvpn	65024	[server] Peer Connection Initiated with [AF_INET]87.****.3:1194
Dec 12 11:19:09	openvpn	65024	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Dec 12 11:19:09	openvpn	65024	VERIFY OK: depth=0, C=GB, ST=GB, L=London, O=VPNUK, CN=server, emailAddress=support@vpnuk.info
Dec 12 11:19:09	openvpn	65024	VERIFY OK: depth=1, C=GB, ST=GB, L=London, O=VPNUK, CN=VPNUK CA, emailAddress=support@vpnuk.info
Dec 12 11:19:09	openvpn	65024	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 12 11:19:09	openvpn	65024	TLS: Initial packet from [AF_INET]87.****.3:1194, sid=de26c21b 6f0de777
Dec 12 11:19:09	openvpn	65024	UDPv4 link remote: [AF_INET]87.****.3:1194
Dec 12 11:19:09	openvpn	65024	UDPv4 link local (bound): [AF_INET]192.168.1.26:0
Dec 12 11:19:09	openvpn	65024	Socket Buffers: R=[42080->42080] S=[57344->57344]
Dec 12 11:19:09	openvpn	65024	TCP/UDP: Preserving recently used remote address: [AF_INET]87.****.3:1194
Dec 12 11:19:09	openvpn	65024	Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 11:19:09	openvpn	65024	Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 11:19:09	openvpn	65024	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 12 11:19:09	openvpn	65024	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 12 11:19:09	openvpn	65024	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Dec 12 11:19:09	openvpn	64967	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 12 11:19:09	openvpn	64967	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Dec 12 11:19:09	openvpn	64967	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Dec 12 11:19:08	openvpn	78138	SIGTERM[hard,] received, process exiting
Dec 12 11:19:08	openvpn	78138	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.230.27.251 255.0.0.0 init
Dec 12 11:19:08	openvpn	78138	Closing TUN/TAP interface
Dec 12 11:19:08	openvpn	78138	event_wait : Interrupted system call (code=4)
Dec 12 11:18:26	openvpn	27622	MANAGEMENT: Client disconnected
Dec 12 11:18:26	openvpn	27622	MANAGEMENT: CMD 'status 2'
Dec 12 11:18:26	openvpn	27622	MANAGEMENT: CMD 'state 1'
Dec 12 11:18:26	openvpn	27622	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Dec 12 11:18:26	openvpn	78138	MANAGEMENT: Client disconnected
Dec 12 11:18:26	openvpn	78138	MANAGEMENT: CMD 'status 2'
Dec 12 11:18:26	openvpn	78138	MANAGEMENT: CMD 'state 1'
Dec 12 11:18:26	openvpn	78138	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 12 11:15:04	openvpn	27622	MANAGEMENT: Client disconnected
Dec 12 11:15:04	openvpn	27622	MANAGEMENT: CMD 'status 2'
Dec 12 11:15:04	openvpn	27622	MANAGEMENT: CMD 'state 1'
Dec 12 11:15:04	openvpn	27622	MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Dec 12 11:15:04	openvpn	78138	MANAGEMENT: Client disconnected
Dec 12 11:15:04	openvpn	78138	MANAGEMENT: CMD 'status 2'
Dec 12 11:15:04	openvpn	78138	MANAGEMENT: CMD 'state 1'
Dec 12 11:15:04	openvpn	78138	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 12 11:15:01	openvpn	78138	Initialization Sequence Completed
Dec 12 11:15:01	openvpn	78138	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.****.251 255.0.0.0 init
Dec 12 11:15:01	openvpn	78138	ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 12 11:15:01	openvpn	78138	/sbin/route add -net 10.0.0.0 10.0.0.1 255.0.0.0
Dec 12 11:15:01	openvpn	78138	/sbin/ifconfig ovpnc1 10.****.251 10.0.0.1 mtu 1500 netmask 255.0.0.0 up
Dec 12 11:15:01	openvpn	78138	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 12 11:15:01	openvpn	78138	ioctl(TUNSIFMODE): Device busy (errno=16)
Dec 12 11:15:01	openvpn	78138	TUN/TAP device /dev/tun1 opened

Regarding the user shuts down the machine before disconnecting is the cause of trapped sessions as VPNUK support mentioned when referred to them for investigation of my issue (client disconnects from VPN) they assume that a VPN Client connects with his physical pc to their service and they mean that the hypothetical user has shutdown the machine before he disconnected the VPN Client. I believe that applies to our infrastructure using pfsense. I guess that if we restart the VPN service before the interface/gateway is disabled (that will cause the disconnect) then we might cause a trapped session which will cause a client connection issue (as VPN support mentioned).

I am not quite sure if that is correct cause restarting the OpenVPN service will drop the connection and initialise back again. That's why I posted my issue here.

Thank you in advance,
ILIAS

netblues

@ilias-lo No need to mask 10.x addresses. They are already private
Do you by any chance have the same configuration running somewhere else?
Looks like you get a remote disconnect at 11:18
As for trapped sessions, sorry but this is utterly bullshit from their part.
If your connection is flaky, openvpn will do hundreds of reconnects.
This should be acceptable.

I can assure you than openvpn on pf runs for months with no need to restart whatsoever.
(on the specific version that you are).
Disable the cron restart job and we need logs when the connection stalls.
Can you ping the ovpn server normally?
Can you ping it when stalled from inside pf?
can you ping the vpn tunnel remote ip when working?
When stalled?
Logs at the specific moment.
And while we are at it, how about another vpn connection to another vpn provider, as a test?
Easy peasy.

ilias.lo

netblues thank you very much! I will disable the temporary account that most probably has the same setup and disable the cronjobs as well.

If tomorrow we face the same issue will try all your suggestions regarding connection tests.

Thank you for your crystal clear advices

Cheers ILIAS

Pippin

Your log is full of configuration errors, fix them.

ilias.lo

@pippin thanks for the advise. I haven't set up this particular pfsense myself. I needed to stabilise the VPN and I will build a clean one with the first chance. There are too many crap stuff in there too many changes have been made inside there from people who didn't actually know how to configure it properly. Will do my study before I make a clean one.