OpenVPN setup everyday connection issues
-
Good morning fellas,
I would like to share my problem with you as I couldn't think of anything else to resolve it.
Description of my problem:
We have a pfSense device, version 2.4.3. Our VPN provider is VPNUK. Our configuration in pfSense is as follows: an OpenVPN client account with creds and DNS, an interface for VPNUK, and then an interface linking the ovpn interface to our gateway. The VPN client indeed creates the tunnel. We get the specific IP assigned to our account.
My issue is that every day the connection gets stuck. I have to restart all related interfaces, gateways and the VPN service to have the connection UP again. Currently we have a cron job to restart the VPN service, but this doesn't seem to resolve the issue, as I have to manually re-do them every day. Any suggestions?
I contacted VPNUK to check why our account has daily client disconnections and they told me that we had many trapped sessions (the user shuts down the machine before disconnecting). Possibly it's that, but I wanted to share it with you and check if anyone else faces anything similar.
Thank you in advance for your help
Kind regards,
ILIAS -
@ilias-lo Please post relevant openvpn logs.
And what do you mean by user shuts down the machine before disconnecting?
What user? What machine? What shutdown? -
Netblues, first of all thank you for your prompt reply.
Below are the logs till the initialization completed.
Dec 12 11:19:10 openvpn 65024 Initialization Sequence Completed
Dec 12 11:19:10 openvpn 65024 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.****.252 255.0.0.0 init
Dec 12 11:19:10 openvpn 65024 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 12 11:19:10 openvpn 65024 /sbin/route add -net 10.0.0.0 10.0.0.1 255.0.0.0
Dec 12 11:19:10 openvpn 65024 /sbin/ifconfig ovpnc1 10.****.252 10.0.0.1 mtu 1500 netmask 255.0.0.0 up
Dec 12 11:19:10 openvpn 65024 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 12 11:19:10 openvpn 65024 TUN/TAP device /dev/tun1 opened
Dec 12 11:19:10 openvpn 65024 TUN/TAP device ovpnc1 exists previously, keep at program end
Dec 12 11:19:10 openvpn 65024 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 12 11:19:10 openvpn 65024 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 12 11:19:10 openvpn 65024 Data Channel: using negotiated cipher 'AES-256-GCM'
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: data channel crypto options modified
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: adjusting link_mtu to 1625
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: peer-id set
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: route-related options modified
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: --ifconfig/up options modified
Dec 12 11:19:10 openvpn 65024 Socket Buffers: R=[42080->393216] S=[57344->393216]
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: compression parms modified
Dec 12 11:19:10 openvpn 65024 OPTIONS IMPORT: timers and/or timeouts modified
Dec 12 11:19:10 openvpn 65024 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.4.4)
Dec 12 11:19:10 openvpn 65024 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10 openvpn 65024 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10 openvpn 65024 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:10 openvpn 65024 PUSH: Received control message: 'PUSH_REPLY,dhcp-option NTP 10.10.11.1,dhcp-option DNS 10.10.11.1,ping-timer-rem,redirect-gateway def1 bypass-dhcp,register-dns,comp-lzo no,sndbuf 393216,rcvbuf 393216,route-gateway 10.10.11.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.****.252 255.0.0.0,peer-id 5,cipher AES-256-GCM'
Dec 12 11:19:10 openvpn 65024 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec 12 11:19:09 openvpn 65024 [server] Peer Connection Initiated with [AF_INET]87.****.3:1194
Dec 12 11:19:09 openvpn 65024 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Dec 12 11:19:09 openvpn 65024 VERIFY OK: depth=0, C=GB, ST=GB, L=London, O=VPNUK, CN=server, emailAddress=support@vpnuk.info
Dec 12 11:19:09 openvpn 65024 VERIFY OK: depth=1, C=GB, ST=GB, L=London, O=VPNUK, CN=VPNUK CA, emailAddress=support@vpnuk.info
Dec 12 11:19:09 openvpn 65024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 12 11:19:09 openvpn 65024 TLS: Initial packet from [AF_INET]87.****.3:1194, sid=de26c21b 6f0de777
Dec 12 11:19:09 openvpn 65024 UDPv4 link remote: [AF_INET]87.****.3:1194
Dec 12 11:19:09 openvpn 65024 UDPv4 link local (bound): [AF_INET]192.168.1.26:0
Dec 12 11:19:09 openvpn 65024 Socket Buffers: R=[42080->42080] S=[57344->57344]
Dec 12 11:19:09 openvpn 65024 TCP/UDP: Preserving recently used remote address: [AF_INET]87.****.3:1194
Dec 12 11:19:09 openvpn 65024 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 11:19:09 openvpn 65024 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 12 11:19:09 openvpn 65024 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 12 11:19:09 openvpn 65024 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 12 11:19:09 openvpn 65024 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Dec 12 11:19:09 openvpn 64967 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 12 11:19:09 openvpn 64967 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Dec 12 11:19:09 openvpn 64967 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Dec 12 11:19:08 openvpn 78138 SIGTERM[hard,] received, process exiting
Dec 12 11:19:08 openvpn 78138 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1553 10.230.27.251 255.0.0.0 init
Dec 12 11:19:08 openvpn 78138 Closing TUN/TAP interface
Dec 12 11:19:08 openvpn 78138 event_wait : Interrupted system call (code=4)
Dec 12 11:18:26 openvpn 27622 MANAGEMENT: Client disconnected
Dec 12 11:18:26 openvpn 27622 MANAGEMENT: CMD 'status 2'
Dec 12 11:18:26 openvpn 27622 MANAGEMENT: CMD 'state 1'
Dec 12 11:18:26 openvpn 27622 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Dec 12 11:18:26 openvpn 78138 MANAGEMENT: Client disconnected
Dec 12 11:18:26 openvpn 78138 MANAGEMENT: CMD 'status 2'
Dec 12 11:18:26 openvpn 78138 MANAGEMENT: CMD 'state 1'
Dec 12 11:18:26 openvpn 78138 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 12 11:15:04 openvpn 27622 MANAGEMENT: Client disconnected
Dec 12 11:15:04 openvpn 27622 MANAGEMENT: CMD 'status 2'
Dec 12 11:15:04 openvpn 27622 MANAGEMENT: CMD 'state 1'
Dec 12 11:15:04 openvpn 27622 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Dec 12 11:15:04 openvpn 78138 MANAGEMENT: Client disconnected
Dec 12 11:15:04 openvpn 78138 MANAGEMENT: CMD 'status 2'
Dec 12 11:15:04 openvpn 78138 MANAGEMENT: CMD 'state 1'
Dec 12 11:15:04 openvpn 78138 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Dec 12 11:15:01 openvpn 78138 Initialization Sequence Completed
Dec 12 11:15:01 openvpn 78138 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.****.251 255.0.0.0 init
Dec 12 11:15:01 openvpn 78138 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 12 11:15:01 openvpn 78138 /sbin/route add -net 10.0.0.0 10.0.0.1 255.0.0.0
Dec 12 11:15:01 openvpn 78138 /sbin/ifconfig ovpnc1 10.****.251 10.0.0.1 mtu 1500 netmask 255.0.0.0 up
Dec 12 11:15:01 openvpn 78138 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 12 11:15:01 openvpn 78138 ioctl(TUNSIFMODE): Device busy (errno=16)
Dec 12 11:15:01 openvpn 78138 TUN/TAP device /dev/tun1 opened
Regarding the user shutting down the machine before disconnecting: that is the cause of trapped sessions, as VPNUK support mentioned when I referred my issue (client disconnects from the VPN) to them for investigation. They assume that a VPN client connects with his physical PC to their service, and they mean that the hypothetical user has shut down the machine before he disconnected the VPN client. I believe that applies to our infrastructure using pfSense. I guess that if we restart the VPN service before the interface/gateway is disabled (which will cause the disconnect), then we might cause a trapped session, which will cause a client connection issue (as VPN support mentioned).
I am not quite sure if that is correct, because restarting the OpenVPN service will drop the connection and initialise it again. That's why I posted my issue here.
Thank you in advance,
ILIAS -
@ilias-lo No need to mask 10.x addresses. They are already private.
Do you by any chance have the same configuration running somewhere else?
Looks like you get a remote disconnect at 11:18
As for trapped sessions, sorry but this is utterly bullshit from their part.
If your connection is flaky, openvpn will do hundreds of reconnects.
This should be acceptable. I can assure you that OpenVPN on pf runs for months with no need to restart whatsoever
(on the specific version that you are).
Disable the cron restart job and we need logs when the connection stalls.
Can you ping the ovpn server normally?
Can you ping it when stalled from inside pf?
Can you ping the VPN tunnel remote IP when working?
When stalled?
Logs at the specific moment.
And while we are at it, how about another vpn connection to another vpn provider, as a test?
Easy peasy. -
netblues, thank you very much! I will disable the temporary account that most probably has the same setup, and disable the cron jobs as well.
If tomorrow we face the same issue, I will try all your suggestions regarding connection tests.
Thank you for your crystal clear advice.
Cheers, ILIAS
-
Your log is full of configuration errors, fix them.
-
@pippin thanks for the advice. I haven't set up this particular pfSense myself. I needed to stabilise the VPN, and I will build a clean one at the first chance. There is too much crap in there; too many changes have been made by people who didn't actually know how to configure it properly. I will do my study before I make a clean one.
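Pippin's point about the configuration errors and Netblues' request for logs at the moment of a stall both come down to reading the pfSense OpenVPN log systematically. The script below is an added example, not code from this thread or from pfSense: it parses lines in the syslog format pasted above, groups them by OpenVPN process id (each restart is a new PID), and flags the warnings that appear in this log. The actions in CHECKS are my suggestions based on standard OpenVPN behaviour, and SAMPLE_LOG is a constructed excerpt.

```python
"""Group a pfSense OpenVPN client log by process id and flag the warnings that
matter when a tunnel keeps stalling (added example; not pfSense or thread code)."""
import re

# pfSense syslog shape: "Dec 12 11:19:10 openvpn 65024 <message>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) openvpn (\d+) (.*)$")

# (finding, regex on the message, defender-side action; actions are my suggestions)
CHECKS = [
    ("no_server_cert_verification", r"No server certificate verification method",
     "add 'remote-cert-tls server' so a CA-signed client cert cannot pose as the server"),
    ("password_cached", r"may cache passwords in memory", "add 'auth-nocache'"),
    ("pushed_option_rejected", r"Options error: .*\[PUSH-OPTIONS\]",
     "server pushes options this client refuses (expected with route-nopull)"),
    ("route_add_failed", r"route add command failed",
     "pushed route collides with an existing route; compare with netstat -rn"),
    ("tun_device_busy", r"ioctl\(TUNSIFMODE\): Device busy",
     "a previous openvpn process still held the tun device at restart"),
]

def parse(lines):
    """Yield (timestamp, pid, message) for every well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)

def triage(lines):
    """Return ({pid: counters}, {(pid, finding): action}); dict order = log order."""
    sessions, findings = {}, {}
    for _ts, pid, msg in parse(lines):
        s = sessions.setdefault(pid, {"completed": 0, "sigterm": 0})
        s["completed"] += "Initialization Sequence Completed" in msg
        s["sigterm"] += msg.startswith("SIGTERM")
        for name, pattern, action in CHECKS:
            if re.search(pattern, msg):
                findings[(pid, name)] = action
    return sessions, findings

# Constructed excerpt in the thread's format (newest entry first, as pasted).
SAMPLE_LOG = """\
Dec 12 11:19:10 openvpn 65024 Initialization Sequence Completed
Dec 12 11:19:10 openvpn 65024 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Dec 12 11:19:10 openvpn 65024 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Dec 12 11:19:09 openvpn 65024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 12 11:19:09 openvpn 65024 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 12 11:19:08 openvpn 78138 SIGTERM[hard,] received, process exiting
Dec 12 11:15:01 openvpn 78138 Initialization Sequence Completed
Dec 12 11:15:01 openvpn 78138 ioctl(TUNSIFMODE): Device busy (errno=16)""".splitlines()
```

Run it against /var/log/openvpn.log (`triage(open(path))`) once the connection has stalled: a PID that completed initialisation without a SIGTERM, yet shows no further traffic, is the session to compare against the ping tests Netblues asked for.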