Open VPN clients disconnecting and cannot connect



  • Dear Guys,
    Hello. New to openvpn, so i would appreciate your help.
    We have implemented our new openvpn servers with radius and ldap auth,.
    We have configured 5 openvpn servers, so that each department has its own subnet and its own firewall policies.
    Everything seemed ok at first. Suddenly (without any change) our clients (linux mac and windows OS) started to disconnect randomly, after 10 min - 2 hours.
    After that, the icon turned yellow (for win clients) and no one could reconnect again, unless if the connection was closed manually. Also sometimes even though, the connection was closed manually, some clients couldn't establish new connection. Probably the connection was not closed from the server side.
    This is strange because server allows concurrent connections with the same common name.
    I checked the log and saw two strange things.

    1. the openvpn port just went from down state to up without any reason
    Dec 21 13:15:32 demovpn kernel: ovpns9: link state changed to DOWN
    Dec 21 13:15:35 demovpn kernel: tun9: changing name to 'ovpns9'
    Dec 21 13:15:36 demovpn kernel: ovpns9: link state changed to UP
    Dec 21 13:15:36 demovpn check_reload_status: rc.newwanip starting ovpns9
    Dec 21 13:15:37 demovpn php-fpm[321]: /rc.newwanip: rc.newwanip: Info: starting on ovpns9.
    Dec 21 13:15:37 demovpn php-fpm[321]: /rc.newwanip: rc.newwanip: on (IP address: 192.168.46.1) (interface: []) (real interface: ovpns9).
    

    2)something changed in our WAN connection, but the ip that shows is from the openvpn subnet.

    demovpn php-fpm[321]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection -  ->  192.168.47.1 - Restarting packages.
    

    The WAN connection has 10.0.110.11 IP

    Version 2.4.4_p1
    Firewall with port forward to our DMZ vlan and permission to any

    Open vpn server conf:

    dev ovpns9
    verb 5
    dev-type tun
    dev-node /dev/tun9
    writepid /var/run/openvpn_server9.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 10.0.110.11
    tls-server
    server 192.168.46.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server9
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user UmFkaXVzX09yY2E= true server9 1202
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn-int-ca' 1"
    lport 1202
    management /var/etc/openvpn/server9.sock unix
    push "route x.x.x.x"
    push "route x.x.x.x"
    push "route x.x.x.x"
    push "dhcp-option DOMAIN xxxxxxx"
    push "dhcp-option DNS x.x.x.x"
    push "dhcp-option DNS x.x.x.x"
    push "block-outside-dns"
    duplicate-cn
    ca /var/etc/openvpn/server9.ca
    cert /var/etc/openvpn/server9.cert
    key /var/etc/openvpn/server9.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server9.tls-auth 0
    ncp-disable
    persist-remote-ip
    float
    topology subnet
    #for windows
    tun-mtu 1500
    fragment 1300
    mssfix
    

    the config of client

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    ncp-disable
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x.x 1199 udp
    verify-x509-name "secret" name
    auth-user-pass
    pkcs12 demovpn-UDP4-1199-secret.p12
    tls-auth demovpn-UDP4-1199-secret-tls.key 1
    remote-cert-tls server
    tun-mtu 1400
    fragment 1300
    mssfix
    ping 10
    ping-restart 30
    
    

    logs from server:

    Dec 21 15:15:32 demovpn openvpn[911]: user /x.x.x.x:61972 TLS: new session incoming connection from [AF_INET]x.x.x.x:61972
    Dec 21 15:16:33 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 21 15:16:33 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS handshake failed
    Dec 21 15:16:37 demovpn openvpn[911]: user /x.x.x.x:61972 TLS: new session incoming connection from [AF_INET]x.x.x.x:61972
    Dec 21 15:17:37 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 21 15:17:37 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS handshake failed
    Dec 21 15:20:52 demovpn openvpn[911]: user /x.x.x.x:61972 [user ] Inactivity timeout (--ping-restart), restarting
    Dec 21 15:20:52 demovpn openvpn[911]: user /x.x.x.x:61972 SIGUSR1[soft,ping-restart] received, client-instance restarting
    

    a client's log
    This i a random log but is the same on everyone's disconnection

    Thu Dec 20 08:05:30 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu Dec 20 08:05:30 2018 TLS Error: TLS handshake failed
    Thu Dec 20 08:05:30 2018 Unblocking outside dns using service succeeded.
    Thu Dec 20 08:05:30 2018 SIGUSR1[soft,tls-error] received, process restarting
    Thu Dec 20 08:05:35 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1199
    Thu Dec 20 08:05:35 2018 UDP link local (bound): [AF_INET][undef]:1194
    Thu Dec 20 08:05:35 2018 UDP link remote: [AF_INET]x.x.x.x:1199
    

    i noticed that on local link uses openvpn port (1194) which is beeing used on another server that i have configured.

    thank you guys!!


  • LAYER 8 Netgate

    It looks like you are showing a client configured to connect to 1199 and a server configured to listen on 1202



  • Yes that's true. My mistake. I print the config of the wrong client. But the config is the same to all the other clients, except the local ports!! So, if there is a mistake on this clients, there is the same to all the others.


  • LAYER 8 Netgate

    Still can only evaluate what you provide.



  • You are right. let me print the config of the correct client

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    ncp-disable
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x 1202 udp
    verify-x509-name "openvpn-int-ca" name
    auth-user-pass
    pkcs12 demovpn-UDP4-1202-secret.p12
    tls-auth demovpn-UDP4-1202-secret-tls.key 1
    remote-cert-tls server
    tun-mtu 1400
    fragment 1300
    mssfix
    ping 10
    ping-restart 30
    
    


  • server log

    Dec 22 12:12:21 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS Error: TLS handshake failed
    Dec 22 12:12:27 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194
    Dec 22 12:13:27 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 22 12:13:27 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS Error: TLS handshake failed
    Dec 22 12:13:33 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194
    

  • LAYER 8 Netgate

    Looks like the TLS key doesn't match.

    Now you're posting logs for 1194 not 1202.



  • Nope. that's the weird thing i was talking about. the client secret is connected to the server with port 1202 but when i print the log on the server (cat /var/log/openvpn.log |grep secret) it prints the above.
    Hope not doing something wrong.


Log in to reply