Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Open VPN clients disconnecting and cannot connect

    Scheduled Pinned Locked Moved OpenVPN
    8 Posts 2 Posters 476 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dgeorgilakis
      last edited by

      Dear Guys,
      Hello. New to openvpn, so i would appreciate your help.
      We have implemented our new openvpn servers with radius and ldap auth,.
      We have configured 5 openvpn servers, so that each department has its own subnet and its own firewall policies.
      Everything seemed ok at first. Suddenly (without any change) our clients (linux mac and windows OS) started to disconnect randomly, after 10 min - 2 hours.
      After that, the icon turned yellow (for win clients) and no one could reconnect again, unless if the connection was closed manually. Also sometimes even though, the connection was closed manually, some clients couldn't establish new connection. Probably the connection was not closed from the server side.
      This is strange because server allows concurrent connections with the same common name.
      I checked the log and saw two strange things.

      1. the openvpn port just went from down state to up without any reason
      Dec 21 13:15:32 demovpn kernel: ovpns9: link state changed to DOWN
Dec 21 13:15:35 demovpn kernel: tun9: changing name to 'ovpns9'
Dec 21 13:15:36 demovpn kernel: ovpns9: link state changed to UP
Dec 21 13:15:36 demovpn check_reload_status: rc.newwanip starting ovpns9
Dec 21 13:15:37 demovpn php-fpm[321]: /rc.newwanip: rc.newwanip: Info: starting on ovpns9.
Dec 21 13:15:37 demovpn php-fpm[321]: /rc.newwanip: rc.newwanip: on (IP address: 192.168.46.1) (interface: []) (real interface: ovpns9).

      2)something changed in our WAN connection, but the ip that shows is from the openvpn subnet.

      demovpn php-fpm[321]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection -  ->  192.168.47.1 - Restarting packages.

      The WAN connection has 10.0.110.11 IP

      Version 2.4.4_p1
      Firewall with port forward to our DMZ vlan and permission to any

      Open vpn server conf:

      dev ovpns9
verb 5
dev-type tun
dev-node /dev/tun9
writepid /var/run/openvpn_server9.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 10.0.110.11
tls-server
server 192.168.46.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server9
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user UmFkaXVzX09yY2E= true server9 1202
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn-int-ca' 1"
lport 1202
management /var/etc/openvpn/server9.sock unix
push "route x.x.x.x"
push "route x.x.x.x"
push "route x.x.x.x"
push "dhcp-option DOMAIN xxxxxxx"
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS x.x.x.x"
push "block-outside-dns"
duplicate-cn
ca /var/etc/openvpn/server9.ca
cert /var/etc/openvpn/server9.cert
key /var/etc/openvpn/server9.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server9.tls-auth 0
ncp-disable
persist-remote-ip
float
topology subnet
#for windows
tun-mtu 1500
fragment 1300
mssfix

      the config of client

      dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-disable
auth SHA256
tls-client
client
resolv-retry infinite
remote x.x.x.x.x 1199 udp
verify-x509-name "secret" name
auth-user-pass
pkcs12 demovpn-UDP4-1199-secret.p12
tls-auth demovpn-UDP4-1199-secret-tls.key 1
remote-cert-tls server
tun-mtu 1400
fragment 1300
mssfix
ping 10
ping-restart 30

      logs from server:

      Dec 21 15:15:32 demovpn openvpn[911]: user /x.x.x.x:61972 TLS: new session incoming connection from [AF_INET]x.x.x.x:61972
Dec 21 15:16:33 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 21 15:16:33 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS handshake failed
Dec 21 15:16:37 demovpn openvpn[911]: user /x.x.x.x:61972 TLS: new session incoming connection from [AF_INET]x.x.x.x:61972
Dec 21 15:17:37 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 21 15:17:37 demovpn openvpn[911]: user /x.x.x.x:61972 TLS Error: TLS handshake failed
Dec 21 15:20:52 demovpn openvpn[911]: user /x.x.x.x:61972 [user ] Inactivity timeout (--ping-restart), restarting
Dec 21 15:20:52 demovpn openvpn[911]: user /x.x.x.x:61972 SIGUSR1[soft,ping-restart] received, client-instance restarting

      a client's log
      This i a random log but is the same on everyone's disconnection

      Thu Dec 20 08:05:30 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 20 08:05:30 2018 TLS Error: TLS handshake failed
Thu Dec 20 08:05:30 2018 Unblocking outside dns using service succeeded.
Thu Dec 20 08:05:30 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Dec 20 08:05:35 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1199
Thu Dec 20 08:05:35 2018 UDP link local (bound): [AF_INET][undef]:1194
Thu Dec 20 08:05:35 2018 UDP link remote: [AF_INET]x.x.x.x:1199

      i noticed that on local link uses openvpn port (1194) which is beeing used on another server that i have configured.

      thank you guys!!

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        It looks like you are showing a client configured to connect to 1199 and a server configured to listen on 1202

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • D
          dgeorgilakis
          last edited by dgeorgilakis

          Yes that's true. My mistake. I print the config of the wrong client. But the config is the same to all the other clients, except the local ports!! So, if there is a mistake on this clients, there is the same to all the others.

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Still can only evaluate what you provide.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • D
              dgeorgilakis
              last edited by

              You are right. let me print the config of the correct client

              dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-disable
auth SHA256
tls-client
client
resolv-retry infinite
remote x.x.x.x 1202 udp
verify-x509-name "openvpn-int-ca" name
auth-user-pass
pkcs12 demovpn-UDP4-1202-secret.p12
tls-auth demovpn-UDP4-1202-secret-tls.key 1
remote-cert-tls server
tun-mtu 1400
fragment 1300
mssfix
ping 10
ping-restart 30
              1 Reply Last reply Reply Quote 0
              • D
                dgeorgilakis
                last edited by

                server log

                Dec 22 12:12:21 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS Error: TLS handshake failed
Dec 22 12:12:27 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194
Dec 22 12:13:27 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 22 12:13:27 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS Error: TLS handshake failed
Dec 22 12:13:33 demovpn openvpn[67472]: secret/x.x.x.x:1194 TLS: new session incoming connection from [AF_INET]x.x.x.x:1194
                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Looks like the TLS key doesn't match.

                  Now you're posting logs for 1194 not 1202.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • D
                    dgeorgilakis
                    last edited by

                    Nope. that's the weird thing i was talking about. the client secret is connected to the server with port 1202 but when i print the log on the server (cat /var/log/openvpn.log |grep secret) it prints the above.
                    Hope not doing something wrong.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.