Netgate Discussion Forum

Issue with Openvpn Reconnect?

  • K
    killmasta93
    last edited by Feb 12, 2019, 1:47 AM

    Hi,
    I was wondering if someone knows how to add the keepalive in the advanced options? Many users complain about disconnections, which I thought might have been the internet, but before, the company had a Sophos firewall running the client VPN and they claim that they never had an issue.
    I was maybe thinking to add this?

    tun-mtu 48000;fragment 0;mssfix;keepalive 10 120
    

    These are the logs

    inactivity timeout (--ping-restart), restarting
    

    and a few of these

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #62184 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    

    Thank you

    Tutorials:

    https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

    • R
      Rico LAYER 8 Rebel Alliance
      last edited by Feb 12, 2019, 9:24 AM

      Post all of your settings.
      Without any fancy stuff I have Users connected 12+ hours with no problems.

      -Rico

      • K
        killmasta93
        last edited by Feb 12, 2019, 2:00 PM

        Thanks for the reply, I'm attaching pictures of my server OpenVPN
        4_1549979976536_Screenshot at 2019-02-12 08-36-37.png 3_1549979976536_Screenshot at 2019-02-12 08-37-23.png 2_1549979976536_Screenshot at 2019-02-12 08-37-50.png 1_1549979976535_Screenshot at 2019-02-12 08-37-07.png 0_1549979976535_Screenshot at 2019-02-12 08-37-36.png

        • R
          Rico LAYER 8 Rebel Alliance
          last edited by Feb 12, 2019, 2:15 PM

          You are sure your clients are not using the same OpenVPN account on different devices at the same time? This would bump off existing connections from this user with the Log entry you posted above.
          Maybe some flaky internet connection on your server (this would be very bad) or some clients? The problem occurs for ALL of your clients?

          -Rico

          • K
            killmasta93
            last edited by Feb 12, 2019, 2:46 PM

            Thanks for the reply. Correct, only have it on the computer. Maybe I would need to implement the keepalive option?

            • R
              Rico LAYER 8 Rebel Alliance
              last edited by Feb 12, 2019, 2:57 PM

              Well keepalive 10 60 is the default and already set by pfSense.

              -Rico

              • K
                killmasta93
                last edited by Feb 12, 2019, 4:08 PM

                Hmm... so everything is good on my part? Or how can I demonstrate the issue is not pfSense?

                • R
                  Rico LAYER 8 Rebel Alliance
                  last edited by Feb 12, 2019, 4:40 PM

                  Please share your Client Config file.

                  -Rico

                  • K
                    killmasta93
                    last edited by killmasta93 Feb 12, 2019, 6:31 PM Feb 12, 2019, 6:28 PM

                    Thanks for the reply. I downloaded the bundle, and the ovpn for the client is this:

                    dev tun
                    persist-tun
                    persist-key
                    cipher AES-128-CBC
                    ncp-ciphers AES-128-GCM
                    auth SHA256
                    tls-client
                    client
                    resolv-retry infinite
                    remote 181.xx.xx.xx 1194 udp
                    verify-x509-name "pfSense OpenVPN" name
                    auth-user-pass
                    pkcs12 Olympus-UDP4-1194-test.p12
                    tls-auth Olympus-UDP4-1194-test-tls.key 1
                    remote-cert-tls server
                    

                    I was looking at the logs and got a lot of this:

                    Feb 12 13:26:29	openvpn	18543	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #101914 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
                    

                    • R
                      Rico LAYER 8 Rebel Alliance
                      last edited by Feb 12, 2019, 6:52 PM

                      Authenticate/Decrypt packet error could be the clock drifted off on one or both sides, wrong MTU or again, flaky internet connection. AGAIN the question, you have this issue with all your clients or only some?
                      You could also try to switch from UDP to TCP which is not recommended in general for OpenVPN, but can help with unstable connections.

                      -Rico
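
One way to answer the "all clients or only some?" question from the server log, as an added example that is not part of the original thread: it counts the three messages quoted above per client. The sample lines are constructed, and the `user/ip:port` prefix on client lines is an assumption about the log layout.

```python
import re
from collections import Counter, defaultdict

# The three messages quoted in the thread, matched against the log message field.
EVENTS = {
    "replay": re.compile(r"bad packet ID \(may be a replay\)"),
    "ping_restart": re.compile(r"inactivity timeout \(--ping-restart\)", re.I),
    "tls_timeout": re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
}
# Assumption: lines for authenticated clients start with "user/ip:port ".
CLIENT = re.compile(r"^(\S+)/\d{1,3}(?:\.\d{1,3}){3}:\d+ ")

# Constructed sample in the tab-separated layout of the log line quoted above.
SAMPLE_LOG = "\n".join([
    "Feb 12 13:20:01\topenvpn\t18543\talice/198.51.100.7:51820 peer info: IV_VER=2.4.6",
    "Feb 12 13:20:05\topenvpn\t18543\tbob/203.0.113.9:40112 peer info: IV_VER=2.4.6",
    "Feb 12 13:26:29\topenvpn\t18543\talice/198.51.100.7:51820 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #101914 ]",
    "Feb 12 13:26:31\topenvpn\t18543\talice/198.51.100.7:51820 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #101915 ]",
    "Feb 12 13:29:02\topenvpn\t18543\talice/198.51.100.7:51820 [alice] inactivity timeout (--ping-restart), restarting",
    "Feb 12 13:31:40\topenvpn\t18543\tcarol/192.0.2.33:49001 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #62184 ]",
    "Feb 12 13:40:10\topenvpn\t18543\t198.51.100.44:61000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
])

def triage(log_text):
    """Return (event counts per client, set of every client seen in the log)."""
    per_client, seen = defaultdict(Counter), set()
    for line in log_text.splitlines():
        fields = line.split("\t", 3)  # time, process, pid, message
        if len(fields) < 4 or fields[1] != "openvpn":
            continue
        m = CLIENT.match(fields[3])
        client = m.group(1) if m else "(no user)"  # e.g. a failed handshake
        if m:
            seen.add(client)
        for kind, pattern in EVENTS.items():
            if pattern.search(fields[3]):
                per_client[client][kind] += 1
    return dict(per_client), seen

def scope(per_client, seen):
    """Say whether the events touch all known clients, some of them, or none."""
    affected = {c for c in per_client if c in seen}
    if not affected:
        return "none"
    return "all clients" if affected == seen else "some clients"

if __name__ == "__main__":
    stats, seen = triage(SAMPLE_LOG)
    print(scope(stats, seen), {c: dict(k) for c, k in stats.items()})
```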

                      • K
                        killmasta93
                        last edited by Feb 12, 2019, 11:54 PM

                        Thanks for the reply, I'll keep it on UDP for now. As for the encryption, everything else is good?

                        • R
                          Rico LAYER 8 Rebel Alliance
                          last edited by Feb 14, 2019, 10:53 AM

                          Well, you can't do much wrong with the encryption part, everything is fine as long as both sides match.

                          -Rico

                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz Feb 14, 2019, 11:25 AM Feb 14, 2019, 11:25 AM

                            While TCP for sure is not going to be as fast as UDP.. Huge advantage with it is that it works over proxies... And if you run it on standard 443 port.. You prob can access it from almost anywhere.. While standard port and UDP not so much..

                            I just run 2 instances, one on standard 1194 UDP, and then another on 443 TCP. If I can not get to the UDP from where I am at - never had issue with getting to the TCP one.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            • K
                              killmasta93
                              last edited by Feb 18, 2019, 10:44 PM

                              Thanks for the reply, so it is recommended to run UDP, as it is better?

                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz Feb 19, 2019, 1:08 PM Feb 19, 2019, 1:07 PM

                                UDP should be better yeah - unless you can not get to it, then it is useless ;)

                                Takes nothing more than some simple setup to run both. And if you configure the client settings correctly - it will first try your UDP connection, and if it can not connect it will then try TCP.
