Issue with Openvpn Reconnect?

killmasta93

Hi,
i was wondering if someone knows how to add the keep alive on the advance? Many users complain about disconnections, which i thought might of been the internet, but before the company had sophos firewall running the client VPN and they claim that they never had an issue.
i was maybe thinking to add this?

tun-mtu 48000;fragment 0;mssfix;keepalive 10 120

These are the logs

inactivity timeout (--ping-restart), restarting

and a few of these

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #62184 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Thank you

Rico

Post all of your settings.
Without any fancy stuff I have Users connected 12+ hours with no problems.

-Rico

killmasta93

Thanks for the reply, im attaching pictures of my server OpenVPN

Rico

You are sure your clients are not using the same OpenVPN account on different devices at the same time? This would bump off existing connections from this user with the Log entry you posted above.
Maybe some flaky internet connection on your server (this would be very bad) or some clients? The problem occurs for ALL of your clients?

-Rico

killmasta93

Thanks for the reply correct only have on the computer, maybe I would need to implement the keep alive option?

Rico

Well keepalive 10 60 is the default and already set by pfSense.

-Rico

killmasta93

hmm..so everything is good on my part? or how can i demonstrate the issue is not pfSense?

Rico

Please share your Client Config file.

-Rico

killmasta93

Thanks for the reply i download the bundled and the ovpn is this for the client

dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote 181.xx.xx.xx 1194 udp
verify-x509-name "pfSense OpenVPN" name
auth-user-pass
pkcs12 Olympus-UDP4-1194-test.p12
tls-auth Olympus-UDP4-1194-test-tls.key 1
remote-cert-tls server

I was looking at the logs to see and got alots of this

Feb 12 13:26:29	openvpn	18543	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #101914 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Rico

Authenticate/Decrypt packet error could be the clock drifted off on one or both sides, wrong MTU or again, flaky internet connection. AGAIN the question, you have this issue with all your clients or only some?
You could also try to switch from UDP to TCP which is not recommended in general for OpenVPN, but can help with unstable connections.

-Rico

killmasta93

Thanks for the reply, ill keep it right now UDP as for the encryption everything else is good?

Rico

Well you can‘t do much wrong with the encryption part, everything is fine as long both sides match.

-Rico

johnpoz

While TCP for sure is not going to be as fast as UDP.. Huge advantage with it is works over proxies... And if you run it on standard 443 port.. You prob can access it from almost anywhere.. While standard port and UDP not so much..

I just run 2 instances, one on standard 1194 UDP, and than another on 443 TCP. If can not get to the UDP from where I am at - never had issue with getting to the tcp one.