Netgate Discussion Forum

OpenVPN: Connection reset, restarting [0]

  • D
    Dimix971
    last edited by Jul 29, 2019, 2:25 PM

    Hello,

    pfSense 2.4.4-RELEASE-p3 under Hyper-V
    I have a problem with my OpenVPN servers present on pfSense. My problem is that regularly I have a "Connection reset, restarting [0]" on my clients (see screenshot) but I don’t know where my problem can come from.

    Log client:

    Mon Jul 29 15:50:32 2019 Connection reset, restarting [0]
    Mon Jul 29 15:50:32 2019 SIGUSR1[soft,connection-reset] received, process restarting
    Mon Jul 29 15:50:37 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:50:37 2019 Attempting to establish TCP connection with [AF_INET]X.X.X.X:5131 [nonblock]
    Mon Jul 29 15:50:38 2019 TCP connection established with [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:50:38 2019 TCP_CLIENT link local: (not bound)
    Mon Jul 29 15:50:38 2019 TCP_CLIENT link remote: [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:50:38 2019 [vpn-Radius] Peer Connection Initiated with [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:50:39 2019 Preserving previous TUN/TAP instance: Ethernet 2
    Mon Jul 29 15:50:39 2019 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Mon Jul 29 15:50:40 2019 open_tun
    Mon Jul 29 15:50:40 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF}.tap
    Mon Jul 29 15:50:40 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.1.4.0/10.1.4.3/255.255.255.0 [SUCCEEDED]
    Mon Jul 29 15:50:40 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.1.4.3/255.255.255.0 on interface {F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF} [DHCP-serv: 10.1.4.254, lease-time: 31536000]
    Mon Jul 29 15:50:40 2019 Successful ARP Flush on interface [19] {F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF}
    Mon Jul 29 15:50:45 2019 Initialization Sequence Completed
    
    Mon Jul 29 15:58:12 2019 Connection reset, restarting [0]
    Mon Jul 29 15:58:12 2019 SIGUSR1[soft,connection-reset] received, process restarting
    Mon Jul 29 15:58:17 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:58:17 2019 Attempting to establish TCP connection with [AF_INET]X.X.X.X:5131 [nonblock]
    Mon Jul 29 15:58:18 2019 TCP connection established with [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:58:18 2019 TCP_CLIENT link local: (not bound)
    Mon Jul 29 15:58:18 2019 TCP_CLIENT link remote: [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:58:18 2019 [vpn-Radius] Peer Connection Initiated with [AF_INET]X.X.X.X:5131
    Mon Jul 29 15:58:19 2019 Preserving previous TUN/TAP instance: Ethernet 2
    Mon Jul 29 15:58:19 2019 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Mon Jul 29 15:58:20 2019 open_tun
    Mon Jul 29 15:58:20 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF}.tap
    Mon Jul 29 15:58:20 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.1.4.0/10.1.4.2/255.255.255.0 [SUCCEEDED]
    Mon Jul 29 15:58:20 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.1.4.2/255.255.255.0 on interface {F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF} [DHCP-serv: 10.1.4.254, lease-time: 31536000]
    Mon Jul 29 15:58:20 2019 Successful ARP Flush on interface [19] {F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF}
    Mon Jul 29 15:58:25 2019 Initialization Sequence Completed
    

    Configuration of one of the servers

    Server mode: Remote Access (SSL/TLS + User Auth)
    Backend for authentication: Radius
    Protocol: TCP IPv4 and IPv6 on all interfaces
    Interface: WAN
    Local Port: 5131
    TLS Key Usage Mode: TLS Authentication
    DH Parameter Length: 2048 bit
    Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    Auth digest algorithm: SHA256 (256-bit)
    Hardware Crypto: No Hardware Crypto Acceleration
    Certificate Depth: One (Client+Server)
    Inter-client communication: Allow
    

    Log OpenVPN on pfSense

    Jul 29 15:58:12	openvpn	22545	Completel/X.X.X.X [Completel] Inactivity timeout (--ping-restart), restarting
    Jul 29 15:54:38	openvpn	98731	TCP connection established with [AF_INET6]::ffff:X.X.X.X:58045
    Jul 29 15:54:38	openvpn	98731	X.X.X.X TCP connection established with [AF_INET6]::ffff:X.X.X.X:59198
    Jul 29 15:54:38	openvpn	98731	X.X.X.X TCP connection established with [AF_INET6]::ffff:X.X.X.X:37830
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_VER=2.4.7
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_PLAT=win
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_PROTO=2
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_NCP=2
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_LZ4=1
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_LZ4v2=1
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_LZO=1
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_COMP_STUB=1
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_COMP_STUBv2=1
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_TCPNL=1
    Jul 29 15:54:39	openvpn	98731	X.X.X.X peer info: IV_GUI_VER=OpenVPN_GUI_11
    

    Everything worked very well last Friday and nothing was changed in the meantime. Does anyone have any idea what my problem is?

    • R
      Rico LAYER 8 Rebel Alliance
      last edited by Jul 29, 2019, 2:38 PM

      Flappy connection between server and client?
      Routing/peering issue?

      -Rico

      • D
        Dimix971
        last edited by Jul 29, 2019, 2:57 PM

        I am able to connect correctly to the different servers, just that every 10 minutes the connection restarts.
        Apart from the cut-off while the VPN reconnects, I have no problem routing.

        I forgot to mention that ports 5130 5131 and 5132 are open in TCP on the WAN.

        Sorry for my English, it's not my native language

        • R
          renat_kaa @Dimix971
          last edited by Jul 29, 2019, 3:07 PM

          @Dimix971 please delete or comment out the ping-timer-rem parameter on the client side and check.

          • P
            Pippin
            last edited by Jul 29, 2019, 4:04 PM

            Logs at --verb 4 can be more helpful ...

            NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.

            Did you alter the --keepalive or ping(-restart) setting client side?
            If so, see --keepalive interval timeout in manual 2.4:
            https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
            Halton Arp

            • D
              Dimix971
              last edited by Dimix971 Jul 30, 2019, 9:09 AM Jul 30, 2019, 9:06 AM

              I don't have the line "ping-timer-rem" on the client side. Here's what I have.

              dev tun
              persist-tun
              persist-key
              cipher AES-256-CBC
              ncp-ciphers AES-256-GCM:AES-128-GCM
              auth SHA256
              tls-client
              client
              resolv-retry infinite
              remote WAN 5131 tcp-client
              lport 0
              verify-x509-name "vpn-Radius" name
              auth-user-pass
              remote-cert-tls server
              
              <ca>
              -----BEGIN CERTIFICATE-----
              ...
              

              Here is the client-side log with verb 4

              Tue Jul 30 10:25:34 2019 [vpn-Radius] Peer Connection Initiated with [AF_INET]X.X.X.X:5131
              Tue Jul 30 10:25:41 2019 open_tun
              Tue Jul 30 10:25:41 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF}.tap
              Tue Jul 30 10:25:41 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 10.1.4.0/10.1.4.3/255.255.255.0 [SUCCEEDED]
              Tue Jul 30 10:25:41 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.1.4.3/255.255.255.0 on interface {F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF} [DHCP-serv: 10.1.4.254, lease-time: 31536000]
              Tue Jul 30 10:25:41 2019 Successful ARP Flush on interface [19] {F92A5ED8-E886-4DC3-BAD5-DA95A9A2EADF}
              Tue Jul 30 10:25:46 2019 Initialization Sequence Completed
              Tue Jul 30 10:44:51 2019 Connection reset, restarting [0]
              Tue Jul 30 10:44:51 2019 SIGUSR1[soft,connection-reset] received, process restarting
              Tue Jul 30 10:44:56 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:5131
              Tue Jul 30 10:44:56 2019 Attempting to establish TCP connection with [AF_INET]X.X.X.X:5131 [nonblock]
              Tue Jul 30 10:44:57 2019 TCP connection established with [AF_INET]X.X.X.X:5131
              Tue Jul 30 10:44:57 2019 TCP_CLIENT link local (bound): [AF_INET][undef]:0
              Tue Jul 30 10:44:57 2019 TCP_CLIENT link remote: [AF_INET]X.X.X.X:5131
              Tue Jul 30 10:44:57 2019 [vpn-Radius] Peer Connection Initiated with [AF_INET]X.X.X.X:5131
              Tue Jul 30 10:44:58 2019 Preserving previous TUN/TAP instance: Ethernet 2
              Tue Jul 30 10:44:58 2019 Initialization Sequence Completed
              Tue Jul 30 10:53:15 2019 Connection reset, restarting [0]
              

              I had not set up keepalive, so I tried with --keepalive 10 60 but still the same problem.

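Added example, not part of any post in this thread: a Python script that lines up the client's "Connection reset" events with the pfSense-side "Inactivity timeout (--ping-restart)" entries, using lines copied from the two logs posted above. The function names, the `year` parameter (the pfSense log prefix carries no year) and the 2-second matching slack are assumptions of this example.

```python
from datetime import datetime, timedelta

# Lines copied from the client and pfSense logs posted in this thread.
CLIENT_LOG = """\
Mon Jul 29 15:50:32 2019 Connection reset, restarting [0]
Mon Jul 29 15:50:45 2019 Initialization Sequence Completed
Mon Jul 29 15:58:12 2019 Connection reset, restarting [0]
Mon Jul 29 15:58:25 2019 Initialization Sequence Completed
"""
SERVER_LOG = """\
Jul 29 15:58:12\topenvpn\t22545\tCompletel/X.X.X.X [Completel] Inactivity timeout (--ping-restart), restarting
Jul 29 15:54:38\topenvpn\t98731\tTCP connection established with [AF_INET6]::ffff:X.X.X.X:58045
"""

def client_events(log):
    """Yield (timestamp, message) from client log lines with a 24-char ctime prefix."""
    for line in log.splitlines():
        try:
            ts = datetime.strptime(line[:24], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # blank or non-timestamped line
        yield ts, line[24:].strip()

def server_timeouts(log, year):
    """Timestamps of server-side --ping-restart expiries (15-char prefix, no year)."""
    out = []
    for line in log.splitlines():
        if "Inactivity timeout (--ping-restart)" in line:
            out.append(datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"))
    return out

def analyse(client_log, server_log, year, slack=timedelta(seconds=2)):
    """Per client reset: tunnel uptime and whether the server logged a timeout then."""
    timeouts, up_since, report = server_timeouts(server_log, year), None, []
    for ts, msg in client_events(client_log):
        if msg.startswith("Initialization Sequence Completed"):
            up_since = ts
        elif msg.startswith("Connection reset, restarting"):
            # uptime is None when the excerpt does not show when the tunnel came up
            uptime = int((ts - up_since).total_seconds()) if up_since else None
            matched = any(abs(ts - t) <= slack for t in timeouts)
            report.append({"reset": ts, "uptime_s": uptime, "server_ping_restart": matched})
            up_since = None
    return report

if __name__ == "__main__":
    for row in analyse(CLIENT_LOG, SERVER_LOG, 2019):
        print(row["reset"], row["uptime_s"], row["server_ping_restart"])
```

A same-second match, as for the 15:58:12 reset in these lines, is consistent with the server side closing the TCP session when its own ping timer expired, provided the server entry belongs to the same client. Irregular uptimes across resets point away from a fixed client-side timer.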
              • D
                Dimix971
                last edited by Jul 30, 2019, 9:13 AM

                @Pippin "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device." I didn’t quite understand what that means.

                • D
                  Dimix971
                  last edited by Jul 31, 2019, 8:40 AM

                  Does no one have a clue what my problem is?
