Weird OpenVPN client behaviour causing disconnections
- What is going on in the logs seen in the below screenshot and what should I do about it?
- How do I decrease the "pause time" (first line in the log) for reconnecting to the VPN?
- Does the problem come from my end or the VPN provider's?
Pippin last edited by
Please see --connect-retry n [max] and --connect-retry-max n in manual 2.4:
@Pippin Thank you, I set up a maximum, but could you please answer the other questions?
Why is this happening? Whose fault is it? etc...
Is the remote a road warrior whose IP-address changes? OpenVPN can handle changing addresses when enabled, if not enabled it just times out.
But more info is needed...
I have a problem with NordVPN: when I try to surf an online shopping mart, it's not accessible, while other websites such as Google and YouTube are accessible. Maybe it's due to the same proxy or tunnel. Does anyone have a solution for why a specific domain is not accessible on NordVPN?
@Grimeton The remote server never changes its own IP, but can dynamically change the IP of its clients - in this case my pfSense router. If I understood you correctly and this is what you meant, then how do I enable that handling of IP changes?
EDIT: Just chatted with NordVPN's support team. They say that the problem is not on my end (pfSense router) and it's probably because of UDP problems. They assume my ISP blocks UDP or something. So I asked them why it happens only a few times a day and they answered "because that's the way it is" ahhh Go figure.... Sometimes they're really useful and sometimes they just give me a headache. Anyway... if it's really not on my end then I don't care and I'll live with it because TCP is SLOW AF!!!
If anyone has a different idea than NordVPN's support team, by all means go ahead.
When you use UDP as the outer connection protocol of the VPN, then the VPN server can accept a changed client IP (OUTER) without killing the VPN connection. Obviously this is only possible via UDP.
From the OpenVPN manual:
Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client. Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
This has nothing to do with the stuff inside the connection/VPN only with the outer connection itself.
@Grimeton So you're saying it has nothing to do with my pfSense router. It's on the server's end?
@techtester-m you wrote:
The remote server never changes its own IP, but can dynamically change the IP of its clients - in this case my pfSense router.
So I clarified what I meant by that. I doubt the server is able to dynamically change your public IP-address.
@Grimeton Ohhh lol...of course not! I meant the virtual IP of the VPN client, for inner VPN purposes - 10.x.x.x etc.
EDIT: So...nobody knows why the disconnections?
Just as a tip on the side: When looking into connection issues and monitoring traffic via tools like tcpdump, ngrep or wireshark, always include ICMP packets and check the messages sent, because they usually contain a hint wtf is going on. Especially when it comes to UDP where you don't have RST or anything else.
@Grimeton So...nobody knows why the disconnections?
There aren't a lot of reasons here:
- Networking issues, followed by an ICMP package containing proto or port unreachable.
- Networking issues causing OpenVPN's internal timer to timeout and disconnect/reconnect.
Whatever it is, it's up to you to figure it out and when the disconnect comes from the other side, then you'd need the logs from there. No logs, no cookies.
I doubt your ISP is just randomly blocking UDP packets, unless they think it's some kind of flooding or something, then you should talk to them and make clear that it is not.
Networking issues, followed by an ICMP package containing proto or port unreachable.
ICMP package coming from me out to the server or vice versa?
Networking issues causing OpenVPN's internal timer to timeout and disconnect/reconnect.
What should I do in such case?
EDIT: I've noticed that it usually happens when one of the VPNs in the VPN group (of 2) is going down (for maintenance or whatever) and because both/all of them are marked as Tier1 it may cause such reconnection attempts...on the other hand that's why we have VPN groups and Tier priority LOL
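To make the ICMP tip in this thread concrete, here is an added example (not written by any poster here): an ICMP destination-unreachable message quotes the IP header and first 8 bytes of the datagram that was rejected, so parsing it shows which packet triggered it and which host reported it. The addresses, UDP port 1194 and all function names are assumptions, and the packet bytes are constructed.

```python
import ipaddress
import struct

UNREACH = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
           3: "port unreachable", 13: "administratively prohibited"}

def parse_unreachable(pkt: bytes):
    """Return details of the datagram quoted in an ICMP type 3 message, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4 carrying ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or pkt[ihl] != 3:                 # type 3 = unreachable
        return None
    inner = pkt[ihl + 8:]                # quoted original IP header + 8 payload bytes
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "reason": UNREACH.get(pkt[ihl + 1], f"code {pkt[ihl + 1]}"),
        "reported_by": str(ipaddress.IPv4Address(pkt[12:16])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
        "orig_dport": None,
    }
    if inner[9] == 17 and len(inner) >= inner_ihl + 4:      # UDP: ports follow IP header
        info["orig_dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])[1]
    return info

def concerns_tunnel(info, server_ip: str, server_port: int) -> bool:
    """True when the rejected datagram was a UDP packet sent to the VPN server."""
    return bool(info) and info["orig_proto"] == 17 and \
        info["orig_dst"] == server_ip and info["orig_dport"] == server_port

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the sample (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample: client 192.0.2.10 sent UDP to 203.0.113.5:1194 (assumed
# tunnel endpoint) and received ICMP type 3 code 3 (port unreachable) in reply.
CLIENT, SERVER, PORT = "192.0.2.10", "203.0.113.5", 1194
original = ipv4(CLIENT, SERVER, 17, struct.pack("!HHHH", 51820, PORT, 8, 0))
SAMPLE = ipv4(SERVER, CLIENT, 1, struct.pack("!BBHI", 3, 3, 0, 0) + original)

if __name__ == "__main__":
    info = parse_unreachable(SAMPLE)
    print(info, concerns_tunnel(info, SERVER, PORT))
```

The `orig_src` field identifies the side whose packet was rejected, and `reported_by` identifies the host or intermediate router that sent the ICMP error back to it.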