Restarting OpenVPN interrupts non-VPN traffic



  • I run an OpenVPN client connection to GhostVPN server(s) on 2.4.4-RELEASE-p3. It worked well for over a year but I had to rebuild my pfSense (after system "Halt" it looped on reboot stating that it was not shut down properly; booting from USB and fixing with fsck did not help so I had to reinstall). Anyway, I rebuilt it with the old config but since then I am having two odd and related VPN problems.

    As you can see, the OpenVPN client connects fine to the server (and the logs look fine too):

    [screenshot: c6d64439-6b8a-4003-9a17-8cdf5264a85b-image.png]

    The first problem is that for some reason the VPN gets no "Monitor IP" responses (as a matter of fact - no incoming packets of any kind), so it disconnects with "Inactivity timeout (--ping-restart), restarting". If anyone has ideas what can be wrong or how to debug it - please help. Even this fails:

    ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::4262:31ff:fe02:cb65%ovpnc2 prefixlen 64 scopeid 0xe
            inet 10.203.1.151 --> 10.203.1.1 netmask 0xffffff00
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            groups: tun openvpn
            Opened by PID 99100
    [2.4.4-RELEASE][admin@Firewall.localdomain]: traceroute -i ovpnc2 10.203.1.151
    traceroute to 10.203.1.151 (10.203.1.151), 64 hops max, 40 byte packets
     1  * * *
     2  * * *
    ...
    

    The second problem, rather weird, is that each OpenVPN client restart (every few minutes due to the periodic "ping-restart") causes all LAN clients which do not use the VPN at all to briefly lose connection (pings to the Internet go to >500ms, SSH/HTTPS sessions drop, streaming stops). I disabled all VPN-related rules (including NAT) and it appears that merely starting the OpenVPN client causes this interruption. Any ideas what may be going on and/or how to avoid this interference?



  • I am guessing this problem is as puzzling for everybody as it is for me...

    Anyway - a question: how can I disable "ping-restart 60" in pfSense to avoid the VPN tunnel constantly going up and down? I need this to debug the connectivity issues without constant VPN reconnects. I tried to add ping-restart 0 to OpenVPN-Clients-"Advanced configuration"-"Custom options" but it doesn't suppress ping-restarts (it seems that the parameter --ping-restart 60 is supplied to OpenVPN on the command line and this overrides the config file).



  • Still need help... OK, let me post some screenshots, maybe someone will have an idea.

    Firstly, OpenVPN has no trouble connecting (so, I guess, no point in posting conf files here) and I see in the logs "Initialization Sequence Completed":

    Mar 2 19:39:01	openvpn	73818	SENT CONTROL [84.247.48.2-1580253440]: 'PUSH_REQUEST' (status=1)
    Mar 2 19:39:01	openvpn	73818	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.101.0.243,route-gateway 10.203.2.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.203.2.215 255.255.255.0,peer-id 16'
    Mar 2 19:39:01	openvpn	73818	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Mar 2 19:39:01	openvpn	73818	Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
    Mar 2 19:39:01	openvpn	73818	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: timers and/or timeouts modified
    Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: --ifconfig/up options modified
    Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: route-related options modified
    Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: peer-id set
    Mar 2 19:39:01	openvpn	73818	OPTIONS IMPORT: adjusting link_mtu to 1625
    Mar 2 19:39:01	openvpn	73818	Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
    Mar 2 19:39:01	openvpn	73818	Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
    Mar 2 19:39:01	openvpn	73818	Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
    Mar 2 19:39:01	openvpn	73818	Preserving previous TUN/TAP instance: ovpnc2
    Mar 2 19:39:01	openvpn	73818	Initialization Sequence Completed
    

    However, it soon disconnects and tries to reconnect because there is no ping-reply from the Monitor IP (I tried many IPs just in case, none works):

    Mar 2 19:37:50	openvpn	73818	Initialization Sequence Completed
    Mar 2 19:38:00	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
    Mar 2 19:38:10	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
    Mar 2 19:38:20	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
    Mar 2 19:38:30	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
    Mar 2 19:38:40	openvpn	73818	Bad compression stub (swap) decompression header byte: 42
    Mar 2 19:38:50	openvpn	73818	[84.247.48.2-1580253440] Inactivity timeout (--ping-restart), restarting
    Mar 2 19:38:50	openvpn	73818	TCP/UDP: Closing socket
    Mar 2 19:38:50	openvpn	73818	SIGUSR1[soft,ping-restart] received, process restarting
    Mar 2 19:38:50	openvpn	73818	Restart pause, 10 second(s)
    

    OpenVPN goes up and down like a yo-yo and it's hard to debug anything because random IPs are being assigned (that's why I really would love to know how to turn off "ping-restart" for debugging).

    Output of ifconfig:

    ovpnc2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::4262:31ff:fe02:cb65%ovpnc2 prefixlen 64 scopeid 0xd
            inet 10.203.2.215 --> 10.203.2.1 netmask 0xffffff00
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            groups: tun openvpn
            Opened by PID 73818
    
    

    Routing table (removed IPv6 as it's off):

    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            cpc119588-heme14-2 UGS        igb5
    dns9.quad9.net     cpc119588-heme14-2 UGHS       igb5
    10.203.2.0/24      10.203.2.1         UGS      ovpnc2
    10.203.2.1         link#13            UH       ovpnc2
    10.203.2.215       link#13            UHS         lo0
    82.22.94.0/24      link#6             U          igb5
    cpc119588-heme14-2 link#6             UHS         lo0
    84.247.48.18       10.203.2.215       UGHS        lo0
    unicast.censurfrid cpc119588-heme14-2 UGHS       igb5
    localhost          link#8             UH          lo0
    192.168.0.0/23     link#12            U       bridge0
    192.168.1.1        link#12            UHS         lo0
    

    Packet capture for "ping 84.247.48.18":

    19:33:30.890347 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 872, length 8
    19:33:31.403928 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 873, length 8
    19:33:31.911709 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 874, length 8
    19:33:32.443954 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 875, length 8
    19:33:32.976210 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 876, length 8
    19:33:33.482622 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 877, length 8
    19:33:33.988983 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 878, length 8
    19:33:34.521237 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 879, length 8
    19:33:35.053494 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 880, length 8
    19:33:35.555600 IP 10.203.2.215 > 84.247.48.18: ICMP echo request, id 61403, seq 881, length 8
    

    Output of "traceroute -i ovpnc2 1.1.1.1":

    [2.4.4-RELEASE][admin@Firewall.localdomain]/root: traceroute -i ovpnc2 1.1.1.1
    traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
     8  * * *
    ^C
    

    Any ideas? Pretty please!
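An added example, not from any poster in this thread: a small Python script that reads OpenVPN client log lines like the ones quoted above and reports two things those logs already contain: the server's PUSH_REPLY carries `ping 10,ping-restart 60`, which replaces a locally configured `ping-restart`, and the `Bad compression stub` lines recur exactly every 10 seconds, i.e. at the server's ping interval, so packets are reaching the client but are rejected because the two ends disagree on compression framing. The sample log (abridged from the thread), the assumed year and the line regex are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample: one restart cycle of the client log quoted in this thread,
# with tabs between the syslog fields as pfSense prints them.
SAMPLE_LOG = "\n".join([
    "Mar 2 19:37:50\topenvpn\t73818\tPUSH: Received control message: "
    "'PUSH_REPLY,redirect-gateway def1,ping 10,ping-restart 60,"
    "ifconfig 10.203.2.215 255.255.255.0,peer-id 16'",
    "Mar 2 19:37:50\topenvpn\t73818\tInitialization Sequence Completed",
    "Mar 2 19:38:00\topenvpn\t73818\tBad compression stub (swap) decompression header byte: 42",
    "Mar 2 19:38:10\topenvpn\t73818\tBad compression stub (swap) decompression header byte: 42",
    "Mar 2 19:38:20\topenvpn\t73818\tBad compression stub (swap) decompression header byte: 42",
    "Mar 2 19:38:30\topenvpn\t73818\tBad compression stub (swap) decompression header byte: 42",
    "Mar 2 19:38:40\topenvpn\t73818\tBad compression stub (swap) decompression header byte: 42",
    "Mar 2 19:38:50\topenvpn\t73818\t[84.247.48.2-1580253440] Inactivity timeout (--ping-restart), restarting",
])

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d)\topenvpn\t\d+\t(.*)$")

def parse(log, year=2020):
    """Return (timestamp, message) pairs; syslog lines carry no year, so one is assumed."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2]))
    return out

def analyse(log):
    pushed, bad_gaps, init_ts, last_bad, restart_after = {}, [], None, None, None
    for ts, msg in parse(log):
        if msg.startswith("PUSH: Received control message:"):
            # Timers pushed by the server replace the client's local values
            # (OpenVPN 2.4 can refuse them with: pull-filter ignore "ping-restart").
            pushed.update({k: int(v) for k, v in re.findall(r"(ping-restart|ping) (\d+)", msg)})
        elif msg == "Initialization Sequence Completed":
            init_ts = ts
        elif msg.startswith("Bad compression stub"):
            if last_bad is not None:
                bad_gaps.append(int((ts - last_bad).total_seconds()))
            last_bad = ts
        elif "Inactivity timeout (--ping-restart)" in msg and init_ts is not None:
            restart_after = int((ts - init_ts).total_seconds())
    findings = []
    if bad_gaps and pushed.get("ping") and all(g == pushed["ping"] for g in bad_gaps):
        findings.append("peer packets arrive at the pushed ping interval but are discarded: "
                        "compression framing mismatch between client and server, not a silent tunnel")
    if restart_after is not None and restart_after == pushed.get("ping-restart"):
        findings.append("restart fires after the server-pushed ping-restart value, not the local one")
    return {"pushed": pushed, "bad_gaps": bad_gaps, "restart_after": restart_after, "findings": findings}
```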



  • @mig

    I have this exact same issue... it seems that OpenVPN clients that go down cause other unrelated OpenVPN clients and LAN gateways to go down... Not all gateways, but certain ones. At first I thought it might be related to having gateway groups set up, but when disabling all of those I still have the issue.

    I sure would like to know why they are inter-linked....

    RHLinux



  • FWIW I never figured out why OpenVPN restarts interfere with traffic over other interfaces. I was able to resolve my OpenVPN connectivity problem and when the tunnel is stable (like it should be and like it is in majority of cases), naturally, there is no interference.

    To summarise:

    • I do believe that there is a bug (when OpenVPN starts at least some connections on other interfaces drop) which manifests itself only rarely because properly configured OpenVPN does not do "yo-yo" restarts.
    • It appears impossible to disable the 60-second "ping-restart", which is not good when one needs to debug OpenVPN connectivity problems.

  • LAYER 8 Netgate

    Impossible?

    [screenshot: Screen Shot 2020-03-14 at 2.11.15 PM.png]



  • Thanks but I cannot find "Ping settings" anywhere in the menus. Please tell me where it is.


  • LAYER 8 Netgate

    OpenVPN Server.



  • I only run the client and I have no control of the server - it's a commercial VPN provider.

    To clarify the problem - is it possible to prevent pfSense's OpenVPN client from automatically reconnecting when there is no ping reply? It makes debugging a connection nearly impossible (one typically only has <60 seconds before the client drops the connection and attempts to reconnect).


  • LAYER 8 Netgate

    Then in the client, but the server will still have its own ping/keepalive times.

    They are generally necessary. If it dies for a minute you want to reestablish the connection anyway.

    If you rebuilt with the old config it will be working the same way and any difference can be attributed to something else, perhaps misperception or misblame, but not that.

    Everything there is to know is here:

    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    See Also: ping, ping-restart, and the keepalive helper to manage them both.


  • LAYER 8 Rebel Alliance

    "Ping settings" are available in both the OpenVPN Server and Client, but in 2.4.5-RC, not in 2.4.4-RELEASE-p3.

    -Rico


  • LAYER 8 Netgate

    Ah. You'll have to use the keywords in advanced options in 2.4.4-p3 I guess. Thanks. Still not "impossible."



  • @mig said in Restarting OpenVPN interrupts non-VPN traffic:

    I tried to add ping-restart 0 to OpenVPN-Clients-"Advanced configuration"-"Custom options" but it doesn't suppress ping-restarts

