Netgate Discussion Forum

    Client VPN is closing its connection randomly

    • J Offline
      jonny.b74
      last edited by jonny.b74

      Hello

      I am using vpnunlimited as a client vpn on pfSense Openvpn, the connection is closed randomly in 3, 10, 30 mins.

      I have tried all for days now, vendor support is non-existent

      Tried different vpn provider servers,
      pfsense versions 2.4 , 2.5, 2.6
      diff options in custom,
      monitor ips, firewall settings, ICMP rules
      Used keepalive 10 60 , ping 5 30 etc
      Here is the log entries on level 11
      [openvpn2.vpnunlimitedapp.com] Inactivity timeout (--ping-exit), exiting
      SSL alert (write): warning: close notify

      Strangely what works is using Openvpn client software on my computer with their config file imported it works for hrs without dropping

      Here is their config
      dev tun
      reneg-sec 0
      persist-tun
      persist-key
      ping 5
      ping-exit 30
      nobind
      comp-lzo no
      remote-random
      remote-cert-tls server
      auth-nocache
      route-metric 1
      cipher AES-256-CBC
      auth sha512

      uses CA, CERT, and KEY .. no username password

      I am just stumped and don't know what to do as it works on my openvpn computer flawlessly but in pfSense openvpn connects for 5-30 mins in and then drops.

      Help please !

      • M Away
        mcury Rebel Alliance @jonny.b74
        last edited by

        @jonny-b74 said in Client VPN is closing its connection randomly:

        ping-exit 30

        Try to remove this line

        dead on arrival, nowhere to be found.

        • J Offline
          jonny.b74 @mcury
          last edited by

          @mcury
          makes no difference, with or without that ping settings line
          keepalive option too seems to not make a difference

          • M Away
            mcury Rebel Alliance @jonny.b74
            last edited by

            @jonny-b74 said in Client VPN is closing its connection randomly:

            [openvpn2.vpnunlimitedapp.com] Inactivity timeout (--ping-exit), exiting
            SSL alert (write): warning: close notify

            What is the error you get without the ping settings line when the connection goes down?

            dead on arrival, nowhere to be found.

            • J Offline
              jonny.b74 @mcury
              last edited by jonny.b74

              @mcury
              same message as before.. see the times 18:06 connected -18:22 disconnected
              Feb 15 18:22:56 openvpn 39332 [openvpn2.vpnunlimitedapp.com] Inactivity timeout (--ping-exit), exiting
              Feb 15 18:06:35 openvpn 39332 Initialization Sequence Completed

              And this happens while i am using the connection

              • M Away
                mcury Rebel Alliance @jonny.b74
                last edited by mcury

                @jonny-b74 This problem happens if you have a client behind pfSense constantly using the VPN?

                Connect the pfsense to the VPN again, and in a computer behind pfsense, keep pinging 8.8.8.8 or any other IP in the internet to confirm if the VPN will drop.

                The error is indicating inactivity timeout, which shouldn't be happening with the ping 5 value.
                I wonder if pfsense is pinging the server.. and which source IP would be using to do it..

                Did you create the openvpn interface? I suspect that this could be the problem..
                Can you capture packets in the openvpn interface to confirm if the ping 5 is working?

                Edit: If you didn't create the openvpn, here is a how to:
                https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/assign.html#figure-assign-openvpn-interface

                By the way, this is just a guess..

                dead on arrival, nowhere to be found.

                • J Offline
                  jonny.b74 @mcury
                  last edited by jonny.b74

                  @mcury
                  Just tried that cannot ping 8.8.8.8 i can surf the web though

                  My gateway status
                  KEEPSOLID_US_VPNV4 10.200.0.45 8.8.8.8 38.059ms 3.084ms 0.0% Online Interface KEEPSOLID_US_VPNV4 Gateway

                  • M Away
                    mcury Rebel Alliance @jonny.b74
                    last edited by mcury

                    @jonny-b74 Google is probably blocking VPN known IP addresses..
                    Keep browsing the internet, this would achieve the same goal of the ping to Google..

                    Or find another IP that is accepting your ping requests and set a constant ping to it.. in Windows it would be ping IP -t

                    In Linux just ping IP

                    dead on arrival, nowhere to be found.

                    • J Offline
                      jonny.b74 @mcury
                      last edited by

                      @mcury

                      just dropped again
                      Feb 15 18:58:32 openvpn 40886 SIGTERM[soft,ping-exit] received, process exiting
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1625 10.200.0.46 10.200.0.45 init
                      Feb 15 18:58:32 openvpn 40886 Closing TUN/TAP interface
                      Feb 15 18:58:32 openvpn 40886 /sbin/route delete -net 128.0.0.0 10.200.0.45 128.0.0.0
                      Feb 15 18:58:32 openvpn 40886 /sbin/route delete -net 0.0.0.0 10.200.0.45 128.0.0.0
                      Feb 15 18:58:32 openvpn 40886 /sbin/route delete -net 66.23.205.226 99.227.40.1 255.255.255.255
                      Feb 15 18:58:32 openvpn 40886 /sbin/route delete -net 10.200.0.1 10.200.0.45 255.255.255.255
                      Feb 15 18:58:32 openvpn 40886 TCP/UDP: Closing socket
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 SSL alert (write): warning: close notify
                      Feb 15 18:58:32 openvpn 40886 PID packet_id_free
                      Feb 15 18:58:32 openvpn 40886 TIMER: coarse timer wakeup 30 seconds
                      Feb 15 18:58:32 openvpn 40886 [openvpn2.vpnunlimitedapp.com] Inactivity timeout (--ping-exit), exiting
                      Feb 15 18:58:32 openvpn 40886 ENCRYPT TO: 48000008 27bfd656 56a640ad 529d804c 5a1d8b5e 47e7e55b 03cba599 b459272[more...]

                      1 Reply Last reply Reply Quote 0
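
Added example, not part of any post in this thread: a small Python parser that pairs each `Inactivity timeout (--ping-exit)` line with the `Initialization Sequence Completed` line of the same OpenVPN PID and reports how long the tunnel lived. The log lines are copied from the posts above; the function name `ping_exit_sessions` and the placeholder `year` argument are assumptions, since the pfSense log timestamps carry no year.

```python
import re
from datetime import datetime

# Lines copied from the posts above. pfSense lists newest first and omits the year.
SAMPLE_LOG = """\
Feb 15 18:58:32 openvpn 40886 SIGTERM[soft,ping-exit] received, process exiting
Feb 15 18:58:32 openvpn 40886 [openvpn2.vpnunlimitedapp.com] Inactivity timeout (--ping-exit), exiting
Feb 15 18:22:56 openvpn 39332 [openvpn2.vpnunlimitedapp.com] Inactivity timeout (--ping-exit), exiting
Feb 15 18:06:35 openvpn 39332 Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) openvpn (\d+) (.*)$")
UP = "Initialization Sequence Completed"
DOWN = "Inactivity timeout (--ping-exit)"


def ping_exit_sessions(log_text, year=2000):
    """Return one dict per ping-exit event, oldest first.

    'seconds' is None when the matching start line is not in the excerpt.
    'year' is a placeholder (assumption); logs spanning New Year are not handled.
    """
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])  # process oldest first regardless of display order

    started, sessions = {}, []
    for ts, pid, msg in events:
        if UP in msg:
            started[pid] = ts
        elif DOWN in msg:
            up = started.pop(pid, None)
            secs = int((ts - up).total_seconds()) if up else None
            sessions.append({"pid": pid, "up": up, "down": ts, "seconds": secs})
    return sessions


if __name__ == "__main__":
    for s in ping_exit_sessions(SAMPLE_LOG):
        lived = f"{s['seconds']} s" if s["seconds"] is not None else "start not in log"
        print(f"pid {s['pid']}: ping-exit at {s['down']:%H:%M:%S}, tunnel lived {lived}")
```

Run over a longer export of the OpenVPN log, this shows whether the drops cluster around a fixed lifetime or are spread out.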
                      • J Offline
                        jonny.b74
                        last edited by jonny.b74

                        running a ping in the background now.. will test and report

                        • J Offline
                          jonny.b74
                          last edited by jonny.b74

                          Interface setting
                          7b420767-1692-4144-ba5d-a87605f2ea94-image.png

                          • M Away
                            mcury Rebel Alliance @jonny.b74
                            last edited by

                            @jonny-b74 said in Client VPN is closing its connection randomly:

                            running a ping in the background now.. will test and report

                            In theory, with the ping happening, the connection won't ping-exit anymore

                            https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

                            --inactive n [bytes]
                            Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device. The time length of inactivity is measured since the last incoming or outgoing tunnel packet. The default value is 0 seconds, which disables this feature. If the optional bytes parameter is included, exit if less than bytes of combined in/out traffic are produced on the tun/tap device in n seconds.
                            In any case, OpenVPN’s internal ping packets (which are just keepalives) and TLS control packets are not considered “activity”, nor are they counted as traffic, as they are used internally by OpenVPN and are not an indication of actual user activity.

                            --ping n
                            Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds (specify --ping on both peers to cause ping packets to be sent in both directions since OpenVPN ping packets are not echoed like IP ping packets). When used in one of OpenVPN’s secure modes (where --secret, --tls-server, or --tls-client is specified), the ping packet will be cryptographically secure. This option has two intended uses:
                            (1) Compatibility with stateful firewalls. The periodic ping will ensure that a stateful firewall rule which allows OpenVPN UDP packets to pass will not time out.

                            (2) To provide a basis for the remote to test the existence of its peer using the --ping-exit option.

                            --ping-exit n
                            Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote. This option can be combined with --inactive, --ping, and --ping-exit to create a two-tiered inactivity disconnect. For example,
                            openvpn [options…] --inactive 3600 --ping 10 --ping-exit 60

                            when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged.
                            

                            dead on arrival, nowhere to be found.

                            • J Offline
                              jonny.b74 @mcury
                              last edited by

                              @mcury
                              here is my states table (1st line is 8.8.8.8 monitor ip, second line is my ping running)
                              14067598-57b8-4266-944d-b5887a1f84ba-image.png

                              connection is solid so far, let me stop the other 2nd line ping in the background

                              thanks for the link , I did read that man page, so what do i do to keep ping alive or why does the monitor ip ping not keep alive?

                              • M Away
                                mcury Rebel Alliance @jonny.b74
                                last edited by mcury

                                @jonny-b74 said in Client VPN is closing its connection randomly:

                                here is my states table (1st line is 8.8.8.8 monitor ip, second line is my ping running)

                                If Google is blocking pings from your VPN IP, I would change the VPN monitor IP, choose one that replies back.

                                thanks for the link , I did read that man page, so what do i do to keep ping alive or why does the monitor ip ping not keep alive?

                                Change your VPN monitor IP as per my comment above.
                                I suppose that the ping 5 setting needs an openvpn interface in pfsense, to source that ping.. I see that you created one, lets see how it goes.

                                dead on arrival, nowhere to be found.

                                • J Offline
                                  jonny.b74 @mcury
                                  last edited by

                                  @mcury

                                  Just to clarify , in my states image above it shows monitor ip icmp working, is that using my WAN interface to monitor the VPN? and hence it is not blocked

                                  not sure how to source a ping on the openvpn Interface and would you recommend that to run infinitely?

                                  i have tried a few monitor ip's 1.1.1.1 etc did not help keep connection alive

                                  • J Offline
                                    jonny.b74
                                    last edited by jonny.b74

                                    do i need any firewall rules on my openvpn interface ?
                                    edit: did not make any difference adding any rules
                                    75bd8f29-b5ea-4229-9ba6-d699e1b81346-image.png

                                    I am using a vlans interface with gateway keepsolid_v4 and has allow all
                                    My computer is connected to the vlan and can surf the openvpn for that 10 mins

                                    • M Away
                                      mcury Rebel Alliance @jonny.b74
                                      last edited by

                                      @jonny-b74 Your image is showing interface KEEPSOLID_US as the source, so how you have replies from 8.8.8.8 and the ping you tried earlier didn't work?

                                      I would confirm if 8.8.8.8 is reachable through the VPN by pinging it directly, you can use a computer that is set to go out through the VPN, so you wouldn't need to choose any source interface in pfsense..
                                      Just make sure that the computer is indeed being routed through the VPN..

                                      dead on arrival, nowhere to be found.

                                      • J Offline
                                        jonny.b74 @mcury
                                        last edited by jonny.b74

                                        @mcury said in Client VPN is closing its connection randomly:

                                        @jonny-b74 Your image is showing interface KEEPSOLID_US as the source, so how you have replies from 8.8.8.8 and the ping you tried earlier didn't work?

                                        I would confirm if 8.8.8.8 is reachable through the VPN by pinging it directly, you can use a computer that is set to go out through the VPN, so you wouldn't need to choose any source interface in pfsense..

                                        8.8.8.8 is not reachable from my computer via the vpn ... apologies it just did

                                        Just make sure that the computer is indeed being routed through the VPN..

                                        • M Away
                                          mcury Rebel Alliance @jonny.b74
                                          last edited by mcury

                                          @jonny-b74 said in Client VPN is closing its connection randomly:

                                          8.8.8.8 is not reachable from my computer via the vpn ... apologies it just did

                                          If the ping is working , OK, but note that Google drops some ICMP packets, at least they used to drop.

                                          Based on your ping/ping-exit config, if no packets sent/received for at least 5 seconds, one ping would be sent, and if this ping is not replied by remote 6 times in a row (5 x 6 = 30), a ping-exit will happen..

                                          So, keep using the computer for at least 30 minutes, just use the VPN, to confirm if it will drop..
                                          Then report back

                                          You can leave a ping running to 8.8.8.8 from this computer, check if you have drops..

                                          dead on arrival, nowhere to be found.

                                          • J Offline
                                            jonny.b74 @mcury
                                            last edited by

                                            @mcury

                                            vpn just dropped around 20 mins total time
                                            Feb 15 20:02:49 openvpn 35548 SIGTERM[soft,ping-exit] received, process exiting

                                            I was running ping 8.8.8.8 in the background

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.