Netgate Discussion Forum

OpenVPN is not working if client is reconnected immediately

Category: OpenVPN
22 Posts, 9 Posters, 5.4k Views
apant
Feb 23, 2021, 7:30 PM

Hi,

I installed v2.5 for the first time and I encounter a problem with OpenVPN. My installation is identical to many others I deployed with previous versions.

My problem is the following: if I disconnect and reconnect the OpenVPN client immediately, the connection succeeds, but I cannot access services behind the VPN. I cannot even ping pfSense. If I wait 4-5 minutes before reconnecting, everything works fine.

I checked the following:

1. The routes are deleted after disconnection.
2. The routes are added after reconnection (the routing table is correct).
3. Tried with different versions of the OpenVPN client for Windows.
4. No errors in the OpenVPN client log.

steamerzone @apant
Feb 23, 2021, 8:05 PM

@apant Looks like the same issue I have:

https://forum.netgate.com/topic/161300/pfsense-2-5-0-openvpn-reconnect-failing

dyener
Feb 24, 2021, 3:58 AM

Yes, I have the same problem! It seems like the OpenVPN server (i.e. the pfSense box) does not recognize when the client has terminated the connection, and instead it waits for a ping timeout before the client is correctly understood to be disconnected. I found that the waiting period is correlated with the "Ping" settings in the OpenVPN server settings. By default "Timeout" is 60 seconds, and "ping-restart" is twice this, or 120 seconds. This is about how long it was taking before the disconnected clients could reconnect. But if I reduce "Timeout" to 20 seconds, then I only need to wait 40 seconds.

Pippin
Feb 24, 2021, 10:21 AM

On the client side, add:

explicit-exit-notify 3

https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html

viktor_g (Netgate)
Feb 24, 2021, 10:39 AM

feature request created:
https://redmine.pfsense.org/issues/11520

steamerzone @Pippin
Feb 24, 2021, 1:11 PM (edited Feb 24, 2021, 1:24 PM)

@pippin said in OpenVPN is not working if client is reconnected immediately:

On the client side, add:

explicit-exit-notify 3

https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html

This option doesn't seem to fix this issue; after a disconnect the client is still listed as connected in pfSense's status screen.

Edit: for this option to work it needs to have a working connection on disconnect, and in most cases the reconnect is needed for a failed connection.

dyener
Feb 25, 2021, 3:20 PM

Thank you all for your help!

Rather than change all my config files on the client machines, I put an entry in the Advanced / Custom options in the pfSense server, push "explicit-exit-notify 3". Now I have no problem if a client manually disconnects and then reconnects immediately.

However, as steamerzone said, I am also worried what will happen if the disconnection happens inadvertently, e.g. the client machine loses its wifi signal or goes to sleep before the client program has a chance to send the exit signal. It should be able to regain full network functionality if it reconnects automatically in a few seconds.

Also, what is different here between OpenVPN 2.5 and previous versions? I see the explicit-exit-notify option in the 2.4 documentation, yet I don't think I had this problem with 2.4.

apant @Pippin
Feb 26, 2021, 8:26 AM (edited Feb 26, 2021, 8:30 AM)

@pippin It works like a charm! Thanks!

@steamerzone It seems that it's normal for it not to work with failed connections, since it's a client-side option and in this case the client cannot notify the server of the disconnection.

It seems that we need a server-side option here, I think.

jimp (Netgate developer)
Feb 27, 2021, 11:15 PM

What shows up in the logs on both sides when the reconnect fails like this?

I took a test client just now and reconnected it about 20 times in a row to a UDP server without a single failure. It doesn't have exit notify enabled either.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

apant @jimp
Feb 28, 2021, 8:53 AM

@jimp The connection always succeeds, but traffic does not pass through the VPN if you do not wait 2-3 minutes (without explicit-exit-notify) before reconnecting. There is no error.

jimp (Netgate developer) @apant
Feb 28, 2021, 4:10 PM

@apant said in OpenVPN is not working if client is reconnected immediately:

@jimp The connection always succeeds, but traffic does not pass through the VPN if you do not wait 2-3 minutes (without explicit-exit-notify) before reconnecting. There is no error.

I was finally able to reproduce this given that bit of info and narrow it down a little:

• It does appear to be related to the remote port being the same when reconnecting.
  • If I set the client config to have lport 0 so it randomizes its own local port, then each reconnect can pass traffic.
  • This is better behavior anyhow, I'm not sure why we don't add this into the exported configs by default.
• It is not related to pf/firewall states.
  • Clearing the states doesn't affect whether or not the later reconnections can pass traffic when the client port is reused, so it appears to be internal to OpenVPN itself.

Still need to see if there is anything else server side that might affect it, but that at least narrows the focus and identifies another potential workaround. That's assuming I'm hitting the same conditions others are, though.

Pippin
Feb 28, 2021, 4:38 PM

From memory, for the client side it is advised to use --nobind (without --lport).
--nobind is included in NetworkManager (Linux) by default.

Will try to find the posts by OpenVPN devs...

jimp (Netgate developer)
Feb 28, 2021, 4:52 PM

nobind also works, likely for much the same reason.

That would be viable for remote access clients, but if this same issue also affects site-to-site then that wouldn't be enough to work around it.

None of the changes in the log for OpenVPN 2.5.1 appear to be related, but I'm curious if it makes a difference.

jimp (Netgate developer)
Feb 28, 2021, 5:17 PM

I added an issue to track the upstream problem since there isn't much we can do locally (clients in pfSense already default to lport 0):
https://redmine.pfsense.org/issues/11575

I also added an issue to have the export package automatically add nobind with an option to opt out:
https://redmine.pfsense.org/issues/11574

christian.schneider @jimp
Feb 28, 2021, 5:19 PM (edited Feb 28, 2021, 5:20 PM)

@jimp lport 0 works perfectly for me, thank you!

Pippin
Mar 17, 2021, 12:03 PM

@pippin said in OpenVPN is not working if client is reconnected immediately:

Will try to find the posts by OpenVPN devs...

Please see my remark:
https://redmine.pfsense.org/issues/11575

Elrick75 @jimp
Jun 20, 2021, 6:55 PM

@jimp Hi, I noticed that nobind or lport 0 both work, but it is not possible to have both in the configuration file.
Which one should be chosen between the two, please? Which one is better?

Pippin
Jun 20, 2021, 7:01 PM

The recommendation by OpenVPN is --nobind.

jimp (Netgate developer)
Jun 21, 2021, 12:10 PM

Generally speaking, nobind is better.

You would only need lport 0 if you had to bind to a specific IP address on the client but wanted a random source port. Otherwise, nobind is better since it lets the OS pick the most appropriate source IP address and port.

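As an added example (not code from this thread, from pfSense's export package or from the OpenVPN project), the POSIX shell script below applies the client-side workaround the thread converges on to an exported profile: it drops any `lport` line, because `--lport` cannot be combined with `--nobind` (which is why Elrick75 could not keep both), appends `nobind` so the OS picks a fresh source port on every reconnect, and appends `explicit-exit-notify 3` only for UDP profiles, since the option is UDP-only and, as steamerzone noted, only helps when the client still has a working connection to send the exit message on. The `expand_keepalive` helper writes out the directives a server-side `keepalive interval timeout` stands for, which is where the doubled server-side `ping-restart` dyener measured comes from. The function names, the embedded profile, the host vpn.example.net and the placeholder certificate block are constructed for this example, not a real export.

```shell
#!/bin/sh
# Added example, not part of the forum thread, pfSense or OpenVPN itself.
# Rewrites an exported OpenVPN client profile so a reconnect never reuses the
# previous local UDP source port, and shows what the server's keepalive expands to.

# harden_ovpn: read a client profile on stdin, write the fixed profile on stdout.
#   - "lport N" lines are dropped: --lport cannot be combined with --nobind
#   - "nobind" is appended if missing, so the OS chooses a random source port
#   - "explicit-exit-notify 3" is appended only for UDP (the option is ignored on
#     TCP and only covers clean disconnects, not a dropped link)
harden_ovpn() {
    awk '
        BEGIN { proto = "udp" }        # OpenVPN default when no proto is given

        # Inline <ca>/<cert>/<key>/<tls-crypt> blocks are copied verbatim so their
        # base64 payload is never mistaken for a directive.
        /^<\/[A-Za-z0-9-]+>$/ { inblock = 0 }
        inblock               { lines[++n] = $0; next }
        /^<[A-Za-z0-9-]+>$/   { inblock = 1 }

        $1 == "lport"                { next }            # conflicts with nobind
        $1 == "nobind"               { have_nobind = 1 }
        $1 == "explicit-exit-notify" { have_een = 1 }
        $1 == "proto"                { proto = $2 }
        $1 == "remote" && NF >= 4    { proto = $4 }      # "remote host port proto"
        { lines[++n] = $0 }

        END {
            for (i = 1; i <= n; i++) print lines[i]
            if (!have_nobind) print "nobind"
            if (!have_een && proto ~ /^udp/) print "explicit-exit-notify 3"
        }
    '
}

# expand_keepalive INTERVAL TIMEOUT: the directives a server-side
# "keepalive INTERVAL TIMEOUT" stands for. The server keeps a dead session for
# 2*TIMEOUT seconds (120 s for the default timeout of 60), which is the wait
# before a client reusing the same source port passes traffic again.
expand_keepalive() {
    printf 'ping %s\nping-restart %s\npush "ping %s"\npush "ping-restart %s"\n' \
        "$1" "$(( $2 * 2 ))" "$1" "$2"
}

# Constructed sample in the shape of a pfSense export (placeholder values only).
sample_profile() {
    cat <<'EOF'
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.net 1194 udp4
lport 1194
verify-x509-name "vpn.example.net" name
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
EOF
}

# Usage: sh harden_ovpn.sh exported.ovpn > fixed.ovpn   (no argument: run on the sample)
main() {
    if [ $# -gt 0 ]; then harden_ovpn < "$1"; else sample_profile | harden_ovpn; fi
    expand_keepalive 10 60
}
main "$@"
```

Running it twice over the same file changes nothing, so it is safe to apply to every profile the export package produced; TCP profiles only gain `nobind`. Note that the script does not touch server-side settings: lowering the server's keepalive timeout, as dyener did, shortens the wait but does not remove it, whereas a fresh source port sidesteps it entirely.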
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.