Client timeouts and reconnections
-
I'm facing a disconnection / traffic issues with my OpenVPN server.
Whenever the client network changes (say, a notebook wakes from sleep), OpenVPN reconnects. However, sometimes, after the connection is done, no traffic can be routed through the VPN for a while (about 5 minutes?).
Could this be related to how the timeout is handled?
I can reproduce my issue pretty easily if I reconnect the WiFi on my laptop without disconnecting OpenVPN first.
Here's the log when I get disconnected:
Mar 7 11:23:22 openvpn 65729 user/ipaddress:1194 [user] Inactivity timeout (--ping-restart), restarting
This is the server config file:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
ping 60
push "ping 60"
ping-restart 80
push "ping-restart 80"
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.16.10
tls-server
server 192.168.32.0 255.255.254.0
client-config-dir /var/etc/openvpn/server1/csc
verify-client-cert none
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user VlBOIExEQVAsTG9jYWwgRGF0YWJhc2U= false server1 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'Netgate+VPN+Server' 1"
lport 1194
management /var/etc/openvpn/server1/sock unix
push "route 192.168.16.0 255.255.255.0"
push "route 192.168.17.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 192.168.17.10"
push "dhcp-option WINS 192.168.17.11"
duplicate-cn
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC
data-ciphers-fallback AES-128-CBC
allow-compression asym
persist-remote-ip
float
topology net30
explicit-exit-notify 1
and the client's config file (without the certificates):
dev tun
persist-tun
persist-key
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 udp
auth-user-pass
remote-cert-tls server
I don't mind the reconnections, but it's a problem that after a reconnection the client can't route traffic for some minutes.
I've tried different combinations of the "Ping" setting in pfSense's UI with no luck, and tried using keep alive as well, also with no luck.
Any idea would be appreciated.
-
When you say the client reconnects but no traffic is routed, it reminds me of these recent threads:
- https://forum.netgate.com/topic/161324/openvpn-is-not-working-if-client-is-reconnected-immediately
- https://forum.netgate.com/topic/161300/pfsense-2-5-0-openvpn-reconnect-failing
There are a few simple suggestions for client-side config changes; do any of them work for you?
-
@dyener thank you for the pointer!
Adding lport 0 to the client config fixed my issues.
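A small config check for the two settings this thread turns on (ping-restart on server and client, and the client's local port), as an added example that is not code from the thread, from pfSense or from OpenVPN; SERVER_CONF, CLIENT_CONF, parse_conf, first_int and check_keepalive are assumed names, and the sample configs are constructed, trimmed copies of the posted ones:

```python
"""Keepalive / local-port check for the OpenVPN configs posted in this thread.
Added example, not from the thread: the configs are constructed, trimmed copies of
the posted ones; function names are assumptions. The 2x rule is OpenVPN's
--keepalive expansion (server ping-restart = 2 x the value pushed to clients)."""
import shlex
SERVER_CONF = """\
ping 60
push "ping 60"
ping-restart 80
push "ping-restart 80"
lport 1194
"""
CLIENT_CONF = """\
client
remote x.x.x.x 1194 udp
"""
def parse_conf(text):
    """Return (options, pushed): directive -> list of argument lists;
    'pushed' holds what the server hands to clients via push "..."."""
    options, pushed = {}, {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # handles quotes and # comments
        if not parts:
            continue
        if parts[0] == "push" and len(parts) == 2:
            inner = shlex.split(parts[1])
            pushed.setdefault(inner[0], []).append(inner[1:])
        else:
            options.setdefault(parts[0], []).append(parts[1:])
    return options, pushed

def first_int(opts, key):
    """Integer argument of the first occurrence of key, or None when unset."""
    return int(opts[key][0][0]) if key in opts else None

def check_keepalive(server_text, client_text):
    """Return a list of findings; an empty list means both checks pass."""
    s_opts, s_push = parse_conf(server_text)
    c_opts, _ = parse_conf(client_text)
    findings = []
    server_restart = first_int(s_opts, "ping-restart")
    # The client's own ping-restart wins; otherwise the pushed value applies.
    client_restart = first_int(c_opts, "ping-restart") or first_int(s_push, "ping-restart")
    if server_restart and client_restart and server_restart < 2 * client_restart:
        findings.append(f"server ping-restart {server_restart}s is below twice the "
                        f"client's {client_restart}s (keepalive would use {2 * client_restart}s)")
    # Without nobind the client binds lport (default 1194); lport 0 lets the OS pick an ephemeral port.
    if "nobind" not in c_opts and c_opts.get("lport", [["1194"]])[0][0] != "0":
        findings.append("client binds a fixed local port; add 'lport 0' or 'nobind'")
    return findings
```

With the posted values the check reports both findings; raising the server's ping-restart to 160 and adding lport 0 on the client clears them.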