OpenVPN disconnects intermittently (every few weeks)
-
I have the latest pfSense 2.5.2 running an OpenVPN client on the device 24/7. However, every few weeks I have to refresh the connection in the Status -> OpenVPN page. When this happens it shows no IP address for the connection.
I'm pretty new to pfsense and firewalls so if any helpful person needs more info from me on my setup please let me know.
Below are my OpenVPN client settings, followed by the OpenVPN logs:
Settings:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP on IPv4 only
Device mode: Layer 3 Tunnel Mode
Interface: WAN
Server host: myvpnprovider.com
Server port: 1912
Proxy Authentication: none
User Authentication: (username, password)
Authentication Retry: Unchecked (retries the connection when authentication fails)
TLS Configuration:
Use a TLS Key
<OpenVPN Static key value>
TLS Key Usage Mode: TLS Authentication
TLS keydir direction: Default direction
Peer certificate authority: (provided by VPN provider)
Client certificate: None (username/ password required)
Data encryption negotiation: enabled
Data encryption algorithms:
AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block)
AES-128-CFB1 (128 bit key, 128 bit block)
AES-128-CFB8 (128 bit key, 128 bit block)
AES-128-GCM (128 bit key, 128 bit block)
AES-128-OFB (128 bit key, 128 bit block)
AES-192-CBC (192 bit key, 128 bit block)
AES-192-CFB (192 bit key, 128 bit block)
AES-192-CFB1 (192 bit key, 128 bit block)
AES-192-CFB8 (192 bit key, 128 bit block)
AES-256-GCM
AES-128-GCM
Fallback Data Encryption Algorithm: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA256 (256-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Tunnel settings: (blank)
Limit outgoing bandwidth: Between 100 and 100,000,000 bytes/sec
Allow Compression: Decompress incoming, do not compress outgoing (asymmetric)
Compression: Disable Compression [Omit Preference]
Topology: Subnet -- One IP address per client in a common subnet
Type-of-Service: blank
Don't pull routes: blank
Don't add/remove routes: blank
Pull DNS: blank
Ping Settings:
Inactive: 0
Ping method: keepalive -- Use keepalive helper
Interval: 10
Timeout: 60
Advanced configuration:
Custom options:
persis-key
persist-tun
remote-cert-tls server
reneg-sec 0
auth-retry interact
UDP Fast I/O: blank
Exit Notify: Disabled
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity level: default
Logs:
Jan 11 11:29:03 openvpn 57365 RESOLVE: Cannot resolve host address: myvpnprovider.com:1912 (Name does not resolve)
Jan 11 11:29:03 openvpn 57365 Could not determine IPv4/IPv6 protocol
Jan 11 11:29:03 openvpn 57365 SIGUSR1[soft,init_instance] received, process restarting
Jan 11 11:34:03 openvpn 57365 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
(these log entries repeat every few minutes until I manually refresh the VPN connection in Status -> OpenVPN)
-
You are at the mercy of your VPN provider for stability… it doesn't mean it's your hardware or your internet connection, but it could be.
Use the remote host command for it to reconnect to the next online server: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
Under tunnel options I also prefer to use the server's external IP… since we do not know what DNS servers you are using
… some are set to block VPN provider servers
-
The question :
@vpnguy said in OpenVPN disconnects intermittently (every few weeks):
OpenVPN disconnects intermittently (every few weeks)
The answer :
@vpnguy said in OpenVPN disconnects intermittently (every few weeks):
RESOLVE: Cannot resolve host address: myvpnprovider.com:1912 (Name does not resolve)
In short : at Jan 11 11:29:03 the OpenVPN client wanted to reconnect to the VPN server, and it did what we all do :
Take "myvpnprovider.com", which it can't understand (only humans can), and use the DNS to translate (also called resolve) that into an IP.
But the answer was : Cannot resolve host address: myvpnprovider.com:1912 (Name does not resolve), so it stopped.
If you try to call someone, and you have his name, you use a phone book to look up the number, right ?
It's exactly the same thing. If you can't find the phone book, you pass on to something else, you can't phone the guy.
You could look into the log of your "DNS" (the resolver log) to see what unbound (the resolver) was doing at that moment ?
Example : unbound was restarting at that moment ?
Because, for example, your WAN IP changed at that moment (see the system log at around that moment) ? When the WAN IP changes, many processes get restarted.
Maybe the OpenVPN client restarted before unbound was restarted, which would explain the " (Name does not resolve)".
This is what is known as a race condition.
A possible solution :
Look up the IP of "myvpnprovider.com" yourself :
host myvpnprovider.com
and use the IP found here :
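As an added illustration of the race described in the answer above (example code, not from the thread or from pfSense), this Python snippet correlates OpenVPN "Cannot resolve host address" entries with WAN-change and unbound-restart lines from the system log. The OpenVPN lines are modelled on the ones posted; the system-log lines, their wording and the year are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the OpenVPN log posted in the thread (not a real capture).
OPENVPN_LOG = """\
Jan 11 11:29:03 openvpn 57365 RESOLVE: Cannot resolve host address: myvpnprovider.com:1912 (Name does not resolve)
Jan 11 11:29:03 openvpn 57365 Could not determine IPv4/IPv6 protocol
Jan 11 11:29:03 openvpn 57365 SIGUSR1[soft,init_instance] received, process restarting
Jan 11 11:34:03 openvpn 57365 RESOLVE: Cannot resolve host address: myvpnprovider.com:1912 (Name does not resolve)
Jan 11 11:34:03 openvpn 57365 SIGUSR1[soft,init_instance] received, process restarting
"""

# Constructed system-log lines standing in for a WAN address change and the unbound
# restart that follows it; the wording is approximate, not pfSense's exact format.
SYSTEM_LOG = """\
Jan 11 11:28:50 php-fpm 345 /rc.newwanip: on (IP address: 203.0.113.7) (interface: WAN[wan])
Jan 11 11:29:10 unbound 2231 info: start of service (unbound 1.13.1)
"""

TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
YEAR = 2022  # syslog lines carry no year; assumed for the constructed sample

def stamp(line):
    """Parse the leading syslog timestamp of a line into a datetime (None if absent)."""
    m = TS.match(line)
    return datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def resolve_failures(log):
    """Timestamps at which OpenVPN could not resolve its server name."""
    return [stamp(l) for l in log.splitlines() if "Cannot resolve host address" in l]

def restart_events(syslog):
    """(timestamp, label) for firewall events that disturb name resolution."""
    out = []
    for l in syslog.splitlines():
        if "rc.newwanip" in l:
            out.append((stamp(l), "WAN IP change"))
        elif "unbound" in l and "start of service" in l:
            out.append((stamp(l), "unbound restart"))
    return out

def correlate(log, syslog, window=timedelta(seconds=60)):
    """For each resolve failure, report the closest WAN/unbound event that preceded it
    within `window`: a list of (failure_time, label_or_None, seconds_since_event_or_None)."""
    events = restart_events(syslog)
    result = []
    for f in resolve_failures(log):
        prior = [(t, lbl) for t, lbl in events if timedelta(0) <= f - t <= window]
        if prior:
            t, lbl = max(prior)  # latest event before the failure
            result.append((f, lbl, int((f - t).total_seconds())))
        else:
            result.append((f, None, None))
    return result
```

A failure that follows a WAN change by a few seconds, with unbound only starting afterwards, is the race the answer describes; a later failure with no event nearby is the client stuck retrying a name it still cannot resolve.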
-
Good ideas, I will try these out when back at the office. My concern would be that the VPN server IP's might not be static but I will take that up with the VPN provider.
-