Often OpenVPN reconnections
-
Hello
I use pfSense 2.6.0 as the OpenVPN server, and it is connected to several branch Ubiquiti EdgeRouter X routers that are OpenVPN clients. As I see it, the OpenVPN connection reconnects often. Mostly the time of the reconnection is plus or minus one minute, and I can see the following messages in the log of the router. Clients are authenticated by Active Directory account and a common certificate.
Sep 7 20:25:53 ICE-GTW-JIH openvpn[3112]: [OVPNserverCERT] Inactivity timeout (--ping-restart), restarting
Sep 7 20:25:53 ICE-GTW-JIH openvpn[3112]: SIGUSR1[soft,ping-restart] received, process restarting
Sep 7 20:25:53 ICE-GTW-JIH openvpn[3112]: Restart pause, 5 second(s)
Sep 7 20:25:58 ICE-GTW-JIH openvpn[3112]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:2500
Sep 7 20:25:58 ICE-GTW-JIH openvpn[3112]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sep 7 20:25:58 ICE-GTW-JIH openvpn[3112]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sep 7 20:25:58 ICE-GTW-JIH openvpn[3112]: UDPv4 link remote: [AF_INET]x.x.x.x:2500
Sep 7 20:26:15 ICE-GTW-JIH openvpn[3112]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:2500 [5]
Sep 7 20:26:25 ICE-GTW-JIH openvpn[3112]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:2500 [5]
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: TLS: Initial packet from [AF_INET]x.x.x.x:2500, sid=258336a8 1648b170
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: VERIFY OK: depth=1, CN=internal-ca,
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: VERIFY KU OK
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: Validating certificate extended key usage
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: VERIFY EKU OK
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: VERIFY OK: depth=0, CN=OVPNserverCERT,
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: [OVPNserverCERT] Peer Connection Initiated with [AF_INET]x.x.x.x:2500
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: SENT CONTROL [OVPNserverCERT]: 'PUSH_REQUEST' (status=1)
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: PUSH: Received control message: 'PUSH_REPLY,route -- many of my branches networks -- ,route-gateway 10.0.75.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.75.6 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: OPTIONS IMPORT: route options modified
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: OPTIONS IMPORT: route-related options modified
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: OPTIONS IMPORT: peer-id set
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: OPTIONS IMPORT: data channel crypto options modified
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: Preserving previous TUN/TAP instance: vtun0
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: Initialization Sequence Completed

This is the client configuration (OpenVPN version 2.4.7.1):
dev tun
persist-key
persist-tun
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote x.x.x.x 2500 udp4
auth-user-pass /config/auth/pwd.txt
remote-cert-tls server
passtos
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0

This is the server configuration (OpenVPN 2.5.4):
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local x.x.x.x
tls-server
server 10.0.75.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
verify-client-cert none
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user QURfSWNl false server1 2500
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OVPNserverCERT' 1"
lport 2500
management /var/etc/openvpn/server1/sock unix
client-to-client
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-GCM
allow-compression asym
passtos
topology subnet
inactive 300

I have tried to put the following command in the client config: reneg-sec 0
and this in the server config: reneg-sec 36000
but it did not help me. Any idea what could help me?
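As an added example (not from the post, and not pfSense or OpenVPN code), the script below parses the EdgeRouter syslog lines quoted above and turns them into numbers: how long each ping-restart cycle took, how many "TLS keys are out of sync" errors occurred during it, the gap between consecutive restarts, and what the server's `keepalive 10 60` and the pushed `ping 10,ping-restart 60` mean for each side. The sample log is constructed: it trims the quoted cycle to the lines the analysis needs and adds a second, made-up cycle so the cadence calculation has two events; the year is assumed because syslog timestamps carry none. The keepalive expansion follows the OpenVPN manual's description of `--keepalive` in `--mode server`.

```python
import re
from datetime import datetime

# Constructed sample log: the ping-restart cycle quoted in the post (trimmed) plus a
# second, made-up cycle about 15 minutes later so there are two restarts to compare.
SAMPLE_LOG = """\
Sep 7 20:25:53 ICE-GTW-JIH openvpn[3112]: [OVPNserverCERT] Inactivity timeout (--ping-restart), restarting
Sep 7 20:25:53 ICE-GTW-JIH openvpn[3112]: SIGUSR1[soft,ping-restart] received, process restarting
Sep 7 20:25:53 ICE-GTW-JIH openvpn[3112]: Restart pause, 5 second(s)
Sep 7 20:25:58 ICE-GTW-JIH openvpn[3112]: UDPv4 link remote: [AF_INET]x.x.x.x:2500
Sep 7 20:26:15 ICE-GTW-JIH openvpn[3112]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:2500 [5]
Sep 7 20:26:25 ICE-GTW-JIH openvpn[3112]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:2500 [5]
Sep 7 20:26:28 ICE-GTW-JIH openvpn[3112]: TLS: Initial packet from [AF_INET]x.x.x.x:2500, sid=258336a8 1648b170
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.0.75.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.75.6 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Sep 7 20:26:29 ICE-GTW-JIH openvpn[3112]: Initialization Sequence Completed
Sep 7 20:41:10 ICE-GTW-JIH openvpn[3112]: [OVPNserverCERT] Inactivity timeout (--ping-restart), restarting
Sep 7 20:41:44 ICE-GTW-JIH openvpn[3112]: TLS: Initial packet from [AF_INET]x.x.x.x:2500, sid=0a0b0c0d 01020304
Sep 7 20:41:45 ICE-GTW-JIH openvpn[3112]: Initialization Sequence Completed
"""

# syslog prefix: "Mon D HH:MM:SS host openvpn[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+openvpn\[\d+\]:\s+(?P<msg>.*)$"
)
ASSUMED_YEAR = 2022  # assumption: syslog timestamps carry no year


def parse_line(line):
    """Return (datetime, message) for an OpenVPN syslog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["msg"]


def pushed_timers(msg):
    """Extract 'ping N' and 'ping-restart N' from a PUSH_REPLY message."""
    timers = {}
    for opt in ("ping", "ping-restart"):
        mm = re.search(rf"\b{opt} (\d+)", msg)
        if mm:
            timers[opt] = int(mm.group(1))
    return timers


def analyze(log_text):
    """Group lines into restart cycles, from the ping-restart trigger to the next
    'Initialization Sequence Completed'. Returns (cycles, pushed_timers)."""
    cycles, pushed, current = [], {}, None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if "Inactivity timeout (--ping-restart)" in msg:
            current = {"restart_at": ts, "tls_out_of_sync": 0}
        elif current is None:
            continue
        elif "TLS keys are out of sync" in msg:
            current["tls_out_of_sync"] += 1
        elif msg.startswith("PUSH: Received control message"):
            pushed.update(pushed_timers(msg))
        elif "Initialization Sequence Completed" in msg:
            current["up_at"] = ts
            current["outage_s"] = (ts - current["restart_at"]).total_seconds()
            cycles.append(current)
            current = None
    return cycles, pushed


def restart_gaps(cycles):
    """Seconds between consecutive ping-restart triggers (the reconnect cadence)."""
    starts = [c["restart_at"] for c in cycles]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def keepalive_timers(interval, timeout):
    """What a server-side 'keepalive interval timeout' expands to (OpenVPN manual,
    --mode server): the server waits 2*timeout before restarting a session and pushes
    'ping interval' and 'ping-restart timeout' to clients."""
    return {
        "server_ping": interval,
        "server_ping_restart": 2 * timeout,
        "pushed_ping": interval,
        "pushed_ping_restart": timeout,
    }


def report(log_text, server_keepalive=(10, 60)):
    """Human-readable summary: one line per cycle, one per gap, one for the timers."""
    cycles, pushed = analyze(log_text)
    timers = keepalive_timers(*server_keepalive)
    lines = [
        f"{c['restart_at']:%H:%M:%S} ping-restart -> up again after {c['outage_s']:.0f}s "
        f"({c['tls_out_of_sync']} 'TLS keys out of sync' errors)"
        for c in cycles
    ]
    lines += [f"gap between restarts: {gap:.0f}s" for gap in restart_gaps(cycles)]
    lines.append(
        f"client restarts after {pushed.get('ping-restart', '?')}s without any packet from "
        f"the server; server (keepalive {server_keepalive[0]} {server_keepalive[1]}) "
        f"restarts after {timers['server_ping_restart']}s"
    )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two things the numbers make explicit. The client-side `ping-restart` timer only fires when the client has received nothing from the server for the pushed 60 seconds, so the thing to investigate is server-to-client UDP delivery (NAT or firewall state timeouts, upstream loss), not authentication or the certificate. And `reneg-sec` controls how often the TLS keys are renegotiated, so changing it does not touch this timer; the "TLS keys are out of sync" lines right after the restart are consistent with the server, whose own `keepalive 10 60` gives it a 120-second timer, still holding the previous session while the client starts a new one.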
-
@aldomoro said in Often OpenVPN reconnections:
This is client configuration (OpenVPN version 2.4.7.1)
2.4.7 is old.
Export the client config again. It will contain a more recent client.
Or go straight to
https://openvpn.net/client-connect-vpn-for-windows/
or
https://openvpn.net/community-downloads/
At least server and client will be 2.5.x.
-
Hi @gertjan,
my client is a Ubiquiti router, not a Windows computer. I cannot change the version of the OpenVPN client in the router.