OpenVPN dies and won't restart when my main internet temporarily goes down
-
@oldschoolrouterjockey After you lose connection, what color is the status? In your screen it is green.
-
@fabio1999ita
I'm trying to simulate an OpenVPN failure w/o disrupting the rest of my network, by null routing the current VPN server IP and also by null routing any further DNS lookup for the service to 127.0.0.1. My current VPN server FQDN in my client config is 87-1-US.cg-dialup.net and the current connection's remote host is on 154.16.192.246, and here is the result of my blackholing attempts:

[22.01-RELEASE][root@REDACTED]/root: netstat -nr | grep 154.16.192.246
154.16.192.246/32 127.0.0.1 UGSB lo0
[22.01-RELEASE][root@REDACTED]/root: host 87-1-US.cg-dialup.net
87-1-US.cg-dialup.net has address 127.0.0.1
[22.01-RELEASE][root@REDACTED]/root:

However the OpenVPN status shows the connection still up:
And also my clients on the particular Wifi network that are forced to use the OpenVPN service can still access the internet, and calls to ipinfo.me still show their public IP address as 154.16.192.246. So now I am thoroughly confused, especially as I have earned my living over the past 25 years as a CCNP network engineer. This connection should NOT be up!
-
Hi,
Don't know if you've already tried this: in the client configuration, at the bottom, in the "Custom options" field, try adding:
connection retry -1;
This should make OpenVPN retry indefinitely to reconnect.
-
@myster_fr said in OpenVPN dies and wont restart when my main internet temporarily goes down:
Hi,
Don't know if you've already tried this: in the client configuration, at the bottom, in the "Custom options" field, try adding:
connection retry -1;
This should make OpenVPN retry indefinitely to reconnect.
I don't think that is still a valid option, at least in the latest OpenVPN. Their docs page doesn't have that one as an option. It does have this:

--connect-retry-max n
n specifies the number of times each --remote or <connection> entry is tried. Specifying n as one would try each entry exactly once. A successful connection resets the counter. (default=unlimited).

which seems to indicate "unlimited" is the default. Here is my config:

[22.01-RELEASE][root@me]/root: cat /var/etc/openvpn/client2/config.ovpn
dev ovpnc2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 30
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <REDACTED>
engine devcrypto
tls-client
client
lport 0
management /var/etc/openvpn/client2/sock unix
remote 87-1-US.cg-dialup.net 443 udp4
auth-user-pass /var/etc/openvpn/client2/up
auth-retry nointeract
remote-cert-tls server
capath /var/etc/openvpn/client2/ca
cert /var/etc/openvpn/client2/cert
key /var/etc/openvpn/client2/key
data-ciphers AES-256-CBC:AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-128-GCM
allow-compression no
resolv-retry infinite
route-noexec
explicit-exit-notify 1
route-nopull
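
An added example, not part of the original posts: during a blackhole test like the one described earlier in the thread, the client's own view of the tunnel can be read from the management socket named in the config above. It assumes an `nc` with unix-socket support (`-U`); the function names and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read the client's state from the OpenVPN
# management interface instead of relying on the GUI status.
SOCK=/var/etc/openvpn/client2/sock   # "management ... unix" path from the posted config

# Ask the running daemon for its current state.
# Assumption: an nc that supports unix sockets (-U) is installed.
query_state() {
    printf 'state\nquit\n' | nc -U "$SOCK"
}

# Constructed sample reply, so the parser can be tried offline.
sample_reply() {
    printf '>INFO:OpenVPN Management Interface Version 3 -- type help for more info\r\n'
    printf '1650000000,CONNECTED,SUCCESS,10.8.0.2,154.16.192.246,443,,\r\n'
    printf 'END\r\n'
}

# stdin: management reply. stdout: "STATE REMOTE_IP EPOCH" of the newest state line.
# Fields are: epoch,state,detail,tunnel_ip,remote_ip,remote_port,...
parse_state() {
    awk -F, '
        { sub(/\r$/, ""); sub(/^>STATE:/, "") }   # CRLF endings, async notifications
        /^>/ || $0 == "END" { next }              # banner and terminator
        $1 ~ /^[0-9]+$/ && NF >= 5 && $1 + 0 >= ts + 0 { ts = $1; st = $2; remote = $5 }
        END { if (st == "") exit 1; print st, (remote == "" ? "-" : remote), ts }
    '
}

# Exit 0 if OpenVPN recorded a state change after epoch $1 (e.g. the time the
# null route was installed), 1 if not, 2 if no state line was found.
state_changed_since() {
    since=$1
    out=$(parse_state) || return 2
    set -- $out
    [ "$3" -gt "$since" ]
}
```

On the firewall, `query_state | parse_state` prints the live state, and `query_state | state_changed_since "$t0"` (with `t0` recorded via `date +%s` when the null route went in) shows whether the daemon ever registered the outage.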
-
I am experiencing the same issue. I have to log into the client and restart it manually if the server restarts.
Did you fix your issue? What did you do?
-
@swixo
I have no idea - it seems to have gone away. Here are my current settings (under the GUI, "ping settings" section, the "inactive" is set to 0, which isn't reflected in the file below):

cat /var/etc/openvpn/client2/config.ovpn
dev ovpnc2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 30
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <REDACTED>
engine devcrypto
tls-client
client
lport 0
management /var/etc/openvpn/client2/sock unix
remote <REDACTED> 443 udp4
auth-user-pass /var/etc/openvpn/client2/up
auth-retry nointeract
remote-cert-tls server
capath /var/etc/openvpn/client2/ca
cert /var/etc/openvpn/client2/cert
key /var/etc/openvpn/client2/key
data-ciphers AES-256-CBC:AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-128-GCM
allow-compression no
resolv-retry infinite
route-noexec
explicit-exit-notify 1
route-nopull
-
I tried everything - then remembered issues with DCO in the past.
After disabling DCO - the link will reliably restore every time.
-
@swixo
I've got 22.01, which doesn't support DCO, so I guess I already have it disabled "inherently".
-
I'm unsure if my issue is related and so I've opened a new topic, but I have this happen when my remote (not my server) internet is unstable. In my case I think it has something to do with exceeding the maxclients value. Is your maxclients value set low, or at the default number?
This is the thread I just opened with my logs attached.
-
@jsnl said in OpenVPN dies and wont restart when my main internet temporarily goes down:
I'm unsure if my issue is related and so I've opened a new topic, but I have this happen when my remote (not my server) internet is unstable. In my case I think it has something to do with exceeding the maxclients value. Is your maxclients value set low, or at the default number?
This is the thread I just opened with my logs attached.
I don't have an option for maxclients in this config. I think because you're having problems with PFSense as an OpenVPN server and I'm having a problem with PFSense as an OpenVPN client.