Netgate Discussion Forum

    [SOLVED] OpenVPN Server not connecting clients after 80 tunnels

      Bambos
      last edited by Bambos

      Hello everyone,

      I have a pfSense server that is used as a VPN access server.

      Setup Description:

      The OpenVPN server uses the default options, as below:
      WAN UDP4 / 1145
      (TUN) 172.18.1.0/24
      Mode: Peer to Peer ( SSL/TLS )
      Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
      Digest: SHA256
      D-H Params: 2048 bits

      All the clients connect with certificates to the same CA and the same server.
      The client-specific override is working and assigns tunnel IPs in the same range:
      172.18.1.21/24 - 172.18.1.250/24

      Problem Description:

      Now we have about 80 clients connected successfully, and after that we see some strange behavior. What happens is that some clients do not connect, and they stay disconnected for a long period of time. Sometimes I saw the packet loss on the gateway metric go from 100% to 86%, and then back to 100%.
      After restarting the service or the pfSense completely, all the clients connect, but some clients show the same strange behavior. It is not the same clients.

      It is confirmed that the clients have internet access, because we can see in the firewall logs that they are passing the allow rule for the port.

      Also, I can see in the OpenVPN logs that the connection is initiated but failing.

      Is there any limit on the max firewall states / routing?
      Is there any limit on the OpenVPN server?

      What might be the issue? Now I have at least 3 clients with this behavior, while another 60-70 are connected successfully and the rest are known to be offline.
      Thanks for any comments / suggestions.

      VPN logs below for the last 30 minutes for a client that is not connecting:

      Feb 13 14:58:59 openvpn 81020 plant25/165.220.129.46:35822 SENT CONTROL [plant25]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,route 192.168.15.0 255.255.255.0,ifconfig 172.18.1.25 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
      Feb 13 14:58:59 openvpn 81020 plant25/165.220.129.46:35822 MULTI: Learn: 172.18.1.25 -> plant25/165.220.129.46:35822
      Feb 13 14:54:54 openvpn 81020 plant25/165.220.129.46:64328 SENT CONTROL [plant25]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,route 192.168.15.0 255.255.255.0,ifconfig 172.18.1.25 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
      Feb 13 14:54:54 openvpn 81020 plant25/165.220.129.46:64328 MULTI: Learn: 172.18.1.25 -> plant25/165.220.129.46:64328
      Feb 13 14:44:35 openvpn 81020 plant25/165.220.129.46:39537 SENT CONTROL [plant25]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,route 192.168.15.0 255.255.255.0,ifconfig 172.18.1.25 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
      Feb 13 14:44:35 openvpn 81020 plant25/165.220.129.46:39537 MULTI: Learn: 172.18.1.25 -> plant25/165.220.129.46:39537
      Feb 13 14:29:54 openvpn 81020 plant25/165.220.129.46:14402 SENT CONTROL [plant25]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,route 192.168.15.0 255.255.255.0,ifconfig 172.18.1.25 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
      Feb 13 14:29:54 openvpn 81020 plant25/165.220.129.46:14402 MULTI: Learn: 172.18.1.25 -> plant25/165.220.129.46:14402
      Feb 13 14:25:47 openvpn 81020 plant25/165.220.129.46:63211 SENT CONTROL [plant25]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,route 192.168.15.0 255.255.255.0,ifconfig 172.18.1.25 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)

        Bambos @Bambos
        last edited by

        After system reboot, the previous client came online:

        Feb 13 15:30:54 openvpn 15014 plant25/165.220.129.46:62387 SENT CONTROL [plant25]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,route 192.168.15.0 255.255.255.0,ifconfig 172.18.1.25 255.255.255.0,peer-id 16,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
        Feb 13 15:30:54 openvpn 15014 plant25/165.220.129.46:62387 MULTI: primary virtual IP for plant25/165.220.129.46:62387: 172.18.1.25
        Feb 13 15:30:54 openvpn 15014 plant25/165.220.129.46:62387 MULTI: Learn: 172.18.1.25 -> plant25/165.220.129.46:62387

        And another client is lost, while before the reboot it was connected:

        Feb 13 15:57:05 openvpn 15014 plant59/31.152.145.226:1704 SENT CONTROL [plant59]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.18.1.59 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
        Feb 13 15:57:05 openvpn 15014 plant59/31.152.145.226:1704 MULTI: primary virtual IP for plant59/31.152.145.226:1704: 172.18.1.59
        Feb 13 15:57:05 openvpn 15014 plant59/31.152.145.226:1704 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1704
        Feb 13 15:52:38 openvpn 15014 plant59/31.152.145.226:1676 SENT CONTROL [plant59]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.18.1.59 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
        Feb 13 15:52:38 openvpn 15014 plant59/31.152.145.226:1676 MULTI: primary virtual IP for plant59/31.152.145.226:1676: 172.18.1.59
        Feb 13 15:52:38 openvpn 15014 plant59/31.152.145.226:1676 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1676
        Feb 13 15:48:30 openvpn 15014 plant59/31.152.145.226:1724 SENT CONTROL [plant59]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.18.1.59 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
        Feb 13 15:48:30 openvpn 15014 plant59/31.152.145.226:1724 MULTI: primary virtual IP for plant59/31.152.145.226:1724: 172.18.1.59
        Feb 13 15:48:30 openvpn 15014 plant59/31.152.145.226:1724 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1724
        Feb 13 15:44:13 openvpn 15014 plant59/31.152.145.226:1669 SENT CONTROL [plant59]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.18.1.59 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
        Feb 13 15:44:13 openvpn 15014 plant59/31.152.145.226:1669 MULTI: primary virtual IP for plant59/31.152.145.226:1669: 172.18.1.59
        Feb 13 15:44:13 openvpn 15014 plant59/31.152.145.226:1669 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1669
        Feb 13 15:39:32 openvpn 15014 plant59/31.152.145.226:1782 SENT CONTROL [plant59]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.18.1.59 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
        Feb 13 15:39:32 openvpn 15014 plant59/31.152.145.226:1782 MULTI: primary virtual IP for plant59/31.152.145.226:1782: 172.18.1.59
        Feb 13 15:39:32 openvpn 15014 plant59/31.152.145.226:1782 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1782
        Feb 13 15:33:06 openvpn 15014 plant59/31.152.145.226:1709 SENT CONTROL [plant59]: 'PUSH_REPLY,route-gateway 172.18.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.18.1.59 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)
        Feb 13 15:33:06 openvpn 15014 plant59/31.152.145.226:1709 MULTI: primary virtual IP for plant59/31.152.145.226:1709: 172.18.1.59
        Feb 13 15:33:06 openvpn 15014 plant59/31.152.145.226:1709 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1709

          netblues
          last edited by

          What is the setting in the specific server, Tunnel Settings, Concurrent connections?

            Bambos @netblues
            last edited by

            @netblues hello,
            it's 100, set to the maximum number of clients with certificates.

              netblues @Bambos
              last edited by

              @Bambos try putting in a much higher number, say 200.
              It might be temporary exhaustion if some clients are reconnecting often
              (temporary disconnects).

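
The mechanism netblues describes, and the log pattern in the first two posts (plant59 re-establishing a session every few minutes from a new source port), can be checked from the log itself. The script below is an added example written for this thread; it is not pfSense or OpenVPN code. It parses the `MULTI: Learn` lines pfSense logs for each newly established client instance, counts reconnects per common name, flags clients that reconnect more often than a threshold, and estimates how many concurrent slots they hold against the configured maximum. The slot model is an assumption that follows the thread's explanation: a replaced session keeps its slot for a linger period (60 s by default here, matching the pushed `ping-restart 60`) before the server reaps it, and the newest session of each client stays open. The plant25 and plant59 lines are copied from the thread; the `plant07` client, its address and the short `PUSH_REPLY` line are constructed, and the 600-second flapping threshold and all function names are choices made for this example.

```python
"""Reconnect churn vs. OpenVPN concurrent-connection slots (added example, not pfSense code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# plant25 and plant59 lines are from the thread; plant07 is a constructed, stable
# client added so the sample contains a peer that never reconnects. The shortened
# SENT CONTROL line is constructed too and only shows that non-Learn lines are skipped.
SAMPLE_LOG = """\
Feb 13 15:20:00 openvpn 15014 plant07/198.51.100.7:1194 MULTI: Learn: 172.18.1.7 -> plant07/198.51.100.7:1194
Feb 13 15:30:54 openvpn 15014 plant25/165.220.129.46:62387 MULTI: Learn: 172.18.1.25 -> plant25/165.220.129.46:62387
Feb 13 15:33:06 openvpn 15014 plant59/31.152.145.226:1709 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1709
Feb 13 15:39:32 openvpn 15014 plant59/31.152.145.226:1782 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1782
Feb 13 15:44:13 openvpn 15014 plant59/31.152.145.226:1669 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1669
Feb 13 15:48:30 openvpn 15014 plant59/31.152.145.226:1724 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1724
Feb 13 15:52:38 openvpn 15014 plant59/31.152.145.226:1676 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1676
Feb 13 15:57:05 openvpn 15014 plant59/31.152.145.226:1704 MULTI: Learn: 172.18.1.59 -> plant59/31.152.145.226:1704
Feb 13 15:57:05 openvpn 15014 plant59/31.152.145.226:1704 SENT CONTROL [plant59]: 'PUSH_REPLY,route-gateway 172.18.1.1' (status=1)
"""

# One "MULTI: Learn" line per newly established client instance.
LEARN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn \d+ "
    r"(?P<cn>[^/\s]+)/(?P<ip>[\d.]+):(?P<port>\d+) MULTI: Learn: "
    r"(?P<vip>[\d.]+) -> "
)


class Session(NamedTuple):
    start: datetime
    cn: str
    src: str   # real address:port the client connected from
    vip: str   # tunnel address the server learned for it


def parse_sessions(log_text: str) -> list:
    """Return one Session per MULTI: Learn line, sorted by start time."""
    sessions = []
    for line in log_text.splitlines():
        m = LEARN_RE.match(line)
        if not m:
            continue  # handshake / PUSH_REPLY lines do not start a new instance
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # harmless because only differences between timestamps are used.
        start = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        sessions.append(Session(start, m["cn"], f'{m["ip"]}:{m["port"]}', m["vip"]))
    return sorted(sessions)


def reconnect_counts(sessions) -> dict:
    """Re-established sessions per common name (sessions seen minus one)."""
    seen = defaultdict(int)
    for s in sessions:
        seen[s.cn] += 1
    return {cn: n - 1 for cn, n in seen.items()}


def flapping_clients(sessions, max_mean_gap_seconds: float = 600.0) -> set:
    """CNs whose successive sessions start, on average, closer than the threshold (assumed value)."""
    starts = defaultdict(list)
    for s in sessions:
        starts[s.cn].append(s.start)
    flapping = set()
    for cn, ts in starts.items():
        if len(ts) < 2:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if sum(gaps) / len(gaps) < max_mean_gap_seconds:
            flapping.add(cn)
    return flapping


def peak_concurrent(sessions, linger_seconds: int = 60) -> int:
    """Peak number of simultaneously held slots under the linger model.

    Assumption (following the thread): a session keeps its slot until
    `linger_seconds` after the same CN's next session starts; the newest
    session of each CN is still open at the end of the log.
    """
    by_cn = defaultdict(list)
    for s in sessions:
        by_cn[s.cn].append(s.start)
    linger = timedelta(seconds=linger_seconds)
    events = []  # (time, delta); -1 sorts before +1 at equal times
    for ts in by_cn.values():
        for i, start in enumerate(ts):
            events.append((start, +1))
            if i + 1 < len(ts):
                events.append((ts[i + 1] + linger, -1))
    current = peak = 0
    for _, delta in sorted(events):
        current += delta
        peak = max(peak, current)
    return peak


def slot_report(log_text: str, max_clients: int, linger_seconds: int = 60) -> dict:
    """Compare distinct clients and peak held slots with the configured maximum."""
    sessions = parse_sessions(log_text)
    peak = peak_concurrent(sessions, linger_seconds)
    return {
        "distinct_clients": len({s.cn for s in sessions}),
        "peak_slots": peak,
        "max_clients": max_clients,
        "exhausted": peak >= max_clients,  # no free slot at the busiest moment
        "reconnects": reconnect_counts(sessions),
        "flapping": sorted(flapping_clients(sessions)),
    }


if __name__ == "__main__":
    # max_clients=4 scales the thread's 100-slot / ~80-client situation down to the sample.
    for linger in (60, 600):
        print(f"linger={linger}s:", slot_report(SAMPLE_LOG, max_clients=4, linger_seconds=linger))
```

With three distinct clients the sample already needs four slots when the stale instance lingers 60 s, and six if it lingered ten minutes; that gap between "clients" and "slots" is why raising the concurrent-connection limit well above the number of issued certificates helped, and the `flapping` list is the set of peers worth looking at for an unstable uplink.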
                Bambos @netblues
                last edited by

                @netblues thank you, netblues. It seems that there is an improvement. Maybe the online count is true when the clients are in a transitioning stage (??).

                  netblues @Bambos
                  last edited by

                  @Bambos This is surely the case

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.