OpenVPN cannot connect if the client IP changes, need server reboot



  • We have an OpenVPN server on a static IP address at HO. There are two branch offices connected to it using OpenVPN/shared-key. The client offices are on DSL and the IP changes every night.  The problem is that every time the client IP changes, the OpenVPN connection drops and cannot be reached from HO again. However, a server reboot resolves the issue. Anyone experienced this problem? Any suggestions?



  • Do you have the Dynamic IP checkbox checked in your server settings?  This enables the float option.

    --float
        Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.

    Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.

    ![Screen shot 2010-01-02 at 12.13.00 PM.png](/public/imported_attachments/1/Screen shot 2010-01-02 at 12.13.00 PM.png)



  • Thanks for the suggestion. However, it did not work.



  • Did you try the float option on the client as well?



  • Did you check on the server the checkbox
    "Dynamic IP"
    -> "Assume dynamic IPs, so that DHCP clients can connect. "
    ?



  • @GruensFroeschli:

    Did you check on the server the checkbox
    "Dynamic IP"
    -> "Assume dynamic IPs, so that DHCP clients can connect. "
    ?

    Suggested that above  ;)



  • Ah yes :D
    I only read the description of the --float option and thought "isn't that the same as this checkbox?" ^^

    But the OpenVPN log should show if a client with an IP connects which is discarded.

    @pvinodkr : what does the log say?



  • Hi,
    Thank you all for the responses.  Here are the openvpn logs.

    This is before reboot of the client (HO and Branch can't talk to each other):
    ----------------------------------------------------------------------
    Jan 12 20:41:23 pfsense openvpn[364]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
    Jan 12 20:41:23 pfsense openvpn[364]: gw <ho_wan_ip>
    Jan 12 20:41:23 pfsense openvpn[364]: TUN/TAP device /dev/tun0 opened
    Jan 12 20:41:23 pfsense openvpn[364]: /sbin/ifconfig tun0 192.168.31.1 192.168.31.2 mtu 1500 netmask 255.255.255.255 up
    Jan 12 20:41:23 pfsense openvpn[364]: /etc/rc.filter_configure tun0 1500 1544 192.168.31.1 192.168.31.2 init
    Jan 12 20:41:24 pfsense openvpn[373]: UDPv4 link local (bound): [undef]:1185
    Jan 12 20:41:24 pfsense openvpn[373]: UDPv4 link remote: [undef]
    Jan 12 20:41:25 pfsense openvpn[375]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
    Jan 12 20:41:25 pfsense openvpn[375]: gw <ho_wan_ip>
    Jan 12 20:41:25 pfsense openvpn[375]: TUN/TAP device /dev/tun1 opened
    Jan 12 20:41:25 pfsense openvpn[375]: /sbin/ifconfig tun1 192.168.1.1 192.168.1.2 mtu 1500 netmask 255.255.255.255 up
    Jan 12 20:41:25 pfsense openvpn[375]: /etc/rc.filter_configure tun1 1500 1544 192.168.1.1 192.168.1.2 init
    Jan 12 20:41:26 pfsense openvpn[386]: UDPv4 link local (bound): [undef]:1189
    Jan 12 20:41:26 pfsense openvpn[386]: UDPv4 link remote: [undef]
    Jan 12 20:41:27 pfsense openvpn[390]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov  9 2008
    Jan 12 20:41:27 pfsense openvpn[390]: gw <ho_wan_ip>
    Jan 12 20:41:27 pfsense openvpn[390]: TUN/TAP device /dev/tun2 opened
    Jan 12 20:41:27 pfsense openvpn[390]: /sbin/ifconfig tun2 192.168.32.1 192.168.32.2 mtu 1500 netmask 255.255.255.255 up
    Jan 12 20:41:27 pfsense openvpn[390]: /etc/rc.filter_configure tun2 1500 1544 192.168.32.1 192.168.32.2 init
    Jan 12 20:41:28 pfsense openvpn[404]: UDPv4 link local (bound): [undef]:1188
    Jan 12 20:41:28 pfsense openvpn[404]: UDPv4 link remote: [undef]

    The one below is after a client reboot (The connection is good):
    ----------------------------------------------------------
    Jan 12 20:57:31 pfsense openvpn[363]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] uilt on Nov  9 2008
    Jan 12 20:57:31 pfsense openvpn[363]: gw <ho_wan_ip>
    Jan 12 20:57:31 pfsense openvpn[363]: TUN/TAP device /dev/tun0 opened
    Jan 12 20:57:31 pfsense openvpn[363]: /sbin/ifconfig tun0 192.168.31.1 192.168.31.2 mtu 500 netmask 255.255.255.255 up
    Jan 12 20:57:31 pfsense openvpn[363]: /etc/rc.filter_configure tun0 1500 1544 192.168.311 192.168.31.2 init
    Jan 12 20:57:32 pfsense openvpn[372]: UDPv4 link local (bound): [undef]:1185
    Jan 12 20:57:32 pfsense openvpn[372]: UDPv4 link remote: [undef]
    Jan 12 20:57:33 pfsense openvpn[374]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] uilt on Nov  9 2008
    Jan 12 20:57:33 pfsense openvpn[374]: gw <ho_wan_ip>
    Jan 12 20:57:33 pfsense openvpn[374]: TUN/TAP device /dev/tun1 opened
    Jan 12 20:57:33 pfsense openvpn[374]: /sbin/ifconfig tun1 192.168.1.1 192.168.1.2 mtu 150 netmask 255.255.255.255 up
    Jan 12 20:57:33 pfsense openvpn[374]: /etc/rc.filter_configure tun1 1500 1544 192.168.1. 192.168.1.2 init
    Jan 12 20:57:34 pfsense openvpn[385]: UDPv4 link local (bound): [undef]:1189
    Jan 12 20:57:34 pfsense openvpn[385]: UDPv4 link remote: [undef]
    Jan 12 20:57:34 pfsense openvpn[385]: Peer Connection Initiated with <br_wan_ip>:1196
    Jan 12 20:57:35 pfsense openvpn[389]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] uilt on Nov  9 2008
    Jan 12 20:57:35 pfsense openvpn[389]: gw <ho_wan_ip>
    Jan 12 20:57:35 pfsense openvpn[389]: TUN/TAP device /dev/tun2 opened
    Jan 12 20:57:35 pfsense openvpn[389]: /sbin/ifconfig tun2 192.168.32.1 192.168.32.2 mtu 500 netmask 255.255.255.255 up
    Jan 12 20:57:35 pfsense openvpn[389]: /etc/rc.filter_configure tun2 1500 1544 192.168.321 192.168.32.2 init
    Jan 12 20:57:35 pfsense openvpn[385]: Initialization Sequence Completed
    Jan 12 20:57:36 pfsense openvpn[403]: UDPv4 link local (bound): [undef]:1188
    Jan 12 20:57:36 pfsense openvpn[403]: UDPv4 link remote: [undef]



  • This thread http://forum.pfsense.org/index.php/topic,5340.0.html discusses the options that get applied when you check the dynamic IP box on the server.  I believe it's:

    float
    persist-remote-ip

    Gruens, you should know this!  (naw, it's cool, that was years ago; it looks like you were involved in this thread  :))

    I am actually having the same problem.  I have followed the thread that I listed above and only manually used the "float" option, not using the dynamic IP checkbox on server.

    I still lose connection. Logs: (my logs read from bottom to top)

    Mar 4 13:24:14 openvpn[34044]: UDPv4 link remote: [undef]
    Mar 4 13:24:14 openvpn[34044]: UDPv4 link local (bound): [undef]:1194
    Mar 4 13:24:14 openvpn[34044]: Preserving previous TUN/TAP instance: tun0
    Mar 4 13:24:14 openvpn[34044]: LZO compression initialized
    Mar 4 13:24:14 openvpn[34044]: Re-using pre-shared static key
    Mar 4 13:24:12 openvpn[34044]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 4 13:24:12 openvpn[34044]: Inactivity timeout (--ping-restart), restarting

    It looks like it works.  But I cannot talk to either end of the tunnel from either location, no pinging possible.  Obviously if I restart the link manually by restarting the server / client, it works fine.

    So, manually placing the "float" in custom options on server does not seem to work.  I will try adding it to client as well.  Gonna play with it some more.



  • Still struggling to keep the link alive after the Client changes its IP.  Any thoughts?



  • Here are my logs and confs.  Again: I don't have a problem establishing the link, but when the client changes its IP (dynamic pppoe), the connection does not recover.  Let me know what you all think.

    -I have tried unchecking the "dynamic ip" option on the server because, as mentioned in previous posts, with the "persist-remote-ip" flag "probably your server stays on the old IP while he received data from the new IP and discards them" (Gruens quote), and manually adding "float" to the server conf.

    I'm pretty sure "dynamic IP" checked adds "persist-remote-ip" and "float"

    Thanks for your time!

    CLIENT LOG: (My logs read from bottom to top, fyi this is a bridge setup)

    Mar 9 03:44:18 openvpn[16537]: Exiting
    Mar 9 03:44:18 openvpn[16537]: Cannot allocate TUN/TAP dev dynamically
    Mar 9 03:44:18 openvpn[16537]: gw 75.52.146.39
    Mar 9 03:44:18 openvpn[16537]: LZO compression initialized
    Mar 9 03:44:18 openvpn[16537]: WARNING: file '/var/etc/openvpn_client1.secret' is group or others accessible
    Mar 9 03:44:16 openvpn[16537]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009
    Mar 9 03:44:16 openvpn[16537]: SIGHUP[hard,] received, process restarting
    Mar 9 03:44:03 openvpn[16537]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.2 10.0.0.1 init
    Mar 9 03:44:03 openvpn[16537]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
    Mar 9 03:44:03 openvpn[16537]: event_wait : Interrupted system call (code=4)
    Mar 9 03:41:21 openvpn[16537]: Initialization Sequence Completed
    Mar 9 03:41:20 openvpn[16537]: Peer Connection Initiated with x.x.x.x(remote ip):1194
    Mar 9 03:40:49 openvpn[16537]: UDPv4 link remote: x.x.x.x(remote IP):1194
    Mar 9 03:40:49 openvpn[16537]: UDPv4 link local (bound): [undef]:1195
    Mar 9 03:40:49 openvpn[16537]: Preserving previous TUN/TAP instance: tun0
    Mar 9 03:40:49 openvpn[16537]: LZO compression initialized
    Mar 9 03:40:49 openvpn[16537]: Re-using pre-shared static key
    Mar 9 03:40:47 openvpn[16537]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 9 03:40:47 openvpn[16537]: Inactivity timeout (--ping-restart), restarting
    Mar 9 03:39:47 openvpn[16537]: UDPv4 link remote: x.x.x.x(remote IP):1194
    Mar 9 03:39:47 openvpn[16537]: UDPv4 link local (bound): [undef]:1195
    Mar 9 03:39:47 openvpn[16537]: Preserving previous TUN/TAP instance: tun0
    Mar 9 03:39:47 openvpn[16537]: LZO compression initialized
    Mar 9 03:39:47 openvpn[16537]: Re-using pre-shared static key
    Mar 9 03:39:45 openvpn[16537]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 9 03:39:45 openvpn[16537]: Inactivity timeout (--ping-restart), restarting
    Mar 8 07:18:09 openvpn[16537]: Initialization Sequence Completed
    Mar 8 07:18:08 openvpn[16537]: Peer Connection Initiated with x.x.x.x(remote IP):1194
    Mar 8 07:18:06 openvpn[16537]: UDPv4 link remote: x.x.x.x(remote IP):1194
    Mar 8 07:18:06 openvpn[16537]: UDPv4 link local (bound): [undef]:1195
    Mar 8 07:18:06 openvpn[16537]: UID set to nobody
    Mar 8 07:18:06 openvpn[16537]: GID set to nobody
    Mar 8 07:18:03 openvpn[16519]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.2 10.0.0.1 init
    Mar 8 07:18:03 openvpn[16519]: /sbin/ifconfig tun0 10.0.0.2 10.0.0.1 mtu 1500 netmask 255.255.255.255 up
    Mar 8 07:18:03 openvpn[16519]: TUN/TAP device /dev/tun0 opened
    Mar 8 07:18:03 openvpn[16519]: gw 99.137.16.43
    Mar 8 07:18:03 openvpn[16519]: LZO compression initialized
    Mar 8 07:18:03 openvpn[16519]: WARNING: file '/var/etc/openvpn_client1.secret' is group or others accessible
    Mar 8 07:18:03 openvpn[16519]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009

    Client conf:

    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote x.x.x.x(remote IP) 1194
    lport 1195
    ifconfig 10.0.0.2 10.0.0.1
    route 192.168.85.0 255.255.255.0
    secret /var/etc/openvpn_client1.secret
    comp-lzo
    user nobody
    group nobody

    Server Log (logs read from bottom to top)

    Mar 9 15:47:51 openvpn[24358]: SIGTERM[hard,] received, process exiting
    Mar 9 15:47:38 openvpn[24358]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.1 10.0.0.2 init
    Mar 9 15:47:38 openvpn[24358]: ERROR: FreeBSD route delete command failed: shell command exited with error status: 77
    Mar 9 15:47:38 openvpn[24358]: event_wait : Interrupted system call (code=4)
    Mar 9 03:44:56 openvpn[24358]: UDPv4 link remote: [undef]
    Mar 9 03:44:56 openvpn[24358]: UDPv4 link local (bound): [undef]:1194
    Mar 9 03:44:56 openvpn[24358]: Preserving previous TUN/TAP instance: tun0
    Mar 9 03:44:56 openvpn[24358]: LZO compression initialized
    Mar 9 03:44:56 openvpn[24358]: Re-using pre-shared static key
    Mar 9 03:44:54 openvpn[24358]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 9 03:44:54 openvpn[24358]: Inactivity timeout (--ping-restart), restarting
    Mar 9 03:41:20 openvpn[24358]: Initialization Sequence Completed
    Mar 9 03:41:20 openvpn[24358]: Peer Connection Initiated with 75.52.146.38:1195
    Mar 9 03:39:49 openvpn[24358]: UDPv4 link remote: [undef]
    Mar 9 03:39:49 openvpn[24358]: UDPv4 link local (bound): [undef]:1194
    Mar 9 03:39:49 openvpn[24358]: Preserving previous TUN/TAP instance: tun0
    Mar 9 03:39:49 openvpn[24358]: LZO compression initialized
    Mar 9 03:39:49 openvpn[24358]: Re-using pre-shared static key
    Mar 9 03:39:47 openvpn[24358]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 9 03:39:47 openvpn[24358]: Inactivity timeout (--ping-restart), restarting
    Mar 8 07:18:07 openvpn[24358]: Initialization Sequence Completed
    Mar 8 07:18:06 openvpn[24358]: Peer Connection Initiated with 99.137.16.42:1195
    Mar 8 07:17:47 openvpn[24358]: UDPv4 link remote: [undef]
    Mar 8 07:17:47 openvpn[24358]: UDPv4 link local (bound): [undef]:1194
    Mar 8 07:17:47 openvpn[24358]: UID set to nobody
    Mar 8 07:17:47 openvpn[24358]: GID set to nobody
    Mar 8 07:17:45 openvpn[24340]: /etc/rc.filter_configure tun0 1500 1545 10.0.0.1 10.0.0.2 init
    Mar 8 07:17:45 openvpn[24340]: /sbin/ifconfig tun0 10.0.0.1 10.0.0.2 mtu 1500 netmask 255.255.255.255 up
    Mar 8 07:17:45 openvpn[24340]: TUN/TAP device /dev/tun0 opened
    Mar 8 07:17:45 openvpn[24340]: gw x.x.x.x
    Mar 8 07:17:45 openvpn[24340]: LZO compression initialized
    Mar 8 07:17:45 openvpn[24340]: WARNING: file '/var/etc/openvpn_server1.secret' is group or others accessible
    Mar 8 07:17:45 openvpn[24340]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Dec 4 2009

    Server conf
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    ifconfig 10.0.0.1 10.0.0.2
    lport 1194
    route 192.168.40.0 255.255.255.0
    secret /var/etc/openvpn_server1.secret
    comp-lzo
    user nobody
    group nobody
    float
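An added example, not from the thread or from pfSense/OpenVPN: a small Python analyser for the syslog-style OpenVPN lines posted above. It accepts the lines in either order (the thread's logs were pasted newest-first), tracks the peer address seen in "Peer Connection Initiated", and counts ping-restarts that were never followed by a new peer connection, which is the symptom being chased here. The sample lines are constructed, modelled on the server log above.

```python
import re

# Constructed sample modelled on the server log in this thread, listed
# oldest-first; analyze() sorts by timestamp so newest-first input also works.
SAMPLE_LOG = """\
Mar 8 07:17:47 openvpn[24358]: UDPv4 link local (bound): [undef]:1194
Mar 8 07:18:06 openvpn[24358]: Peer Connection Initiated with 99.137.16.42:1195
Mar 8 07:18:07 openvpn[24358]: Initialization Sequence Completed
Mar 9 03:39:47 openvpn[24358]: Inactivity timeout (--ping-restart), restarting
Mar 9 03:41:20 openvpn[24358]: Peer Connection Initiated with 75.52.146.38:1195
Mar 9 03:41:20 openvpn[24358]: Initialization Sequence Completed
Mar 9 03:44:54 openvpn[24358]: Inactivity timeout (--ping-restart), restarting
Mar 9 03:49:54 openvpn[24358]: Inactivity timeout (--ping-restart), restarting
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# "Mon D HH:MM:SS [host] openvpn[pid]: message"; the hostname is optional
LINE_RE = re.compile(
    r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(?:\S+\s+)?openvpn\[(\d+)\]:\s+(.*)$")
PEER_RE = re.compile(r"Peer Connection Initiated with (\S+):(\d+)")

def parse(text):
    """Return (sort_key, pid, message) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an openvpn syslog line
        mon, day, hms, pid, msg = m.groups()
        events.append(((MONTHS[mon], int(day), hms), pid, msg))
    return sorted(events)

def analyze(text):
    """Summarise peer-address changes and ping-restarts that never recovered."""
    peers, restarts_since_peer = [], 0
    for _, _, msg in parse(text):
        pm = PEER_RE.search(msg)
        if pm:
            if not peers or peers[-1] != pm.group(1):
                peers.append(pm.group(1))   # peer came back from a new address
            restarts_since_peer = 0         # a restart that did recover
        elif "--ping-restart" in msg:
            restarts_since_peer += 1
    return {"peers": peers,
            "peer_changes": max(len(peers) - 1, 0),
            "unrecovered_restarts": restarts_since_peer,
            "stuck": restarts_since_peer >= 2}  # restart loop with no new peer
```

A "stuck" result with a non-zero peer_changes count is the pattern of this thread: the peer was accepted once from a new address, then a later restart loop never produced another "Peer Connection Initiated".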



  • I am still having this problem.  I have also tried just running openvpn from the command line using the above listed configs.  It just seems like the float command is not doing anything or is not working the way that it should.  I see the client try to re-establish the link, and the server just doesn't accept the connection.

    Any thoughts / suggestions?

    Thanks

