Openvpn client disconnected randomly



  • Hi,
    I have a pfSense 2.0 behind a proxy that is configured as an OpenVPN client in a site-to-site network.
    The OpenVPN server is on the internet and is listening on port 443.

    The network seems to be OK, in the sense that I can ping from both sides.

    The issue is that the pfSense behind the proxy is randomly disconnected. Can you help me make the connection persistent even if the OpenVPN client is behind a proxy?

    PS: I have other OpenVPN clients connected to that OpenVPN server, but they aren't disconnected randomly. They are not behind a proxy, so I think that it is something that involves the proxy itself.

    How can I solve the issue?



  • What do your OpenVPN logs show when it's disconnected?



  • This is the OpenVPN log. I'm not able to make a table. Sorry  :-\

    Last 50 OpenVPN log entries

    Jan 20 14:36:39 openvpn[2445]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
    Jan 20 14:36:39 openvpn[2445]: TCPv4_CLIENT link local: [undef]
    Jan 20 14:36:39 openvpn[2445]: TCPv4_CLIENT link remote: [AF_INET]10.3.204.167:80
    Jan 20 14:36:43 openvpn[2445]: [server] Peer Connection Initiated with [AF_INET]10.3.204.167:80
    Jan 20 14:36:45 openvpn[2445]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
    Jan 20 14:36:45 openvpn[2445]: Preserving previous TUN/TAP instance: ovpnc1
    Jan 20 14:36:45 openvpn[2445]: Initialization Sequence Completed
    Jan 24 23:50:01 openvpn[2445]: Connection reset, restarting [-1]
    Jan 24 23:50:01 openvpn[2445]: SIGUSR1[soft,connection-reset] received, process restarting
    Jan 24 23:50:06 openvpn[2445]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 24 23:50:06 openvpn[2445]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 24 23:50:06 openvpn[2445]: Re-using SSL/TLS context
    Jan 24 23:50:06 openvpn[2445]: LZO compression initialized
    Jan 24 23:50:06 openvpn[2445]: Attempting to establish TCP connection with [AF_INET]10.3.204.167:80 [nonblock]
    Jan 24 23:50:07 openvpn[2445]: TCP connection established with [AF_INET]10.3.204.167:80
    Jan 24 23:50:12 openvpn[2445]: recv_line: TCP port read timeout expired: Operation now in progress (errno=36)
    Jan 24 23:50:12 openvpn[2445]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1560 192.168.20.2 255.255.255.0 init
    Jan 24 23:50:12 openvpn[2445]: SIGTERM[soft,init_instance] received, process exiting
    Jan 26 02:07:47 openvpn[5525]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Jan 26 02:07:47 openvpn[5525]: WARNING: file '/var/etc/openvpn/client1.pas' is group or others accessible
    Jan 26 02:07:47 openvpn[5525]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jan 26 02:07:47 openvpn[5525]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 26 02:07:47 openvpn[5525]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 26 02:07:48 openvpn[5525]: LZO compression initialized
    Jan 26 02:07:48 openvpn[5723]: Attempting to establish TCP connection with [AF_INET]10.3.204.167:80 [nonblock]
    Jan 26 02:07:49 openvpn[5723]: TCP connection established with [AF_INET]10.3.204.167:80
    Jan 26 02:07:51 openvpn[5723]: TCPv4_CLIENT link local: [undef]
    Jan 26 02:07:51 openvpn[5723]: TCPv4_CLIENT link remote: [AF_INET]10.3.204.167:80
    Jan 26 02:07:54 openvpn[5723]: [server] Peer Connection Initiated with [AF_INET]10.3.204.167:80
    Jan 26 02:07:57 openvpn[5723]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
    Jan 26 02:07:57 openvpn[5723]: TUN/TAP device /dev/tun1 opened
    Jan 26 02:07:57 openvpn[5723]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jan 26 02:07:57 openvpn[5723]: /sbin/ifconfig ovpnc1 192.168.20.2 netmask 255.255.255.0 mtu 1500 up
    Jan 26 02:07:57 openvpn[5723]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Jan 26 02:07:57 openvpn[5723]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 192.168.20.2 255.255.255.0 init
    Jan 26 02:07:57 openvpn[5723]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Jan 26 02:07:57 openvpn[5723]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Jan 26 02:07:57 openvpn[5723]: WARNING: potential route subnet conflict between local LAN [10.0.127.0/255.255.255.0] and remote VPN [10.0.0.0/255.0.0.0]
    Jan 26 02:07:57 openvpn[5723]: Initialization Sequence Completed
    Jan 26 16:20:35 openvpn[5723]: [server] Inactivity timeout (--ping-restart), restarting
    Jan 26 16:20:35 openvpn[5723]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 26 16:20:40 openvpn[5723]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 26 16:20:40 openvpn[5723]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 26 16:20:40 openvpn[5723]: Re-using SSL/TLS context
    Jan 26 16:20:40 openvpn[5723]: LZO compression initialized
    Jan 26 16:20:40 openvpn[5723]: Attempting to establish TCP connection with [AF_INET]10.3.204.167:80 [nonblock]
    Jan 26 16:20:41 openvpn[5723]: TCP connection established with [AF_INET]10.3.204.167:80
    Jan 26 16:20:46 openvpn[5723]: recv_line: TCP port read timeout expired: Operation now in progress (errno=36)
    Jan 26 16:20:46 openvpn[5723]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1560 192.168.20.2 255.255.255.0 init
    Jan 26 16:20:46 openvpn[5723]: SIGTERM[soft,init_instance] received, process exiting
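
The failure sequence in the log above can be extracted mechanically. The following is an added example, not part of the original thread: it reads syslog-style OpenVPN lines and reports, for each tunnel drop, how long the tunnel had been up, what triggered the soft restart, and whether the reconnect attempt ended in a read timeout and process exit. The function name, record fields and the `year` default are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed sample: key events copied from the log posted above, one per line.
SAMPLE_LOG = """\
Jan 20 14:36:45 openvpn[2445]: Initialization Sequence Completed
Jan 24 23:50:01 openvpn[2445]: SIGUSR1[soft,connection-reset] received, process restarting
Jan 24 23:50:12 openvpn[2445]: recv_line: TCP port read timeout expired: Operation now in progress (errno=36)
Jan 24 23:50:12 openvpn[2445]: SIGTERM[soft,init_instance] received, process exiting
Jan 26 02:07:57 openvpn[5723]: Initialization Sequence Completed
Jan 26 16:20:35 openvpn[5723]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 26 16:20:46 openvpn[5723]: recv_line: TCP port read timeout expired: Operation now in progress (errno=36)
Jan 26 16:20:46 openvpn[5723]: SIGTERM[soft,init_instance] received, process exiting
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) openvpn\[(\d+)\]: (.*)$")
SIGNAL = re.compile(r"^(SIGUSR1|SIGTERM)\[soft,([\w-]+)\]")

def analyze(text, year=2000):
    """One record per tunnel drop. `year` is an assumption: the log lines omit it."""
    drops, up_since, drop = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        sig = SIGNAL.match(msg)
        if msg == "Initialization Sequence Completed":
            if drop:                      # soft restart reconnected by itself
                drop["recovered"] = True
                drops.append(drop)
            up_since, drop = ts, None
        elif sig and sig.group(1) == "SIGUSR1" and up_since and not drop:
            hours = round((ts - up_since).total_seconds() / 3600, 1)
            drop = {"pid": m.group(2), "uptime_h": hours, "cause": sig.group(2),
                    "proxy_timeout": False, "recovered": False}
        elif msg.startswith("recv_line: TCP port read timeout") and drop:
            drop["proxy_timeout"] = True  # read timed out during the reconnect attempt
        elif sig and sig.group(1) == "SIGTERM" and drop:
            drops.append(drop)            # process exited: tunnel stays down
            up_since, drop = None, None
    if drop:                              # log ended in the middle of a restart
        drops.append(drop)
    return drops

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

On the sample, both drops show the same pattern: a soft restart after a long uptime, then a read timeout seconds after the TCP connect to 10.3.204.167:80, then a process exit rather than another retry.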



  • Looks like your proxy is dropping the connection after a period of time. Lot of possible reasons so hard to say for sure, but maybe it has a hard limit on how long a connection can live, or someone periodically does something to the proxy that drops you.



  • Perhaps the network inactivity may cause a disconnection by the proxy. Is it possible to ping the OpenVPN server every five minutes?



  • @grzmrc:

    Perhaps the network inactivity may cause a disconnection by the proxy. Is it possible to ping the OpenVPN server every five minutes?

    use:

    keepalive n m
    

    n: if there is no traffic for n seconds then send a ping
    m: if there isn't a ping for m seconds then restart the tunnel.

    example:

    keepalive 60 300
    


  • The keepalive in OpenVPN is automatic. If there is no traffic going over the tunnel, it sends its keepalives to keep the connection up, and to detect if it drops.



  • Well,
    When the proxy drops my connection I need to disable and then re-enable the OpenVPN client in pfSense.
    Is it possible to automate this task whenever the OpenVPN connection is lost?

