[Solved] Dynamic IP client and reconnection problem
-
Hi.
I've successfully set up 3 site-to-site vpn between remote networks and main site local network with OpenVpn.
One of the pfsense boxes on the remote networks (witch acts like a openvpn client) is on a adsl connection without a static Ip and with a lot of disconnections-reconnections because of a bad quality line. We're trying to do something about it, but in the mean tiime…
When the reconnection and the subsequent IP change occurs the openvpn connection don't come up again automatically.
Both openvpn server and client notices the line drop but when client tries to reconnect on the server side log there's a lot ofopenvpn[75489]: TCP NOTE: Rejected connection attempt from x.x.x.x:65281 due to –remote setting
and on the client side obviously I've a loop of connections attempts with no success
openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
openvpn[11703]: Connection reset, restarting [0]
openvpn[11703]: TCPv4_CLIENT link remote: y.y.y.y:1196
openvpn[11703]: TCPv4_CLIENT link local: [undef]
openvpn[11703]: TCP connection established with y.y.y.y:1196
openvpn[11703]: Attempting to establish TCP connection with y.y.y.y:1196
openvpn[11703]: Preserving previous TUN/TAP instance: tun0
openvpn[11703]: Re-using pre-shared static keyI've tried to switch to udp connection, connections and reconnections don't ends with the same problem….
but for some reason in this case I have no site-to-site, i.e.: cannot ping from a client from the remote network to a client on the local network and vice versa, as with the tcp connection.If I enter the openvpn server connection page on server side and save, forcing a complete restart of the openvpn server, the connection come up again in no time.
I'm running 06-04-2007 snapshot on both sides.
No custom options, standard settings as in the Gino Thomas tutorial
thanks -
did you check on your opnvpn-server the checkbox: "Dynamic IP"
checking this box add's "float" to the config files and allows your client if he passes the authentification with a new IP/port to reconnect.
-
did you check on your opnvpn-server the checkbox: "Dynamic IP"
checking this box add's "float" to the config files and allows your client if he passes the authentification with a new IP/port to reconnect.
Yes, it's checked. Looking at openvpn options I tried adding a –float manually in custom options. but no changes.
-
could you post the content of your server-config-file
and the client config-file of the "problem-client"? -
could you post the content of your server-config-file
and the client config-file of the "problem-client"?OK, that's the server config (i hope you mean this excerpt from the xml, otherwise i don't know where to look)
<config><disable><protocol>TCP</protocol>
<dynamic_ip>on</dynamic_ip>
<local_port>1196</local_port>
<addresspool>10.0.4.0/24</addresspool>
<nopool><local_network><remote_network>192.168.11.0/24</remote_network>
<client2client><crypto>BF-CBC</crypto>
<auth_method>shared_key</auth_method>
<shared_key>(snip)</shared_key>
<ca_cert><server_cert><server_key><dh_params><crl><dhcp_domainname><dhcp_dns><dhcp_wins><dhcp_nbdd><dhcp_ntp><dhcp_nbttype>0</dhcp_nbttype>
<dhcp_nbtscope><dhcp_nbtdisable></dhcp_nbtdisable></dhcp_nbtscope></dhcp_ntp></dhcp_nbdd></dhcp_wins></dhcp_dns></dhcp_domainname></crl></dh_params></server_key></server_cert></ca_cert></client2client></local_network></nopool></disable></config>And here's from the client side
<openvpnclient><config><disable><protocol>TCP</protocol>
<serveraddr>myFQNservername</serveraddr>
<serverport>1196</serverport>
<interface_ip>10.0.4.0/24</interface_ip>
<remote_network>10.0.0.0/24</remote_network>
<proxy_hostname><proxy_port>3128</proxy_port>
<crypto>BF-CBC</crypto>
<auth_method>shared_key</auth_method>
<shared_key>(idem)</shared_key>
<ca_cert><client_cert><client_key><use_lzo><use_shaper><use_dynamicport></use_dynamicport></use_shaper></use_lzo></client_key></client_cert></ca_cert></proxy_hostname></disable></config></openvpnclient>The non standard port it's because, as previously said, I've another 2 site-to-site openvpn clients.
thank you -
i meant the config file itself.
you can find it here:/var/etc/openvpn_server0.conf
you use two shared key's to connect to both ends.
wouldnt it be easier if the two side's connect to a single PKI-server? -
i meant the config file itself.
you can find it here:/var/etc/openvpn_server0.conf
ok, here it is the server side:
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.4.1 10.0.4.2
lport 1196
route 192.168.11.0 255.255.255.0
secret /var/etc/openvpn_server2.secret
persist-remote-ip
floatAnd here's the client side
writepid /var/run/openvpn_client0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote (myserver) 1196
lport 1194
ifconfig 10.0.4.2 10.0.4.1
route 10.0.0.0 255.255.255.0
secret /var/etc/openvpn_client0.secretyou use two shared key's to connect to both ends.
wouldnt it be easier if the two side's connect to a single PKI-server?Probably I'll use PKI when I've all up and running.
I already use PKI for single users connecting remotely with notebooks, shared keys are quicker for tests (IMHO, obviously).thanks
-
i think your problem is the line with persist-remote-ip
Preserve most recently authenticated remote IP address and port number across SIGUSR1 or –ping-restart restarts.
your log shows:
openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
openvpn[11703]: Connection reset, restartingprobably your server stay's on the old IP while he recieved data from the new IP and discards them.
-
i think your problem is the line with persist-remote-ip
Preserve most recently authenticated remote IP address and port number across SIGUSR1 or –ping-restart restarts.
your log shows:
openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
openvpn[11703]: Connection reset, restartingprobably your server stay's on the old IP while he recieved data from the new IP and discards them.
Ok. I'm not that familiar with the architecture of pfsense, but since I've not manually edited the mentioned config files I suppose that they are automatically generated with those options by pfsense whenever something is changed in the openvpn server GUI page, it's correct?
So even if I remove the line with that option the config file will remain the same only until the next edit via GUI?
Or until the next restart?
However: I'll try to remove it, disconnect the adsl cable from the remote router a couple of times, see what happens and post the results.
Thank you -
Ok, after some guess work the problem is solved.
Unchecked "Dynamic IP" in VPN server webConfigurator page BUT added "float" as custom option.
This removes
persist-remote-ip
from server side config and mantains
float
Now, when client reconnect from a different dynamic IP the server accept the connection.
Beeing a neewbie I think "Dynamic IP" means exactly this behavior. Instead "persist-remote-ip" pop up in config file which prevents exactly this. There's something I don't understand or this is a bug? -
Wow, I've been struggling with this for a while and actually saw the persist-remote-ip option in the config but couldn't think how to remove it but still maintain float. Thanks!!!
I'm trying to think though where this combination could be used if you want site-to-site. I presume the diff is that float allows diff machines to connect with diff ips but persist-remote-ip only allows the same machine to connect with it's previous address. So I think it's more suited to multiple remote clients where you wouldn't use the 'remote network' setting.
But perhaps there should be a settting for this then eg. checkbox for dynamic ip and checkbox for site-site with dynamic client.
Regards
Robby