[Solved] Dynamic IP client and reconnection problem



  • Hi.
    I've successfully set up 3 site-to-site vpn between remote networks and main site local network with OpenVpn.
    One of the pfsense boxes on the remote networks (witch acts like a openvpn client) is on a adsl connection without a static Ip and with a lot of disconnections-reconnections because of a bad quality line. We're trying to do something about it, but in the mean tiime…
    When the reconnection and the subsequent IP change occurs the openvpn connection don't come up again automatically.
    Both openvpn server and client notices the line drop but when client tries to reconnect on the server side log there's a lot of

    openvpn[75489]: TCP NOTE: Rejected connection attempt from x.x.x.x:65281 due to –remote setting

    and on the client side obviously I've a loop of connections attempts with no success

    openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
    openvpn[11703]: Connection reset, restarting [0]
    openvpn[11703]: TCPv4_CLIENT link remote: y.y.y.y:1196
    openvpn[11703]: TCPv4_CLIENT link local: [undef]
    openvpn[11703]: TCP connection established with y.y.y.y:1196
    openvpn[11703]: Attempting to establish TCP connection with y.y.y.y:1196
    openvpn[11703]: Preserving previous TUN/TAP instance: tun0
    openvpn[11703]: Re-using pre-shared static key

    I've tried to switch to udp connection, connections and reconnections don't ends with the same problem….
    but for some reason in this case I have no site-to-site, i.e.: cannot ping from a client from the remote network to a client on the local network and vice versa, as with the tcp connection.

    If I enter the openvpn server connection page on server side and save, forcing a complete restart of the openvpn server, the connection come up again in no time.

    I'm running 06-04-2007 snapshot on both sides.
    No custom options, standard settings as in the Gino Thomas tutorial
    thanks



  • did you check on your opnvpn-server the checkbox: "Dynamic IP"

    checking this box add's "float" to the config files and allows your client if he passes the authentification with a new IP/port to reconnect.



  • @GruensFroeschli:

    did you check on your opnvpn-server the checkbox: "Dynamic IP"

    checking this box add's "float" to the config files and allows your client if he passes the authentification with a new IP/port to reconnect.

    Yes, it's checked. Looking at openvpn options I tried adding a –float manually in custom options. but no changes.



  • could you post the content of your server-config-file
    and the client config-file of the "problem-client"?



  • @GruensFroeschli:

    could you post the content of your server-config-file
    and the client config-file of the "problem-client"?

    OK, that's the server config (i hope you mean this excerpt from the xml, otherwise i don't know where to look)

    <config><disable><protocol>TCP</protocol>
    <dynamic_ip>on</dynamic_ip>
    <local_port>1196</local_port>
    <addresspool>10.0.4.0/24</addresspool>
    <nopool><local_network><remote_network>192.168.11.0/24</remote_network>
    <client2client><crypto>BF-CBC</crypto>
    <auth_method>shared_key</auth_method>
    <shared_key>(snip)</shared_key>
    <ca_cert><server_cert><server_key><dh_params><crl><dhcp_domainname><dhcp_dns><dhcp_wins><dhcp_nbdd><dhcp_ntp><dhcp_nbttype>0</dhcp_nbttype>
    <dhcp_nbtscope><dhcp_nbtdisable></dhcp_nbtdisable></dhcp_nbtscope></dhcp_ntp></dhcp_nbdd></dhcp_wins></dhcp_dns></dhcp_domainname></crl></dh_params></server_key></server_cert></ca_cert></client2client></local_network></nopool></disable></config>

    And here's from the client side

    <openvpnclient><config><disable><protocol>TCP</protocol>
    <serveraddr>myFQNservername</serveraddr>
    <serverport>1196</serverport>
    <interface_ip>10.0.4.0/24</interface_ip>
    <remote_network>10.0.0.0/24</remote_network>
    <proxy_hostname><proxy_port>3128</proxy_port>
    <crypto>BF-CBC</crypto>
    <auth_method>shared_key</auth_method>
    <shared_key>(idem)</shared_key>
    <ca_cert><client_cert><client_key><use_lzo><use_shaper><use_dynamicport></use_dynamicport></use_shaper></use_lzo></client_key></client_cert></ca_cert></proxy_hostname></disable></config></openvpnclient>

    The non standard port it's because, as previously said, I've another 2 site-to-site openvpn clients.
    thank you



  • i meant the config file itself.
    you can find it here:

    /var/etc/openvpn_server0.conf

    you use two shared key's to connect to both ends.
    wouldnt it be easier if the two side's connect to a single PKI-server?



  • @GruensFroeschli:

    i meant the config file itself.
    you can find it here:

    /var/etc/openvpn_server0.conf

    ok, here it is the server side:

    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    ifconfig 10.0.4.1 10.0.4.2
    lport 1196
    route 192.168.11.0 255.255.255.0
    secret /var/etc/openvpn_server2.secret
    persist-remote-ip
    float

    And here's the client side

    writepid /var/run/openvpn_client0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-client
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    remote (myserver) 1196
    lport 1194
    ifconfig 10.0.4.2 10.0.4.1
    route 10.0.0.0 255.255.255.0
    secret /var/etc/openvpn_client0.secret

    you use two shared key's to connect to both ends.
    wouldnt it be easier if the two side's connect to a single PKI-server?

    Probably I'll use PKI when I've all up and running.
    I already use PKI for single users connecting remotely with notebooks, shared keys are quicker for tests (IMHO, obviously).

    thanks



  • i think your problem is the line with persist-remote-ip

    Preserve most recently authenticated remote IP address and port number across SIGUSR1 or –ping-restart restarts.

    your log shows:

    openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
    openvpn[11703]: Connection reset, restarting

    probably your server stay's on the old IP while he recieved data from the new IP and discards them.



  • @GruensFroeschli:

    i think your problem is the line with persist-remote-ip

    Preserve most recently authenticated remote IP address and port number across SIGUSR1 or –ping-restart restarts.

    your log shows:

    openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
    openvpn[11703]: Connection reset, restarting

    probably your server stay's on the old IP while he recieved data from the new IP and discards them.

    Ok. I'm not that familiar with the architecture of pfsense, but since I've not manually edited the mentioned config files I suppose that they are automatically generated with those options by pfsense whenever something is changed in the openvpn server GUI page, it's correct?
    So even if I remove the line with that option the config file will remain the same only until the next edit via GUI?
    Or until the next restart?
    However: I'll try to remove it, disconnect the adsl cable from the remote router a couple of times, see what happens and post the results.
    Thank you



  • Ok, after some guess work the problem is solved.
    Unchecked "Dynamic IP" in VPN server webConfigurator page BUT added "float" as custom option.
    This removes
    persist-remote-ip
    from server side config and mantains
    float
    Now, when client reconnect from a different dynamic IP the server accept the connection.
    Beeing a neewbie I think "Dynamic IP" means exactly this behavior. Instead "persist-remote-ip" pop up in config file which prevents exactly this. There's something I don't understand or this is a bug?



  • Wow, I've been struggling with this for a while and actually saw the persist-remote-ip option in the config but couldn't think how to remove it but still maintain float. Thanks!!!

    I'm trying to think though where this combination could be used if you want site-to-site. I presume the diff is that float allows diff machines to connect with diff ips but persist-remote-ip only allows the same machine to connect with it's previous address. So I think it's more suited to multiple remote clients where you wouldn't use the 'remote network' setting.

    But perhaps there should be a settting for this then eg. checkbox for dynamic ip and checkbox for site-site with dynamic client.

    Regards

    Robby


Log in to reply