Netgate Discussion Forum

[Solved] Dynamic IP client and reconnection problem

OpenVPN
11 Posts 3 Posters 32.7k Views
    mrktt77
    last edited by Jul 16, 2007, 12:40 AM Jun 28, 2007, 7:11 AM

    Hi.
    I've successfully set up 3 site-to-site VPNs between remote networks and the main site's local network with OpenVPN.
    One of the pfSense boxes on the remote networks (which acts as an OpenVPN client) is on an ADSL connection without a static IP and with a lot of disconnections/reconnections because of a bad quality line. We're trying to do something about it, but in the meantime…
    When the reconnection and the subsequent IP change occur, the OpenVPN connection doesn't come up again automatically.
    Both the OpenVPN server and the client notice the line drop, but when the client tries to reconnect, on the server side log there's a lot of

    openvpn[75489]: TCP NOTE: Rejected connection attempt from x.x.x.x:65281 due to --remote setting

    and on the client side obviously I have a loop of connection attempts with no success

    openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
    openvpn[11703]: Connection reset, restarting [0]
    openvpn[11703]: TCPv4_CLIENT link remote: y.y.y.y:1196
    openvpn[11703]: TCPv4_CLIENT link local: [undef]
    openvpn[11703]: TCP connection established with y.y.y.y:1196
    openvpn[11703]: Attempting to establish TCP connection with y.y.y.y:1196
    openvpn[11703]: Preserving previous TUN/TAP instance: tun0
    openvpn[11703]: Re-using pre-shared static key

    I've tried to switch to a UDP connection; connections and reconnections don't end with the same problem….
    but for some reason in this case I have no site-to-site, i.e. I cannot ping from a client on the remote network to a client on the local network and vice versa, as with the TCP connection.

    If I enter the OpenVPN server connection page on the server side and save, forcing a complete restart of the OpenVPN server, the connection comes up again in no time.

    I'm running the 06-04-2007 snapshot on both sides.
    No custom options, standard settings as in the Gino Thomas tutorial.
    Thanks

      GruensFroeschli
      last edited by Jun 28, 2007, 10:02 AM

      Did you check the "Dynamic IP" checkbox on your OpenVPN server?

      Checking this box adds "float" to the config files and allows your client to reconnect if it passes the authentication with a new IP/port.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        mrktt77
        last edited by Jun 28, 2007, 1:25 PM

        @GruensFroeschli:

        Did you check the "Dynamic IP" checkbox on your OpenVPN server?

        Checking this box adds "float" to the config files and allows your client to reconnect if it passes the authentication with a new IP/port.

        Yes, it's checked. Looking at the OpenVPN options I tried adding a --float manually in the custom options, but no changes.

          GruensFroeschli
          last edited by Jun 28, 2007, 3:27 PM

          Could you post the content of your server config file
          and the client config file of the "problem client"?

            mrktt77
            last edited by Jun 28, 2007, 4:30 PM

            @GruensFroeschli:

            Could you post the content of your server config file
            and the client config file of the "problem client"?

            OK, that's the server config (I hope you mean this excerpt from the XML, otherwise I don't know where to look)

            <config>
              <disable></disable>
              <protocol>TCP</protocol>
              <dynamic_ip>on</dynamic_ip>
              <local_port>1196</local_port>
              <addresspool>10.0.4.0/24</addresspool>
              <nopool></nopool>
              <local_network></local_network>
              <remote_network>192.168.11.0/24</remote_network>
              <client2client></client2client>
              <crypto>BF-CBC</crypto>
              <auth_method>shared_key</auth_method>
              <shared_key>(snip)</shared_key>
              <ca_cert></ca_cert>
              <server_cert></server_cert>
              <server_key></server_key>
              <dh_params></dh_params>
              <crl></crl>
              <dhcp_domainname></dhcp_domainname>
              <dhcp_dns></dhcp_dns>
              <dhcp_wins></dhcp_wins>
              <dhcp_nbdd></dhcp_nbdd>
              <dhcp_ntp></dhcp_ntp>
              <dhcp_nbttype>0</dhcp_nbttype>
              <dhcp_nbtscope></dhcp_nbtscope>
              <dhcp_nbtdisable></dhcp_nbtdisable>
            </config>

            And here's from the client side

            <openvpnclient>
              <config>
                <disable></disable>
                <protocol>TCP</protocol>
                <serveraddr>myFQNservername</serveraddr>
                <serverport>1196</serverport>
                <interface_ip>10.0.4.0/24</interface_ip>
                <remote_network>10.0.0.0/24</remote_network>
                <proxy_hostname></proxy_hostname>
                <proxy_port>3128</proxy_port>
                <crypto>BF-CBC</crypto>
                <auth_method>shared_key</auth_method>
                <shared_key>(idem)</shared_key>
                <ca_cert></ca_cert>
                <client_cert></client_cert>
                <client_key></client_key>
                <use_lzo></use_lzo>
                <use_shaper></use_shaper>
                <use_dynamicport></use_dynamicport>
              </config>
            </openvpnclient>

            The non-standard port is because, as previously said, I have another 2 site-to-site OpenVPN clients.
            Thank you

              GruensFroeschli
              last edited by Jun 28, 2007, 11:48 PM

              I meant the config file itself.
              You can find it here:

              /var/etc/openvpn_server0.conf

              You use two shared keys to connect to both ends.
              Wouldn't it be easier if the two sides connected to a single PKI server?

                mrktt77
                last edited by Jun 29, 2007, 7:30 AM

                @GruensFroeschli:

                I meant the config file itself.
                You can find it here:

                /var/etc/openvpn_server0.conf

                OK, here is the server side:

                writepid /var/run/openvpn_server2.pid
                #user nobody
                #group nobody
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                dev tun
                proto tcp-server
                cipher BF-CBC
                up /etc/rc.filter_configure
                down /etc/rc.filter_configure
                ifconfig 10.0.4.1 10.0.4.2
                lport 1196
                route 192.168.11.0 255.255.255.0
                secret /var/etc/openvpn_server2.secret
                persist-remote-ip
                float

                And here's the client side

                writepid /var/run/openvpn_client0.pid
                #user nobody
                #group nobody
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                dev tun
                proto tcp-client
                cipher BF-CBC
                up /etc/rc.filter_configure
                down /etc/rc.filter_configure
                remote (myserver) 1196
                lport 1194
                ifconfig 10.0.4.2 10.0.4.1
                route 10.0.0.0 255.255.255.0
                secret /var/etc/openvpn_client0.secret

                You use two shared keys to connect to both ends.
                Wouldn't it be easier if the two sides connected to a single PKI server?

                Probably I'll use PKI when I have everything up and running.
                I already use PKI for single users connecting remotely with notebooks; shared keys are quicker for tests (IMHO, obviously).

                thanks

                  GruensFroeschli
                  last edited by Jun 29, 2007, 2:29 PM

                  I think your problem is the line with persist-remote-ip

                  Preserve most recently authenticated remote IP address and port number across SIGUSR1 or --ping-restart restarts.

                  Your log shows:

                  openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
                  openvpn[11703]: Connection reset, restarting

                  Probably your server stays on the old IP while it receives data from the new IP and discards it.

                    mrktt77
                    last edited by Jun 29, 2007, 3:21 PM

                    @GruensFroeschli:

                    I think your problem is the line with persist-remote-ip

                    Preserve most recently authenticated remote IP address and port number across SIGUSR1 or --ping-restart restarts.

                    Your log shows:

                    openvpn[11703]: SIGUSR1[soft,connection-reset] received, process restarting
                    openvpn[11703]: Connection reset, restarting

                    Probably your server stays on the old IP while it receives data from the new IP and discards it.

                    Ok. I'm not that familiar with the architecture of pfSense, but since I've not manually edited the mentioned config files I suppose that they are automatically generated with those options by pfSense whenever something is changed in the OpenVPN server GUI page. Is that correct?
                    So even if I remove the line with that option, will the config file remain the same only until the next edit via the GUI?
                    Or until the next restart?
                    However: I'll try to remove it, disconnect the ADSL cable from the remote router a couple of times, see what happens and post the results.
                    Thank you

                      mrktt77
                      last edited by Jul 16, 2007, 12:47 AM

                      Ok, after some guesswork the problem is solved.
                      Unchecked "Dynamic IP" in the VPN server webConfigurator page BUT added "float" as a custom option.
                      This removes
                      persist-remote-ip
                      from the server-side config and maintains
                      float
                      Now, when the client reconnects from a different dynamic IP, the server accepts the connection.
                      Being a newbie, I think "Dynamic IP" means exactly this behavior. Instead "persist-remote-ip" pops up in the config file, which prevents exactly this. Is there something I don't understand, or is this a bug?

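As an added example (not code from the thread, from pfSense or from OpenVPN), a small POSIX shell audit that flags the combination mrktt77 ended up with, persist-remote-ip alongside float, in a generated OpenVPN server config and prints a corrected copy; the embedded sample config is a constructed copy of the server config posted above, and the /var/etc location is the one the thread names.

```shell
#!/bin/sh
# Added example, not from the thread. "persist-remote-ip" pins the peer to
# its last authenticated address, so a site-to-site client reconnecting from
# a new dynamic IP is rejected; "float" alone is what allows the change.

# Constructed copy of the server config posted in the thread (sample input).
sample_conf() {
    cat <<'EOF'
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
ifconfig 10.0.4.1 10.0.4.2
lport 1196
route 192.168.11.0 255.255.255.0
secret /var/etc/openvpn_server2.secret
persist-remote-ip
float
EOF
}

# has_opt FILE OPTION: true if OPTION is present as a directive on its own line.
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# check_dynamic_peer FILE: 0 if a peer may reconnect from a new address,
# 1 if persist-remote-ip would pin it, 2 if float is missing altogether.
check_dynamic_peer() {
    if has_opt "$1" persist-remote-ip; then
        echo "$1: persist-remote-ip pins the peer to its last address" >&2
        return 1
    fi
    if ! has_opt "$1" float; then
        echo "$1: float missing, reconnects from a new IP will be rejected" >&2
        return 2
    fi
    return 0
}

# fix_dynamic_peer FILE: print FILE with persist-remote-ip dropped and float ensured.
fix_dynamic_peer() {
    grep -Ev '^[[:space:]]*persist-remote-ip([[:space:]]|$)' "$1"
    has_opt "$1" float || echo float
}
```

Point check_dynamic_peer at /var/etc/openvpn_server*.conf on the pfSense box; since pfSense regenerates these files from the GUI settings, the lasting fix is the one in the post above (uncheck "Dynamic IP", add float as a custom option), not editing the file by hand.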
                        rpedrica
                        last edited by Dec 13, 2007, 7:30 PM

                        Wow, I've been struggling with this for a while and actually saw the persist-remote-ip option in the config but couldn't think how to remove it but still maintain float. Thanks!!!

                        I'm trying to think though where this combination could be used if you want site-to-site. I presume the difference is that float allows different machines to connect with different IPs but persist-remote-ip only allows the same machine to connect with its previous address. So I think it's more suited to multiple remote clients where you wouldn't use the 'remote network' setting.

                        But perhaps there should be a setting for this then, e.g. a checkbox for dynamic IP and a checkbox for site-to-site with a dynamic client.

                        Regards

                        Robby

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.