Openvpn instable with poor internet connection.
After the Upgrade from Pfsense 2.0.3 to 2.1 RC0 have i notice all OpenVPN Connection restarts at the same time when the connection is fully occupied.
The Problem is not the OpenVPN connection, the problem is the gatway monitoring.
I solved that with creating vpn interfaces and disable all gateway monitoring.
My VPN connections runs now consistently without restarts.
If the gateway monitoring parameters are at the defaults, then when the internet connection is "poor" (packet loss, latency…) the system will consider it down (that is the point of gateway monitoring - to give up on a gateway at some point). At places with slow links and known issues with packet loss, I set the advanced gateway monitoring parameters "crazy high" - like 40-50% packet loss, 4000-5000ms latency. Then the gateway is only considered down when it really has got to be almost totally unusable.
At 15-20% packet loss, I find that the OpenVPN links struggle to stay established anyway. I guess too many of the UDP packets disappear in the bit bucket, acknowledges in the OpenVPN protocol, certificate and key renegotiations... just give up.
I am trying to understand what does gateway monitoring solve for when there is only 1 WAN? If it is a DHCP WAN then I assume things would automatically get done that need done when the IP changes regardless of gateway monitoring. I understand with 2 WANs the need to kill states but it seems to me like gateway monitoring just causes issues for people with 1 WAN by killing states and such when the connection just might be temporarily bad. It seems to me like gateway monitoring by default should not do anything on a 1 WAN system. Under what circumstances would you want to do state killing, etc when your single WAN goes down for some amount of time?
I guess a more specific question would be under what circumstances would state killing and other things gateway monitoring does when it detects a downed gateway be wanted with a 1 WAN system? I would think the majority of setups would never want state killing for a 1 WAN system. I know this is one of the things that caught me off guard when I first started using pfsense. I just didn't expect that behavior with 1 WAN.
Under "System:Advanced:Miscellaneous", you'll find the options for "Gateway Monitoring:State", where its says:
By default the monitoring process will flush states for a gateway that goes down. This option overrides that behavior by not clearing states for existing connections.
Yup, I think this is pretty well hidden. I would have expected it under "System:Routing:Gateways".