OpenVPN been very unstable since 2.1.4 upgrade
I have been reading around but not sure if there is any real evidence, but my OpenVPN mesh network has been very unstable since the upgrade to 2.1.4, prior to this upgrade it has been rock solid never going down unless there was a power outage at one of the sites and then only that site was effected. What I'm seeing is pauses in the network for about 30 second - 5 minutes at random times. The only way I really know I'm down is when I try to log into my home PfSense firewall but can't because my LDAP server is located at one of my remote sites so the timeout interval in PfSense cause the log in process to hang. When it pauses a ping of the remote site on the private side results in a timeout.
An inspection of the logs don't reveal anything concerning excepts this:
openvpn: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2564 / time = (1405132113) Fri Jul 11 22:28:33 2014 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
There are a bunch of these and this
Jul 11 22:50:29 openvpn: Peer Connection Initiated with [AF_INET]220.127.116.11:47672
Jul 11 22:49:58 openvpn: UDPv4 link remote: [undef]
Jul 11 22:49:58 openvpn: UDPv4 link local (bound): [AF_INET]18.104.22.168:1194
Jul 11 22:49:58 openvpn: Preserving previous TUN/TAP instance: ovpns1
Jul 11 22:49:58 openvpn: Re-using pre-shared static key
Jul 11 22:49:58 openvpn: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Jul 11 22:49:55 openvpn: SIGUSR1[soft,ping-restart] received, process restarting
Can the changes to OpenSSL be the cause of my instability? I'm going to down grade two of my sites back to 2.1.3 tonight during scheduled maintenance to see if this fixes issue. I have been doing a continuous ping for over 5 minutes and at one of my sites I am seeing 29.3% packet loss and 8% packet loss from another site. Even though I have a remote connection to the PfSense firewall my ssh session never dropped. The ping test was from me to site X and from Site B to Site X. I can ping from other sites other to site X to take Site X as the issue out of the equation. Like I stated before the problem only started to happen when I upgraded to 2.1.4
I'm using PfSnse 2.1.4 Full x64
on a Core 2 Duo E6750 @ 2.66 GHz with 4GB of RAM 80GB HDD
other sites are configured similarly.
After further testing looks like the problem may have been ISP related. I will upgrade back to 2.1.4 a retest to see if the problem is solved.
I'm just using it as a client to a commercial vpn service, but I'm seeing the same problem. Packet loss warnings on the gateways, both wan and vpn connection, used to be very rare and usually indicated a dropped connection to my isp, but that's no longer the case. I now get them several times a day, and I'm also seeing weird things like this.
The openvpn service is stopped, but the link is up; how can that be?? ???
Were you able to determine if the isp was the cause of your problem?
#edited for clarity
I work for the ISP that I am using so I have tools to check the link out. Everything looked good with the tools but I was able to change the feed (meaning the plant that gives the cable modem signal) and everything seems to be good now. I guess in my case upgrading to 2.1.4 and having cable issues was coincidental. If I think about it I did change somethings in my test lab at work too which probably caused the issue. Who is your ISP?
Who is your ISP?
Time Warner, southwest Ohio USA. 30 down/5 up. It's generally been very reliable.
I tried running from the live cd without the vpn and it worked perfectly, so it seems the problem is specific to the vpn setup. To say I'm a novice at this stuff would be kind, it was something of a miracle I was able to get the vpn working at all. It's possible something isn't set up right, but it did seem to work perfectly as far as I could tell until the recent upgrade. At the very least I wasn't seeing dropped connections and warnings about packet loss on a daily basis.
I should mention that I recently switched to a new vpn node which complicates things. It's identical to others I used except for the ip address, as far as I know. Your post made me think the upgrade broke something, but perhaps not. I'll go back to the one I was using and see how it goes.
The problem did turn out to be the provider, just for the record. 2.1.4 is fine at least regarding this issue.