OpenVPN occasionally reconnecting 100's of times causing acct disable by PureVPN



  • Hi guys, not sure where to start with this one so pls. suggest what I need to post to help solve it.

    I have OpenVPN setup to connect to my PureVPN account (permanently) and all traffic on one interface (subnet) is routed through this VPN.
    I am currently running 2.2.3-RELEASE.

    Three times now in the last 2 months I have had my account disabled by PureVPN and received the following email:

    Our hands were shaking, our hearts were beating fast and we were very nervous – but in the end, we had to pull the plug! We had to disable your account because it was generating VPN sessions like crazy.
    The high numbers of VPN sessions were disrupting delivery of impeccable VPN service to our other partners.
    Your account having below given username has been disabled.

    Support tell me it was because I connected and disconnected more than 200 times (their limit).

    The pfsense OpenVPN logs do not show this and appear normal.
    It expires and reconnects every hour at xx:43.

    Aug 17 14:43:39 openvpn[23192]: TLS: tls_process: killed expiring key
    Aug 17 14:43:46 openvpn[23192]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 14:43:46 openvpn[23192]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 14:43:52 openvpn[23192]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 14:43:52 openvpn[23192]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 14:43:52 openvpn[23192]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 14:43:52 openvpn[23192]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 14:43:52 openvpn[23192]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Aug 17 15:43:44 openvpn[23192]: TLS: tls_process: killed expiring key
    Aug 17 15:43:52 openvpn[23192]: TLS: soft reset sec=0 bytes=4493641/0 pkts=21386/0
    Aug 17 15:43:54 openvpn[23192]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 15:43:54 openvpn[23192]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 15:43:57 openvpn[23192]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 15:43:57 openvpn[23192]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 15:43:57 openvpn[23192]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 15:43:57 openvpn[23192]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 15:43:57 openvpn[23192]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Aug 17 16:43:52 openvpn[23192]: TLS: tls_process: killed expiring key
    Aug 17 16:43:57 openvpn[23192]: TLS: soft reset sec=0 bytes=2678573/0 pkts=17429/0
    Aug 17 16:43:59 openvpn[23192]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 16:43:59 openvpn[23192]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 16:44:02 openvpn[23192]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 16:44:02 openvpn[23192]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 16:44:02 openvpn[23192]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 16:44:02 openvpn[23192]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 16:44:02 openvpn[23192]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Aug 17 17:43:57 openvpn[23192]: TLS: tls_process: killed expiring key
    Aug 17 17:44:02 openvpn[23192]: TLS: soft reset sec=0 bytes=2603998/0 pkts=16911/0
    Aug 17 17:44:04 openvpn[23192]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 17:44:04 openvpn[23192]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 17:44:16 openvpn[23192]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 17:44:16 openvpn[23192]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 17:44:16 openvpn[23192]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 17:44:16 openvpn[23192]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 17:44:16 openvpn[23192]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Aug 17 18:44:02 openvpn[23192]: TLS: tls_process: killed expiring key
    Aug 17 18:44:16 openvpn[23192]: TLS: soft reset sec=0 bytes=2617542/0 pkts=16810/0
    Aug 17 18:44:18 openvpn[23192]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 18:44:18 openvpn[23192]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 18:44:22 openvpn[23192]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 18:44:22 openvpn[23192]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 18:44:22 openvpn[23192]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 18:44:22 openvpn[23192]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 18:44:22 openvpn[23192]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Aug 17 18:57:47 openvpn[23192]: [PureVPN] Inactivity timeout (--ping-restart), restarting
    Aug 17 18:57:47 openvpn[23192]: TCP/UDP: Closing socket
    Aug 17 18:57:47 openvpn[23192]: SIGUSR1[soft,ping-restart] received, process restarting
    Aug 17 18:57:47 openvpn[23192]: Restart pause, 2 second(s)
    Aug 17 18:57:49 openvpn[23192]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 17 18:57:49 openvpn[23192]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 17 18:57:49 openvpn[23192]: Re-using SSL/TLS context
    Aug 17 18:57:49 openvpn[23192]: LZO compression initialized
    Aug 17 18:57:49 openvpn[23192]: Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
    Aug 17 18:57:49 openvpn[23192]: Socket Buffers: R=[42080->393216] S=[57344->393216]
    Aug 17 18:57:49 openvpn[23192]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
    Aug 17 18:57:49 openvpn[23192]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
    Aug 17 18:57:49 openvpn[23192]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
    Aug 17 18:57:49 openvpn[23192]: Local Options hash (VER=V4): '9e7066d2'
    Aug 17 18:57:49 openvpn[23192]: Expected Remote Options hash (VER=V4): '162b04de'
    Aug 17 18:57:49 openvpn[23192]: UDPv4 link local (bound): [AF_INET]xx.1xx.153.106
    Aug 17 18:57:49 openvpn[23192]: UDPv4 link remote: [AF_INET]213.5.71.71:53
    Aug 17 18:57:49 openvpn[23192]: TLS: Initial packet from [AF_INET]213.5.71.71:53, sid=5f1b703a c494527f
    Aug 17 18:57:51 openvpn[23192]: VERIFY OK: depth=1, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 18:57:51 openvpn[23192]: VERIFY OK: depth=0, C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, emailAddress=mail@host.domain
    Aug 17 18:57:54 openvpn[23192]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 18:57:54 openvpn[23192]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 18:57:54 openvpn[23192]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Aug 17 18:57:54 openvpn[23192]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 17 18:57:54 openvpn[23192]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Aug 17 18:57:54 openvpn[23192]: [PureVPN] Peer Connection Initiated with [AF_INET]213.5.71.71:53
    Aug 17 18:57:56 openvpn[23192]: SENT CONTROL [PureVPN]: 'PUSH_REQUEST' (status=1)
    Aug 17 18:57:56 openvpn[23192]: AUTH: Received control message: AUTH_FAILED
    Aug 17 18:57:56 openvpn[23192]: TCP/UDP: Closing socket
    Aug 17 18:57:56 openvpn[23192]: /sbin/route delete -net 185.2.29.191 202.138.4.80 255.255.255.255
    Aug 17 18:57:56 openvpn[23192]: /sbin/route delete -net 0.0.0.0 213.5.66.65 128.0.0.0
    Aug 17 18:57:56 openvpn[23192]: /sbin/route delete -net 128.0.0.0 213.5.66.65 128.0.0.0
    Aug 17 18:57:56 openvpn[23192]: Closing TUN/TAP interface
    Aug 17 18:57:56 openvpn[23192]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1558 213.5.66.70 255.255.255.224 init
    Aug 17 18:57:56 openvpn[23192]: SIGTERM[soft,auth-failure] received, process exiting
    
    From 
    

  • Rebel Alliance Developer Netgate

    Looks like you lost connection (timeout).

    Do you perhaps have multiple accounts connecting with the same cert/credentials? They could be knocking each other offline.



  • Hi Jimp.

    Good point, I do have a family member that also uses this account on occasion.
    PureVPN allow 5 concurrent logins and so this should be ok, but perhaps it's not pfsense but his sessions that are flapping.

    I'll check with him.



  • I hate to bump a thread over a year old but I am running into this EXACT same issue.
    I don't believe anyone else is using my account. One thing that I have noticed is when I am connected through the VPN the connection will stop working for a couple min then it will start working again. OP did you ever solve this issue? I would love to hear how you did it.
    Any help would be great!



  • My recommendation is to carefully inspect PureVPN's own .ovpn configuration files and ensure your pfSense client configuration is as close to that as possible. They could have a particular setup and full well know that without the specific options they chose this kind of stuff will happen.



  • @duren:

    My recommendation is to carefully inspect PureVPN's own .ovpn configuration files and ensure your pfSense client configuration is as close to that as possible. They could have a particular setup and full well know that without the specific options they chose this kind of stuff will happen.

    Thank you for the reply.
    I have followed the instructions on the PureVPN website (https://support.purevpn.com/pfsense-openvpn-configuration-guide) and they do not work at all. I have tried to get in touch with their support team and they then provided me this link https://support.purevpn.com/my-vpn-disconnects-after-every-few-minutes-what-should-i-do and then they stopped responding to my inquiries.
    I was hoping someone on here might have successfully used another guide to set up their PureVPN to connect through pfSense.
    Just for further reference I used this guide with some minor tweaks https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video



  • I took a look at their ovpn files and it doesn't look like there's anything that would make much difference.

    The guide should work, just skip steps 10, 11 and 12 and enter the username and password in the pfSense gui.

    If it still doesn't work, you'll have to post your log.
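
A way to triage a client log like the one in the first post, added here as an example and not part of the thread: it separates hourly TLS renegotiations (`soft reset`) from full reconnects and auth failures, and reports the peak number of new connections in a time window. The function names, the one-line log format and the default year are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message fragments as they appear in the log from the first post.
PATTERNS = {
    "renegotiation": "TLS: soft reset",        # hourly re-key, tunnel stays up
    "restart": "SIGUSR1[soft,ping-restart]",   # keepalive timeout, full reconnect
    "connected": "Peer Connection Initiated",  # a new connection to the server
    "auth_failed": "AUTH_FAILED",
    "exit": "SIGTERM[soft,auth-failure]",      # client stops after auth failure
}
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) openvpn\[\d+\]: (.*)$")

def parse(lines, year=2015):
    """Yield (timestamp, event); syslog omits the year, so `year` is an assumption."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for event, needle in PATTERNS.items():
            if needle in m.group(2):
                yield ts, event

def summarize(lines):
    """Count each event type so re-keys are not mistaken for reconnects."""
    return Counter(event for _, event in parse(lines))

def max_connections_in_window(lines, window=timedelta(hours=24)):
    """Largest number of new connections seen inside any sliding window."""
    times = sorted(ts for ts, ev in parse(lines) if ev == "connected")
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

# Lines from the first post, with timestamp and message joined onto one line.
SAMPLE = [
    "Aug 17 17:44:02 openvpn[23192]: TLS: soft reset sec=0 bytes=2603998/0 pkts=16911/0",
    "Aug 17 18:44:16 openvpn[23192]: TLS: soft reset sec=0 bytes=2617542/0 pkts=16810/0",
    "Aug 17 18:57:47 openvpn[23192]: SIGUSR1[soft,ping-restart] received, process restarting",
    "Aug 17 18:57:54 openvpn[23192]: [PureVPN] Peer Connection Initiated with [AF_INET]213.5.71.71:53",
    "Aug 17 18:57:56 openvpn[23192]: AUTH: Received control message: AUTH_FAILED",
    "Aug 17 18:57:56 openvpn[23192]: SIGTERM[soft,auth-failure] received, process exiting",
]
```

Run over a full day of log, `max_connections_in_window` gives a number that can be compared directly with the provider's stated limit of 200 connections.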

