OpenVPN cannot ping after reconnect

T

Trigve

Hi,
I'm wondering if anyone has encountered the problem I'm having.

I have OpenVPN 2.5.1 server on FreeBSD 12.2 using UDP. Then I'm using Windows 10 client to connect to the server. Now, I connect to the openvpn. Everything works fine, I can ping/ssh/whatsoever. Then I disconnect the VPN and connect once more. Now, connection is estabilished (no error in OpenVPN console) but I cannot ping or connect to anything. If I disconnect and wait for 10 minutes then everythings is back to normal and works. Also if I VNC to the server and restart the service, everything then works OK. Note that I've used (and am using) OpenVPN on debian also and I never had this kind of problem.

I've tried to search for the solutions but without success. Anyone knows what's going on?

Thank You
 
There's no enough information given to diagnose the problem. Can you share your openvpn.conf, ccd config and client.ovpn. It's look like that there's some routing issue but without any more information i can't tell for sure. You can tweak your keepalive on the server so it will drop disconnected client faster.

keepalive 10 120
will ping every 10 sec and if no response is received in 120 sec the client session will be drop.
 
Thank You for the reply VladiBG.

Server:
Code: 
port XXX
proto udp
dev tun
ca ...
cert ...
key ...
dh ...
topology subnet
server 10.8.X.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir server/ccd
keepalive 10 120
tls-auth ...
cipher ...
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth ...
remote-cert-tls client

Client:
Code: 
client
tls-client
dev tun
proto udp
remote ...
ca ...
cert ...
key ...
tls-auth ... 1
cipher ...
auth ...
verb 3
mute 20

There is no CCD for the given client.
 
To your client config add
Code: 
nobind
remote-cert-tls server

Note: you are missing crl in your server config. When you need to disable some client cert that are no longer valid/used you need to generate a crl and include it in your server config.
Note2: in your server config you have persist-key/tun and you don't have same opt in your client.
 
VladiBG said:
To your client config add
Code: 
nobind
remote-cert-tls server

Note: you are missing crl in your server config. When you need to disable some client cert that are no longer valid/used you need to generate a crl and include it in your server config.
Note2: in your server config you have persist-key/tun and you don't have same opt in your client.
Click to expand...

Thank you for the reply. I've added the given options to the config and it looks like it's working ;)

Also thanks for the notes, I've implemented them.
 
My configuration is a bit different. I'm using the default server.conf and client.conf with some small changes only to the push routes, bridge with tap and networks.
Do you observe any difference in performance using some other auth alg which by default is SHA1 HMAC. The Manual of openvpn(8) said it add 16 or 20 bytes on top of the data pkg.

My installation is done like this:

Code: 
pkg install openvpn
mkdir /usr/local/etc/openvpn
cp -R /usr/local/share/easy-rsa/ /usr/local/etc/openvpn/easy-rsa/
cd /usr/local/share/examples/openvpn/sample-config-files/
cp server.conf /usr/local/etc/openvpn/
cd /usr/local/etc/openvpn/easy-rsa/
./easyrsa.real init-pki
./easyrsa.real build-ca nopass
./easyrsa.real build-server-full server nopass
./easyrsa.real build-client-full client1 nopass
./easyrsa.real gen-dh
./easyrsa.real gen-crl

cd /usr/local/etc/openvpn/easy-rsa/pki
openvpn --genkey --secret ta.key

mv /usr/local/etc/openvpn/server.conf /usr/local/etc/openvpn/openvpn.conf
ee /usr/local/etc/openvpn/openvpn.conf


Code: 
ca /usr/local/etc/openvpn/easy-rsa/pki/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/pki/issued/server.crt
key /usr/local/etc/openvpn/easy-rsa/pki/private/server.key
crl-verify /usr/local/etc/openvpn/easy-rsa/pki/crl.pem
dh /usr/local/etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /usr/local/etc/openvpn/easy-rsa/pki/ta.key


Code: 
mkdir /usr/local/etc/newsyslog.conf.d
ee /usr/local/etc/newsyslog.conf.d/openvpn.conf


Code: 
/var/log/openvpn/openvpn.log root:wheel 640 3 1000 * JC


Code: 
mkdir /usr/local/etc/syslog.d
ee /usr/local/etc/syslog.d/openvpn.conf

Code: 
!openvpn
*.*    /var/log/openvpn/openvpn.log
!-openvpn

Code: 
newsyslog -vC
service syslogd reload
sysrc openvpn_enable=yes
service openvpn start
 
For auth I'm using sha512. I haven't tested the performance but my subjective feeling is that sha512 is a little bit slower (based on another OpenVPN setup which is using default auth). But I haven't made any side to side comparsions, only some iperf3 test (which were useless in the end).
 
You must log in or register to reply here.
Back
Top