Getting OpenVPN clients to reconnect after VRRP failover

Hi.

I’m wondering if anybody knows OpenVPN well enough here to help me. I just set up a pair of VyOS routers with VRRP (rolling release VyOS 1.5-rolling-202408210022 on both). I also have dial-in OpenVPN set up on the routers.

Both the VRRP failover and the OpenVPN dial-in work as intended, but OpenVPN clients don’t reconnect to the other router after failover. I can manually disconnect and reconnect the VPN after failover and that works perfectly.

The .ovpn config file has these stanzas:

ping 10
ping-restart 30

I thought this should mean that the OpenVPN client would ping the other end of the tunnel every 10 seconds and, after 30 seconds without a reply, try to re-establish the connection.

When the tunnel is up and working the OpenVPN client log shows lines like this:

11:55:23 - Tunnel interface is now UP
11:55:33 - Send ping
11:55:44 - Send ping
11:55:49 - Data: Received ping, do nothing
11:55:55 - Send ping
11:56:06 - Send ping
11:56:10 - Data: Received ping, do nothing

…but when the tunnel is down (that is, when I shut down the VRRP master that the client originally connected to) the log only shows “Send ping” messages and nothing else:

11:58:29 - Send ping
11:58:40 - Send ping
11:58:51 - Send ping
11:59:02 - Send ping
11:59:13 - Send ping
11:59:24 - Send ping
11:59:35 - Send ping
11:59:46 - Send ping
11:59:57 - Send ping
12:00:08 - Send ping
12:00:19 - Send ping
12:00:30 - Send ping
12:00:41 - Send ping
12:00:52 - Send ping
12:01:03 - Send ping
12:01:14 - Send ping
12:01:25 - Send ping
12:01:36 - Send ping
12:01:47 - Send ping
12:01:58 - Send ping
12:02:09 - Send ping
12:02:20 - Send ping

Just a thought: do you by any chance push keepalive or ping* settings from the server side? If so, these may override client settings (see manual).

Ah! That might be it. I don’t have any explicit settings for this server side, this is the only openvpn config on the routers:

openvpn vtun0 {
    local-port 1194
    mode server
    persistent-tunnel
    protocol udp
    server {
        domain-name voip.afrita.is
        name-server 172.17.41.100
        name-server 172.17.41.101
        push-route 172.17.41.0/24 {
        }
        subnet 172.17.48.0/23
    }
    tls {
        ca-certificate fw-ovh.cert-authority
        certificate fw-ovh.cert
        dh-params dhparams
    }
}

…but I took a better look at the OpenVPN client log and saw this:

[Sep 13, 2024, 13:34:43] EVENT: GET_CONFIG
[Sep 13, 2024, 13:34:43] Sending PUSH_REQUEST to server...
[a bunch of push options]
6 [ping] [10]
7 [ping-restart] [600]
[a bunch more push options]

So it seems like VyOS is pushing a longer ping-restart time. So, would I change it with some “set interface vtun0 openvpn-option” commands?

Yes, that was it. When I added the stanza set interfaces openvpn vtun0 openvpn-option '--keepalive 3 12' to both routers the client started automatically reconnecting.

Thank you for the help marc_s, I had been banging my head against this problem for a few days!


Happy to help, you’re welcome 🙂

Afterthought: you might want to try the keepalive setting:

16:40 vyos@gw 1.4.0 /home/vyos
✎ edit interfaces openvpn vtun0 » set
Possible completions:
 > authentication       Authentication settings
   description          Description
   device-type          OpenVPN interface device-type (default: tun)
   disable              Administratively disable interface
 > encryption           Data Encryption settings
   hash                 Hashing Algorithm
 > ip                   IPv4 routing parameters
 > ipv6                 IPv6 routing parameters
 > keep-alive           Keepalive helper options
+> local-address        Local IP address of tunnel (IPv4 or IPv6)
   local-host           Local IP address to accept connections (all if not set)
   local-port           Local port number to accept connections
 > mirror               Mirror ingress/egress packets
   mode                 OpenVPN mode of operation
 > offload              Configurable offload options
+  openvpn-option       Additional OpenVPN options. You must use the syntax of
                        openvpn.conf in this text-field. Using this without proper
                        knowledge may result in a crashed OpenVPN server. Check
                        system log to look for errors.
   persistent-tunnel    Do not close and reopen interface (TUN/TAP device) on client
                        restarts
   protocol             OpenVPN communication protocol (default: udp)
   redirect             Redirect incoming packet to destination
+  remote-address       IP address of remote end of tunnel
+  remote-host          Remote host to connect to (dynamic if not set)
   remote-port          Remote port number to connect to
 > replace-default-route
                        OpenVPN tunnel to be used as the default route
 > server               Server-mode options
   shared-secret-key    Secret key shared with remote end of tunnel
 > tls                  Transport Layer Security (TLS) options
   use-lzo-compression  Use fast LZO compression on this TUN/TAP interface
   vrf                  VRF instance name

16:40 vyos@gw 1.4.0 /home/vyos
✎ edit interfaces openvpn vtun0 » set keep-alive
Possible completions:
   failure-count        Maximum number of keepalive packet failures (default: 60)
   interval             Keepalive packet interval in seconds (default: 10)

They should expand into local (VyOS) and remote (push ...) stanzas. IMHO better than an openvpn-option ... command.

Ah! I was specifically looking for that option but didn’t see it! Thanks for the tip
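The two mechanics the thread turns on are (1) the OpenVPN `keepalive` helper, which on a server expands into a local `ping`/`ping-restart` pair plus pushed values that override whatever the client's .ovpn says, and (2) the client log, where the gap since the last inbound ping has to exceed the *effective* `ping-restart` before a reconnect is attempted. The script below is an added example, not code from the thread or from VyOS: it reproduces the `keepalive` expansion as the OpenVPN manual documents it (server doubles its own `ping-restart` so the client times out first, and pushes the undoubled values), applies pushed options over a client config, and measures the silence in a constructed log modelled on the one above. The `vyos_keepalive()` helper assumes VyOS computes the timeout as `interval * failure-count`, which with the defaults shown (10, 60) reproduces the `ping-restart 600` the poster saw pushed; that mapping is an assumption, not taken from VyOS source. All sample log and push lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the thread's client log (not a real capture).
SAMPLE_PUSH = [
    "6 [ping] [10]",
    "7 [ping-restart] [600]",
]
SAMPLE_LOG = """\
11:55:23 - Tunnel interface is now UP
11:55:33 - Send ping
11:55:49 - Data: Received ping, do nothing
11:56:10 - Data: Received ping, do nothing
11:58:29 - Send ping
12:02:20 - Send ping
""".splitlines()


def expand_keepalive(interval, timeout, server_mode=True):
    """Expand `keepalive <interval> <timeout>` as the OpenVPN manual describes:
    a server uses 2*timeout for its own ping-restart (so the client gives up
    first) and pushes `ping interval` / `ping-restart timeout` to clients."""
    if server_mode:
        return {
            "local": {"ping": interval, "ping-restart": 2 * timeout},
            "push": {"ping": interval, "ping-restart": timeout},
        }
    return {"local": {"ping": interval, "ping-restart": timeout}, "push": {}}


def vyos_keepalive(interval=10, failure_count=60):
    """Map VyOS `keep-alive interval / failure-count` to the keepalive helper.
    Assumption: timeout = interval * failure_count. With the defaults this
    yields the `ping-restart 600` that the client log in the thread shows."""
    return expand_keepalive(interval, interval * failure_count)


PUSH_RE = re.compile(r"^\s*\d+\s+\[(ping|ping-restart)\]\s+\[(\d+)\]\s*$")


def effective_timers(client_conf, push_lines):
    """Pushed ping/ping-restart values override the client's local ones."""
    timers = dict(client_conf)
    for line in push_lines:
        m = PUSH_RE.match(line)
        if m:
            timers[m.group(1)] = int(m.group(2))
    return timers


LOG_RE = re.compile(r"^(\d\d:\d\d:\d\d) - (.*)$")


def seconds_since_inbound(log_lines):
    """Seconds between the last inbound keepalive (or tunnel-up) and the last
    log line: how long the client has heard nothing from the server.
    Timestamps are HH:MM:SS only, so a log spanning midnight is not handled."""
    last_inbound = None
    last_seen = None
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        msg = m.group(2)
        last_seen = ts
        if "Received ping" in msg or "Tunnel interface is now UP" in msg:
            last_inbound = ts
    if last_inbound is None or last_seen is None:
        return None
    return int((last_seen - last_inbound).total_seconds())


def restart_expected(log_lines, ping_restart):
    """True once the silence exceeds the effective ping-restart value."""
    silent = seconds_since_inbound(log_lines)
    return silent is not None and silent > ping_restart


if __name__ == "__main__":
    timers = effective_timers({"ping": 10, "ping-restart": 30}, SAMPLE_PUSH)
    silent = seconds_since_inbound(SAMPLE_LOG)
    print(f"effective timers: {timers}; silent for {silent}s; "
          f"restart expected: {restart_expected(SAMPLE_LOG, timers['ping-restart'])}")
    print("keepalive 3 12 on the server ->", expand_keepalive(3, 12))
```

Running it shows why the client sat there sending pings: the .ovpn's `ping-restart 30` is replaced by the pushed 600, and the 370 seconds of silence in the sample log never reach that threshold. With `keepalive 3 12` on both routers the pushed `ping-restart` drops to 12, while each router keeps 24 locally, so the client always notices the dead master before the surviving router would have dropped it.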
