Openvpn client does not reconnect after server change

I have the following configuration, the client connects, but if I change the configuration on the server, the connection drops but the client never reconnects:

Client:

set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 keep-alive failure-count '3'
set interfaces openvpn vtun0 keep-alive interval '10'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option '--ping 15'
set interfaces openvpn vtun0 openvpn-option '--ping-restart 60'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'ip-public'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/openvpn/1.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/openvpn/2.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/openvpn/2.key'

Server:

set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 server client 1 ip '172.16.1.3'
set interfaces openvpn vtun0 server subnet '172.16.1.0/24'
set interfaces openvpn vtun0 server topology 'subnet'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/openvpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/openvpn/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/openvpn/dh.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/openvpn/server.key'

Do you have any logs that might hold any information?

I do the following command on the server:

reset openvpn interface vtun0

The client does not reset; I have to use the same command to get it working again.

When the above happened, I waited 10 minutes and the client did not give any log; it does nothing to reconnect.

VyOS 1.3.2 client
VyOS 1.3.6 server

It seems to be working now, after a few reboots. But the time is approx. 10 minutes. It seems a bit much to me for a reconnection.

The port could be blocked by an ISP firewall if internet censorship exists.
I highly recommend testing your configuration in a LAN.

It is not a problem with the ISP; both are dedicated services, they provide the ports and they work perfectly. I have modified these values, setting them lower, and it is the same: it is 10 minutes.

After 10 minutes, VyOS gives me the ping reset log message and restarts the connection.

SERVER:

Mar 09 00:18:57 sudo[20131]:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/libexec/vyos/op_mode/reset_openvpn.py vtun0

CLIENT:

Mar 09 00:28:51 openvpn-vtun0[2058]: [server] Inactivity timeout (--ping-restart), restarting
Mar 09 00:28:51 openvpn-vtun0[2058]: Closing TUN/TAP interface
Mar 09 00:28:51 openvpn-vtun0[2058]: net_addr_v4_del: 172.16.X.X dev vtun0
Mar 09 00:28:51 openvpn-vtun0[2058]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 09 00:28:51 openvpn-vtun0[2058]: Restart pause, 5 second(s)
Mar 09 00:28:56 openvpn-vtun0[2058]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mar 09 00:28:56 openvpn-vtun0[2058]: TCP/UDP: Preserving recently used remote address: [AF_INET]-:1194
Mar 09 00:28:56 openvpn-vtun0[2058]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 09 00:28:56 openvpn-vtun0[2058]: UDP link local: (not bound)
Mar 09 00:28:56 openvpn-vtun0[2058]: UDP link remote: [AF_INET]-:1194
Mar 09 00:28:56 openvpn-vtun0[2058]: TLS: Initial packet from [AF_INET]-:1194, sid=65d9b741 b38aa9e0
Mar 09 00:28:56 openvpn-vtun0[2058]: VERIFY OK: depth=1, CN=ca
Mar 09 00:28:56 openvpn-vtun0[2058]: VERIFY OK: depth=0, CN=server
Mar 09 00:28:56 openvpn-vtun0[2058]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mar 09 00:28:56 openvpn-vtun0[2058]: [server] Peer Connection Initiated with [AF_INET]-:1194
Mar 09 00:28:56 openvpn-vtun0[2058]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.16.X.X,topology subnet,ping 10,ping-restart 600,ifconfig 172.16.X.X 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mar 09 00:28:56 openvpn-vtun0[2058]: OPTIONS IMPORT: timers and/or timeouts modified
Mar 09 00:28:56 openvpn-vtun0[2058]: OPTIONS IMPORT: --ifconfig/up options modified
Mar 09 00:28:56 openvpn-vtun0[2058]: OPTIONS IMPORT: route-related options modified
Mar 09 00:28:56 openvpn-vtun0[2058]: OPTIONS IMPORT: peer-id set
Mar 09 00:28:56 openvpn-vtun0[2058]: OPTIONS IMPORT: adjusting link_mtu to 1624
Mar 09 00:28:56 openvpn-vtun0[2058]: OPTIONS IMPORT: data channel crypto options modified
Mar 09 00:28:56 openvpn-vtun0[2058]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 09 00:28:56 openvpn-vtun0[2058]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 09 00:28:56 openvpn-vtun0[2058]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 09 00:28:56 openvpn-vtun0[2058]: TUN/TAP device vtun0 opened
Mar 09 00:28:56 openvpn-vtun0[2058]: net_iface_mtu_set: mtu 1500 for vtun0
Mar 09 00:28:56 openvpn-vtun0[2058]: net_iface_up: set vtun0 up
Mar 09 00:28:56 openvpn-vtun0[2058]: net_addr_v4_add: 172.16.X.X/24 dev vtun0
Mar 09 00:28:56 openvpn-vtun0[2058]: Initialization Sequence Completed

So is it fair to say it’s working but the ping-timeout value isn’t being followed, is that now the issue?

You can solve it; the openvpn-options are only on the server side.

Server:

set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 openvpn-option '--verb 3'
set interfaces openvpn vtun0 openvpn-option '--mute 10'
set interfaces openvpn vtun0 openvpn-option '--client-to-client'
set interfaces openvpn vtun0 openvpn-option '--keepalive 10 60'

Client:

set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'xx.xx.xx.xx'

Now if the service goes down, it comes back after 60 seconds.
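What the client log above and this fix have in common is the PUSH_REPLY: the server pushes `ping 10,ping-restart 600`, and because a client in `mode client` pulls options, those pushed timers replace the client's own `--ping 15` / `--ping-restart 60` (the `OPTIONS IMPORT: timers and/or timeouts modified` line is OpenVPN saying exactly that). Putting `--keepalive 10 60` on the server works because OpenVPN's manual defines `--keepalive n m` in server mode as `ping n`, `ping-restart 2*m`, `push "ping n"`, `push "ping-restart m"`. The following Python is an added example, not code from the thread or from VyOS: it models that expansion rule, parses a constructed client log modelled on the one posted above (addresses and values are made up for the example), and reports which local timers the pushed options override and the resulting worst-case reconnect delay.

```python
import re

# Constructed client log lines for this example, modelled on the thread's log.
# The 172.16.1.x addresses and the 600-second ping-restart are sample values.
SAMPLE_CLIENT_LOG = """\
Mar 09 00:28:51 openvpn-vtun0[2058]: [server] Inactivity timeout (--ping-restart), restarting
Mar 09 00:28:51 openvpn-vtun0[2058]: Restart pause, 5 second(s)
Mar 09 00:28:56 openvpn-vtun0[2058]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.16.1.1,topology subnet,ping 10,ping-restart 600,ifconfig 172.16.1.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mar 09 00:28:56 openvpn-vtun0[2058]: OPTIONS IMPORT: timers and/or timeouts modified
"""

# The client's own timer options, as in the thread's original client config
# (openvpn-option '--ping 15' and '--ping-restart 60').
LOCAL_CLIENT_OPTIONS = {"ping": 15, "ping-restart": 60}

PUSH_REPLY_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")
RESTART_PAUSE_RE = re.compile(r"Restart pause, (\d+) second")
TIMER_KEYS = ("ping", "ping-restart")


def expand_keepalive(interval, timeout, server_mode):
    """Expand --keepalive interval timeout as the OpenVPN manual documents it.

    server mode: ping n, ping-restart 2*m, push "ping n", push "ping-restart m"
    client mode: ping n, ping-restart m (nothing is pushed)
    Returns (local_options, pushed_options).
    """
    local = {"ping": interval,
             "ping-restart": 2 * timeout if server_mode else timeout}
    pushed = {"ping": interval, "ping-restart": timeout} if server_mode else {}
    return local, pushed


def parse_push_reply(log_text):
    """Return the timer options from the last PUSH_REPLY line in a client log."""
    pushed = {}
    for line in log_text.splitlines():
        match = PUSH_REPLY_RE.search(line)
        if not match:
            continue
        pushed = {}
        # Skip the leading PUSH_REPLY token, then keep only "key value" timers.
        for option in match.group(1).split(",")[1:]:
            parts = option.split()
            if len(parts) == 2 and parts[0] in TIMER_KEYS:
                pushed[parts[0]] = int(parts[1])
    return pushed


def parse_restart_pause(log_text, default=5):
    """Return the restart pause OpenVPN logged, or the default if absent."""
    match = RESTART_PAUSE_RE.search(log_text)
    return int(match.group(1)) if match else default


def effective_timers(local_options, pushed_options):
    """A pulling client applies pushed timers over its own --ping/--ping-restart.

    Returns (effective_options, overridden) where overridden maps each replaced
    key to (local_value, pushed_value).
    """
    effective = dict(local_options)
    overridden = {}
    for key, pushed_value in pushed_options.items():
        if key in effective and effective[key] != pushed_value:
            overridden[key] = (effective[key], pushed_value)
        effective[key] = pushed_value
    return effective, overridden


def worst_case_reconnect_seconds(effective_options, restart_pause):
    """Time from the server going away to the next connection attempt:
    the client must wait out ping-restart, then the restart pause."""
    return effective_options["ping-restart"] + restart_pause


if __name__ == "__main__":
    pushed = parse_push_reply(SAMPLE_CLIENT_LOG)
    pause = parse_restart_pause(SAMPLE_CLIENT_LOG)
    effective, overridden = effective_timers(LOCAL_CLIENT_OPTIONS, pushed)
    print("pushed by server:", pushed)
    print("local options overridden:", overridden)
    print("worst-case reconnect:", worst_case_reconnect_seconds(effective, pause), "s")

    # The same evaluation with the fix from the thread: --keepalive 10 60 on the server.
    _, fixed_push = expand_keepalive(10, 60, server_mode=True)
    fixed_effective, _ = effective_timers(LOCAL_CLIENT_OPTIONS, fixed_push)
    print("with --keepalive 10 60:", worst_case_reconnect_seconds(fixed_effective, pause), "s")
```

Run against the sample log the script reports a 605-second worst case (600 s ping-restart plus the 5 s restart pause), which matches the roughly ten minutes between the `reset openvpn interface` on the server and the client's `Inactivity timeout` line; with the server's `--keepalive 10 60` the pushed `ping-restart 60` brings that down to 65 s. The practical check this illustrates: when a pulling client reconnects slower than its own config suggests, read the pushed timers in its PUSH_REPLY line rather than the local `openvpn-option` values.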


Maybe you can try WireGuard. It is stateless and reconnects faster.
