# Network configuration
# "dev tun" will create a routed IP tunnel
dev tun
port 1194
# TCP transport; every client must use "proto tcp" as well
proto tcp
server 10.0.2.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Connection configuration
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# LZO compression; must match the clients' comp-lzo setting
comp-lzo
persist-key
persist-tun
# Logging
status openvpn-status.log
verb 4
# Log at most 5 consecutive messages of the same category; further repeats are suppressed
mute 5
# Security config
# Use AES-256-CBC (Cipher Block Chaining) for data encryption
cipher AES-256-CBC
# Use SHA512 to authenticate encrypted data (clients must set the same auth digest)
auth SHA512
# Use at least version 1.2 of TLS (the only version currently considered secure); needs OpenVPN 2.3.3 or later
tls-version-min 1.2
# Maximum number of output packets queued before TCP (default=64). When a client's
# TCP link cannot drain the tun-to-client queue and the queue reaches this limit,
# OpenVPN drops further packets for that client and logs "packet dropped due to
# output saturation"
tcp-queue-limit 256
Thank you for your reply.
More details about the issue:
- This is the client configuration file:
client
remote server..com
# CA that signs the server certificate. There is no "remote-cert-tls server" here,
# so the client does not check that the presented certificate is a server cert;
# that is the "No server certificate verification method has been enabled"
# warning in the log below
ca /home/user.user/escesc/ca.crt
# prompt for username/password (verified on the server by the LDAP auth plugin)
auth-user-pass
cipher AES-256-CBC
# no "auth SHA512" here although the server sets it; both ends must use the same HMAC digest
comp-lzo yes
dev tun
proto tcp
# do not bind a fixed local port
nobind
# do not keep the password in memory after authentication
auth-nocache
script-security 2
persist-key
persist-tun
# drop privileges once the tunnel is up
user nobody
group nogroup
- This is the log from the client (server and client IPs are removed):
Jun 13 8:48:51 AM: State changed to Connecting
Jun 13 8:48:51 AM: Viscosity Windows 1.6.8 (1477)
Jun 13 8:48:51 AM: Running on Microsoft Windows 7 Professional
Jun 13 8:48:51 AM: Bringing up interface...
Jun 13 8:48:52 AM: Checking reachability status of connection...
Jun 13 8:48:52 AM: Connection is reachable. Starting connection attempt.
Jun 13 8:48:52 AM: OpenVPN 2.3.14 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 16 2017
Jun 13 8:48:52 AM: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Jun 13 8:49:06 AM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:49:07 AM: TCP connection established with [AF_INET]X.X.X.X:1194
Jun 13 8:49:07 AM: TCPv4_CLIENT link local: [undef]
Jun 13 8:49:07 AM: TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Jun 13 8:49:07 AM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 13 8:49:07 AM: [vpn-us-east] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Jun 13 8:49:10 AM: AUTH: Received control message: AUTH_FAILED
Jun 13 8:49:13 AM: SIGUSR1[soft,auth-failure] received, process restarting
Jun 13 8:49:13 AM: State changed to Connecting
Jun 13 8:49:30 AM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:49:30 AM: Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
Jun 13 8:49:31 AM: TCP connection established with [AF_INET]X.X.X.X:1194
Jun 13 8:49:31 AM: TCPv4_CLIENT link local: [undef]
Jun 13 8:49:31 AM: TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Jun 13 8:49:32 AM: [vpn-us-east] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Jun 13 8:49:34 AM: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 13 8:49:34 AM: open_tun, tt->ipv6=0
Jun 13 8:49:34 AM: TAP-WIN32 device [FFFFF] opened: \\.\Global\{0E8D2151-3C91-4344-BB5A-2EBC326C8720}.tap
Jun 13 8:49:34 AM: Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.2.238/255.255.255.252 on interface {0E8D2151-3C91-4344-BB5A-2EBC326C8720} [DHCP-serv: 10.0.2.237, lease-time: 31536000]
Jun 13 8:49:34 AM: Successful ARP Flush on interface [28] {0E8D2151-3C91-4344-BB5A-2EBC326C8720}
Jun 13 8:49:39 AM: Initialization Sequence Completed
Jun 13 8:49:39 AM: DNS set to Split, report follows:
Server - 8.8.8.8:53; Lookup Type - Split; Domains - domain.com.
Server - 192.168.1.1:53; Lookup Type - Any; Domains - None
Jun 13 8:49:39 AM: State changed to Connected
Jun 13 8:54:44 AM: Connection reset, restarting [0]
Jun 13 8:54:44 AM: SIGUSR1[soft,connection-reset] received, process restarting
Jun 13 8:54:44 AM: State changed to Connecting
Jun 13 8:54:44 AM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:54:44 AM: Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
Jun 13 8:54:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:02:03 AM: State changed to Disconnecting
Jun 13 9:02:11 AM: State changed to Disconnected
Jun 13 9:02:39 AM: State changed to Connecting
Jun 13 9:02:39 AM: Viscosity Windows 1.6.8 (1477)
Jun 13 9:02:39 AM: Running on Microsoft Windows 7 Professional
Jun 13 9:02:39 AM: Bringing up interface...
Jun 13 9:02:40 AM: Checking reachability status of connection...
Jun 13 9:02:40 AM: Connection is reachable. Starting connection attempt.
Jun 13 9:02:40 AM: OpenVPN 2.3.14 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 16 2017
Jun 13 9:02:40 AM: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Jun 13 9:03:19 AM: State changed to Disconnecting
Jun 13 9:03:25 AM: State changed to Disconnected
Jun 13 9:06:15 AM: State changed to Connecting
Jun 13 9:06:15 AM: Viscosity Windows 1.6.8 (1477)
Jun 13 9:06:15 AM: Running on Microsoft Windows 7 Professional
Jun 13 9:06:15 AM: Bringing up interface...
Jun 13 9:06:15 AM: Checking reachability status of connection...
Jun 13 9:06:15 AM: Connection is reachable. Starting connection attempt.
Jun 13 9:06:15 AM: OpenVPN 2.3.14 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 16 2017
Jun 13 9:06:15 AM: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Jun 13 9:06:24 AM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 13 9:06:24 AM: Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
Jun 13 9:06:25 AM: TCP connection established with [AF_INET]X.X.X.X:1194
Jun 13 9:06:25 AM: TCPv4_CLIENT link local: [undef]
Jun 13 9:06:25 AM: TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Jun 13 9:06:25 AM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 13 9:06:26 AM: [vpn-us-east] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Jun 13 9:06:28 AM: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 13 9:06:28 AM: open_tun, tt->ipv6=0
Jun 13 9:06:28 AM: TAP-WIN32 device [Iggg] opened: \\.\Global\{0E8D2151-3C91-4344-BB5A-2EBC326C8720}.tap
Jun 13 9:06:28 AM: Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.2.238/255.255.255.252 on interface {0E8D2151-3C91-4344-BB5A-2EBC326C8720} [DHCP-serv: 10.0.2.237, lease-time: 31536000]
Jun 13 9:06:28 AM: Successful ARP Flush on interface [28] {0E8D2151-3C91-4344-BB5A-2EBC326C8720}
Jun 13 9:06:33 AM: Initialization Sequence Completed
Jun 13 9:06:34 AM: DNS set to Split, report follows:
Server - 8.8.8.8:53; Lookup Type - Split; Domains - domain.com.
Jun 13 9:06:34 AM: State changed to Connected
The VPN server serves around 200 clients. That's why I can't change from TCP to UDP, since this would require changing all client configurations. When I test connectivity with another test VPN server with the same configuration for both client and server, I don't find any issue in the log.
I suspected the issue to be related to both the tcp-queue-limit and bcast-buffers options. I'm not sure what exact values I should be setting, or what the right value to set is.
New client log:
Jun 15 07:13:42 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 TLS: Initial packet from [AF_INET]XXXX.XXX.49:39933, sid=4ea08386 b92cbe2b
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 TLS: Username/Password authentication succeeded for username 'user1.user1' [CN SET]
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 NOTE: --mute triggered...
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 1 variation(s) on previous 5 message(s) suppressed by --mute
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 [user1.user1] Peer Connection Initiated with [AF_INET]XXXX.XXX.49:39933
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 MULTI_sva: pool returned IPv4=10.0.2.82, IPv6=(Not enabled)
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_06af414951a661f727b950968bb4f446.tmp
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 MULTI: Learn: 10.0.2.82 -> user1.user1/XXXX.XXX.49:39933
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 MULTI: primary virtual IP for user1.user1/XXXX.XXX.49:39933: 10.0.2.82
Jun 15 07:13:45 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 PUSH: Received control message: 'PUSH_REQUEST'
Jun 15 07:13:45 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 send_push_reply(): safe_cap=940
Jun 15 07:13:45 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 SENT CONTROL [user1.user1]: 'PUSH_REPLY,dhcp-option DOMAIN *** (status=1)
Jun 15 07:14:35 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:14:35 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 NOTE: --mute triggered...
Jun 15 07:24:20 vpn-us-east-1 dhclient[1336]: DHCPREQUEST on eth0 to 10.100.46.1 port 67 (xid=0x4c96258c)
Jun 15 07:24:20 vpn-us-east-1 dhclient[1336]: DHCPACK from 10.100.46.1 (xid=0x4c96258c)
Jun 15 07:24:22 vpn-us-east-1 dhclient[1336]: bound to 10.100.46.51 -- renewal in 1680 seconds.
Jun 15 07:24:22 vpn-us-east-1 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/0a:df:4d:3a:e1:1c/local-ipv4s
Jun 15 07:24:22 vpn-us-east-1 ec2net: [rewrite_aliases] Rewriting aliases of eth0
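An added example (my code, not from the thread or from OpenVPN) that turns the observations above into checks. It audits a client or server config for the directives behind the two warnings in the client log (`remote-cert-tls server`, which the howto#mitm page the warning links to recommends, and `auth-nocache`), checks for `tls-version-min 1.2` (available from OpenVPN 2.3.3), and counts the server's "packet dropped due to output saturation" lines per client. OpenVPN logs that message when the number of packets queued for a client's TCP socket reaches `tcp-queue-limit`, so it is a per-client symptom of a client that cannot drain its queue; `bcast-buffers` only sizes the pool for broadcast datagrams. Because `mute 5` suppresses repeats, the counts are lower bounds, and the function says so. The config strings, log lines, hostnames, user names and addresses are constructed for the example; flagging `comp-lzo` (compression before encryption, the VORACLE plaintext-recovery issue) is a caveat added here, not something the thread raises.

```python
"""Triage for the thread above: audit an OpenVPN config for the directives behind the
logged client warnings, and count server-side output-saturation drops per client.
Added example, not code from the post or OpenVPN; hosts, users and IPs are constructed."""
import re
from collections import Counter

# Client warnings OpenVPN logs, mapped to the directive that addresses each.
WARNING_FIXES = {
    "No server certificate verification method has been enabled": "remote-cert-tls server",
    "this configuration may cache passwords in memory": "auth-nocache",
}
# Directives a hardened config carries (tls-version-min needs OpenVPN >= 2.3.3).
# comp-lzo is flagged because compressing before encrypting enables plaintext
# recovery (VORACLE); that caveat is added here, the thread does not raise it.
REQUIRED = {"client": ["remote-cert-tls server", "tls-version-min 1.2", "auth-nocache"],
            "server": ["tls-version-min 1.2"]}
DISCOURAGED = ["comp-lzo"]

def directives(text):
    """Parse an OpenVPN config into {directive: argument string}, ignoring comments."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            key, _, rest = line.partition(" ")
            out[key] = rest.strip()
    return out

def audit_config(text, role):
    """Return 'missing: ...' / 'discouraged: ...' findings for a client or server config."""
    d = directives(text)
    findings = []
    for want in REQUIRED[role]:
        key, _, arg = want.partition(" ")
        if key not in d or (arg and d[key] != arg):
            findings.append(f"missing: {want}")
    return findings + [f"discouraged: {k}" for k in DISCOURAGED if k in d]

def triage_client_log(text):
    """Return ({fix directive: warning count}, {event: count}) for a client log."""
    fixes, events = Counter(), Counter()
    for line in text.splitlines():
        for needle, fix in WARNING_FIXES.items():
            if needle in line:
                fixes[fix] += 1
        for needle, event in (("AUTH_FAILED", "auth_failed"),
                              ("connection-reset", "connection_reset"),
                              ("Connection timed out", "tcp_timeout")):
            if needle in line:
                events[event] += 1
    return dict(fixes), dict(events)

# Server syslog lines: "... openvpn[PID]: user/ip:port MULTI: packet dropped ..."
SATURATION_RE = re.compile(r"openvpn\[\d+\]: (?P<peer>\S+) MULTI: packet dropped due to output saturation")
MUTE_RE = re.compile(r"openvpn\[\d+\]: (?P<peer>\S+) NOTE: --mute triggered")

def saturation_by_peer(text):
    """Count output-saturation drops per client; OpenVPN logs one when the packets
    queued for that client's TCP socket reach tcp-queue-limit.  With --mute N only
    the first N repeats are logged, so (count, True) means 'at least count'."""
    drops, muted = Counter(), set()
    for line in text.splitlines():
        m = SATURATION_RE.search(line)
        if m:
            drops[m.group("peer")] += 1
            continue
        m = MUTE_RE.search(line)
        if m and m.group("peer") in drops:
            muted.add(m.group("peer"))
    return {peer: (n, peer in muted) for peer, n in drops.items()}

# Constructed samples following the formats quoted in the thread (not the thread's data).
CLIENT_CONF_WEAK = """client
remote vpn.example.net 1194
dev tun
proto tcp
ca /etc/openvpn/ca.crt
auth-user-pass
auth-nocache
cipher AES-256-CBC
auth SHA512
comp-lzo yes
"""
CLIENT_CONF_HARDENED = (CLIENT_CONF_WEAK.replace("comp-lzo yes\n", "")
                        + "remote-cert-tls server\ntls-version-min 1.2\n")
CLIENT_LOG = """\
Jun 13 8:49:06 AM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:49:07 AM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 13 8:49:10 AM: AUTH: Received control message: AUTH_FAILED
Jun 13 8:49:30 AM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:54:44 AM: SIGUSR1[soft,connection-reset] received, process restarting
Jun 13 8:54:54 AM: TCP: connect to [AF_INET]203.0.113.5:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:09 AM: TCP: connect to [AF_INET]203.0.113.5:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
"""
SERVER_LOG = """\
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: 198.51.100.7:39933 NOTE: --mute triggered...
Jun 15 07:14:35 vpn-us-east-1 openvpn[6324]: alice/198.51.100.7:39933 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:14:35 vpn-us-east-1 openvpn[6324]: alice/198.51.100.7:39933 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:14:35 vpn-us-east-1 openvpn[6324]: alice/198.51.100.7:39933 NOTE: --mute triggered...
Jun 15 07:20:01 vpn-us-east-1 openvpn[6324]: bob/203.0.113.9:51200 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
"""
```

Run `audit_config(CLIENT_CONF_WEAK, "client")` and the hardened variant side by side to see which directives the warnings point at; `saturation_by_peer(SERVER_LOG)` returns, per client, the drop count and whether `--mute` cut the log short. When the muted flag is set for a peer, raising `tcp-queue-limit` buys that client more queue before drops start, but the root cause is a TCP link slower than the tunnel feeds it, which is why `verb 4` plus the per-peer counts matter more than any single queue value.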