I've got an OVPN Access Server (2.1.9) running on AWS in multi-daemon mode (UDP and TCP), creating a Layer 3 (Routing/NAT) tunnel with about 30 unique clients configured (all on dynamic VPN IPs, using unique auto-login client configs). All internet traffic is being routed through the VPN, multiple sessions per user is enabled. While all clients are running on identical Linux-based routers with identical firmware, some of them have stable connections that will persist for days or weeks, while others seem to disconnect frequently, sometimes throwing a "disconnected because user-specific properties prevent concurrent VPN connections by this user" error. This error seems logical since each client is configured to act as a gateway to its own unique subnet, so if an immediate reconnect is attempted before the first session is closed, the server is probably detecting and preventing a routing anomaly (two clients shouldn't both be the gateway for the same subnet).
Of those clients that experience disconnects, some come back up on their own (presumably on account of some of the config parameters like ping-restart, connect-retry, etc.) while others stay disconnected until a remote user power cycles their device. When I'm working on a client experiencing disconnects, I notice that my SSH session will terminate and the VPN session will still show as active for about 2.5 minutes before the server closes the connection. In some cases, I can observe a new session being initiated by the disconnected client very quickly thereafter. Others will not come back up without a reset done remotely.
My access server is configured with the following additional directives:
```
cipher AES-128-CBC
keepalive 15 75
resolv-retry infinite
persist-tun
persist-key
duplicate-cn
```
```
cipher AES-128-CBC
keepalive 15 75
resolv-retry infinite
persist-tun
persist-key
connect-retry 60
connect-timeout 60
connect-retry-max infinite
```
```
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote [URL to OVPN server removed] 1194 udp
remote [URL to OVPN server removed] 1194 udp
remote [URL to OVPN server removed] 443 tcp
remote [URL to OVPN server removed] 1194 udp
remote [URL to OVPN server removed] 1194 udp
remote [URL to OVPN server removed] 1194 udp
remote [URL to OVPN server removed] 1194 udp
remote [URL to OVPN server removed] 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
```
```
cipher AES-128-CBC
keepalive 15 75
resolv-retry infinite
persist-tun
persist-key
connect-retry 60
connect-timeout 60
connect-retry-max infinite
daemon
```
```
PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 15,ping-restart 75,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway [VPN subnet removed].145,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,register-dns,block-ipv6,ifconfig [VPN subnet removed].151 255.255.255.240'
```
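Added example (not from the original post or from OpenVPN itself): a small Python model of how a server-mode `keepalive 15 75` line expands (per the OpenVPN manual the server keeps a ping-restart of twice the pushed value, i.e. 150 s, which matches the roughly 2.5 minutes observed above) and how long a restarted client's new session can coexist with its stale one on the server. The reconnect delay is an assumption taken from the `connect-retry 60` directive; `parse_pushed_timers` reads the pushed values from the PUSH_REPLY line quoted in the post.

```python
from dataclasses import dataclass

# PUSH_REPLY line copied from the post above (placeholders kept as posted).
SAMPLE_PUSH_REPLY = (
    "PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,"
    "topology subnet,route-delay 5 30,ping 15,ping-restart 75,comp-lzo yes,"
    "route-gateway [VPN subnet removed].145,dhcp-option DNS 8.8.8.8,"
    "ifconfig [VPN subnet removed].151 255.255.255.240'"
)


@dataclass(frozen=True)
class KeepaliveTimers:
    ping: int            # seconds between keepalive pings
    client_restart: int  # 'ping-restart' pushed to clients
    server_restart: int  # the server's own ping-restart (2x the pushed one)


def expand_keepalive(directive: str) -> KeepaliveTimers:
    """Expand a server-mode 'keepalive n m' line the way OpenVPN does:
    ping n / ping-restart 2*m locally, push "ping n" / "ping-restart m"."""
    parts = directive.split()
    if len(parts) != 3 or parts[0] != "keepalive":
        raise ValueError(f"not a keepalive directive: {directive!r}")
    n, m = int(parts[1]), int(parts[2])
    return KeepaliveTimers(ping=n, client_restart=m, server_restart=2 * m)


def overlap_window(t: KeepaliveTimers, reconnect_delay: int) -> int:
    """Seconds during which a restarted client and its stale server-side
    session coexist. The client declares the link dead after client_restart
    seconds, waits reconnect_delay (assumed: connect-retry), then reconnects;
    the server only drops the old session after server_restart seconds.
    A positive value means a second session for the same user is attempted
    while the first is still counted, which a per-user concurrency limit
    will refuse."""
    reconnect_at = t.client_restart + reconnect_delay
    return max(0, t.server_restart - reconnect_at)


def parse_pushed_timers(push_reply: str) -> dict:
    """Pull the pushed ping / ping-restart values out of a PUSH_REPLY log line."""
    body = push_reply.split("'", 1)[1].rstrip("'") if "'" in push_reply else push_reply
    out = {}
    for opt in body.split(","):
        key, _, val = opt.strip().partition(" ")
        if key in ("ping", "ping-restart"):
            out[key] = int(val)
    return out
```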