Site-to-site Connection to remote LAN devices drops after a minute, but tunnel never goes down.

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
maxburn
OpenVPN User
Posts: 20
Joined: Mon Dec 12, 2016 6:07 pm

Site-to-site Connection to remote LAN devices drops after a minute, but tunnel never goes down.

Post by maxburn » Fri Mar 16, 2018 6:58 pm

OK, I have a Ubuntu server on my local LAN running OpenVPN as server. I also have a remote Ubiquiti Edgerouter connecting to my Ubuntu OpenVPN with no issue, port forwarding etc in local pfSense working fine tunnel up etc. I also added a static route in pfSense to point local LAN devices to the OpenVPN server to reach remote LAN devices.

Current Symptoms:
  • Local LAN devices can ping remote LAN devices
  • Through the Ubuntu server I can SSH into a linux server on the remote LAN and ping anything on the local LAN with no issues
  • If I use another computer on my local LAN to SSH into the same linux server above and ping something on local LAN it will work for a minute and then drop the SSH connection.
  • If I tell my local Synology to start an rsync with a remote synology it will initially say connected and then fail with 0bytes transferred.
  • I do not see the tunnel going up/down, it connects once and is stable.
server

# Listen port
port (some port here)
# OpenVPN server can only listen to one port/protocol at a time. Choose.
;proto udp
proto tcp-server
# TCP is a Connection-Oriented protocol ..
# There is no requirement for --explicit-exit-notify as the TCP protocol handles the
# connection state. If TCP specified above comment next line out.
;explicit-exit-notify 1
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem

ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

# with this server always grabs 10.80.0.1
topology "subnet"
push "topology subnet"
server 10.80.0.0 255.255.255.0

# read this to see what clients are connected
# Windows requires double \\ here to path
status /var/log/status.log

# OpenVPN log goes to C:\Program Files\OpenVPN\log\* whatever this ovpn file is named
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
log /var/log/openvpn.log

# telnet management interface, disable for normal use, use server cmd on server?
;management localhost 10020

# ovpn server pushes config info to clients from files in ccd dir.
# Matches are based on CN in connecting key, so CN in key must match file name exactly.
# Static VPN addressing and Client LAN routing is controlled in these files.
# client configuration directory (home is config dir, so rel path ok here)
client-config-dir ccd

# Allow LAN routing between clients
client-to-client
# Push routes to connecting clients, they need to know about all other LANs, including server LAN
push "route 10.0.1.0 255.255.255.0"
push "route 10.0.3.0 255.255.255.0"

# Allow the server to route traffic to client LANs, do not include server LAN
route 10.0.3.0 255.255.255.0

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret


CCD file for the connecting client

Code: Select all

iroute 10.0.3.0 255.255.255.0
ifconfig-push 10.80.0.11 255.255.255.0
Client config

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

# UDP is the preferred alternative in most cases.
# If you cannot get a reliable UDP connection,
# then you might need to look into TCP.
;proto udp
proto tcp-client

# address of server and port of server
remote example.com some port

# Where are the keys? Uncomment appropriate lines AND put in client #
# -Windows
;ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
;cert "C:\\Program Files\\OpenVPN\\config\\client#.crt"
;key "C:\\Program Files\\OpenVPN\\config\\client#.key"
# -Ubiquiti EdgeRouter
;ca /config/auth/ca.crt
;cert /config/auth/client1.crt
;key /config/auth/client1.key
# Ubuntu Server: keys to be appended at end of file (this is base config)

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth /config/auth/ta.key 1

########## keys start here ###########
Last edited by maxburn on Fri Mar 16, 2018 10:07 pm, edited 1 time in total.

maxburn
OpenVPN User
Posts: 20
Joined: Mon Dec 12, 2016 6:07 pm

Re: Site-to-site Connection to remote LAN devices stop connecting after a minute

Post by maxburn » Fri Mar 16, 2018 10:05 pm

Is this a routing issue?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4790
Joined: Fri Jun 03, 2016 1:17 pm

Re: Site-to-site Connection to remote LAN devices drops after a minute, but tunnel never goes down.

Post by TinCanTech » Sat Mar 17, 2018 1:05 am

log files are not for kids ..

maxburn
OpenVPN User
Posts: 20
Joined: Mon Dec 12, 2016 6:07 pm

Re: Site-to-site Connection to remote LAN devices drops after a minute, but tunnel never goes down.

Post by maxburn » Sat Mar 17, 2018 2:30 pm

It was a routing issue.
https://forum.pfsense.org/index.php?topic=145288.0

What I'm not getting is why this guide says this additional static route in the gateway is not an acceptable answer.
https://forum.pfsense.org/index.php?topic=145288.0

I then back tracked and put the OpenVPN server in the pfSense router. After much trouble got it working.
https://forum.pfsense.org/index.php?top ... #msg789391

Post Reply