Ubuntu 18.04 OpenVPN client disconnection problem

Posted: Fri Jan 24, 2020 1:24 pm
by erikire

I have a Raspberry Pi 4B running an OpenVPN server using the configuration below.

[oconf=server]# Raspberry Pi 4B OpenVPN server configuration
port 1194
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key

dh /etc/openvpn/server/dh4096.pem
crl-verify /etc/openvpn/server/crl.pem

push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"
push "block-outside-dns"


cipher AES-256-CBC
auth SHA512

tls-auth /etc/openvpn/server/ta.key 0
remote-cert-tls client
tls-version-min 1.2

keepalive 10 120
user nobody
group nogroup

status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3[/oconf]

I have also configured and installed 3 clients: one on an iPad, another on a
GalaxyS7, and a last one on Ubuntu 18.04 using NetworkManager.

[oconf=client]# galaxy client OpenVPN configuration
proto udp
dev tun

remote <serverURL> 1194

pkcs12 galaxy-to-server.p12

cipher AES-256-CBC
auth SHA512

tls-auth ta.key 1
remote-cert-tls server
tls-version-min 1.2

resolv-retry infinite

verb 3[/oconf]

UBUNTU 18.04 NetworkManager OpenVPN settings

Identity Tab
   Name:    server TEST
   Gateway: <serverURL>:1194
   Type:    Certificates (TLS)
   CA certificate: ca.crt
   User certificate:  ubuntu-to-server.crt
   User private key:  ubuntu-to-server.key
   User key password: ********
      General Tab
         Use LZO data compression: checked + adaptive
         Set virtual device type: checked + TUN and name: tun
      Security Tab
         Cipher: AES-256-CBC
         HMAC Authentication: SHA-512
      TLS Authentication Tab
         Verify peer (server) certificate usage signature: checked
            Remote peer certificate TLS type: Server
         Verify peer (server) certificate nsCertType designation: checked
            Remote peer certificate nsCert designation: Server
         Additional TLS authentication or encryption
            Mode: TLS-Auth
            Key File: ta.key
            Key Direction: 1

All 3 clients can connect successfully to the server, but the server logfile has a few differences
after disconnecting the clients.

After disconnecting the iPad and the Galaxy clients, the server logfile shows a
line like this:

Thu Jan 23 15:43:00 2020 galaxy-to-server/XX.XX.XX.XX:65079 SIGTERM[soft,remote-exit] received, client-instance exiting

Disconnecting the Ubuntu client with the NetworkManager doesn't send any SIGTERM[soft,remote-exit] to
the server (or at least the server log doesn't have such a line).
From the Ubuntu side the connection seems closed, and it's also possible to reconnect to the OpenVPN server using
the NetworkManager. In this case, the corresponding connection lines are logged again in the server log.

When the connection from the Ubuntu client to the server is disconnected, a few
minutes later it seems that the server tries to reconnect to the Ubuntu client (see below).
This behaviour doesn't happen after disconnecting iPad or Galaxy clients.

Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 [ubuntu-to-server] Inactivity timeout (--ping-restart), restarting
Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Jan 23 15:19:44 2020 ubuntu-to-server/XX.XX.XX.XX:39780 [ubuntu-to-server] Inactivity timeout (--ping-restart), restarting
Thu Jan 23 15:19:44 2020 ubuntu-to-server/XX.XX.XX.XX:39780 SIGUSR1[soft,ping-restart] received, client-instance restarting

Looking at the server log, it seems that the iPad and the GalaxyS7 are using TLSv1.2 and
Ubuntu is using TLSv1.3.

What is wrong? Should I change any other setting in the NetworkManager?

Many thx!

Re: Ubuntu 18.04 OpenVPN client disconnection problem

Posted: Fri Jan 24, 2020 2:43 pm
by erikire
It seems that the NetworkManager doesn't support the explicit-exit-notify option.
It was an expired bug notification, that I have reactivated. Hopefully it will be fixed...
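
Added example (not part of the original posts, and not OpenVPN or NetworkManager code): a Python script that tallies, per client common name, how sessions ended in a server log of the format quoted above, separating clean exits (SIGTERM[soft,remote-exit]) from keepalive expiries (SIGUSR1[soft,ping-restart]), which is what a client without explicit-exit-notify leaves behind. The sample log is constructed from the lines in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the server log lines quoted in the thread.
SAMPLE_LOG = """\
Thu Jan 23 15:43:00 2020 galaxy-to-server/XX.XX.XX.XX:65079 SIGTERM[soft,remote-exit] received, client-instance exiting
Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 [ubuntu-to-server] Inactivity timeout (--ping-restart), restarting
Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Jan 23 15:19:44 2020 ubuntu-to-server/XX.XX.XX.XX:39780 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Jan 23 15:50:01 2020 XX.XX.XX.XX:50000 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:50000
"""

# <ctime timestamp> <common-name>/<addr>:<port> SIGxxx[soft,<reason>] received, client-instance ...
EVENT = re.compile(
    r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} "
    r"(?P<cn>[^/\s]+)/\S+:(?P<port>\d+) "
    r"SIG[A-Z0-9]+\[soft,(?P<reason>[\w-]+)\] received, client-instance"
)
KINDS = {"remote-exit": "clean", "ping-restart": "timeout"}

def summarize(log_text):
    """Per client common name, count how its sessions ended and from which ports."""
    out = defaultdict(lambda: {"clean": 0, "timeout": 0, "other": 0, "ports": set()})
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # not a session-termination line
        entry = out[m["cn"]]
        entry[KINDS.get(m["reason"], "other")] += 1
        entry["ports"].add(int(m["port"]))
    return dict(out)

def silent_clients(summary):
    """Clients with no exit notification in this log: sessions only timed out."""
    return sorted(cn for cn, e in summary.items() if e["timeout"] and not e["clean"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for cn, e in sorted(summary.items()):
        print(f"{cn}: clean={e['clean']} timeout={e['timeout']} ports={sorted(e['ports'])}")
    print("no exit notification seen from:", silent_clients(summary))
```

Each distinct source port under a client counts as a separate session that the server held open until its keepalive timer expired.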