Vpn Server Connection lost suddenly

secoonder
OpenVPN User
Posts: 12
Joined: Sat Feb 27, 2016 11:24 am

Vpn Server Connection lost suddenly

Post by secoonder » Sun Dec 10, 2017 6:06 am

I am using Ubuntu 14.04. I installed the OpenVPN server three years ago. I am using site-to-site VPN.
8 different networks talk to my main network (my VPN server is here)... (Network A, B, C ..., H)
It works properly.
Yesterday, some VPN client networks' connections started to be lost. After three minutes, their connections were successful.

3 network failures connected with VPN. This happened for 20 minutes. This client network was not a download/upload problem.

And then the problem is solved.
What happened was I reconnected before I did anything. The 8 VPN client certificates are different? I could not understand the problem.
My VPN server log is

Code: Select all

"New Connection by client "myclient" will cause previous active,sessions by this client to be dropped.Remember to use the--duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect."

My VPN server conf is

Code: Select all

port 1194
tun-mtu 1400
tls-server
proto tcp
dev tun
ca  /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/firewall.crt
key /etc/openvpn/easy-rsa/keys/firewall.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.2.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt 600
push "route 192.168.x.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS m.n.o.p"
push "dhcp-option DNS d.e.f.g"
client-to-client
keepalive 20 60
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

My VPN client conf is (one of the eight)

Code: Select all

tls-client
client
dev tun
proto tcp
tun-mtu 1400
remote a.b.c.d 1194
resolv-retry infinite
pkcs12 example.p12
askpass con.txt
resolv-retry infinite
ns-cert-type server
comp-lzo
verb 3
status /var/log/openvpn-status.log
route-method exe
route-delay 2

How can I solve this problem?
Can you help me?
Thank you very much for your help.

TinCanTech
OpenVPN Protagonist
Posts: 3700
Joined: Fri Jun 03, 2016 1:17 pm

Re: Vpn Server Connection lost suddenly

Post by TinCanTech » Sun Dec 10, 2017 1:19 pm

We need complete logs.

Please see:
HOWTO: Request Help ! {2}

Post by secoonder » Tue Dec 19, 2017 5:14 pm

Thank you, TinCanTech.
When these problems occur, some clients were properly connected to my VPN server. But some clients disconnected from it, but these clients have internet at the same time. ? :D :D
My VPN server is

Code: Select all

root@xxxx:/etc/openvpn# uname -a
Linux xxxx 3.13.0-79-generic #123-Ubuntu SMP Fri Feb 19 14:27:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

ifconfig tun0

Code: Select all

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.a.b.c  P-t-P:10.a.b.d  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:206295348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155141003 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:211743522723 (211.7 GB)  TX bytes:55917175516 (55.9 GB)

server.conf is

Code: Select all

port 1194
tun-mtu 1400
tls-server
proto tcp
dev tun
ca  /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/firewall.crt
key /etc/openvpn/easy-rsa/keys/firewall.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.2.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt 600
push "route 192.168.x.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS m.n.o.p"
push "dhcp-option DNS d.e.f.g"
client-to-client
keepalive 20 60
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

server.log

Code: Select all

Tue Dec 19 00:42:46 2017 85.98.x.y:53736 [client1] Peer Connection Initiated with [AF_INET]85.98.x.y:53736
Tue Dec 19 00:42:46 2017 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

Client1 PC is Win 7 Pro 64 bit.
Client1 ovpn file is
client1

Code: Select all

tls-client
client
dev tun
proto tcp
tun-mtu 1400
remote a.b.c.d 1194
resolv-retry infinite
pkcs12 example.p12
askpass con.txt
resolv-retry infinite
ns-cert-type server
comp-lzo
verb 3
status /var/log/openvpn-status.log
route-method exe
route-delay 2

And then I noticed something.
My ipp.txt is

Code: Select all

client4,10.2.1.4
client5,10.2.1.8
client6,10.2.1.12
client7,10.2.1.16
client8,10.2.1.20

I deleted client8 in ipp.txt.
My ipp.txt is

Code: Select all

client4,10.2.1.4
client5,10.2.1.8
client6,10.2.1.12
client7,10.2.1.16


And I restarted with "/etc/init.d/openvpn restart".
client8 is not removed. I can see it again.
My ipp.txt is

Code: Select all

client4,10.2.1.4
client5,10.2.1.8
client6,10.2.1.12
client7,10.2.1.16
client8,10.2.1.20

But my server.conf has "client-config-dir /etc/openvpn/ccd"
and the ccd folder is

Code: Select all

more client4 
ifconfig-push 10.2.1.93 10.2.1.94

Code: Select all

more client5 
ifconfig-push 10.2.1.97 10.2.1.98

Code: Select all

more client6 
client6: No such file or directory

Code: Select all

more client7 
ifconfig-push 10.2.1.101 10.2.1.102

Code: Select all

more client8
client8: No such file or directory

"Note: client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt."

Could it be an interesting thing with that? What can I do?

If they are not enough, shall I make verb 4 in server.conf?

Post by TinCanTech » Wed Dec 20, 2017 3:39 pm

secoonder wrote:
Sun Dec 10, 2017 6:06 am
3 network failures connected with VPN. This happened for 20 minutes. This client network was not a download/upload problem.

And then the problem is solved.

This is the problem you must document properly ..
And it probably has nothing to do with OpenVPN but is some unrelated network error.

secoonder wrote:
Tue Dec 19, 2017 5:14 pm
If they are not enough, shall I make verb 4 in server.conf?

If it happens again then capture your server and client log at verb 4.

Post by secoonder » Wed Jan 10, 2018 3:35 pm

Thank you. Today the problem happened again. My log is

Code: Select all

Wed Jan 10 09:23:48 2018 us=635372 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635410 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635423 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635572 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635698 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635708 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635935 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635947 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636150 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636183 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636194 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636204 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636213 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636221 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636230 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636239 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636249 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=726682 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=845551 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)

Some users' connections were connected or disconnected for 1 hour. The main VPN server line is normal.
Can you help me?

Post by TinCanTech » Wed Jan 10, 2018 6:22 pm

secoonder wrote: "Note: client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt."

You mean they left the company ?

If so you need to revoke their certificates because it looks like they are trying (and succeeding) to DOS you.

Post by secoonder » Wed Jan 10, 2018 6:35 pm

You mean they left the company ?

I deleted your OpenVPN files.
But their config files could not be deleted on my OpenVPN server.
We have protection from DDoS.
My error has not changed.
My OpenVPN server:

Code: Select all

root@gxxxxr:~# ethtool tun0
Settings for tun0:
        Supported ports: [ ]
        Supported link modes:   Not reported
        Supported pause frame use: No
        Supports auto-negotiation: No
        Advertised link modes:  Not reported
        Advertised pause frame use: No
        Advertised auto-negotiation: No
        Speed: 10Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: off
        MDI-X: Unknown
        Current message level: 0xffffffa1 (-95)
                               drv ifup tx_err tx_queued intr tx_done rx_status pktdata hw wol 0xffff8000
        Link detected: yes

Can you help me, TinCanTech?

Post by TinCanTech » Wed Jan 10, 2018 6:46 pm

secoonder wrote:
Wed Jan 10, 2018 6:35 pm
You mean they left the company ?

I deleted your OpenVPN files.
But their config files could not be deleted on my OpenVPN server.
We have protection from DDoS.
My error has not changed.
My OpenVPN server:

Code: Select all

root@gxxxxr:~# ethtool tun0
Settings for tun0:
        Supported ports: [ ]
        Supported link modes:   Not reported
        Supported pause frame use: No
        Supports auto-negotiation: No
        Advertised link modes:  Not reported
        Advertised pause frame use: No
        Advertised auto-negotiation: No
        Speed: 10Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: off
        MDI-X: Unknown
        Current message level: 0xffffffa1 (-95)
                               drv ifup tx_err tx_queued intr tx_done rx_status pktdata hw wol 0xffff8000
        Link detected: yes

Can you help me, TinCanTech?

This is irrelevant.

TinCanTech wrote:
Wed Jan 10, 2018 6:22 pm
secoonder wrote: "Note: client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt."
You mean they left the company ?

If so you need to revoke their certificates because it looks like they are trying (and succeeding) to DOS you.
TinCanTech wrote:
Sun Dec 10, 2017 1:19 pm
We need complete logs.

Please see:
HOWTO: Request Help ! {2}

What you have posted looks exactly like a DOS attack by employees who have left the company but who still have access to your VPN.

I reiterate: you need to revoke their certificates
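
An added example, not part of the thread: the server writes the "new connection by client" message quoted above when a certificate name connects while it already has an active session, so counting those events and the distinct source addresses per name shows which certificates keep displacing their own sessions. The function names and the sample lines (documentation addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise, per certificate common name,
# how often a new connection displaced an active session and from how many
# distinct source addresses that name connected.

# Constructed sample in the server-log format quoted above (documentation IPs).
sample_log() {
    cat <<'EOF'
Tue Dec 19 00:42:46 2017 203.0.113.7:53736 [client1] Peer Connection Initiated with [AF_INET]203.0.113.7:53736
Tue Dec 19 00:42:46 2017 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.
Tue Dec 19 00:43:10 2017 198.51.100.9:41022 [client8] Peer Connection Initiated with [AF_INET]198.51.100.9:41022
Tue Dec 19 00:43:10 2017 MULTI: new connection by client 'client8' will cause previous active sessions by this client to be dropped.
Tue Dec 19 00:43:40 2017 192.0.2.44:50111 [client8] Peer Connection Initiated with [AF_INET]192.0.2.44:50111
Tue Dec 19 00:43:40 2017 MULTI: new connection by client 'client8' will cause previous active sessions by this client to be dropped.
EOF
}

# cn_churn [FILE...] -> lines "NAME drops=N sources=M", sorted by name.
cn_churn() {
    awk -v q="'" '
    / Peer Connection Initiated with \[AF_INET/ {
        cn = ""; src = $NF
        for (i = 1; i < NF; i++)
            if ($i ~ /^\[.*\]$/ && $(i + 1) == "Peer")
                cn = substr($i, 2, length($i) - 2)
        sub(/^\[AF_INET6?\]/, "", src)   # drop the address-family tag
        sub(/:[0-9]+$/, "", src)         # drop the source port
        if (cn != "" && !((cn, src) in seen)) { seen[cn, src] = 1; nsrc[cn]++ }
    }
    /MULTI: new connection by client / {
        if (match($0, "client " q "[^" q "]*" q)) {
            cn = substr($0, RSTART + 8, RLENGTH - 9)
            drops[cn]++
        }
    }
    END { for (cn in drops) printf "%s drops=%d sources=%d\n", cn, drops[cn], nsrc[cn] }
    ' "$@" | sort
}

# Stand-alone run: a file argument, or the constructed sample.
if [ $# -gt 0 ]; then cn_churn "$@"; else sample_log | cn_churn; fi
```

A name with many drops from a single source is usually one client reconnecting; the same name arriving from several sources means the certificate is in use in more than one place.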

Post by secoonder » Wed Jan 10, 2018 7:17 pm

I cancelled your certificates. Is there a relationship with the switch and eth0 speed/duplex settings?

Post by TinCanTech » Wed Jan 10, 2018 9:14 pm

Take note: if you have revoked some certificates then you need to load a certificate revocation list.

See --crl-verify in The Manual v24x

Also, you may find google helps you translate to English.


Vpn access block problem

Post by secoonder » Fri Jan 19, 2018 2:02 pm

Hello
One user connects to the VPN server from home. This user left work. I want to block this user's access to the VPN server.

Firstly, I deleted the user.ovpn, user.p12, user.crt, user.csr files. But this client can still connect to the VPN server.
What can I do?

Post by TinCanTech » Fri Jan 19, 2018 2:18 pm

TinCanTech wrote:
Wed Jan 10, 2018 6:22 pm
secoonder wrote: "Note: client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt."
You mean they left the company ?

If so you need to revoke their certificates because it looks like they are trying (and succeeding) to DOS you.
TinCanTech wrote:
Wed Jan 10, 2018 9:14 pm
Take note: if you have revoked some certificates then you need to load a certificate revocation list.

See --crl-verify in The Manual v24x

Also, you may find google helps you translate to English.

That is the solution.

Post by secoonder » Tue Jan 23, 2018 3:44 am

TinCanTech
Thank you. I reconfigured the VPN server. I added the --crl-verify module.
When I revoked the certificates, I got an error

Code: Select all

CRL: cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: Permission denied (errno=13)

I searched the internet and I added

Code: Select all

sudo chown -R nobody /etc/openvpn/easy-rsa/keys 

The revoke script is working now.
But does adding this command create a security problem?
Because all VPN files are owned by nobody, not root.

I have an idea.
1) I move the crl.pem file from /etc/openvpn/easy-rsa/keys/ to /etc/openvpn
2) chown nobody crl.pem
3) chown -R root /etc/openvpn/easy-rsa/keys/
4) /etc/init.d/openvpn restart
Which is the best idea, TinCanTech?

Post by TinCanTech » Tue Jan 23, 2018 1:17 pm

Your second option sounds ok.

If your server drops privileges to --user nobody then crl.pem must be readable by that user because it is read every time a certificate is verified.
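
An added example, not part of the thread: a check of the layout discussed in the last two posts, where crl.pem has to be readable by the unprivileged account while the key directory stays closed to it. The function names and the optional TOP argument are assumptions of this example; it reads mode bits with GNU `stat`, assumes the account is neither owner nor group of the paths, and ignores ACLs.

```shell
#!/bin/sh
# Added example, not from the thread. OpenVPN runs as "user nobody" and must
# still read crl.pem; the key directory should stay closed to that account.
# Only mode bits are inspected, so the answer is the same when run as root.
# Assumes the account is neither owner nor group of the paths; ACLs ignored.

# other_bits PATH -> last octal digit of the mode (the "other" permissions).
other_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2   # GNU stat, as on Ubuntu
    echo "${mode#"${mode%?}"}"
}

# crl_blocker FILE [TOP] -> prints what stops "other" from reading FILE,
# checking FILE and each parent directory up to TOP (default /).
# Returns 0 if readable, 1 if blocked, 2 if FILE does not exist.
crl_blocker() (
    top=${2:-/}
    [ -f "$1" ] || { echo "missing: $1"; exit 2; }
    dir=$(cd "$(dirname -- "$1")" && pwd -P) || exit 2
    file=$dir/$(basename -- "$1")
    # The file itself needs the read bit for "other" (o+r).
    [ $(( $(other_bits "$file") & 4 )) -ne 0 ] ||
        { echo "file not o+r: $file"; exit 1; }
    # Every directory on the path needs the search bit for "other" (o+x).
    while :; do
        [ $(( $(other_bits "$dir") & 1 )) -ne 0 ] ||
            { echo "directory not o+x: $dir"; exit 1; }
        case $dir in "$top"|/) break ;; esac
        dir=$(dirname -- "$dir")
    done
    echo "ok: $file"
)

# owned_by USER DIR -> lists entries under DIR owned by USER (name or uid).
# Anything listed can be modified by the account the daemon runs as.
owned_by() {
    find "$2" -user "$1" -print
}

# Stand-alone use, e.g.: sh crl_check.sh /etc/openvpn/crl.pem
if [ $# -gt 0 ]; then crl_blocker "$@"; fi
```

A world-readable crl.pem inside a mode-700 directory is still reported as blocked, which is one way to get the `Permission denied (errno=13)` shown above; `owned_by nobody /etc/openvpn/easy-rsa/keys` should print nothing once ownership is back with root.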
