Vpn Server Connection lost suddenly

secoonder
OpenVpn Newbie
Posts: 14
Joined: Sat Feb 27, 2016 11:24 am

Vpn Server Connection lost suddenly

Post by secoonder » Sun Dec 10, 2017 6:06 am

I am using Ubuntu 14.04. I installed OpenVPN Server three years ago. I am using site-to-site VPN.
8 different networks talk to my main network (my VPN server is here)... (Network A, B, C ... , H)
It works properly.
Yesterday, some VPN client networks started to lose their connections. After three minutes, their connections were successful.

3 network failures connected with VPN. This happened for 20 minutes. This client network did not have a download/upload problem.

And then the problem is solved.
What happened was I reconnected before I did anything. 8 VPN clients' certificates are different? I could not understand the problem.
My VPN Server log is

Code: Select all

"New Connection by client "myclient" will cause previous active,sessions by this client to be dropped.Remember to use the--duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect."

My Vpn Server conf is

Code: Select all

port 1194
tun-mtu 1400
tls-server
proto tcp
dev tun
ca  /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/firewall.crt
key /etc/openvpn/easy-rsa/keys/firewall.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.2.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt 600
push "route 192.168.x.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS m.n.o.p"
push "dhcp-option DNS d.e.f.g"
client-to-client
keepalive 20 60
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

My VPN client conf is (one of the eight)

Code: Select all

tls-client
client
dev tun
proto tcp
tun-mtu 1400
remote a.b.c.d 1194
resolv-retry infinite
pkcs12 example.p12
askpass con.txt
resolv-retry infinite
ns-cert-type server
comp-lzo
verb 3
status /var/log/openvpn-status.log
route-method exe
route-delay 2

How can I solve this problem?
Can you help me?
Thank you very much for your help.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Vpn Server Connection lost suddenly

Post by TinCanTech » Sun Dec 10, 2017 1:19 pm

We need complete logs.

Please see:
HOWTO: Request Help ! {2}


Post by secoonder » Tue Dec 19, 2017 5:14 pm

Thank you, TinCanTech.
When these problems occur, some clients were properly connected to my VPN server. But some clients disconnected from it, but these clients have internet at the same time. ? :D :D
My VPN server is

Code: Select all

root@xxxx:/etc/openvpn# uname -a
Linux xxxx 3.13.0-79-generic #123-Ubuntu SMP Fri Feb 19 14:27:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ifconfig tun0

Code: Select all

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.a.b.c  P-t-P:10.a.b.d  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:206295348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155141003 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:211743522723 (211.7 GB)  TX bytes:55917175516 (55.9 GB)
server.conf is

Code: Select all

port 1194
tun-mtu 1400
tls-server
proto tcp
dev tun
ca  /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/firewall.crt
key /etc/openvpn/easy-rsa/keys/firewall.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.2.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt 600
push "route 192.168.x.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS m.n.o.p"
push "dhcp-option DNS d.e.f.g"
client-to-client
keepalive 20 60
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
server.log

Code: Select all

Tue Dec 19 00:42:46 2017 85.98.x.y:53736 [client1] Peer Connection Initiated with [AF_INET]85.98.x.y:53736
Tue Dec 19 00:42:46 2017 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

Client1 PC is Win 7 Pro 64 bit.
Client1 ovpn file is
client1

Code: Select all

tls-client
client
dev tun
proto tcp
tun-mtu 1400
remote a.b.c.d 1194
resolv-retry infinite
pkcs12 example.p12
askpass con.txt
resolv-retry infinite
ns-cert-type server
comp-lzo
verb 3
status /var/log/openvpn-status.log
route-method exe
route-delay 2

And then I noticed something.
My ipp.txt is

Code: Select all

client4,10.2.1.4
client5,10.2.1.8
client6,10.2.1.12
client7,10.2.1.16
client8,10.2.1.20

I deleted client8 in ipp.txt.
My ipp.txt is

Code: Select all

client4,10.2.1.4
client5,10.2.1.8
client6,10.2.1.12
client7,10.2.1.16


and I restarted "/etc/init.d/openvpn restart".
The client8 is not removed. I can see it again.
My ipp.txt is

Code: Select all

client4,10.2.1.4
client5,10.2.1.8
client6,10.2.1.12
client7,10.2.1.16
client8,10.2.1.20

But my server.conf has "client-config-dir /etc/openvpn/ccd"
and the ccd folder is

Code: Select all

more client4 
ifconfig-push 10.2.1.93 10.2.1.94

Code: Select all

more client5 
ifconfig-push 10.2.1.97 10.2.1.98

Code: Select all

more client6 
client6: No such file or directory

Code: Select all

more client7 
ifconfig-push 10.2.1.101 10.2.1.102

Code: Select all

more client8
client8: No such file or directory

"Note: Client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt"

Could it be an interesting thing with that? What can I do?

If they are not enough, shall I make it verb 4 in server.conf?


Post by TinCanTech » Wed Dec 20, 2017 3:39 pm

secoonder wrote:
Sun Dec 10, 2017 6:06 am
3 network failures connected with VPN. This happened for 20 minutes. This client network did not have a download/upload problem.

And then the problem is solved.
This is the problem you must document properly ..
And it probably has nothing to do with OpenVPN but is some unrelated network error.
secoonder wrote:
Tue Dec 19, 2017 5:14 pm
If they are not enough, shall I make it verb 4 in server.conf?
If it happens again then capture your server and client log at verb 4.


Post by secoonder » Wed Jan 10, 2018 3:35 pm

Thank you. Today the problem happened again. My log is

Code: Select all

Wed Jan 10 09:23:48 2018 us=635372 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635410 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635423 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635572 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635698 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635708 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635935 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=635947 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636150 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636183 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636194 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636204 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636213 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636221 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636230 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636239 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=636249 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=726682 xzbd/1.2.3.4MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Wed Jan 10 09:23:48 2018 us=845551 xzbd/1.2.3.4 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)

Some users' connections were connected or disconnected for 1 hour. The main VPN server line is normal.
Can you help me?


Post by TinCanTech » Wed Jan 10, 2018 6:22 pm

secoonder wrote: "Note: Client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt"
You mean they left the company ?

If so you need to revoke their certificates because it looks like they are trying (and succeeding) to DOS you.


Post by secoonder » Wed Jan 10, 2018 6:35 pm

You mean they left the company ?
I deleted your OpenVPN files.
But their config files could not be deleted on my OpenVPN server.
We have protection from DDoS.
My error has not changed.
My OpenVPN server:

Code: Select all

root@gxxxxr:~# ethtool tun0
Settings for tun0:
        Supported ports: [ ]
        Supported link modes:   Not reported
        Supported pause frame use: No
        Supports auto-negotiation: No
        Advertised link modes:  Not reported
        Advertised pause frame use: No
        Advertised auto-negotiation: No
        Speed: 10Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: off
        MDI-X: Unknown
        Current message level: 0xffffffa1 (-95)
                               drv ifup tx_err tx_queued intr tx_done rx_status pktdata hw wol 0xffff8000
        Link detected: yes

Can you help me, TinCanTech?


Post by TinCanTech » Wed Jan 10, 2018 6:46 pm

secoonder wrote:
Wed Jan 10, 2018 6:35 pm
You mean they left the company ?
I deleted your OpenVPN files.
But their config files could not be deleted on my OpenVPN server.
We have protection from DDoS.
My error has not changed.
My OpenVPN server:

Code: Select all

root@gxxxxr:~# ethtool tun0
Settings for tun0:
        Supported ports: [ ]
        Supported link modes:   Not reported
        Supported pause frame use: No
        Supports auto-negotiation: No
        Advertised link modes:  Not reported
        Advertised pause frame use: No
        Advertised auto-negotiation: No
        Speed: 10Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: off
        MDI-X: Unknown
        Current message level: 0xffffffa1 (-95)
                               drv ifup tx_err tx_queued intr tx_done rx_status pktdata hw wol 0xffff8000
        Link detected: yes

Can you help me, TinCanTech?
This is irrelevant.
TinCanTech wrote:
Wed Jan 10, 2018 6:22 pm
secoonder wrote: "Note: Client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt"
You mean they left the company ?

If so you need to revoke their certificates because it looks like they are trying (and succeeding) to DOS you.
TinCanTech wrote:
Sun Dec 10, 2017 1:19 pm
We need complete logs.

Please see:
HOWTO: Request Help ! {2}
What you have posted looks exactly like a DOS attack by employees who have left the company but who still have access to your VPN.

I reiterate: you need to revoke their certificates
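
One way to check the server log for the pattern this reply points at, as an added example that is not part of the original thread: it counts connects per certificate CN and flags CNs missing from the list of current clients, CNs seen from more than one source address, and CNs whose sessions keep replacing each other. The log lines and the inventory set are constructed; the message formats follow the server.log excerpts posted above.

```python
import re
from collections import defaultdict

# Timestamp prefix of an OpenVPN log line; "us=NNN" only appears at verb 4+.
LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}(?: us=\d+)? (?P<msg>.*)$")
CONNECT = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated")
REPLACED = re.compile(
    r"MULTI: new connection by client '(?P<cn>[^']+)' will cause previous active sessions")

# Constructed sample (documentation addresses), mixing verb 3 and verb 4 timestamps.
SAMPLE_LOG = """\
Tue Dec 19 00:42:46 2017 192.0.2.10:53736 [client1] Peer Connection Initiated with [AF_INET]192.0.2.10:53736
Tue Dec 19 00:42:49 2017 198.51.100.7:40112 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:40112
Tue Dec 19 00:42:49 2017 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped.
Tue Dec 19 00:43:02 2017 us=635372 203.0.113.5:48713 [client8] Peer Connection Initiated with [AF_INET]203.0.113.5:48713
Tue Dec 19 00:43:10 2017 192.0.2.44:50100 [client4] Peer Connection Initiated with [AF_INET]192.0.2.44:50100
"""


def triage(log_text, active_cns):
    """Return {cn: {"connects", "replaced", "sources", "flags"}} for one log."""
    stats = defaultdict(lambda: {"connects": 0, "replaced": 0, "sources": set()})
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # wrapped continuation or non-OpenVPN line
        msg = line.group("msg")
        hit = CONNECT.match(msg)
        if hit:
            entry = stats[hit.group("cn")]
            entry["connects"] += 1
            entry["sources"].add(hit.group("ip"))
            continue
        hit = REPLACED.search(msg)
        if hit:
            stats[hit.group("cn")]["replaced"] += 1

    report = {}
    for cn, entry in stats.items():
        flags = []
        if cn not in active_cns:
            flags.append("not-in-inventory")  # still authenticates: revoke + CRL
        if len(entry["sources"]) > 1:
            flags.append("multiple-sources")  # can be benign for roaming clients
        if entry["replaced"]:
            flags.append("session-replaced")  # sessions are evicting each other
        report[cn] = dict(entry, flags=flags)
    return report


if __name__ == "__main__":
    # Inventory is an assumption: the CNs that should still be allowed to connect.
    for cn, info in sorted(triage(SAMPLE_LOG, {"client1", "client4", "client5", "client7"}).items()):
        print(cn, info["connects"], sorted(info["sources"]), info["flags"])
```

For fixed site-to-site branches a `multiple-sources` hit on one CN is worth following up; for laptops on dynamic addresses it is expected.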


Post by secoonder » Wed Jan 10, 2018 7:17 pm

I cancelled your certificates. Is it related to the switch and eth0 speed/duplex settings?


Post by TinCanTech » Wed Jan 10, 2018 9:14 pm

Take note: if you have revoked some certificates then you need to load a certificate revocation list.

See --crl-verify in The Manual v24x

Also, you may find google helps you translate to English.


Vpn access block problem

Post by secoonder » Fri Jan 19, 2018 2:02 pm

Hello,
One user connects to the VPN server from home. This user left work. I want to block this user's access to the VPN server.

Firstly, I deleted the user.ovpn, user.p12, user.crt, user.csr files. But this client can still connect to the VPN server.
What can I do?


Post by TinCanTech » Fri Jan 19, 2018 2:18 pm

TinCanTech wrote:
Wed Jan 10, 2018 6:22 pm
secoonder wrote: "Note: Client6 and client8 left work. Thus I deleted their files, but I cannot delete them in ipp.txt"
You mean they left the company ?

If so you need to revoke their certificates because it looks like they are trying (and succeeding) to DOS you.
TinCanTech wrote:
Wed Jan 10, 2018 9:14 pm
Take note: if you have revoked some certificates then you need to load a certificate revocation list.

See --crl-verify in The Manual v24x

Also, you may find google helps you translate to English.
That is the solution.


Post by secoonder » Tue Jan 23, 2018 3:44 am

TinCanTech,
Thank you. I reconfigured the VPN server. I added the --crl-verify module.
When I revoked the certificates, I got an error

Code: Select all

CRL: cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: Permission denied (errno=13)

I searched the internet and I added

Code: Select all

sudo chown -R nobody /etc/openvpn/easy-rsa/keys 

The revoke script is working now.
But does adding this command create a security problem?
Because all VPN files are owned by nobody, not root.

I have an idea.
1) I move the crl.pem file from /etc/openvpn/easy-rsa/keys/ to /etc/openvpn
2) chown nobody crl.pem
3) chown -R root /etc/openvpn/easy-rsa/keys/
4) /etc/init.d/openvpn restart
Which is the best idea, TinCanTech?


Post by TinCanTech » Tue Jan 23, 2018 1:17 pm

Your second option sounds ok.

If your server drops privileges to --user nobody then crl.pem must be readable by that user because it is read every time a certificate is verified.
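
An added example (not from the thread) that compares the layouts discussed above for a daemon that drops to an unprivileged user: it checks whether that user can read the CRL, write the CRL, or read a private key, including the search bit on each parent directory. It assumes keys/ is mode 0700; the temp-dir layout, file names and uids are constructed stand-ins for /etc/openvpn, and the "moved" layout leaves the CRL at mode 0644 without changing its owner, which is a choice of this example rather than step 2 of the post.

```python
import os
import stat
import tempfile

R = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
W = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
X = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def allowed(path, uid, gids, bits):
    """Owner/group/other mode-bit check (ignores root, ACLs, capabilities)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def can_read(path, uid, gids, base):
    """Read bit on the file and search (x) bit on every directory up to `base`."""
    base = os.path.abspath(base)
    parent = os.path.dirname(os.path.abspath(path))
    while True:
        if not allowed(parent, uid, gids, X):
            return False
        if parent == base or parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return allowed(path, uid, gids, R)


def audit(crl, key, uid, gids, base):
    """Findings for a daemon running as `uid` after it has dropped privileges."""
    findings = []
    if not can_read(crl, uid, gids, base):
        findings.append("crl-unreadable")  # the errno=13 case
    if allowed(crl, uid, gids, W):
        findings.append("crl-writable")    # daemon user could replace the CRL
    if can_read(key, uid, gids, base):
        findings.append("key-readable")    # daemon user could copy the key
    return findings


def demo():
    """Constructed stand-in for /etc/openvpn; keys/ is 0700 (assumption)."""
    root = tempfile.mkdtemp()
    keys = os.path.join(root, "keys")
    os.mkdir(keys)
    layout = {"crl_old": (keys, "crl.pem"), "key": (keys, "server.key"),
              "crl_new": (root, "crl.pem")}
    p = {}
    for tag, (where, name) in layout.items():
        p[tag] = os.path.join(where, name)
        with open(p[tag], "w") as fh:
            fh.write("placeholder\n")
        os.chmod(p[tag], 0o600 if tag == "key" else 0o644)
    os.chmod(root, 0o755)
    os.chmod(keys, 0o700)
    st = os.stat(keys)
    owner, other, other_gids = st.st_uid, st.st_uid + 1, {st.st_gid + 1}
    return {
        "original": audit(p["crl_old"], p["key"], other, other_gids, root),  # CRL inside keys/
        "chown-R": audit(p["crl_old"], p["key"], owner, set(), root),  # daemon owns keys/
        "moved": audit(p["crl_new"], p["key"], other, other_gids, root),  # CRL outside keys/
    }


if __name__ == "__main__":
    print(demo())
```

A CRL holds no secrets, so read access is all the runtime user needs; ownership or write access to it, or to the keys directory, is not.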


Post by secoonder » Tue Apr 03, 2018 1:49 pm

TinCanTech,
I apologize to you. I will ask another question. I activated the crl-pem configuration.
Unfortunately, I've had this problem again.
This problem has been happening for 1 hour in 2 of 8 branches connected with VPN. The VPN connection goes down and up frequently.
Center location IP: 1.1.1.1, first client location IP: 2.2.2.2, second client location IP: 3.3.3.3

First client OpenVPN version: 2.3.2
Second client OpenVPN version: 2.2.1
1) I monitored the 1.1.1.1, 2.2.2.2, 3.3.3.3 internet MRTG traffic; there is no problem.
2) I called the ISP company. They said there was no DoS attack.
3) I looked at the OpenVPN client log.

Code: Select all

root@xxxx:~# more /var/log/openvpn-status.log
OpenVPN STATISTICS
Updated,Tue Apr  3 16:04:18 2018
TUN/TAP read bytes,65570708
TUN/TAP write bytes,121305473
TCP/UDP read bytes,125192577
TCP/UDP write bytes,71766971
Auth read bytes,121306125
pre-compress bytes,4641286
post-compress bytes,4338030
pre-decompress bytes,7046156
post-decompress bytes,10740825
END

There is not much to see from here. Can I see more of this part?

4) I looked at the OpenVPN server log.

Code: Select all

Tue Apr  3 12:47:26 2018 us=49893 2.2.2.2:48713 CRL CHECK OK: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=abcde, emailAddress=me@myhost.mydomain
Tue Apr  3 12:47:26 2018 us=50018 2.2.2.2:48713 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=abcde, emailAddress=me@myhost.mydomain
Tue Apr  3 12:47:26 2018 us=50556 2.2.2.2:48713 CRL CHECK OK: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=xxxxx, name=abcde, emailAddress=me@myhost.mydomain
Tue Apr  3 12:47:26 2018 us=50618 2.2.2.2:48713 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=xxxxx, name=abcde, emailAddress=me@myhost.mydomain
Tue Apr  3 12:47:26 2018 us=424879 2.2.2.2:48713 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr  3 12:47:26 2018 us=424897 2.2.2.2:48713 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr  3 12:47:26 2018 us=424937 2.2.2.2:48713 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr  3 12:47:26 2018 us=424942 2.2.2.2:48713 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr  3 12:47:26 2018 us=548704 2.2.2.2:48713 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Apr  3 12:47:26 2018 us=548728 2.2.2.2:48713 [xxxxx] Peer Connection Initiated with [AF_INET]2.2.2.2:48713
Tue Apr  3 12:47:26 2018 us=548760 xxxxx/2.2.2.2:48713 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/xxxxx
Tue Apr  3 12:47:26 2018 us=550753 xxxxx/2.2.2.2:48713 MULTI: Learn: 10.2.1.21 -> xxxxx/2.2.2.2:48713
Tue Apr  3 12:47:26 2018 us=550770 xxxxx/2.2.2.2:48713 MULTI: primary virtual IP for xxxxx/2.2.2.2:48713: 10.2.1.21
Tue Apr  3 12:47:26 2018 us=550777 xxxxx/2.2.2.2:48713 MULTI: internal route 192.168.4.0/24 -> xxxxx/2.2.2.2:48713
Tue Apr  3 12:47:26 2018 us=550784 xxxxx/2.2.2.2:48713 MULTI: Learn: 192.168.4.0/24 -> xxxxx/2.2.2.2:48713

Above it, Encrypt, Decrypt mean "Could it be that the meaning of the password is stolen"?
And the 12:22 log

Code: Select all

Tue Apr  3 12:22:00 2018 us=215418 bbb/3.3.3.3:43722 [bbb] Inactivity timeout (--ping-restart), restarting
Tue Apr  3 12:22:00 2018 us=215498 bbb/3.3.3.3:43722 SIGUSR1[soft,ping-restart] received, client-instance restarting
Tue Apr  3 12:22:00 2018 us=215943 TCP/UDP: Closing socket
and another log

Code: Select all

Tue Apr  3 12:22:05 2018 us=281448 MULTI: multi_create_instance called
Tue Apr  3 12:22:05 2018 us=281566 Re-using SSL/TLS context
Tue Apr  3 12:22:05 2018 us=281599 LZO compression initialized
Tue Apr  3 12:22:05 2018 us=281619 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Tue Apr  3 12:22:05 2018 us=281746 Control Channel MTU parms [ L:1444 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Apr  3 12:22:05 2018 us=281789 Data Channel MTU parms [ L:1444 D:1444 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr  3 12:22:05 2018 us=281846 Local Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Apr  3 12:22:05 2018 us=281865 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1444,tun-mtu 1400,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Apr  3 12:22:05 2018 us=281900 Local Options hash (VER=V4): '347277f0'
Tue Apr  3 12:22:05 2018 us=281929 Expected Remote Options hash (VER=V4): '7dfc3732'
Tue Apr  3 12:22:05 2018 us=281968 TCP connection established with [AF_INET]3.3.3.3:44651
Tue Apr  3 12:22:05 2018 us=281990 TCPv4_SERVER link local: [undef]
Tue Apr  3 12:22:05 2018 us=282011 TCPv4_SERVER link remote: [AF_INET]3.3.3.3:44651
Tue Apr  3 12:22:06 2018 us=264507 3.3.3.3:44651 TLS: Initial packet from [AF_INET]3.3.3.3:44651, sid=203ffa8c 3e501bf1

My server verb is 4; should this value be increased for more logs?

Do I change the VPN password? VPN passwords are not weak but may be stolen?
Because there are only problems in these two places.

Please help me, thank you very much.


Post by TinCanTech » Tue Apr 03, 2018 2:09 pm

secoonder wrote:
Tue Apr 03, 2018 1:49 pm
Do I change the VPN password? VPN passwords are not weak but may be stolen?
I do not know how you have protected your passwords .. is the client device in a locked room where only authorized personnel have access ? If you feel the need to change the password then do so ..

As for your VPN ..
secoonder wrote:
Tue Apr 03, 2018 1:49 pm
Tue Apr 3 12:47:26 2018 us=424879 2.2.2.2:48713 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 3 12:47:26 2018 us=424897 2.2.2.2:48713 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 3 12:47:26 2018 us=424937 2.2.2.2:48713 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 3 12:47:26 2018 us=424942 2.2.2.2:48713 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
This shows you what cipher is used to encrypt the data channel.
secoonder wrote:
Tue Apr 03, 2018 1:49 pm
Tue Apr 3 12:47:26 2018 us=548704 2.2.2.2:48713 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
This shows you what cipher is used to encrypt the control channel.

By the look of it you are running an old version of openvpn.

I would recommend you upgrade your servers and clients to version 2.4 if possible.

Also, use --cipher AES-256-CBC at least .. not BF-CBC because it is susceptible to SWEET32 attack if not used properly.
