openvpn client does not reestablish connection (ubuntu server)

turnbeutel
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 19, 2021 1:33 pm

openvpn client does not reestablish connection (ubuntu server)

Post by turnbeutel » Mon Jul 19, 2021 1:54 pm

Dear ovpn community,

I use OpenVPN in the client role to connect to a VPN provider. Every
once in a while I get disconnected. Then openvpn will try to
reconnect, fails, reconnects, fails with the following messages:

Jul 19 00:07:59 mybox ovpn-TCP-my-connection[29426]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jul 19 00:07:59 mybox ovpn-TCP-my-connection[29426]: TCP/UDP: Preserving recently used remote address: [AF_INET]179.136.149.4:443
Jul 19 00:07:59 mybox ovpn-TCP-my-connection[29426]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Jul 19 00:07:59 mybox ovpn-TCP-my-connection[29426]: Attempting to establish TCP connection with [AF_INET]179.136.149.4:443 [nonblock]
Jul 19 00:09:59 mybox ovpn-TCP-my-connection[29426]: TCP: connect to [AF_INET]179.136.148.4:443 failed: Connection timed out
Jul 19 00:09:59 mybox ovpn-TCP-my-connection[29426]: SIGUSR1[connection failed(soft),init_instance] received, process restarting

Digging a bit deeper into the issue, I suspect a problem with the
routing table:

root@mybox:/etc/openvpn# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 187.16.64.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp1s0
128.0.0.0 187.16.64.1 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp1s0
192.168.0.1 0.0.0.0 255.255.255.255 UH 100 0 0 enp1s0
187.16.64.0 0.0.0.0 255.255.248.0 U 0 0 0 tun0
179.136.148.3 192.168.0.1 255.255.255.255 UGH 0 0 0 enp1s0

From my perspective the "128.0.0.0" entry causes traffic to be routed
via the broken tun0 device. As a consequence, the connection to the
provider can not be reestablished. If I delete it, reconnecting is
successful.

Are these rules pushed by the provider into my routing table and if
so, how can I make openvpn discard them before trying to reestablish a
broken connection?

I use Ubuntu 20 Server and the .conf file looks as follows:

Any type of help would be appreciated.

Cheers,

Thomas

ovpn-TCP-my-connection.conf:

setenv FORWARD_COMPATIBLE 1
setenv UV_SERVERID 1111
client
dev tun
proto tcp
remote 179.136.148.4
port 443
nobind
persist-key
persist-tun
ns-cert-type server
tls-version-min 1.2 or-highest
key-direction 1
push-peer-info
cipher AES-256-CBC
comp-lzo
verb 3
mute 20
reneg-sec 86400
mute-replay-warnings
max-routes 1000
# block-outside-dns

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn client does not reestablish connection (ubuntu server)

Post by TinCanTech » Mon Jul 19, 2021 2:06 pm

Please set --verb 4 in your config and post a complete log showing the problem.

turnbeutel
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 19, 2021 1:33 pm

Re: openvpn client does not reestablish connection (ubuntu server)

Post by turnbeutel » Wed Jul 21, 2021 6:40 am

It took some time until the error came up. Here is last night's log:

Jul 21 07:56:20 mybox ovpn-TCP-my-connection[56329]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jul 21 07:56:20 mybox ovpn-TCP-my-connection[56329]: TCP/UDP: Preserving recently used remote address: [AF_INET]197.254.138.6:443
Jul 21 07:56:20 mybox ovpn-TCP-my-connection[56329]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Jul 21 07:56:20 mybox ovpn-TCP-my-connection[56329]: Attempting to establish TCP connection with [AF_INET]197.254.149.4:443 [nonblock]
Jul 21 07:58:20 mybox ovpn-TCP-my-connection[56329]: TCP: connect to [AF_INET]197.254.138.6:443 failed: Connection timed out
Jul 21 07:58:20 mybox ovpn-TCP-my-connection[56329]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jul 21 07:58:20 mybox ovpn-TCP-my-connection[56329]: Restart pause, 300 second(s)

I added

verb 4

in the config file and restarted openvpn. However, the unsuccessful reconnect does not look that much more verbose than the last excerpt:

Then I deleted the 128.0.0.0 entry and restarted openvpn.

> route del -net 128.0.0.0 netmask 128.0.0.0
> service openvpn restart

This time the log was more verbose for the successful connection:

Jul 21 08:15:13 mybox systemd[1]: Stopped OpenVPN connection to TCP-my-connection.
Jul 21 08:15:13 mybox systemd[1]: Starting OpenVPN connection to TCP-my-connection...
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
Jul 21 08:15:13 mybox systemd[1]: Started OpenVPN connection to TCP-my-connection.
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.144.138.6:443
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Jul 21 08:15:13 mybox ovpn-TCP-my-connection[76509]: Attempting to establish TCP connection with [AF_INET]197.254.149.4:443 [nonblock]
Jul 21 08:15:14 mybox ovpn-TCP-my-connection[76509]: TCP connection established with [AF_INET]197.254.138.6:443
Jul 21 08:15:14 mybox ovpn-TCP-my-connection[76509]: TCP_CLIENT link local: (not bound)
Jul 21 08:15:14 mybox ovpn-TCP-my-connection[76509]: TCP_CLIENT link remote: [AF_INET]197.254.138.6:443
Jul 21 08:15:14 mybox ovpn-TCP-my-connection[76509]: TLS: Initial packet from [AF_INET]197.254.138.6:443, sid=edf8d3ef b854eefc
Jul 21 08:15:14 mybox ovpn-TCP-my-connection[76509]: VERIFY OK: depth=1, C=.., ST=.., L=.., O=.., OU=.., CN=ASCA2, emailAddress=..
Jul 21 08:15:14 mybox ovpn-TCP-my-connection[76509]: VERIFY OK: nsCertType=SERVER
Jul 21 08:15:14 mybox ovpn-TCP-my-connection[76509]: VERIFY OK: depth=0, CN=SERVER1111
Jul 21 08:15:15 mybox ovpn-TCP-my-connection[76509]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jul 21 08:15:15 mybox ovpn-TCP-my-connection[76509]: [SERVER1111] Peer Connection Initiated with [AF_INET]197.254.138.6:443
Jul 21 08:15:16 mybox ovpn-TCP-my-connection[76509]: SENT CONTROL [SERVER1111]: 'PUSH_REQUEST' (status=1)
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: SENT CONTROL [SERVER1111]: 'PUSH_REQUEST' (status=1)
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp option DNS 192.16.112.1,ping 10,ping-restart 90,comp-lzo no,route-gateway 192.16.112.1,topology subnet,socket-flags TCP_NODELAY,sndbuf 0,rcvbuf 0,ifconfig 192.16.112.15 255.255.248.0'
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: compression parms modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: Socket Buffers: R=[131072->131072] S=[87040->87040]
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: --socket-flags option modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: Socket flags: TCP_NODELAY=1 succeeded
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: route options modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: route-related options modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 21 08:15:21 mybox systemd-udevd[76514]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jul 21 08:15:21 mybox networkd-dispatcher[654]: WARNING:Unknown index 11 seen, reloading interface list
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 21 08:15:21 mybox systemd-networkd[595]: tun0: Link UP
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 21 08:15:21 mybox systemd-networkd[595]: tun0: Gained carrier
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp1s0 HWADDR=00:0d:b9:50:fb:c4
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: TUN/TAP device tun0 opened
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: TUN/TAP TX queue length set to 100
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: /sbin/ip link set dev tun0 up mtu 1500
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: /sbin/ip addr add dev tun0 192.16.112.15/21 broadcast 192.16.119.255
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: /sbin/ip route add 197.254.138.6/32 via 192.168.0.1
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: /sbin/ip route add 0.0.0.0/1 via 192.16.112.1
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: /sbin/ip route add 128.0.0.0/1 via 192.16.112.1
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 21 08:15:21 mybox ovpn-TCP-my-connection[76509]: Initialization Sequence Completed

It seems as if the routing entries were pushed from the provider. There is also some --ip-win32 option added. The config files always seem to be tailored for windows. Maybe that's the problem?
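
Added example, not part of any post in this thread: a check of which interface the routing table selects for the VPN remote once the pushed `redirect-gateway def1` routes (0.0.0.0/1 and 128.0.0.0/1) are installed. The sample table is constructed with documentation addresses, and the function names and the `tun` interface prefix are assumptions of this example.

```python
import ipaddress

# Constructed sample modelled on the `route -n` output in the thread;
# addresses are documentation ranges, not the poster's.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp1s0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.248.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0
198.51.100.3    192.168.0.1     255.255.255.255 UGH   0      0        0 enp1s0
"""

def parse_route_n(text):
    """Return (network, gateway, metric, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue  # skip the two header lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        routes.append((net, f[1], int(f[4]), f[7]))
    return routes

def select_route(routes, dest):
    """Longest-prefix match, lowest metric as tie-break."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2])) if hits else None

def reconnect_path(text, remote, tun_prefix="tun"):
    """Say whether a new connection to `remote` would leave via the tunnel."""
    route = select_route(parse_route_n(text), remote)
    if route is None:
        return "unreachable"
    return "via-tunnel" if route[3].startswith(tun_prefix) else "bypasses-tunnel"

if __name__ == "__main__":
    # The /32 host route covers only .3; .4 falls through to 128.0.0.0/1 on tun0.
    for remote in ("198.51.100.3", "198.51.100.4"):
        print(remote, reconnect_path(ROUTE_N, remote))
```

Feeding it the live `route -n` output and the address from the `remote` line while a reconnect is hanging shows whether the connection attempt is being sent into the tunnel that is down.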

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: openvpn client does not reestablish connection (ubuntu server)

Post by 300000 » Wed Jul 21, 2021 7:56 am

If you add this one into client config, it will auto reconnect for you.

remap-usr1 SIGHUP

turnbeutel
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 19, 2021 1:33 pm

Re: openvpn client does not reestablish connection (ubuntu server)

Post by turnbeutel » Wed Jul 21, 2021 8:28 am

Thanks for your suggestion. OpenVPN configs look very cryptic to me and I have no idea what it does, but I will report about any improvements.

turnbeutel
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 19, 2021 1:33 pm

Re: openvpn client does not reestablish connection (ubuntu server)

Post by turnbeutel » Wed Jul 28, 2021 5:42 pm

Wanted to report on the improvements: I still get timeouts once in a while for reasons I do not understand, but now it properly reconnects. Many thanks, 300000, for your advice.

Regards,

Thomas
