Client VPN running but unreachable hosts after 16/24 hours

ZINGARO1972
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 08, 2021 2:03 pm

Client VPN running but unreachable hosts after 16/24 hours

Post by ZINGARO1972 » Wed Sep 08, 2021 2:22 pm

Hi, guys
I have a problem with a Linux OpenVPN client:
the VPN connection is always running, but after many hours (usually after 15 hours), the final servers inside the VPN are unreachable...
Note:
debugging with nmap resolves the VPN gateway and the final server (with the -Pn option), and tcpdump on the VPN interface shows only Flags "S".
I need to kill the openvpn process and restart it to make the servers reachable again.

Now I tried to analyze the debug file, but I don't understand how to find the information that shows how the VPN stops the traffic!

For example, see these logs:

1. VPN running after 3 hours

.................
2021-09-08 16:15:28 us=211828 TLS: tls_pre_encrypt: key_id=0
2021-09-08 16:15:28 us=211849 tls_prepend_opcode_v2
2021-09-08 16:15:28 us=211886 ENCRYPT IV: 00000174 89616d17 66fd79de
2021-09-08 16:15:28 us=211918 ENCRYPT FROM: fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
2021-09-08 16:15:28 us=211942 ENCRYPT AD: 48000000 00000174
2021-09-08 16:15:28 us=211988 ENCRYPT TO: 48000000 00000174 010c7e48 07104b7e 4a5ab1f0 523b2815 84abe7e5 31615ca[more...]
2021-09-08 16:15:28 us=212007 SENT PING
2021-09-08 16:15:28 us=212023 TIMER: coarse timer wakeup 10 seconds
2021-09-08 16:15:28 us=212053 RANDOM USEC=184155
2021-09-08 16:15:28 us=212073 PO_CTL rwflags=0x0003 ev=3 arg=0x006c8c80
2021-09-08 16:15:28 us=212090 PO_CTL rwflags=0x0000 ev=4 arg=0x006c8b68
2021-09-08 16:15:28 us=212116 I/O WAIT Tr|Tw|SR|SW [10/184155]
2021-09-08 16:15:28 us=212144 PO_WAIT[0,0] fd=3 rev=0x00000004 rwflags=0x0002 arg=0x006c8c80
2021-09-08 16:15:28 us=212162 event_wait returned 1
2021-09-08 16:15:28 us=212178 I/O WAIT status=0x0002
2021-09-08 16:15:28 us=212267 UDP WRITE [41] to [AF_INET]XXXXXXXXXXXXXXXXXXXXXXXXXX: P_DATA_V2 kid=0 DATA 00000000 00017401 0c7e4807 104b7e4a 5ab1f052 3b281584 abe7e531 615ca33[more...]
2021-09-08 16:15:28 us=212437 UDP write returned 41
2021-09-08 16:15:28 us=212503 PO_CTL rwflags=0x0001 ev=3 arg=0x006c8c80
2021-09-08 16:15:28 us=212522 PO_CTL rwflags=0x0001 ev=4 arg=0x006c8b68
2021-09-08 16:15:28 us=212595 I/O WAIT TR|Tw|SR|Sw [10/184155]
2021-09-08 16:15:28 us=257384 PO_WAIT[0,0] fd=3 rev=0x00000001 rwflags=0x0001 arg=0x006c8c80
2021-09-08 16:15:28 us=257468 event_wait returned 1
2021-09-08 16:15:28 us=257490 I/O WAIT status=0x0001
2021-09-08 16:15:28 us=257520 UDP read returned 41
2021-09-08 16:15:28 us=257606 UDP READ [41] from [AF_INET]XXXXXXXXXXXXXXXXXXXXX: P_DATA_V2 kid=0 DATA 00000000 00015520 1d4f6921 5c86ec18 08cc7393 b48e6d4c 9d68ef4b deedbe3[more...]
2021-09-08 16:15:28 us=257635 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]XXXXXXXXXXXXXXXXXXXXXXXXX
2021-09-08 16:15:28 us=257674 DECRYPT FROM: 00000155 201d4f69 215c86ec 1808cc73 93b48e6d 4c9d68ef 4bdeedbe 3da1646[more...]
2021-09-08 16:15:28 us=257698 DECRYPT IV: 00000155 cbdcb55f b6f082e0
2021-09-08 16:15:28 us=257724 DECRYPT MAC: 201d4f69 215c86ec 1808cc73 93b48e6d
2021-09-08 16:15:28 us=257749 DECRYPT FROM: 4c9d68ef 4bdeedbe 3da1646c d4190cab 94
2021-09-08 16:15:28 us=257771 DECRYPT AD: 48000000 00000155
2021-09-08 16:15:28 us=257801 DECRYPT TO: fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
2021-09-08 16:15:28 us=257844 PID_TEST [0] [SSL-0] [>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:340 0:341 t=1631110528[0] r=[0,64,15,0,1] sl=[44,64,64,528]
2021-09-08 16:15:28 us=257867 RECEIVED PING PACKET
2021-09-08 16:15:28 us=257886 PO_CTL rwflags=0x0001 ev=3 arg=0x006c8c80
2021-09-08 16:15:28 us=257903 PO_CTL rwflags=0x0001 ev=4 arg=0x006c8b68
2021-09-08 16:15:28 us=257926 I/O WAIT TR|Tw|SR|Sw [10/184155]
2021-09-08 16:15:28 us=638472 PO_WAIT[1,0] fd=4 rev=0x00000001 rwflags=0x0001 arg=0x006c8b68
2021-09-08 16:15:28 us=638536 event_wait returned 1
2021-09-08 16:15:28 us=638556 I/O WAIT status=0x0004

.................................


2. VPN still running after 7 hours, but server unreachable ...

2021-09-07 10:37:54 us=144884 ENCRYPT FROM: fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
2021-09-07 10:37:54 us=144934 ENCRYPT AD: 48000018 00000156
2021-09-07 10:37:54 us=144979 ENCRYPT TO: 48000018 00000156 c874bfe8 c054a84f bbe06ef6 8023a2b3 62d4124d 2c84a74[more...]
2021-09-07 10:37:54 us=144996 SENT PING
2021-09-07 10:37:54 us=145013 TIMER: coarse timer wakeup 10 seconds
2021-09-07 10:37:54 us=145057 TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=970503f2 cae16c1c, stored-sid=bfe1c8c1 c72d4209, stored-ip=[AF_INET]109.117.27.38:1194
2021-09-07 10:37:54 us=145076 TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=41 wakeup=604800
2021-09-07 10:37:54 us=145108 ACK reliable_send_timeout 604800 [8]
2021-09-07 10:37:54 us=145125 TLS: tls_process: timeout set to 558
2021-09-07 10:37:54 us=145152 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=546e0b19 f6785f99, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
2021-09-07 10:37:54 us=145179 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
2021-09-07 10:37:54 us=145211 RANDOM USEC=212375
2021-09-07 10:37:54 us=145230 PO_CTL rwflags=0x0003 ev=3 arg=0x006c7c80
2021-09-07 10:37:54 us=145246 PO_CTL rwflags=0x0000 ev=4 arg=0x006c7b68
2021-09-07 10:37:54 us=145271 I/O WAIT Tr|Tw|SR|SW [10/212375]
2021-09-07 10:37:54 us=145295 PO_WAIT[0,0] fd=3 rev=0x00000004 rwflags=0x0002 arg=0x006c7c80
2021-09-07 10:37:54 us=145312 event_wait returned 1
2021-09-07 10:37:54 us=145327 I/O WAIT status=0x0002
2021-09-07 10:37:54 us=145374 UDP WRITE [41] to [AF_INET]XXXXXXXXXXXXXXXXXXXXXX: P_DATA_V2 kid=0 DATA 00001800 000156c8 74bfe8c0 54a84fbb e06ef680 23a2b362 d4124d2c 84a744e[more...]
2021-09-07 10:37:54 us=145485 UDP write returned 41
2021-09-07 10:37:54 us=145547 PO_CTL rwflags=0x0001 ev=3 arg=0x006c7c80
2021-09-07 10:37:54 us=145565 PO_CTL rwflags=0x0001 ev=4 arg=0x006c7b68
2021-09-07 10:37:54 us=145587 I/O WAIT TR|Tw|SR|Sw [10/212375]
2021-09-07 10:38:02 us=968165 PO_WAIT[0,0] fd=3 rev=0x00000001 rwflags=0x0001 arg=0x006c7c80
2021-09-07 10:38:02 us=968267 event_wait returned 1
2021-09-07 10:38:02 us=968290 I/O WAIT status=0x0001
2021-09-07 10:38:02 us=968323 UDP read returned 41
2021-09-07 10:38:02 us=968382 UDP READ [41] from [AF_INET]XXXXXXXXXXXXXXXXXXXXXXXXXX: P_DATA_V2 kid=0 DATA 00001800 00013951 4089c60e d2e11336 ff97279b 93d4b540 7193f922 61870bd[more...]
2021-09-07 10:38:02 us=968428 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]XXXXXXXXXXXXXXXXXXXXXXXXXX
2021-09-07 10:38:02 us=968469 DECRYPT FROM: 00000139 514089c6 0ed2e113 36ff9727 9b93d4b5 407193f9 2261870b dcb7036[more...]
2021-09-07 10:38:02 us=968492 DECRYPT IV: 00000139 bcca46fa e227baea
2021-09-07 10:38:02 us=968520 DECRYPT MAC: 514089c6 0ed2e113 36ff9727 9b93d4b5
2021-09-07 10:38:02 us=968544 DECRYPT FROM: 407193f9 2261870b dcb70366 0f8b05cb b2
2021-09-07 10:38:02 us=968566 DECRYPT AD: 48000018 00000139
2021-09-07 10:38:02 us=968595 DECRYPT TO: fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
2021-09-07 10:38:02 us=968638 PID_TEST [0] [SSL-0] [>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:312 0:313 t=1631003882[0] r=[0,64,15,0,1] sl=[8,64,64,528]
2021-09-07 10:38:02 us=968659 RECEIVED PING PACKET
2021-09-07 10:38:02 us=968678 PO_CTL rwflags=0x0001 ev=3 arg=0x006c7c80
2021-09-07 10:38:02 us=968694 PO_CTL rwflags=0x0001 ev=4 arg=0x006c7b68
2021-09-07 10:38:02 us=968719 I/O WAIT TR|Tw|SR|Sw [2/212375]
......

Which return code can indicate that a VPN is no longer working, so that the service can be restarted correctly?
For now I have inserted the inactivity flag into the cfg files (I check and restart the VPN with crontab jobs), but I don't like this solution!

The configurations are:

;route-up /home/vpnconnect/config/vpnlist/piksel/route_up.sh
;local 192.168.52.103
verb 11
; management localhost 7506
dev XXXXXX
dev-type tun
persist-tun
persist-key
; nobind
client
remote XXXXXXXXXXXXXXXXX tcp
resolv-retry infinite
ca ca.crt
cert client2.crt
key client2.key
ns-cert-type server
comp-lzo
;route-noexec
script-security 2
inactive 180

and :

script-security 3
route-up /home/vpnconnect/config/vpnlist/ragusa/route_up.sh

verb 11
dev XXX
dev-type tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
;resolv-retry infinite
remote XXXXXXXXXXXX udp
verify-x509-name "VPN-Server" name
auth-user-pass
pkcs12 VPN-UDP4-1194-client-vpn.p12
tls-auth VPN-UDP4-1194-client-vpn-tls.key 1
remote-cert-tls server
comp-lzo adaptive
;local 192.168.52.104
route-noexec
nobind
inactive 480

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by TinCanTech » Wed Sep 08, 2021 3:07 pm

Try without --persist-tun.

Never use --route-noexec, use --pull-filter ignore "route " instead (Add routes if you need to).

Use --verb 4 only.

viewtopic.php?f=30&t=22603

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by 300000 » Wed Sep 08, 2021 8:19 pm

Remove this inactive 180; it will drop the connection after 180.

inactive n [bytes]
Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device. The time length of inactivity is measured since the last incoming or outgoing tunnel packet. The default value is 0 seconds, which disables this feature. If the optional bytes parameter is included, exit if less than bytes of combined in/out traffic are produced on the tun/tap device in n seconds.

You can try adding this one, "remap-usr1 SIGHUP": when the client is disconnected it will reconnect automatically, so it should work for you.

ZINGARO1972
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 08, 2021 2:03 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by ZINGARO1972 » Thu Sep 09, 2021 2:50 am

OK,
I will remove -route-exec and insert pull-filter-ignore route,
with inactive set to 10800

I update the post not in a few days

ZINGARO1972
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 08, 2021 2:03 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by ZINGARO1972 » Fri Sep 10, 2021 1:44 pm

Hi,
I tested this configuration:

verb 4
dev-type tun
;persist-tun
persist-key
client
remote 1xxxxxxxxxxxxxxx
resolv-retry infinite
ca ca.crt
cert client2.crt
key client2.key
ns-cert-type server
comp-lzo

; route-noexec
; route add 72.17.100.14 255.255.255.0
; push "route 172.17.0.0 255.255.0.0"

pull-filter ignore "route 10.1.1"
pull-filter ignore "route 10.11.13"

pull-filter ignore "route 10.55"
pull-filter ignore "route 10.100"

inactive 18000
But I have the same result: the VPN is still running after 5 hours, but the host is unreachable!

...............
...............
Thu Sep 9 23:43:41 2021 us=152469 VERIFY OK: depth=0, CN=vpksvpn01
Thu Sep 9 23:43:41 2021 us=172719 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 9 23:43:41 2021 us=172805 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 9 23:43:41 2021 us=172930 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 00:43:41 2021 us=467890 VERIFY OK: depth=1, CN=\0Dvpksvpn01
Fri Sep 10 00:43:41 2021 us=495241 VERIFY OK: nsCertType=SERVER
Fri Sep 10 00:43:41 2021 us=495304 VERIFY OK: depth=0, CN=vpksvpn01
Fri Sep 10 00:43:41 2021 us=516424 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 00:43:41 2021 us=516523 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 00:43:41 2021 us=516671 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 01:43:41 2021 us=5815 VERIFY OK: depth=1, CN=\0Dvpksvpn01
Fri Sep 10 01:43:41 2021 us=18616 VERIFY OK: nsCertType=SERVER
Fri Sep 10 01:43:41 2021 us=18674 VERIFY OK: depth=0, CN=vpksvpn01
Fri Sep 10 01:43:41 2021 us=40090 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 01:43:41 2021 us=40203 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 01:43:41 2021 us=40351 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 02:43:40 2021 us=799341 TLS: tls_process: killed expiring key
Fri Sep 10 02:43:41 2021 us=647455 TLS: soft reset sec=0 bytes=32242/-1 pkts=762/0
Fri Sep 10 02:43:41 2021 us=670281 VERIFY OK: depth=1, CN=\0Dvpksvpn01
Fri Sep 10 02:43:41 2021 us=670675 VERIFY OK: nsCertType=SERVER
Fri Sep 10 02:43:41 2021 us=670706 VERIFY OK: depth=0, CN=vpksvpn01
Fri Sep 10 02:43:41 2021 us=691875 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 02:43:41 2021 us=691950 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 02:43:41 2021 us=692058 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 03:43:41 2021 us=414784 TLS: soft reset sec=0 bytes=32245/-1 pkts=761/0
Fri Sep 10 03:43:41 2021 us=499495 VERIFY OK: depth=1, CN=\0Dvpksvpn01
Fri Sep 10 03:43:41 2021 us=499889 VERIFY OK: nsCertType=SERVER
Fri Sep 10 03:43:41 2021 us=499921 VERIFY OK: depth=0, CN=vpksvpn01
Fri Sep 10 03:43:41 2021 us=521188 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 03:43:41 2021 us=521266 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 03:43:41 2021 us=521386 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 04:43:41 2021 us=579375 TLS: soft reset sec=0 bytes=31973/-1 pkts=757/0
Fri Sep 10 04:43:41 2021 us=661700 VERIFY OK: depth=1, CN=\0Dvpksvpn01
Fri Sep 10 04:43:41 2021 us=662180 VERIFY OK: nsCertType=SERVER
Fri Sep 10 04:43:41 2021 us=662216 VERIFY OK: depth=0, CN=vpksvpn01
Fri Sep 10 04:43:41 2021 us=682670 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 04:43:41 2021 us=682748 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 04:43:41 2021 us=682841 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 05:43:41 2021 us=591449 TLS: soft reset sec=0 bytes=33165/-1 pkts=773/0
Fri Sep 10 05:43:41 2021 us=662141 VERIFY OK: depth=1, CN=\0Dvpksvpn01
Fri Sep 10 05:43:41 2021 us=662615 VERIFY OK: nsCertType=SERVER
Fri Sep 10 05:43:41 2021 us=662653 VERIFY OK: depth=0, CN=vpksvpn01
Fri Sep 10 05:43:41 2021 us=683569 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 05:43:41 2021 us=683658 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 10 05:43:41 2021 us=683795 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
End of log ....!
But the openvpn client is still running!


I will try this configuration to see if the VPN client stops running before the inactive time:

ping 300
ping-exit 300
inactive 3600

Any suggestions?
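
An added example, not code from this thread or from the OpenVPN project: a Python parser for log lines in the --verb 4 format quoted in the post above, reporting the renegotiation cadence and the per-key counters printed on each soft reset. Reading the first number in bytes=/pkts= as the retiring key's traffic counter is an assumption, and the sample input is excerpted from the log in that post.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines excerpted from the --verb 4 log quoted in the post above.
SAMPLE_LOG = """\
Fri Sep 10 02:43:40 2021 us=799341 TLS: tls_process: killed expiring key
Fri Sep 10 02:43:41 2021 us=647455 TLS: soft reset sec=0 bytes=32242/-1 pkts=762/0
Fri Sep 10 02:43:41 2021 us=692058 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 03:43:41 2021 us=414784 TLS: soft reset sec=0 bytes=32245/-1 pkts=761/0
Fri Sep 10 03:43:41 2021 us=521386 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 04:43:41 2021 us=579375 TLS: soft reset sec=0 bytes=31973/-1 pkts=757/0
Fri Sep 10 04:43:41 2021 us=682841 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Sep 10 05:43:41 2021 us=591449 TLS: soft reset sec=0 bytes=33165/-1 pkts=773/0
Fri Sep 10 05:43:41 2021 us=683795 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

LINE = re.compile(r"^\w{3} (\w{3} +\d+ [\d:]{8} \d{4}) us=(\d+) (.*)$")
RESET = re.compile(r"TLS: soft reset .*bytes=(\d+)/\S+ pkts=(\d+)/")

def parse(log_text):
    """Yield (timestamp, message) for every line in the verb 4 format."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y")
            yield ts + timedelta(microseconds=int(m.group(2))), m.group(3)

def rekey_report(log_text):
    """Summarise renegotiations: cadence, per-key counters, last completed handshake."""
    resets, done = [], []
    for ts, msg in parse(log_text):
        m = RESET.search(msg)
        if m:
            nbytes, pkts = int(m.group(1)), int(m.group(2))
            # Assumption: the first number in bytes=/pkts= is the retiring key's counter.
            resets.append({"at": ts, "bytes": nbytes, "pkts": pkts,
                           "mean_size": round(nbytes / pkts, 1) if pkts else 0.0})
        elif msg.startswith("Control Channel:"):
            done.append(ts)  # a TLS handshake completed at this time
    gaps = [round((b - a).total_seconds()) for a, b in zip(done, done[1:])]
    return {"resets": resets, "intervals_s": gaps, "last_handshake": done[-1] if done else None}

if __name__ == "__main__":
    r = rekey_report(SAMPLE_LOG)
    print("handshake intervals (s):", r["intervals_s"])
    for x in r["resets"]:
        print(x["at"], x["pkts"], "pkts,", x["mean_size"], "bytes/pkt")
    print("control channel last renegotiated:", r["last_handshake"])
```

On the excerpt the handshakes are 3600 seconds apart right up to the last line, so the TLS control channel keeps renegotiating while the hosts are unreachable. A liveness check for this failure therefore has to probe a host through the tunnel rather than watch the process or the TLS log.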

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by 300000 » Fri Sep 10, 2021 4:03 pm

You want to play with inactive set to 10800 and now you come to say you lose connection to the server.

ZINGARO1972
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 08, 2021 2:03 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by ZINGARO1972 » Sat Sep 11, 2021 9:12 pm

300000 wrote:
Fri Sep 10, 2021 4:03 pm
You want to play with inactive set to 10800 and now you come to say you lose connection to the server.
Sorry, I didn't understand your answer!!

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by 300000 » Sun Sep 12, 2021 5:50 pm

Inactive will drop the connection, so remove it and test again. If you persist in adding inactive, this will drop.

ZINGARO1972
OpenVpn Newbie
Posts: 5
Joined: Wed Sep 08, 2021 2:03 pm

Re: Client VPN running but unreachable hosts after 16/24 hours

Post by ZINGARO1972 » Mon Sep 13, 2021 7:21 am

I discovered a new problem:
the client successfully terminates the connection when the "inactive" expires, but the problem remains (it can no longer reach the hosts!); I must necessarily terminate the "Openvpn Client" process and restart it!
So my problem is not the "inactive" setting (which works correctly), but I have to kill the process in memory by hand, otherwise I can no longer reach the hosts inside the VPN...
