Need help configuring your VPN? Just post here and you'll get that help.
Moderators: TinCanTech
-
bluestu
- OpenVpn Newbie
- Posts: 5
- Joined: Sat Jun 04, 2011 11:45 am
by bluestu » Sat Jun 04, 2011 11:48 am
I'm running a multi-client server using OpenVPN 2.0 on Debian. I have unique certificates (with unique common names) for each client. They connect fine, and I can ping each client.
The problem is, when I set keepalive on the client, it always fails to get a response. For instance, if I set:
keepalive 10 60
The server will restart every 60 seconds due to not getting a response. The client and server are connected via a high speed leased line with no detected packet loss (0.0%).
The client shows this error:
[server] Inactivity timeout (--ping-restart), restarting
Please help, as I have had to roll back my config to single tunnels which is a nightmare!
Thanks
s
-
Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
by Bebop » Sun Jun 05, 2011 9:42 am
bluestu wrote:The problem is, when I set keepalive on the client, it always fails to get a response
How strict is your server IPTABLES? Adding these can often solve the
no ping problems:
# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
The cure for boredom is curiosity
-
bluestu
- OpenVpn Newbie
- Posts: 5
- Joined: Sat Jun 04, 2011 11:45 am
by bluestu » Sun Jun 05, 2011 12:53 pm
I don't think this can be the problem as the keepalive pings aren't actually ICMP anyway. They're UDP echoes??
I can ping the server from the client and vice versa when the link is up. It just constantly restarts from the client side saying pong-restart. The link is up and working when it thinks there is no pong.
Thanks
S
-
Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
by Bebop » Mon Jun 06, 2011 2:52 am
Server + client .conf, or little/no useful help will be likely to find you.
The cure for boredom is curiosity
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
by janjust » Mon Jun 06, 2011 7:59 am
Apart from Bebop's remark about config files, which is totally valid, here are some tips:
* upgrade to openvpn 2.2 on Debian; 2.0 is really old
* add the
to the server config, not the client config
-
bluestu
- OpenVpn Newbie
- Posts: 5
- Joined: Sat Jun 04, 2011 11:45 am
by bluestu » Mon Jun 06, 2011 10:37 am
Hi guys, thanks for your help. Also sorry for the spell check on my iPhone, I can usually spell OK.
server.conf
local xxx.xxx.xxx.xxx 1194 udp
dev tun
tls-server
# Key info
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
reneg-sec 0
# IP Setup
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ifconfig-pool-linear
client-config-dir ccd
client-to-client
keepalive 2 10
comp-lzo
#persist-key
#persist-tun
verb 3
client.conf
remote xxx.xxx.xxx.xxx 1194 udp
persist-key
tls-client
pull
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ping 2
ping-restart 10
persist-tun
comp-lzo yes
dev tun
nobind
verb 3
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
by janjust » Mon Jun 06, 2011 12:51 pm
try commenting out
as it's rather obsolete; use
instead.
also make sure that both sides are doing LZO or not (I'd recommend to use 'comp-lzo yes' on both sides).
If you specify
on the server side then this is also pushed out to the client, overruling whatever you specify in the client config file for 'ping' and 'ping-restart'
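To make the override janjust describes concrete, here is an added example (not code from the thread or from OpenVPN itself) that resolves the effective ping/ping-restart timers on each side from config text. It assumes the documented --keepalive expansion: on the server, `keepalive n m` becomes `ping n`, `ping-restart 2*m`, plus `push "ping n"` and `push "ping-restart m"`; on the client it becomes `ping n`, `ping-restart m`; and a client with `pull` (or `client`) takes the pushed values over its own.

```python
# Added example: resolve effective ping / ping-restart timers from OpenVPN config text.

def parse_conf(text):
    """Return (directives, pushed): name -> args, and push "..." contents."""
    directives, pushed = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        name, *args = line.split()
        if name == "push":                        # push "ping 10"
            inner = " ".join(args).strip('"').split()
            if inner:
                pushed[inner[0]] = inner[1:]
        else:
            directives[name] = args
    return directives, pushed

def expand_keepalive(directives, pushed, server_mode):
    """keepalive n m -> ping n, ping-restart m (2*m on the server, which also
    pushes ping n / ping-restart m to clients)."""
    if "keepalive" not in directives:
        return
    interval, timeout = (int(x) for x in directives["keepalive"])
    directives["ping"] = [str(interval)]
    if server_mode:
        directives["ping-restart"] = [str(timeout * 2)]
        pushed["ping"] = [str(interval)]
        pushed["ping-restart"] = [str(timeout)]
    else:
        directives["ping-restart"] = [str(timeout)]

def effective_timers(server_text, client_text):
    """Return {'server': (ping, ping-restart), 'client': (...)}; 0 = not set."""
    srv, srv_push = parse_conf(server_text)
    cli, _ = parse_conf(client_text)
    expand_keepalive(srv, srv_push, server_mode=True)
    expand_keepalive(cli, {}, server_mode=False)
    if "pull" in cli or "client" in cli:          # client accepts pushed options
        for name in ("ping", "ping-restart"):
            if name in srv_push:
                cli[name] = srv_push[name]
    def timer(d):
        return (int(d.get("ping", ["0"])[0]), int(d.get("ping-restart", ["0"])[0]))
    return {"server": timer(srv), "client": timer(cli)}

# Constructed samples mirroring the thread's configs (only the relevant lines).
SERVER_CONF = "server 10.1.0.0 255.255.255.0\nkeepalive 2 10\nverb 3\n"
CLIENT_CONF = "tls-client\npull\nping 2\nping-restart 10\nverb 3\n"
```

With the thread's configs the client ends up with ping 2 / ping-restart 10 whatever it sets locally, and the server restarts after 20 seconds of silence rather than 10.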
-
bluestu
- OpenVpn Newbie
- Posts: 5
- Joined: Sat Jun 04, 2011 11:45 am
by bluestu » Mon Jun 06, 2011 1:28 pm
This has made no difference. The client still restarts saying ping-restart. The link is up and works fine, but it keeps dropping! I'm losing the will to live with this!
s
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
by janjust » Mon Jun 06, 2011 2:47 pm
please post the client and server config files as they are now (just to check).
Also, set the verbosity in the client log to 7 ('verb 7') and reconnect; now look in the client log file for messages of the type 'PING SENT'; if you do something similar on the server you should see 'RECEIVED PING PACKET'.
-
bluestu
- OpenVpn Newbie
- Posts: 5
- Joined: Sat Jun 04, 2011 11:45 am
by bluestu » Mon Jun 06, 2011 2:56 pm
When I set verbosity to 7 all I see in the syslog is:
Jun 6 14:57:19 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:19 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:19 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:19 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:19 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:19 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:20 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:20 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:20 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:20 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:20 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:20 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:21 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:21 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:21 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:21 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:21 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:21 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:22 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:22 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:22 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:22 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:22 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:22 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:23 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:23 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:23 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:23 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:23 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:23 client1 ovpn-client[4064]: TUN WRITE [52]
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
-
Contact:
by janjust » Mon Jun 06, 2011 3:20 pm
you're not seeing any PING messages being sent ?!?!?!? is this with openvpn 2.1 or still the old 2.0 ? I just verified for myself that this works on 2.1.4 and higher.
-
Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
by Bebop » Tue Jun 07, 2011 2:27 am
bluestu wrote:sorry for the spell check on my iPhone, I can usually spell OK
The word 'pong' came up a few times.. I was thinking what the
Sorry I couldn't help out much on this problem. I thought keep-alives were just regular ICMP pings. Now I researched some more and found out you were correct, they are not. Thank you for the pointer. And thank you to Janjust for stepping in. Best of luck to getting this solved.
The cure for boredom is curiosity