No DNS or connection, usually until I reconnect

Official client software for OpenVPN Access Server and OpenVPN Cloud.
NumericalScaler
OpenVpn Newbie
Posts: 2
Joined: Fri Sep 27, 2019 9:32 am

No DNS or connection, usually until I reconnect

Post by NumericalScaler » Fri Sep 27, 2019 9:44 am

Hi all,

New user here. I installed OpenVPN on a Raspberry Pi using PiVPN, which works great (no problems at all) with my Linux laptop. On two different Android 9 devices, however, I frequently do not have DNS or a connection. My browser won't load pages and apps configured to use a host name in my home network complain they can't find a host with that name. Usually when I disconnect and reconnect it works again.

The server has OpenVPN 2.4.7. I use OpenVPN Connect 3.0.7 on the Android devices.

Does anyone else have this problem? What can I do to solve this?

Thanks for any help

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: No DNS or connection, usually until I reconnect

Post by TinCanTech » Fri Sep 27, 2019 1:51 pm


NumericalScaler
OpenVpn Newbie
Posts: 2
Joined: Fri Sep 27, 2019 9:32 am

Re: No DNS or connection, usually until I reconnect

Post by NumericalScaler » Fri Sep 27, 2019 3:41 pm

Thank you for your reply. Here is my configuration and logs:

server.conf:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/trillian_f51e2ba5-2992-4f12-8c72-ac43be16bac2.crt
key /etc/openvpn/easy-rsa/pki/private/trillian_f51e2ba5-2992-4f12-8c72-ac43be16bac2.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 1.1.1.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

lgv40thinq.ovpn (which is the ovpn file I used to configure the Android app):

client
dev tun
proto udp
remote myhost.com portnr
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name trillian_f51e2ba5-2992-4f12-8c72-ac43be16bac2 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>

journalctl | grep lgv40thinq:

Below is the server log from when I at first did not get a connection, but when I switched it off and on in the app, I got a connection.

sep 27 17:07:07 raspberrypi ovpn-server[507]: lgv40thinq/37.17.221.89:56693 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
sep 27 17:07:07 raspberrypi ovpn-server[507]: lgv40thinq/37.17.221.89:56693 TLS Error: TLS handshake failed
sep 27 17:07:12 raspberrypi ovpn-server[507]: lgv40thinq/37.17.221.89:56693 TLS: tls_multi_process: killed expiring key
sep 27 17:08:12 raspberrypi ovpn-server[507]: lgv40thinq/37.17.221.89:56693 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
sep 27 17:08:12 raspberrypi ovpn-server[507]: lgv40thinq/37.17.221.89:56693 TLS Error: TLS handshake failed
sep 27 17:08:12 raspberrypi ovpn-server[507]: lgv40thinq/37.17.221.89:56693 SIGUSR1[soft,tls-error] received, client-instance restarting
sep 27 17:14:44 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:56963 SIGTERM[soft,remote-exit] received, client-instance exiting
sep 27 17:14:45 raspberrypi ovpn-server[507]: 83.162.2.169:40130 VERIFY OK: depth=0, CN=lgv40thinq
sep 27 17:14:45 raspberrypi ovpn-server[507]: 83.162.2.169:40130 [lgv40thinq] Peer Connection Initiated with [AF_INET]83.162.2.169:40130
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 MULTI_sva: pool returned IPv4=10.8.0.9, IPv6=(Not enabled)
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 MULTI: Learn: 10.8.0.9 -> lgv40thinq/83.162.2.169:40130
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 MULTI: primary virtual IP for lgv40thinq/83.162.2.169:40130: 10.8.0.9
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 PUSH: Received control message: 'PUSH_REQUEST'
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 SENT CONTROL [lgv40thinq]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DNS 1.1.1.1,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.9 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 Data Channel: using negotiated cipher 'AES-256-GCM'
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
sep 27 17:14:45 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
sep 27 17:14:50 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:40130 SIGTERM[soft,remote-exit] received, client-instance exiting
sep 27 17:14:52 raspberrypi ovpn-server[507]: 83.162.2.169:34918 VERIFY OK: depth=0, CN=lgv40thinq
sep 27 17:14:52 raspberrypi ovpn-server[507]: 83.162.2.169:34918 [lgv40thinq] Peer Connection Initiated with [AF_INET]83.162.2.169:34918
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 MULTI_sva: pool returned IPv4=10.8.0.9, IPv6=(Not enabled)
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 MULTI: Learn: 10.8.0.9 -> lgv40thinq/83.162.2.169:34918
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 MULTI: primary virtual IP for lgv40thinq/83.162.2.169:34918: 10.8.0.9
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 PUSH: Received control message: 'PUSH_REQUEST'
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 SENT CONTROL [lgv40thinq]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DNS 1.1.1.1,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.9 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 Data Channel: using negotiated cipher 'AES-256-GCM'
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
sep 27 17:14:52 raspberrypi ovpn-server[507]: lgv40thinq/83.162.2.169:34918 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

So it appears the TLS times out for some reason. But why would it then connect successfully the second time? Also, the Raspberry Pi on which OpenVPN is installed is connected via a cable to my router and I have a fiber connection, and I have these problems when in the same network as well as when I'm somewhere else.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: No DNS or connection, usually until I reconnect

Post by TinCanTech » Fri Sep 27, 2019 5:15 pm

That is not a complete log, so unless you want my crystal ball reading, I cannot help.
NumericalScaler wrote:
Fri Sep 27, 2019 3:41 pm
keepalive 1800 3600
You should probably check what --keepalive does and its default settings.
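
Added example, not part of the thread and not OpenVPN's own code: per the OpenVPN 2.4 manual, keepalive is a helper that in server mode expands to ping and ping-restart (doubled on the server side) and pushes the undoubled values to clients. The Python sketch below expands the posted keepalive 1800 3600, checks it against the PUSH_REPLY line from the posted log, and compares the ping interval with an assumed NAT idle timeout; the function names and ASSUMED_NAT_UDP_IDLE_S are hypothetical.

```python
import re

# Assumption (not from the thread): NAT/mobile gateways often drop idle UDP
# mappings after a minute or two. Adjust for the network under test.
ASSUMED_NAT_UDP_IDLE_S = 120
# Excerpts (abridged) of the server.conf and server log posted in the thread.
SAMPLE_CONF = "proto udp\nkeepalive 1800 3600\npersist-tun\n"
SAMPLE_LOG = ("SENT CONTROL [lgv40thinq]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,"
              "redirect-gateway def1,ping 1800,ping-restart 3600,"
              "ifconfig 10.8.0.9 255.255.255.0,peer-id 1' (status=1)")

def expand_keepalive(conf_text):
    """Expand 'keepalive interval timeout' as server mode does (2.4 manual)."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments
        m = re.fullmatch(r"keepalive\s+(\d+)\s+(\d+)", line)
        if m:
            interval, timeout = int(m.group(1)), int(m.group(2))
            return {"server": {"ping": interval, "ping-restart": timeout * 2},
                    "pushed": {"ping": interval, "ping-restart": timeout}}
    return None

def pushed_from_log(log_line):
    """Extract the ping/ping-restart values from a PUSH_REPLY log line."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log_line)
    found = {}
    for opt in (m.group(1).split(",") if m else []):
        parts = opt.split()
        if len(parts) == 2 and parts[0] in ("ping", "ping-restart"):
            found[parts[0]] = int(parts[1])
    return found

def review(conf_text, log_line, nat_idle=ASSUMED_NAT_UDP_IDLE_S):
    """Return findings about the keepalive timing in config and log."""
    exp = expand_keepalive(conf_text)
    if exp is None:
        return ["no keepalive directive found in the config"]
    findings = []
    if pushed_from_log(log_line) != exp["pushed"]:
        findings.append("PUSH_REPLY does not match the expanded keepalive")
    ping = exp["pushed"]["ping"]
    if ping > nat_idle:
        findings.append(f"ping every {ping}s exceeds assumed NAT idle {nat_idle}s")
    restart = exp["server"]["ping-restart"]
    findings.append(f"server restarts a silent client instance after {restart}s")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```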
