OpenVPN connection startup after 5min

Post by flush » Wed Jun 27, 2012 1:39 pm

Hi guys

I got some problem with my OpenVPN setup. I searched on Google but didn't find an answer. Maybe you guys can help me out, probably something stupid :)
I'm running OpenVPN 2.1rc22. I tried to route all traffic through the VPN tunnel, with the parameter: push "redirect gateway". But after this the problem started...
The client gets an IP directly, but it takes about 5 minutes before I can reach the other network. The first thing I tried was installing OpenVPN 2.2.2: the problem still exists.

At the moment the setup is running as a test:

VPN server (10.10.0.101) --> |(trust interface 10.10.0.254) Juniper Firewall (untrust interface 192.168.2.105)| --> CLIENT 192.168.2.X

VPN server:
Windows xp 32 bit
OpenVPN 2.2.2

Code:

port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key" 
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

VPN client:
Windows 7 32bit
OpenVPN 2.2.2
Config:

Code:

client
dev tun
proto udp
remote 192.168.2.105 1194
nobind
persist-key
persist-tun
ca "c:\\Program Files\\OpenVpn\\config\\ca.crt"
cert "c:\\Program Files\\OpenVpn\\config\\client1.crt"
key "c:\\Program Files\\OpenVpn\\config\\client1.key"
ns-cert-type server
comp-lzo
verb 3

I'm running the VPN client as Administrator.

Log of client:

Code:

Wed Jun 27 15:15:21 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Jun 27 15:15:21 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 27 15:15:22 2012 LZO compression initialized
Wed Jun 27 15:15:22 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 27 15:15:22 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 27 15:15:22 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 27 15:15:22 2012 Local Options hash (VER=V4): '41690919'
Wed Jun 27 15:15:22 2012 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 27 15:15:22 2012 UDPv4 link local: [undef]
Wed Jun 27 15:15:22 2012 UDPv4 link remote: 192.168.2.105:1194
Wed Jun 27 15:15:22 2012 TLS: Initial packet from 192.168.2.105:1194, sid=733b2bc9 fdaa0c1f
Wed Jun 27 15:15:22 2012 VERIFY OK: ...
Wed Jun 27 15:15:22 2012 VERIFY OK: nsCertType=SERVER
Wed Jun 27 15:15:22 2012 VERIFY OK: ...
Wed Jun 27 15:15:22 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 15:15:22 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 15:15:22 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 15:15:22 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 15:15:22 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 27 15:15:22 2012 [W2008VPN] Peer Connection Initiated with 192.168.2.105:1194
Wed Jun 27 15:15:24 2012 SENT CONTROL [W2008VPN]: 'PUSH_REQUEST' (status=1)
Wed Jun 27 15:15:24 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jun 27 15:15:24 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 27 15:15:24 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 27 15:15:24 2012 OPTIONS IMPORT: route options modified
Wed Jun 27 15:15:24 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 27 15:15:24 2012 ROUTE default_gateway=192.168.2.254
Wed Jun 27 15:15:24 2012 TAP-WIN32 device [LAN-verbinding 2] opened: \\.\Global\{E9206817-E63D-4CEF-8DA3-BE18D2384E0E}.tap
Wed Jun 27 15:15:24 2012 TAP-Win32 Driver Version 9.9 
Wed Jun 27 15:15:24 2012 TAP-Win32 MTU=1500
Wed Jun 27 15:15:24 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {E9206817-E63D-4CEF-8DA3-BE18D2384E0E} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 27 15:15:24 2012 Successful ARP Flush on interface [15] {E9206817-E63D-4CEF-8DA3-BE18D2384E0E}
Wed Jun 27 15:15:29 2012 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Wed Jun 27 15:15:29 2012 C:\WINDOWS\system32\route.exe ADD 192.168.2.105 MASK 255.255.255.255 192.168.2.254
Wed Jun 27 15:15:29 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Wed Jun 27 15:15:29 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 27 15:15:29 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 27 15:15:29 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 27 15:15:29 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 27 15:15:29 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 27 15:15:29 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 27 15:15:29 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 27 15:15:29 2012 C:\WINDOWS\system32\route.exe ADD 10.10.0.0 MASK 255.255.255.0 10.8.0.5
Wed Jun 27 15:15:29 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 27 15:15:29 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 27 15:15:29 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 27 15:15:29 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 27 15:15:29 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 27 15:15:29 2012 Initialization Sequence Completed

Here it restarts, then it works...

Code:

Wed Jun 27 15:21:27 2012 [W2008VPN] Inactivity timeout (--ping-restart), restarting
Wed Jun 27 15:21:27 2012 TCP/UDP: Closing socket
Wed Jun 27 15:21:27 2012 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jun 27 15:21:27 2012 Restart pause, 2 second(s)
Wed Jun 27 15:21:29 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 27 15:21:29 2012 Re-using SSL/TLS context
Wed Jun 27 15:21:29 2012 LZO compression initialized
Wed Jun 27 15:21:29 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 27 15:21:29 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 27 15:21:29 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 27 15:21:29 2012 Local Options hash (VER=V4): '41690919'
Wed Jun 27 15:21:29 2012 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 27 15:21:29 2012 UDPv4 link local: [undef]
Wed Jun 27 15:21:29 2012 UDPv4 link remote: 192.168.2.105:1194
Wed Jun 27 15:21:29 2012 TLS: Initial packet from 192.168.2.105:1194, sid=e768eb2f 38351c2a
Wed Jun 27 15:21:29 2012 VERIFY OK: ...
Wed Jun 27 15:21:29 2012 VERIFY OK: nsCertType=SERVER
Wed Jun 27 15:21:29 2012 VERIFY OK: ...
Wed Jun 27 15:21:29 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 15:21:29 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 15:21:29 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 15:21:29 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 15:21:29 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 27 15:21:29 2012 [W2008VPN] Peer Connection Initiated with 192.168.2.105:1194
Wed Jun 27 15:21:31 2012 SENT CONTROL [W2008VPN]: 'PUSH_REQUEST' (status=1)
Wed Jun 27 15:21:31 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jun 27 15:21:31 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 27 15:21:31 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 27 15:21:31 2012 OPTIONS IMPORT: route options modified
Wed Jun 27 15:21:31 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 27 15:21:31 2012 Preserving previous TUN/TAP instance: LAN-verbinding 2
Wed Jun 27 15:21:31 2012 Initialization Sequence Completed

What's the problem here? :)
thanks!

Re: OpenVPN connection startup after 5min

Post by janjust » Thu Jun 28, 2012 2:18 pm

Might be that you need a delay before bringing up the tap-win32 adapter; try adding

Code:

tap-delay 5 30

to see if that helps; I've personally not seen this before.

Re: OpenVPN connection startup after 5min

Post by flush » Thu Jun 28, 2012 2:46 pm

Thanks for the reply already ;)

Code:

tap-delay 5 30

gives error:

Code:

Options error: Unrecognized option or missing parameter(s) in client.ovpn:3: tap-delay (2.2.2)
Use --help for more information.

Re: OpenVPN connection startup after 5min

Post by janjust » Thu Jun 28, 2012 3:06 pm

I'm mixing options here :mrgreen:
Try adding

Code:

tap-sleep 5
route-delay 5 30

Re: OpenVPN connection startup after 5min

Post by flush » Thu Jun 28, 2012 3:55 pm

The problem still exists :s

My route table looks a little bit strange:
[Image: route table]
Maybe something is wrong here.

The metric for the 0.0.0.0 (mask) 0.0.0.0 is lower, but the HTTP traffic goes through the tunnel. Or is this normal :)?

Edit:
I tried:
- a new client with an as-good-as-fresh Windows/OpenVPN install
- working with the TCP protocol --> works directly but slower

Why would TCP work directly, but UDP be so slow on startup?

Re: OpenVPN connection startup after 5min

Post by flush » Wed Oct 17, 2012 2:05 pm

Hi again guys,

I was tired of the slow start-up, so I installed Ubuntu 12.04 (on an ESXi server, but that can't be the problem. The previous one was physical). Ubuntu is probably more secure than using Windows as server. But on-topic: I hoped this would also fix this problem, but it didn't.
Config files (see first post) didn't change (only made more Linux ;) C:\\Program Files etc. replaced).
The VPN tunnel still works perfectly after about 5 minutes... :?

(Maybe someone can tell if the route table above is normal or just strange, and maybe why ;) ).

I also did some more tests, and the VPN works directly when I don't route ALL traffic through the VPN tunnel. So when I add:

Code:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"

the problem starts.

Can someone help or give some more advice?

thanks,
Wouter
