OpenVPN Client cannot auto-reconnect

plax.kart · Post by **plax.kart** » Mon Jun 24, 2019 1:50 am

Hi all,

I'm having problems with auto-reconnecting on OVPN Client. In my setup, I've configured OVPN Server running on an EdgeRouter device and OVPN Client running on another OVPN EdgeRouter device. Everything works properly so far. The problems happened when the connection was dropped unexpectedly.

Case #1: I deliberately try to power off the Client device, wait for a few minutes to make sure the Client completely lost its VPN connection (by reading logs on OVPN Server), then I power on the Client device again. After waiting for about 60s, the connection is established successfully and both ends can communicate properly. This case is working normal as I expected.

Case #2: I deliberately unplug the network cable from the Client device, wait for a few minutes just like case #1, check the log on Server to make sure the VPN connection was lost completely, then plug in the network cable again into Client device. Now the problem is I cannot see any attempt to auto-reconnect on the Client device. I checked log on the Server and cannot see any failed connection or reattempt that come from the Client device.

So I guess when powering off then on, the OVPN Client device tries to re-establish the connection to the OVPN Server device. But when unplug and plug in the network cable, the OVPN Client still keep its running connection status and therefore cannot create proper VPN connection between two ends.

The OVPN log file shows nothing special but please let me know if you would like to have a look at it.

Are there any solutions to this issue?

Thank you.

server

1

openvpn vtun0 {

2

description "OpenVPN Server

3

encryption aes256

4

hash sha256

5

mode server

6

openvpn-option "--port 1194"

7

openvpn-option "--proto udp"

8

openvpn-option --ccd-exclusive

9

openvpn-option "--client-config-dir /config/auth/ccd"

10

openvpn-option "--verb 4"

11

openvpn-option "--cipher AES-256-CBC"

12

openvpn-option "--tls-auth /config/auth/ta.key 0"

13

openvpn-option "--tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA"

14

openvpn-option "--user nobody"

15

openvpn-option "--group nogroup"

16

openvpn-option "--keepalive 10 60"

17

openvpn-option "--log-append /var/log/openvpn.log"

18

openvpn-option "--crl-verify /config/auth/crl.pem"

19

openvpn-option --tls-server

20

openvpn-option --persist-key

21

openvpn-option --persist-tun

22

server {

23

subnet x.x.x.x/24

24

}

25

tls {

26

ca-cert-file /config/auth/ca.crt

27

cert-file /config/auth/server.pem

28

dh-file /config/auth/dh2048.pem

29

key-file /config/auth/server.key

30

}

client

1

client

2

dev tun

3

proto udp

4

remote x.x.x.x 1194

5

resolv-retry infinite

6

nobind

7

persist-key

8

persist-tun

9

remote-cert-tls server

10

cipher AES-256-CBC

11

auth SHA256

12

key-direction 1

13

verb 3

14

<key>

15

--STRIPPED INLINE KEY--

16

</key>

17

<cert>

18

--STRIPPED INLINE CERT--

19

</cert>

20

<ca>

21

--STRIPPED INLINE CA CERT--

22

</ca>

23

<tls-auth>

24

--STRIPPED INLINE TLS-AUTH KEY--

25

</tls-auth>

plax.kart · Post by **plax.kart** » Mon Jun 24, 2019 2:07 am

By the way, below are the logs from both OVPN Server and Client for case #2...

OVPN Server

1

[xxxxxx] Inactivity timeout (--ping-restart), restarting

2

SIGUSR1[soft,ping-restart] received, client-instance restarting

OVPN Client

1

ubnt openvpn[1851]: [server] Inactivity timeout (--ping-restart), restarting

2

ubnt openvpn[1851]: SIGUSR1[soft,ping-restart] received, process restarting

3

ubnt openvpn[1851]: Restart pause, 5 second(s)

4

ubnt openvpn[1851]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194

5

ubnt openvpn[1851]: Socket Buffers: R=[294912->294912] S=[294912->294912]

6

ubnt openvpn[1851]: UDP link local: (not bound)

7

ubnt openvpn[1851]: UDP link remote: [AF_INET]x.x.x.x:1194

8

ubnt openvpn[1851]: [UNDEF] Inactivity timeout (--ping-restart), restarting

9

ubnt openvpn[1851]: SIGUSR1[soft,ping-restart] received, process restarting

10

ubnt openvpn[1851]: Restart pause, 5 second(s)

11

ubnt openvpn[1851]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194

12

ubnt openvpn[1851]: Socket Buffers: R=[294912->294912] S=[294912->294912]

13

ubnt openvpn[1851]: UDP link local: (not bound)

14

ubnt openvpn[1851]: UDP link remote: [AF_INET]x.x.x.x:1194

plax.kart · Post by **plax.kart** » Mon Jun 24, 2019 2:18 am

FYI, even when I deliberately disable then re-enable the OVPN interface on EdgeRouter Client device, the VPN connection is still able to auto-reconnect by itself successfully.

So long story short, the only case OVPN Client device fails to auto-reconnect is when I unplug the network cable (break Internet connection) then plug it again after a few minutes. In this specific case, OVPN Client device seems like it could not establish the VPN connection by itself...

TinCanTech · Post by **TinCanTech** » Mon Jun 24, 2019 3:11 am

Which version of openvpn are you using ?

plax.kart · Post by **plax.kart** » Mon Jun 24, 2019 3:33 am

Hi TinCanTech,

Please refer to the info on both OVPN Server and Client as follows:

OpenVPN Version

1

sudo openvpn --help

2

OpenVPN 2.4.0 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018

Thank you.

plax.kart · Post by **plax.kart** » Mon Jun 24, 2019 10:51 am

@TinCanTech: I wonder can we write a script in Linux (Debian-based EdgeRouter) to auto-check the up/down state of VPN connection then automatically disable and re-enable the interface vtun0 whenever VPN connection losing connection? Such as up/down scripts in OVPN...

TinCanTech · Post by **TinCanTech** » Mon Jun 24, 2019 12:32 pm

plax.kart wrote: ↑
Mon Jun 24, 2019 10:51 am
can we write a script in Linux (Debian-based EdgeRouter) to auto-check the up/down state of VPN connection

Probably but the script would have to be run outside of openvpn.

plax.kart wrote: ↑
Mon Jun 24, 2019 3:33 am
OpenVPN 2.4.0

This is a little out of date ..

plax.kart wrote: ↑
Mon Jun 24, 2019 10:51 am
Linux (Debian-based EdgeRouter

You should find out if you can update your version of openvpn or not.

plax.kart wrote: ↑
Mon Jun 24, 2019 1:50 am
Case #2: I deliberately unplug the network cable from the Client device, wait for a few minutes just like case #1, check the log on Server to make sure the VPN connection was lost completely, then plug in the network cable again into Client device. Now the problem is I cannot see any attempt to auto-reconnect on the Client device. I checked log on the Server and cannot see any failed connection or reattempt that come from the Client device.

Please post your complete client log at verb 4 so we can see what the client is doing.

Post by **Pippin** » Mon Jun 24, 2019 4:20 pm

Case #2:

Do you see recursive routing detected in the client log?
Do not use --persist-tun on the client...

plax.kart · Post by **plax.kart** » Mon Jun 24, 2019 10:22 pm

Pippin wrote: ↑
Mon Jun 24, 2019 4:20 pm

Case #2:
Do you see recursive routing detected in the client log?
Do not use --persist-tun on the client...

@Pippin: Amazing! It just works beautifully and auto-reconnect every time I power off or unplug the cable. Thanks a lot

There is some small issues though...firstly, when I leave the VPN connection running idle (inactivity) for about 5', the Client seems auto-disconnected but it can auto-reconnect right after that and everything keep working fine. Just wonder is it normal (with --keepalive 10 60 option on the Server ) or do we need to always keep the VPN connection up without any downtime during inactivity?

Second minor issue is the OVPN Client seems taking a bit long time to auto-reconnect. I saw the following information keep increasing 2 times from 5s to 10s, 20s, 40s, 80s, 160s... in the Client log, is this the reason why OVPN Client takes quite some time to auto-reconnect?

Code: Select all

ubnt openvpn[1915]: Restart pause, 5 second(s)

Lastly, when I issue the command to restart OVPN Server instance sudo /etc/init.d/openvpn restart I got the some errors as follows and could not auto-reconnect for about 2-3 minutes, but eventually the Client was still able to auto-reconnect but it took some time and I don't think it's good...

Client

1

Jun 24 21:52:44 ubnt openvpn[1887]: /sbin/ip route add 0.0.0.0/1 via x.x.x.x

2

Jun 24 21:52:44 ubnt openvpn[1887]: /sbin/ip route add 128.0.0.0/1 via x.x.x.x

3

Jun 24 21:52:44 ubnt openvpn[1887]: Initialization Sequence Completed

4