SubJunk wrote: Yeah, I think we need it.
My connection resets usually every hour or so, so that really limits my VPN use; it means it can't be left on when I'm not at the computer. I don't want to have to stay at the computer whenever I am downloading something just in case the connection drops.
Hello,
Every hour is strange; with my config above it can last for 24 hours or more.
In the OpenVPN log I noticed that when it fails I have an authentication error.
In the log below I see that every hour it seems to renegotiate. However, the tunnel itself does not go down:
Sun May 08 10:02:45 2011 TLS: tls_process: killed expiring key
Sun May 08 10:02:49 2011 TLS: soft reset sec=0 bytes=238426/0 pkts=1270/0
Sun May 08 10:02:49 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 08 10:02:49 2011 VERIFY OK: depth=1, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc_CA/emailAddress=admin@goldenfrog.com
Sun May 08 10:02:49 2011 VERIFY X509NAME OK: /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Sun May 08 10:02:49 2011 VERIFY OK: depth=0, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Sun May 08 10:02:51 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 08 10:02:51 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 08 10:02:51 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun May 08 10:02:51 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May 08 10:02:51 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
When it fails I have:
Fri May 06 12:40:00 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 06 12:40:00 2011 TLS Error: TLS handshake failed
Fri May 06 12:40:00 2011 TCP/UDP: Closing socket
Fri May 06 12:40:00 2011 SIGUSR1[soft,tls-error] received, process restarting
Fri May 06 12:40:00 2011 Restart pause, 2 second(s)
Fri May 06 12:40:02 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri May 06 12:40:02 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 06 12:40:02 2011 Re-using SSL/TLS context
Fri May 06 12:40:02 2011 LZO compression initialized
Fri May 06 12:40:02 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri May 06 12:40:02 2011 TCP/UDP: Preserving recently used remote address: 138.199.67.17:1194
Fri May 06 12:40:02 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri May 06 12:40:02 2011 Local Options hash (VER=V4): '41690919'
Fri May 06 12:40:02 2011 Expected Remote Options hash (VER=V4): '530fdded'
Fri May 06 12:40:02 2011 Socket Buffers: R=[8192->262144] S=[8192->8192]
Fri May 06 12:40:02 2011 UDPv4 link local: [undef]
Fri May 06 12:40:02 2011 UDPv4 link remote: 138.199.67.17:1194
Fri May 06 12:40:02 2011 TLS: Initial packet from 138.199.67.17:1194, sid=a03c98f8 e5b9fbad
Fri May 06 12:40:02 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 06 12:40:02 2011 VERIFY OK: depth=1, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc_CA/emailAddress=admin@goldenfrog.com
Fri May 06 12:40:02 2011 VERIFY X509NAME OK: /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Fri May 06 12:40:02 2011 VERIFY OK: depth=0, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=eu1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Fri May 06 12:40:06 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 06 12:40:06 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 06 12:40:06 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 06 12:40:06 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 06 12:40:06 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri May 06 12:40:06 2011 [eu1.vpn.giganews.com] Peer Connection Initiated with 138.199.67.17:1194
Fri May 06 12:40:08 2011 SENT CONTROL [eu1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
Fri May 06 12:40:08 2011 AUTH: Received AUTH_FAILED control message
Fri May 06 12:40:08 2011 SIGTERM received, sending exit notification to peer
Fri May 06 12:40:13 2011 SENT CONTROL [eu1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
Fri May 06 12:40:13 2011 TCP/UDP: Closing socket
Fri May 06 12:40:13 2011 C:\WINDOWS\system32\route.exe DELETE 138.199.67.17 MASK 255.255.255.255 192.168.1.254
Fri May 06 12:40:14 2011 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.9.0.1
Fri May 06 12:40:14 2011 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.9.0.1
Fri May 06 12:40:14 2011 Closing TUN/TAP interface
Fri May 06 12:40:14 2011 SIGTERM[soft,exit-with-notification] received, process exiting
What I did is to tune the OpenVPN service to auto-restart in case of failure. I will let you know if it is better.
Jean.
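As an added example (not from the thread), a small Python triage script that scans OpenVPN client log lines like the ones above for the hourly soft resets, the TLS-error-then-AUTH_FAILED failure sequence, and the two configuration warnings worth acting on (password caching, the BF-CBC data-channel cipher). The sample lines are constructed from the post's log; the pattern names are my own.

```python
import re
from datetime import datetime

# Constructed sample, condensed from the log lines quoted in the post.
SAMPLE_LOG = """\
Fri May 06 10:40:00 2011 TLS: soft reset sec=0 bytes=1000/0 pkts=10/0
Fri May 06 11:40:00 2011 TLS: soft reset sec=0 bytes=238426/0 pkts=1270/0
Fri May 06 11:40:00 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 06 11:40:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 06 12:40:00 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 06 12:40:00 2011 TLS Error: TLS handshake failed
Fri May 06 12:40:08 2011 AUTH: Received AUTH_FAILED control message
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")

# Message patterns a reviewer of a client log would want flagged (names are mine).
FINDINGS = {
    "renegotiation": re.compile(r"TLS: soft reset"),
    "tls_failure": re.compile(r"TLS Error: TLS (key negotiation failed|handshake failed)"),
    "auth_failed": re.compile(r"AUTH_FAILED"),
    "password_cached": re.compile(r"may cache passwords in memory"),
    "weak_cipher": re.compile(r"Cipher '(BF-CBC|DES-CBC|RC2-CBC)'"),
}

def parse(log_text):
    """Yield (timestamp, message) for each well-formed OpenVPN log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)

def triage(log_text):
    """Count flagged events and measure the gap between consecutive soft resets."""
    events = {name: [] for name in FINDINGS}
    for ts, msg in parse(log_text):
        for name, pat in FINDINGS.items():
            if pat.search(msg):
                events[name].append(ts)
    renegs = events["renegotiation"]
    gaps = [int((b - a).total_seconds()) for a, b in zip(renegs, renegs[1:])]
    return {
        "counts": {name: len(ts_list) for name, ts_list in events.items()},
        "reneg_gaps_sec": gaps,  # 3600 means the default hourly key renewal
        # AUTH_FAILED within a minute of a TLS error means the credential check
        # fails on the reconnect, not during the routine hourly renegotiation.
        "auth_failed_after_tls_error": any(
            0 <= (af - te).total_seconds() <= 60
            for te in events["tls_failure"] for af in events["auth_failed"]
        ),
    }
```

Run `triage(open("openvpn.log").read())` on a real client log to see whether the resets land on the hour and whether AUTH_FAILED follows a TLS error or a soft reset.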