OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: gothbert on December 29, 2017, 08:55:41 am

Title: OpenVPN connection dropped every 30 minutes
Post by: gothbert on December 29, 2017, 08:55:41 am
Hi,

I recently noticed that the OpenVPN connection from OPNsense (client) to server drops exactly every 30 minutes.

Since the OpenVPN server process complains about a reconnect of the same client when OPNsense re-initiates the connection, I assume that the disconnect is triggered on the client end of the connection, but not necessarily caused by OPNsense or the running OpenVPN client process.

The keepalive option is set. No 1800 (seconds) or 30 (minutes) in any config.

The client log only shows the reconnect, even at verbosity 5.

Could this be related to issues https://github.com/opnsense/core/issues/2010 and https://github.com/opnsense/core/issues/1931 and an internal 30 minute timer at OPNsense trying to restart the client?

Regards,
Boris




client configuration (OPNsense):

Code:
root@opnsense:/var/etc # less openvpn/client1.conf
dev ovpnc1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.178.2
engine rdrand
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote s1.4nv.de 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
passtos
resolv-retry infinite
reneg-sec 0
#fragment 1428
mssfix 1428

server configuration:

Code:
verb 3
#verb 6

proto udp
port 1194

dev vpn-s1
dev-type tun
# fragment 1428 # does not work with android
# mssfix
mssfix 1428
keepalive 10 60
passtos
fast-io
#compress lz4
comp-lzo adaptive

# test
reneg-sec 7200

tls-server
key /etc/openvpn/........
cert /etc/openvpn/........
ca /etc/openvpn/........
dh /etc/openvpn/........
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
tls-auth /etc/openvpn/........ 0

float  # Allow remote peer to change its IP address and/or port number, such as due to DHCP

topology subnet
server 192.168.38.0 255.255.255.0
client-config-dir /etc/openvpn/......../clients
route 192.168.30.0 255.255.255.0
route 192.168.31.0 255.255.255.0
route 192.168.178.0 255.255.255.0
client-to-client
push "route 192.168.30.0 255.255.255.0"
push "route 192.168.31.0 255.255.255.0"

push "dhcp-option DNS 192.168.31.1"

management localhost 7505
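
An added example, not part of the original post and not OPNsense or OpenVPN code: one way to check the statement that no timer in either config equals 1800 seconds, including the values `keepalive` expands to and the defaults that apply when a directive is absent. The sample strings are constructed from the timer-relevant lines of the two configs above; the function names are hypothetical, and the defaults are assumed from the OpenVPN 2.x manual.

```python
import shlex

# Constructed sample: the timer-relevant lines of the two configs in the post.
CLIENT = """
client
keepalive 10 60
ping-timer-rem
reneg-sec 0
#fragment 1428
mssfix 1428
"""
SERVER = """
keepalive 10 60
# test
reneg-sec 7200
server 192.168.38.0 255.255.255.0
push "dhcp-option DNS 192.168.31.1"
"""

# Timer directives (seconds) and their OpenVPN 2.x manual defaults when unset.
TIMERS = {"ping", "ping-restart", "ping-exit", "inactive", "reneg-sec",
          "hand-window", "tran-window", "server-poll-timeout"}
DEFAULTS = {"reneg-sec": 3600, "hand-window": 60, "tran-window": 3600}

def parse(text):
    """Yield (directive, args) per config line; '#' comments are dropped."""
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens[0], tokens[1:]

def effective_timers(text):
    """Return {timer: seconds}, expanding keepalive as the manual describes."""
    conf = list(parse(text))
    is_server = any(name == "server" for name, _ in conf)
    out = dict(DEFAULTS)
    for name, args in conf:
        if name == "keepalive":
            out["ping"] = int(args[0])
            # Server mode doubles its own ping-restart and pushes the plain value.
            out["ping-restart"] = int(args[1]) * (2 if is_server else 1)
        elif name in TIMERS:
            out[name] = int(args[0])
    return out

def find_period(seconds, **configs):
    """List (side, timer) pairs whose effective value equals the drop period."""
    return [(side, t) for side, text in configs.items()
            for t, v in effective_timers(text).items() if v == seconds]

if __name__ == "__main__":
    print(find_period(1800, client=CLIENT, server=SERVER))
```

An empty result means none of the listed OpenVPN timers, explicit or default, matches the 30-minute interval on either side.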