Topic: openvpn unstable (Read 644 times)
amastrangelo (Newbie, Posts: 7, Karma: 0)
openvpn unstable « on: September 15, 2023, 03:53:42 pm »
Hello, after updating to 23.7 OpenVPN is very unstable: clients disconnect and packets are discarded.
This is my conf:
dev ovpns1
verb 3
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon openvpn_server1
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
multihome
client-disconnect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '1'"
tls-server
server 10.96.115.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
verify-client-cert none
username-as-common-name
auth-user-pass-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py --defer '1'" via-env
learn-address "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '1'"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 200
push "route xxxxxxxxxxxxx 255.255.255.192"
push "route xxxxxxxxxxx 255.240.0.0"
push "route xxxxxxxxxxxx 255.255.0.0"
push "route xxxxxxxxxxxx 255.0.0.0"
push "route xxxxxxxxxxxx 255.255.255.255"
push "route xxxxxxxxxxxxx 255.255.255.255"
push "route xxxxxxxxxxx 255.255.255.255"
push "route xxxxxxxxxxxxx 255.255.255.0"
push "dhcp-option DOMAIN test.local"
push "dhcp-option DNS XXXXXXXXXXX"
push "dhcp-option DNS xxxxxxxxxxx"
push "register-dns"
push "block-outside-dns"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
tls-auth /var/etc/openvpn/server1.tls-auth 0
compress lz4
persist-remote-ip
float
reneg-sec 0
status /var/etc/openvpn/openvpn.log
This is my client:
dev tap
persist-tun
persist-key
data-ciphers-fallback AES-128-CBC
auth SHA1
verb 5
client
resolv-retry infinite
remote xxxxxxxxxxxxxx 1197 udp
lport 0
verify-x509-name "C=xx, ST=xxxxxxxxx, L=xxxxxx, O=xxxxxxxxxxxxx, emailAddress=xx@xx.xx, CN=OVPN-SERVER" subject
remote-cert-tls server
auth-user-pass
static-challenge "Enter Authenticator Code" 1
compress lz4
dhcp-option DNS xxxxxxxxx
dhcp-option DNS Xxxxxxxxx
dhcp-option DOMAIN test.local
register-dns
reneg-sec 0
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
key-direction 1
(ca, cert, key etc. omitted)
OpenVPN version:
root@sii-opnsense02:~ # openvpn --version
OpenVPN 2.6.6 amd64-portbld-freebsd13.2 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
library versions: OpenSSL 1.1.1v 1 Aug 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=no enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
root@sii-opnsense02:~ # netstat -s
Can you help me?
« Last Edit: September 15, 2023, 04:00:46 pm by amastrangelo »
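A small config linter, added here as an example and not code from the post above or from OPNsense: it parses a constructed excerpt of the posted server config and flags the directives that OpenVPN 2.6 deprecates or that weaken the tunnel. The names `SAMPLE_CONFIG`, `parse_config`, `first_arg` and `lint` and the rule wording are my own; the option names are real OpenVPN directives.

```python
"""Lint an OpenVPN 2.6 server config for settings worth a second look."""
import shlex

# Constructed excerpt of the server config posted above (routes, DNS, scripts omitted).
SAMPLE_CONFIG = """\
proto udp
cipher AES-128-CBC
auth SHA1
verify-client-cert none
tls-auth /var/etc/openvpn/server1.tls-auth 0
compress lz4
reneg-sec 0
"""

def parse_config(text):
    """Map option name -> list of argument lists, one per occurrence."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("<"):  # <ca> opens, </ca> closes an inline file block
            in_block = not line.startswith("</")
            continue
        if in_block:  # PEM lines inside an inline block are not options
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def first_arg(opts, name):
    """First argument of the option's first occurrence, or None if absent/bare."""
    args = opts.get(name, [[]])[0]
    return args[0] if args else None

def lint(opts):
    """Return (option, reason) findings; an empty list means nothing flagged."""
    findings = []
    if "cipher" in opts and "data-ciphers" not in opts:
        findings.append(("cipher", "deprecated in 2.6; set data-ciphers to an AEAD suite"))
    if (first_arg(opts, "auth") or "").upper() == "SHA1":
        findings.append(("auth", "SHA1 HMAC with a CBC cipher; prefer SHA256 or AES-GCM"))
    if "compress" in opts:
        findings.append(("compress", "compression exposes plaintext (VORACLE); remove it"))
    if first_arg(opts, "reneg-sec") == "0":
        findings.append(("reneg-sec", "0 disables key renegotiation; the default is 3600"))
    if first_arg(opts, "verify-client-cert") == "none":
        findings.append(("verify-client-cert", "none makes auth password-only; use require"))
    return findings
```

Run `lint(parse_config(open("server1.conf").read()))` against a real OPNsense-generated config to get the same findings for a live instance.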
axsdenied (Full Member, Posts: 199, Karma: 9)
Re: openvpn unstable « Reply #1 on: September 16, 2023, 12:21:25 am »
You're using UDP. Are you using that over a dedicated connection or over the internet? If the latter, use TCP.
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD