[Solved] vpn connection drops after update

Started by Joergen, February 04, 2019, 03:08:37 PM

February 04, 2019, 03:08:37 PM Last Edit: February 07, 2019, 03:26:37 PM by Joergen
Hey there
I am a very happy user of OPN for approx. 2 years now. However, I am not a programmer. I am using the firewall via the web GUI. I have set up VPN according to the guide "Setup SSL VPN Road Warrior" and use Viscosity to connect from remote locations. I use two-factor login with Google Authenticator as described in the guide.
Until now it has worked fantastically. I could stay online on VPN for hours without problems. The firewall is an A10 from Deciso.
After the latest updates, the VPN connection has started to drop. It's not at a specific time; sometimes after 5 minutes, other times after 20 minutes or more.
I have checked the renegotiation time on the server side; it's still set to 0. I have not changed anything in the setup in the last 6 months; everything is how it used to be.
The logs look like this:
____
Viscosity
feb 04 13:49:25: [SSLVPN Server Certificate 2018] Inactivity timeout (--ping-restart), restarting
feb 04 13:49:25: SIGUSR1[soft,ping-restart] received, process restarting
feb 04 13:49:26: Tilstand ændret til Forbinder

Opnsense
Feb 4 13:49:28   openvpn[89317]: XX.XX.XX.XX:43026 [USERXX] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:43026
Feb 4 13:49:28   openvpn[89317]: XX.XX.XX.XX:43026 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 4 13:49:28   openvpn[89317]: XX.XX.XX.XX:43026 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Feb 4 13:49:28   openvpn: user 'USERXX' could not authenticate.
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_GUI_VER=Viscosity_1.7.14_1595
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_TCPNL=1
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_COMP_STUBv2=1
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_COMP_STUB=1
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_LZO=1
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_LZ4v2=1
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_LZ4=1
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_NCP=2
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_PROTO=2
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_PLAT=win
Feb 4 13:49:27   openvpn[89317]: XX.XX.XX.XX:43026 peer info: IV_VER=2.4.6
Feb 4 13:48:32   openvpn[89317]: Initialization Sequence Completed
Feb 4 13:48:32   openvpn[89317]: UDPv4 link remote: [AF_UNSPEC]
Feb 4 13:48:32   openvpn[89317]: UDPv4 link local (bound): [AF_INET]5.103.15.154:1194
Feb 4 13:48:32   openvpn[89317]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Feb 4 13:48:31   openvpn[89317]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1622 10.10.0.1 10.10.0.2 init
Feb 4 13:48:31   openvpn[89317]: /sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.255 up
________
Any ideas what could be wrong?
I doubt there is anything wrong with my connections. I have very stable fiber at both ends.
Best regards
Joergen

Hi,

Same here, I added some options. I can do this because I have only one road warrior user. This does not work with more users, I think.

- Phase 1:
  - Dead Peer Detection: 20/5
  - enabled: Disable Rekey
  - enabled: Disable Reauth
- Phase 2:
  - Automatically ping host: to host on other side

Hope it will be fixed soon.

Herwin Jan

Any other solutions for more users? Is it something that will be fixed in 19.1.1?

Joergen

February 05, 2019, 01:22:12 PM #3 Last Edit: February 05, 2019, 01:25:26 PM by tbx
Same here...

The VPN connection drops latest after 20 minutes.
The logs from the web GUI look like this:
Feb 5 13:00:55 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: (Success) No change in IP address
Feb 5 13:00:55 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /var/cache/dyndns_wan_bg-net.dyndns.org_0.cache: ***
Feb 5 13:00:50 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Feb 5 13:00:50 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns2'

Feb 5 13:00:49 kernel: ovpns2: link state changed to UP
Feb 5 13:00:44 kernel: ovpns2: link state changed to DOWN
Feb 5 13:00:44 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.

Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '***'
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to ***
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv6 default gateway set to wan
Feb 5 13:00:40 opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
Feb 5 13:00:39 opnsense: /usr/local/etc/rc.newwanip: On (IP address: ***) (interface: WAN[wan]) (real interface: re1_vlan10).
Feb 5 13:00:39 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 're1_vlan10'


This is really annoying if you are using TOTP for your VPN user account.

My Viscosity logs look the same as Joergen's.

Is it an OPNsense 19.1 thing?

I have been running OPNsense on an apu1d from PC Engines for multiple years without any issues (thanks for that!!)
APU1D4 (PC Engines) with OPNsense 19.1.2
Wingo FTTH 1 Gbit/s

Hi all, I don't have an answer here, just a heads up :P

The server is set up to use 2FA.
My connection drops after one hour; nothing changed with 19.1, it has always done this because the standard renegotiation time is 3600 secs.
I'm connecting (CLI, no manager) from my (Arch) machine and it has 'auth-nocache', so I need to authenticate after... 3600 secs, because it doesn't cache these credentials, for better security of course...
You could set the renegotiation time to a higher number; however, keep in mind they are there for a reason (3600 secs). If you do change it, both server & client need to be 'aware'.

Greetings, mark

Thanks. Both server and client have a renegotiation time of 0 (so it should be disabled).

I set up my server and client like it is described in https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
APU1D4 (PC Engines) with OPNsense 19.1.2
Wingo FTTH 1 Gbit/s

Maybe try 'keepalive reneg-sec 0' ...

This client setting didn't change anything.
The interface on the server side gets its state changed every 20 minutes.

The script that is running before (and while) the state changes is opnsense: /usr/local/etc/rc.newwanip

I just upgraded from 18.7.10_4 to 19.1 and 19.1.1.
This is the only config change...

Could this be something to do with the change to HardenedBSD? I stayed connected with the 18.7.x version for hours.
APU1D4 (PC Engines) with OPNsense 19.1.2
Wingo FTTH 1 Gbit/s

Just updated to the new 19.1.1 version.

The connection still drops after a maximum of 30 minutes. Typically after around 22 minutes.

The logs still show the same as in my first post.
I even tried to make a new export to Viscosity to see if a fresh export would help. It's the same problem.

The connection just drops.

Any solutions out there?

Joergen

Hi, I would say there's something wrong with the config. I don't know what is different on your side, but there must be something.

Because I would like to know if I could get beyond one hour I tried it, though the easy way, with NetworkManager & the openvpn plugin which I installed for this test (ArchLinux), also without OTP because as far as I can tell there's no working patch for that. Anyway, no problem here, it just keeps on running...
Using OTP will always drop the connection btw. I haven't tried, but a reset of the connection may be necessary ;)
Greetings, mark

Hey Mark

If you had taken the time to read my first post you would have seen that it has been working fine with OTP.
I made the setup in March 2017.
The only change since then is an update of the certificates in March 2018.
I use the VPN quite often and it has always been with OTP for the extra security.
In October 2018 I was away from my country and working remotely via VPN. At that time I had sessions of up to 10 hours via VPN; there was no problem at all, it just worked perfectly.

Just to see if there was a problem with Viscosity, I tried to connect from my Android device via OpenVPN for Android.
It's the same problem: the connection drops after some time because of inactivity in the certificate. Same message as when connecting via Viscosity. You can see the log in my first post.

So there must clearly be a bug in OPNsense.

Joergen

I have the same VPN issue with link DOWN/UP like tbandixen, but in my case every 30 seconds with 19.1.1.
Here it seems to be the WAN IP renewal script:

opnsense: /usr/local/etc/rc.newwanip
...
opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
kernel: ovpns1: link state changed to DOWN
kernel: ovpns1: link state changed to UP
opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'


In my case I think first of all it's a DHCP issue with my ISP... it looks like an IP lease time of 60 s and a renew time of 30 s. But nevertheless, this ISP issue was probably also present with 18.7 and there is no real public IP change. So why is a resync of OpenVPN needed without a real public IP change?

Regards
Adrian

Ok, I need to update my case... It is not just the VPN connection that drops, the whole WAN connection gets disconnected every 20 minutes (I watch TV over the internet and every 20 minutes the stream hangs; I have to rewind to build up the stream again).

It has to be something with DHCP and the rc.newwanip script that runs every 20 minutes...

How can I help to debug this issue?
APU1D4 (PC Engines) with OPNsense 19.1.2
Wingo FTTH 1 Gbit/s
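The two posts above (Adrian's 30-second flap and tbx's 20-minute one) point at the same log pattern: an rc.newwanip "Resyncing OpenVPN instances" line followed by a kernel link DOWN/UP on the ovpns interface, recurring at a fixed interval. The script below is an added example, not from this thread or from OPNsense, that correlates those three lines and reports the interval between flaps so the period can be compared with the WAN DHCP lease/renew timer; the sample log is constructed after the excerpts posted here, with illustrative timestamps.

```python
import re
from datetime import datetime

# Constructed sample modelled on the OPNsense excerpts in this thread
# (timestamps are illustrative; a 20-minute period like tbx reported).
SAMPLE_LOG = """\
Feb 5 12:40:44 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Feb 5 12:40:44 kernel: ovpns2: link state changed to DOWN
Feb 5 12:40:49 kernel: ovpns2: link state changed to UP
Feb 5 13:00:44 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Feb 5 13:00:44 kernel: ovpns2: link state changed to DOWN
Feb 5 13:00:49 kernel: ovpns2: link state changed to UP
Feb 5 13:20:44 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Feb 5 13:20:44 kernel: ovpns2: link state changed to DOWN
Feb 5 13:20:49 kernel: ovpns2: link state changed to UP
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (.*)$")
LINK_RE = re.compile(r"kernel: (\w+): link state changed to (DOWN|UP)")
RESYNC = "Resyncing OpenVPN instances"

def parse_ts(stamp, year=2019):
    # syslog stamps carry no year; the caller supplies one
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_resync_flaps(text, window=30):
    """Return (resync_time, iface, seconds_down) for every rc.newwanip resync
    followed within `window` seconds by a link DOWN and then UP on an interface."""
    events, pending, down_at = [], None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if RESYNC in msg:
            pending = ts
            continue
        lm = LINK_RE.search(msg)
        if not lm or pending is None:
            continue
        iface, state = lm.groups()
        if state == "DOWN" and (ts - pending).total_seconds() <= window:
            down_at[iface] = ts
        elif state == "UP" and iface in down_at:
            events.append((pending, iface, (ts - down_at.pop(iface)).total_seconds()))
            pending = None
    return events

def resync_intervals(events):
    """Seconds between consecutive flaps; a constant value (e.g. 1200 s)
    suggests a periodic trigger such as the WAN DHCP renew timer."""
    t = [e[0] for e in events]
    return [(b - a).total_seconds() for a, b in zip(t, t[1:])]

if __name__ == "__main__":
    ev = find_resync_flaps(SAMPLE_LOG)
    for when, iface, down in ev:
        print(f"{when:%b %d %H:%M:%S} {iface} flapped after resync, down {down:.0f}s")
    print("intervals between flaps (s):", resync_intervals(ev))
```

Feed it the General log export from the web GUI; if the intervals match the DHCP renew period reported by the ISP, the flap is driven by the renewal rather than by the OpenVPN client.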

After 10-20 minutes of uptime all incoming connections are blocked!

So OpenVPN tunnels are dropped too. It was fine on 18.7.10; is it possible to downgrade, maybe?

19.1 seems to be very unstable

That is exactly what I also have monitored.
APU1D4 (PC Engines) with OPNsense 19.1.2
Wingo FTTH 1 Gbit/s