OpenVPN Instances Road Warrior Setup - Keepalive necessary

Started by jhw, November 20, 2024, 10:42:07 AM

Hello OPNsense Community,

I recently migrated 12 OpenVPN servers from the legacy configuration to the new "Instances" setup, following the updated documentation:

OPNsense SSL VPN Road Warrior (Instance Configuration)
https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html

After the migration, many users experienced frequent disconnections after a short period. Although there were no error messages in the server logs, the client logs consistently displayed the following line:

SIGUSR1[soft,ping-restart] received, process restarting

To resolve this, I adjusted the Keep Alive settings in the advanced options. I set the Keep Alive Interval to 10 and the Keep Alive Timeout to 120. Following these changes, all disconnection issues were resolved.

I hope this information helps anyone facing similar problems.

Best regards,
JHW

Hello!
I had the same issue (disconnecting after 30 seconds), and solved it the same way today.
This should be included in the How-To article.
Thanks for the post, I am sure it will help someone in the future.

Hi jhw! I have the same problem, thanks for sharing. I will try the solution. Regards.
Martin Pedros

Thank you for the hint. I wasted a lot of time trying to understand why OpenVPN clients on OPNsense were reconnecting every two minutes, each time receiving a new IP address. The issue was that the server wasn't sending pings, and the client has a default ping-restart value of 120 seconds. As a result, the client restarted the connection every 120 seconds.

Setting the keepalive helper on the server to keepalive 10 60 should really be the default, as it is in pfSense and other products. When configured on the server, this setting is also pushed to the client—there's no need to define a keepalive on the client side.

The keepalive X Y option can be enabled in OPNsense by editing the OpenVPN server instance in advanced mode and setting both the "Keep alive interval" and "Keep alive timeout".

Additionally, enabling explicit-exit-notify on both client and server by default would be a good idea. For example, when a client disconnects, the allocated IP on the server is immediately released, without having to wait for the ping-exit timer to expire.
Again, explicit-exit-notify is enabled by default on pfSense clients and WatchGuard Firebox clients.
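To make the mechanism described in the first post and in the reply above concrete, here is an added Python example (not code from OPNsense, OpenVPN or anyone in this thread). It models how OpenVPN expands the `keepalive <interval> <timeout>` helper (per the OpenVPN manual: the server doubles the timeout locally and pushes the plain values to clients), predicts from a server config whether an idle client will hit the default 120 second `ping-restart`, and measures the gaps between `SIGUSR1[soft,ping-restart]` events in a client log. The two server configs and the log excerpt are constructed sample input; the simplification that an explicit `ping`/`ping-restart` line takes precedence over `keepalive` is this example's own assumption.

```python
"""Model OpenVPN keepalive expansion and spot the ping-restart symptom.

Added example for the forum thread; not OPNsense or OpenVPN project code.
"""
import re
from datetime import datetime

# OpenVPN's compiled-in default for ping-restart when nothing is set or pushed.
DEFAULT_PING_RESTART = 120


def expand_keepalive(interval, timeout, server_mode=True):
    """Expand `keepalive <interval> <timeout>` the way OpenVPN documents it.

    In server mode the local ping-restart is doubled so that a client always
    notices a dead tunnel before the server drops it, and the un-doubled
    values are pushed to every client.  In client mode they apply locally.
    """
    if interval <= 0 or timeout <= 0:
        raise ValueError("keepalive arguments must be positive integers")
    local = {"ping": interval, "ping-restart": (2 if server_mode else 1) * timeout}
    push = {"ping": interval, "ping-restart": timeout} if server_mode else {}
    return {"local": local, "push": push}


def client_view(server_config):
    """Predict the liveness timers a client gets from this server config.

    Returns server_ping (seconds between server pings, None if the server
    never pings), client_restart (seconds of silence before the client
    restarts) and idle_restart (True when a healthy but idle tunnel will
    still be torn down by the client, the symptom reported in the thread).
    """
    local, pushed = {}, {}
    for raw in server_config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        key, *args = line.split()
        if key == "push" and args:                    # push "ping 10" -> pushed
            pkey, *pargs = " ".join(args).strip('"').split()
            pushed[pkey] = pargs
        else:
            local[key] = args
    if "keepalive" in local:
        interval, timeout = (int(a) for a in local["keepalive"][:2])
        exp = expand_keepalive(interval, timeout, server_mode=True)
        # Assumption of this model: explicit ping lines win over the helper.
        for k, v in exp["local"].items():
            local.setdefault(k, [str(v)])
        for k, v in exp["push"].items():
            pushed.setdefault(k, [str(v)])
    server_ping = int(local["ping"][0]) if "ping" in local else None
    client_restart = (int(pushed["ping-restart"][0]) if "ping-restart" in pushed
                      else DEFAULT_PING_RESTART)
    # A client restarts when nothing arrives for client_restart seconds; on an
    # idle tunnel only server pings keep that timer from expiring.
    idle_restart = server_ping is None or server_ping >= client_restart
    return {"server_ping": server_ping, "client_restart": client_restart,
            "idle_restart": idle_restart}


LOG_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def ping_restart_intervals(log_text):
    """Seconds between successive SIGUSR1[soft,ping-restart] events."""
    stamps = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m and "SIGUSR1[soft,ping-restart]" in m.group(2):
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


# Constructed sample input: liveness left at defaults, as after the migration.
BROKEN_SERVER_CONFIG = """\
dev tun
server 10.8.0.0 255.255.255.0
"""

# Constructed sample input: what Keep Alive Interval 10 / Timeout 60 produces.
FIXED_SERVER_CONFIG = """\
dev tun
server 10.8.0.0 255.255.255.0
keepalive 10 60
"""

# Constructed client log excerpt showing the two-minute restart cycle.
SAMPLE_CLIENT_LOG = """\
2024-11-20 10:40:01 Initialization Sequence Completed
2024-11-20 10:42:01 SIGUSR1[soft,ping-restart] received, process restarting
2024-11-20 10:42:03 Initialization Sequence Completed
2024-11-20 10:44:03 SIGUSR1[soft,ping-restart] received, process restarting
2024-11-20 10:44:05 Initialization Sequence Completed
2024-11-20 10:46:05 SIGUSR1[soft,ping-restart] received, process restarting
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_SERVER_CONFIG), ("fixed", FIXED_SERVER_CONFIG)):
        print(name, client_view(cfg))
    print("seconds between client restarts:", ping_restart_intervals(SAMPLE_CLIENT_LOG))
```

Run it as a script to compare the two configs: the one without `keepalive` leaves the client on the default 120 second `ping-restart` with no server pings to reset it, which is exactly the every-two-minutes cycle the log excerpt shows. One caveat for the `explicit-exit-notify` suggestion above: OpenVPN only supports it over UDP, so it has no effect on TCP instances.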