openvpn
baden555, 2019-03-29 13:40:53

OpenVPN client reconnects every 15 minutes, by timeout?

There is a VDS server with OpenVPN installed on it. Clients on Windows and a router with Padavan firmware are connected to it.
Connections are established normally, but the router reconnects every 15 minutes (there is no pattern, maybe 5, maybe 20, but on average once every 15 minutes). In all cases, there is a line in the logs about resetting the connection by timeout.
Here is the router log:


Mar 29 12:41:09 openvpn-cli[4178]: [server] Inactivity timeout (--ping-restart), restarting
Mar 29 12:41:09 openvpn-cli[4178]: /sbin/route del -net 192.168.1.0 netmask 255.255.255.0
Mar 29 12:41:09 openvpn-cli[4178]: /sbin/route del -net 192.168.31.0 netmask 255.255.255.0
Mar 29 12:41:09 openvpn-cli[4178]: Closing TUN/TAP interface
Mar 29 12:41:09 openvpn-cli[4178]: /sbin/ifconfig tun0 0.0.0.0
Mar 29 12:41:09 openvpn-cli[4178]: ovpnc.script tun0 1500 1552 10.8.0.3 255.255.255.0 init
Mar 29 12:41:09 vpnc-script: tun0 down
Mar 29 12:41:09 openvpn-cli[4178]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 29 12:41:09 openvpn-cli[4178]: Restart pause, 5 second(s)
Mar 29 12:41:14 openvpn-cli[4178]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 29 12:41:14 openvpn-cli[4178]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
Mar 29 12:41:14 openvpn-cli[4178]: Socket Buffers: R=[155648->155648] S=[155648->155648]
Mar 29 12:41:14 openvpn-cli[4178]: UDP link local: (not bound)
Mar 29 12:41:14 openvpn-cli[4178]: UDP link remote: [AF_INET]X.X.X.X:1194
Mar 29 12:41:14 openvpn-cli[4178]: TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=f0ed64be bc5f2af5
Mar 29 12:41:14 openvpn-cli[4178]: VERIFY OK: depth=1, CN=ChangeMe
Mar 29 12:41:14 openvpn-cli[4178]: VERIFY KU OK
Mar 29 12:41:14 openvpn-cli[4178]: Validating certificate extended key usage
Mar 29 12:41:14 openvpn-cli[4178]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mar 29 12:41:14 openvpn-cli[4178]: VERIFY EKU OK
Mar 29 12:41:14 openvpn-cli[4178]: VERIFY OK: depth=0, CN=server
Mar 29 12:41:15 openvpn-cli[4178]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 29 12:41:15 openvpn-cli[4178]: [server] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Mar 29 12:41:16 openvpn-cli[4178]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mar 29 12:41:16 openvpn-cli[4178]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.31.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 5,ping-restart 180,ifconfig 10.8.0.3 255.255.255.0,peer-id 2,cipher AES-256-GCM'
Mar 29 12:41:16 openvpn-cli[4178]: OPTIONS IMPORT: timers and/or timeouts modified
Mar 29 12:41:16 openvpn-cli[4178]: OPTIONS IMPORT: --ifconfig/up options modified
Mar 29 12:41:16 openvpn-cli[4178]: OPTIONS IMPORT: route options modified
Mar 29 12:41:16 openvpn-cli[4178]: OPTIONS IMPORT: route-related options modified
Mar 29 12:41:16 openvpn-cli[4178]: OPTIONS IMPORT: peer-id set
Mar 29 12:41:16 openvpn-cli[4178]: OPTIONS IMPORT: adjusting link_mtu to 1624
Mar 29 12:41:16 openvpn-cli[4178]: OPTIONS IMPORT: data channel crypto options modified
Mar 29 12:41:16 openvpn-cli[4178]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 29 12:41:16 openvpn-cli[4178]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 29 12:41:16 openvpn-cli[4178]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 29 12:41:16 openvpn-cli[4178]: TUN/TAP device tun0 opened
Mar 29 12:41:16 openvpn-cli[4178]: TUN/TAP TX queue length set to 100
Mar 29 12:41:16 openvpn-cli[4178]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 29 12:41:16 openvpn-cli[4178]: /sbin/ifconfig tun0 10.8.0.3 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mar 29 12:41:16 openvpn-cli[4178]: ovpnc.script tun0 1500 1552 10.8.0.3 255.255.255.0 init
Mar 29 12:41:16 vpnc-script: tun0 up
Mar 29 12:41:16 openvpn-cli[4178]: /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.1
Mar 29 12:41:16 openvpn-cli gw 10.8.0.1
Mar 29 12:41:16 openvpn-cli[4178]: Initialization Sequence Completed
Mar 29 12:55:56 openvpn-cli[4178]: [server] Inactivity timeout (--ping-restart), restarting

Server log:

Fri Mar 29 12:41:15 2019 YYYY:2312 TLS: Initial packet from [AF_INET]YYYY:2312, sid=611c4a72 ac01b3c8
Fri Mar 29 12:41:16 2019 YYYY:2312 VERIFY OK: depth=1, CN=ChangeMe
Fri Mar 29 12:41:16 2019 YYYY:2312 VERIFY OK: depth=0, CN=client-rx
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_VER=2.4.4
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_PLAT=linux
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_PROTO=2
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_NCP=2
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_LZ4=1
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_LZ4v2=1
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_LZO=1
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_COMP_STUB=1
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_COMP_STUBv2=1
Fri Mar 29 12:41:16 2019 YYYY:2312 peer info: IV_TCPNL=1
Fri Mar 29 12:41:16 2019 YYYY:2312 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Mar 29 12:41:16 2019 YYYY:2312 [client-rx] Peer Connection Initiated with [AF_INET]YYYY:2312
Fri Mar 29 12:41:16 2019 MULTI: new connection by client 'client-rx' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Mar 29 12:41:16 2019 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/client-rx
Fri Mar 29 12:41:16 2019 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
Fri Mar 29 12:41:16 2019 MULTI: Learn: 10.8.0.3 -> client-rx/YYYY:2312
Fri Mar 29 12:41:16 2019 MULTI: primary virtual IP for client-rx/YYYY:2312: 10.8.0.3
Fri Mar 29 12:41:16 2019 MULTI: internal route 192.168.2.0/24 -> client-rx/YYYY:2312
Fri Mar 29 12:41:16 2019 MULTI: Learn: 192.168.2.0/24 -> client-rx/YYYY:2312
Fri Mar 29 12:41:16 2019 REMOVE PUSH ROUTE: 'route 192.168.2.0 255.255.255.0'
Fri Mar 29 12:41:17 2019 client-rx/YYYY:2312 PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 29 12:41:17 2019 client-rx/YYYY:2312 SENT CONTROL [client-rx]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.31.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 5,ping-restart 180,ifconfig 10.8.0.3 255.255.255.0,peer-id 2,cipher AES-256-GCM' (status=1)
Fri Mar 29 12:41:17 2019 client-rx/YYYY:2312 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 29 12:41:17 2019 client-rx/YYYY:2312 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

Client settings: [image: 5c9df49935cb4930271481.png]

Server settings:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.31.0 255.255.255.0"
route 192.168.2.0
5.0 keepalive 5.0 2825
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
crl-verify crl.pem

I don't need to run all traffic through the VPN; I just need device access and network bonding. Everything now works as it should, except that the router reconnects every 15 minutes, with loss of Internet for all its clients for a minute, which is annoying. What can be done?
P.S. Each client connects with its own certificates.


1 answer(s)
res2001, 2019-03-29
@res2001

Configure keepalive on the router with the same values as on the server.
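
An added example, not part of the original question or answer: a small Python parser for the router log format shown in the question. It pairs each "Initialization Sequence Completed" with the next "Inactivity timeout (--ping-restart)" and compares session uptime with the pushed `ping`/`ping-restart` values. The function name `analyze` and the `year` default are assumptions; the sample lines are taken from the log above, with the PUSH_REPLY shortened.

```python
import re
from datetime import datetime

# Constructed sample: lines from the router log on this page (PUSH_REPLY shortened).
SAMPLE_LOG = """\
Mar 29 12:41:09 openvpn-cli[4178]: [server] Inactivity timeout (--ping-restart), restarting
Mar 29 12:41:16 openvpn-cli[4178]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 5,ping-restart 180,ifconfig 10.8.0.3 255.255.255.0,peer-id 2,cipher AES-256-GCM'
Mar 29 12:41:16 openvpn-cli[4178]: Initialization Sequence Completed
Mar 29 12:55:56 openvpn-cli[4178]: [server] Inactivity timeout (--ping-restart), restarting
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+: (.*)$")
PUSH_RE = re.compile(r"\bping (\d+),ping-restart (\d+)")

def analyze(log_text, year=2019):
    """Return one dict per completed session that ended in a ping-restart."""
    sessions, pushed, up_since = [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not syslog-style entries
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        push = PUSH_RE.search(msg) if "PUSH_REPLY" in msg else None
        if push:
            pushed = (int(push.group(1)), int(push.group(2)))
        elif "Initialization Sequence Completed" in msg:
            up_since = ts
        elif "Inactivity timeout (--ping-restart)" in msg and up_since:
            uptime = int((ts - up_since).total_seconds())
            restart = pushed[1] if pushed else None
            sessions.append({
                "up": up_since, "down": ts, "uptime_s": uptime,
                "ping": pushed[0] if pushed else None,
                "ping_restart": restart,
                # The restart fires after ping_restart seconds of silence, so the
                # last packet from the server arrived roughly this long after connect.
                "healthy_s": uptime - restart if restart else None,
            })
            up_since = None
    return sessions

if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG):
        print(f"{s['up']:%H:%M:%S} -> {s['down']:%H:%M:%S} uptime={s['uptime_s']}s "
              f"ping={s['ping']} ping-restart={s['ping_restart']} "
              f"last server packet ~{s['healthy_s']}s after connect")
```

On the log in the question this reports one session of 880 s with the server going silent about 700 s in, which gives a timestamp to compare against the server log and the router's WAN events.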
