OpenVPN fails to reconnect when network adapter reconnects to WiFiProblems setting up a VPN: can connect but can't ping anyoneOpenVPN connection from within 2nd subnet in office?pfsense peer-to-peer OpenVPN not connectingPfsense OpenVPN tunnelStrange OpenVPN behavior - disconnects after one minuteConfiguring OpenVPN server (Debian 8) and client (Windows 10)tls error : tls handshake failedOpenVPN and multicast routingOpenVPN Client Local LAN AccessHow to configure iptables for a dial-up VPN with OpenVPN and two interfaces?

Is tuition reimbursement a good idea if you have to stay with the job

The best in flight meal option for those suffering from reflux

Placement of positioning lights on A320 winglets

Am I allowed to determine tenets of my contract as a warlock?

How to deal with an excess of white-space in a CRM UI?

Which are the methodologies for interpreting Vedas?

Can an escape pod land on Earth from orbit and not be immediately detected?

Can we decompose every group element to elements of order 2? (using Cayley's theorem to identificate the group with permutations)

What does BREAD stand for while drafting?

Part of my house is inexplicably gone

Must a CPU have a GPU if the motherboard provides a display port (when there isn't any separate video card)?

What is the theme of analysis?

Dedicated bike GPS computer over smartphone

How to import .txt file with missing data?

Undocumented incompatibility between changes and siunitx?

Realistic, logical way for men with medieval-era weaponry to compete with much larger and physically stronger foes

When editor does not respond to the request for withdrawal

Is it advisable to add a location heads-up when a scene changes in a novel?

Was the Lonely Mountain, where Smaug lived, a volcano?

Can I get a photo of an Ancient Arrow?

As easy as Three, Two, One... How fast can you go from Five to Four?

usage of mir gefallen

Harley Davidson clattering noise from engine, backfire and failure to start

What do I need to do, tax-wise, for a sudden windfall?



OpenVPN fails to reconnect when network adapter reconnects to WiFi


Problems setting up a VPN: can connect but can't ping anyoneOpenVPN connection from within 2nd subnet in office?pfsense peer-to-peer OpenVPN not connectingPfsense OpenVPN tunnelStrange OpenVPN behavior - disconnects after one minuteConfiguring OpenVPN server (Debian 8) and client (Windows 10)tls error : tls handshake failedOpenVPN and multicast routingOpenVPN Client Local LAN AccessHow to configure iptables for a dial-up VPN with OpenVPN and two interfaces?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















I'm using pivpn to set up a VPN between my computer and an AWS instance. This is the autogenerated configuration file for the server (I've only changed the values of keepalive).



dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_VzlgR4iTajic3eep.crt
key /etc/openvpn/easy-rsa/pki/private/server_VzlgR4iTajic3eep.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3


I have two issues.




keepalive takes a long time to trigger a reconnect



As far as I understand the keepalive 10 60 option triggers a ping-restart that sends a SIGUSR1 to the process, to reconnect to the server. If I start openvpn on my client and I turn off and on the network interface, it takes up to 3 minutes to trigger a reconnect, while I would expect to happen in 60 seconds.



Wed May 29 01:26:50 2019 Initialization Sequence Completed
Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting


Reconnection hangs



If I trigger a reconnection with SIGUSR1 or if I wait 3 minutes, the openvpn process stops at



Wed May 29 01:06:56 2019 Initialization Sequence Completed
Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
Wed May 29 01:07:58 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed May 29 01:07:58 2019 Restart pause, 5 second(s)
Wed May 29 01:08:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]52.29.18.70:1194
Wed May 29 01:08:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 29 01:08:03 2019 UDP link local: (not bound)
Wed May 29 01:08:03 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194


My guess is that the option persist-tun doesn't play well when a network interface disconnects (maybe a dependency between tun and wlan0). I tried to disable persist-tun on the client configuration, and it reconnects as expected. Even if this seems like a solution, I'd like to run my openvpn process as user nobody, but this setting doesn't allow to create a new tun interface.



Wed May 29 01:34:31 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Wed May 29 01:34:31 2019 Exiting due to fatal error


What I did at the end was to build a custom script to ping the VPN server, and trigger a systemctl restart openvpn@pivpn if the ping fails. To me, this seems the only reasonable approach if you want to start openvpn as nobody.



TL;DR: is there an openvpn way to reconnect without relying on a custom script? I'd like to rely only on keepalive but it seems to not work as expected. Also, I think there is no way to run openvpn as nobody and have permission to create a tunnel interface.










share|improve this question




























    0















    I'm using pivpn to set up a VPN between my computer and an AWS instance. This is the autogenerated configuration file for the server (I've only changed the values of keepalive).



    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/server_VzlgR4iTajic3eep.crt
    key /etc/openvpn/easy-rsa/pki/private/server_VzlgR4iTajic3eep.key
    dh none
    topology subnet
    server 10.8.0.0 255.255.255.0
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    push "block-outside-dns"
    push "redirect-gateway def1"
    client-to-client
    keepalive 10 60
    remote-cert-tls client
    tls-version-min 1.2
    tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
    cipher AES-256-CBC
    auth SHA256
    user nobody
    group nogroup
    persist-key
    persist-tun
    crl-verify /etc/openvpn/crl.pem
    status /var/log/openvpn-status.log 20
    status-version 3
    syslog
    verb 3


    I have two issues.




    keepalive takes a long time to trigger a reconnect



    As far as I understand the keepalive 10 60 option triggers a ping-restart that sends a SIGUSR1 to the process, to reconnect to the server. If I start openvpn on my client and I turn off and on the network interface, it takes up to 3 minutes to trigger a reconnect, while I would expect to happen in 60 seconds.



    Wed May 29 01:26:50 2019 Initialization Sequence Completed
    Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting


    Reconnection hangs



    If I trigger a reconnection with SIGUSR1 or if I wait 3 minutes, the openvpn process stops at



    Wed May 29 01:06:56 2019 Initialization Sequence Completed
    Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
    Wed May 29 01:07:58 2019 SIGUSR1[soft,ping-restart] received, process restarting
    Wed May 29 01:07:58 2019 Restart pause, 5 second(s)
    Wed May 29 01:08:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]52.29.18.70:1194
    Wed May 29 01:08:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Wed May 29 01:08:03 2019 UDP link local: (not bound)
    Wed May 29 01:08:03 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194


    My guess is that the option persist-tun doesn't play well when a network interface disconnects (maybe a dependency between tun and wlan0). I tried to disable persist-tun on the client configuration, and it reconnects as expected. Even if this seems like a solution, I'd like to run my openvpn process as user nobody, but this setting doesn't allow to create a new tun interface.



    Wed May 29 01:34:31 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
    Wed May 29 01:34:31 2019 Exiting due to fatal error


    What I did at the end was to build a custom script to ping the VPN server, and trigger a systemctl restart openvpn@pivpn if the ping fails. To me, this seems the only reasonable approach if you want to start openvpn as nobody.



    TL;DR: is there an openvpn way to reconnect without relying on a custom script? I'd like to rely only on keepalive but it seems to not work as expected. Also, I think there is no way to run openvpn as nobody and have permission to create a tunnel interface.










    share|improve this question
























      0












      0








      0








      I'm using pivpn to set up a VPN between my computer and an AWS instance. This is the autogenerated configuration file for the server (I've only changed the values of keepalive).



      dev tun
      proto udp
      port 1194
      ca /etc/openvpn/easy-rsa/pki/ca.crt
      cert /etc/openvpn/easy-rsa/pki/issued/server_VzlgR4iTajic3eep.crt
      key /etc/openvpn/easy-rsa/pki/private/server_VzlgR4iTajic3eep.key
      dh none
      topology subnet
      server 10.8.0.0 255.255.255.0
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      push "block-outside-dns"
      push "redirect-gateway def1"
      client-to-client
      keepalive 10 60
      remote-cert-tls client
      tls-version-min 1.2
      tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
      cipher AES-256-CBC
      auth SHA256
      user nobody
      group nogroup
      persist-key
      persist-tun
      crl-verify /etc/openvpn/crl.pem
      status /var/log/openvpn-status.log 20
      status-version 3
      syslog
      verb 3


      I have two issues.




      keepalive takes a long time to trigger a reconnect



      As far as I understand the keepalive 10 60 option triggers a ping-restart that sends a SIGUSR1 to the process, to reconnect to the server. If I start openvpn on my client and I turn off and on the network interface, it takes up to 3 minutes to trigger a reconnect, while I would expect to happen in 60 seconds.



      Wed May 29 01:26:50 2019 Initialization Sequence Completed
      Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting


      Reconnection hangs



      If I trigger a reconnection with SIGUSR1 or if I wait 3 minutes, the openvpn process stops at



      Wed May 29 01:06:56 2019 Initialization Sequence Completed
      Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
      Wed May 29 01:07:58 2019 SIGUSR1[soft,ping-restart] received, process restarting
      Wed May 29 01:07:58 2019 Restart pause, 5 second(s)
      Wed May 29 01:08:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]52.29.18.70:1194
      Wed May 29 01:08:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
      Wed May 29 01:08:03 2019 UDP link local: (not bound)
      Wed May 29 01:08:03 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194


      My guess is that the option persist-tun doesn't play well when a network interface disconnects (maybe a dependency between tun and wlan0). I tried to disable persist-tun on the client configuration, and it reconnects as expected. Even if this seems like a solution, I'd like to run my openvpn process as user nobody, but this setting doesn't allow to create a new tun interface.



      Wed May 29 01:34:31 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
      Wed May 29 01:34:31 2019 Exiting due to fatal error


      What I did at the end was to build a custom script to ping the VPN server, and trigger a systemctl restart openvpn@pivpn if the ping fails. To me, this seems the only reasonable approach if you want to start openvpn as nobody.



      TL;DR: is there an openvpn way to reconnect without relying on a custom script? I'd like to rely only on keepalive but it seems to not work as expected. Also, I think there is no way to run openvpn as nobody and have permission to create a tunnel interface.










      share|improve this question














      I'm using pivpn to set up a VPN between my computer and an AWS instance. This is the autogenerated configuration file for the server (I've only changed the values of keepalive).



      dev tun
      proto udp
      port 1194
      ca /etc/openvpn/easy-rsa/pki/ca.crt
      cert /etc/openvpn/easy-rsa/pki/issued/server_VzlgR4iTajic3eep.crt
      key /etc/openvpn/easy-rsa/pki/private/server_VzlgR4iTajic3eep.key
      dh none
      topology subnet
      server 10.8.0.0 255.255.255.0
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      push "block-outside-dns"
      push "redirect-gateway def1"
      client-to-client
      keepalive 10 60
      remote-cert-tls client
      tls-version-min 1.2
      tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
      cipher AES-256-CBC
      auth SHA256
      user nobody
      group nogroup
      persist-key
      persist-tun
      crl-verify /etc/openvpn/crl.pem
      status /var/log/openvpn-status.log 20
      status-version 3
      syslog
      verb 3


      I have two issues.




      keepalive takes a long time to trigger a reconnect



      As far as I understand the keepalive 10 60 option triggers a ping-restart that sends a SIGUSR1 to the process, to reconnect to the server. If I start openvpn on my client and I turn off and on the network interface, it takes up to 3 minutes to trigger a reconnect, while I would expect to happen in 60 seconds.



      Wed May 29 01:26:50 2019 Initialization Sequence Completed
      Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting


      Reconnection hangs



      If I trigger a reconnection with SIGUSR1 or if I wait 3 minutes, the openvpn process stops at



      Wed May 29 01:06:56 2019 Initialization Sequence Completed
      Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
      Wed May 29 01:07:58 2019 SIGUSR1[soft,ping-restart] received, process restarting
      Wed May 29 01:07:58 2019 Restart pause, 5 second(s)
      Wed May 29 01:08:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]52.29.18.70:1194
      Wed May 29 01:08:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
      Wed May 29 01:08:03 2019 UDP link local: (not bound)
      Wed May 29 01:08:03 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194


      My guess is that the option persist-tun doesn't play well when a network interface disconnects (maybe a dependency between tun and wlan0). I tried to disable persist-tun on the client configuration, and it reconnects as expected. Even if this seems like a solution, I'd like to run my openvpn process as user nobody, but this setting doesn't allow to create a new tun interface.



      Wed May 29 01:34:31 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
      Wed May 29 01:34:31 2019 Exiting due to fatal error


      What I did at the end was to build a custom script to ping the VPN server, and trigger a systemctl restart openvpn@pivpn if the ping fails. To me, this seems the only reasonable approach if you want to start openvpn as nobody.



      TL;DR: is there an openvpn way to reconnect without relying on a custom script? I'd like to rely only on keepalive but it seems to not work as expected. Also, I think there is no way to run openvpn as nobody and have permission to create a tunnel interface.







      openvpn






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked May 28 at 23:42









      vrdevrde

      1012




      1012




















          0






          active

          oldest

          votes












          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969240%2fopenvpn-fails-to-reconnect-when-network-adapter-reconnects-to-wifi%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969240%2fopenvpn-fails-to-reconnect-when-network-adapter-reconnects-to-wifi%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

          Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

          What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company