OpenVPN fails to reconnect when network adapter reconnects to WiFi
I'm using pivpn to set up a VPN between my computer and an AWS instance. This is the autogenerated configuration file for the server (I've only changed the values of `keepalive`).

```
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_VzlgR4iTajic3eep.crt
key /etc/openvpn/easy-rsa/pki/private/server_VzlgR4iTajic3eep.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
```

I have two issues.

`keepalive` takes a long time to trigger a reconnect

As far as I understand, the `keepalive 10 60` option triggers a `ping-restart` that sends a `SIGUSR1` to the process, to reconnect to the server. If I start openvpn on my client and I turn the network interface off and on, it takes up to 3 minutes to trigger a reconnect, while I would expect it to happen in 60 seconds.

```
Wed May 29 01:26:50 2019 Initialization Sequence Completed
Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
```

Reconnection hangs

If I trigger a reconnection with `SIGUSR1` or if I wait 3 minutes, the openvpn process stops at

```
Wed May 29 01:06:56 2019 Initialization Sequence Completed
Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
Wed May 29 01:07:58 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed May 29 01:07:58 2019 Restart pause, 5 second(s)
Wed May 29 01:08:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]52.29.18.70:1194
Wed May 29 01:08:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 29 01:08:03 2019 UDP link local: (not bound)
Wed May 29 01:08:03 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
```

My guess is that the option `persist-tun` doesn't play well when a network interface disconnects (maybe a dependency between `tun` and `wlan0`). I tried to disable `persist-tun` on the client configuration, and it reconnects as expected. Even if this seems like a solution, I'd like to run my `openvpn` process as user `nobody`, but this setting doesn't allow it to create a new `tun` interface.

```
Wed May 29 01:34:31 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Wed May 29 01:34:31 2019 Exiting due to fatal error
```

What I did in the end was to build a custom script to ping the VPN server, and trigger a `systemctl restart openvpn@pivpn` if the ping fails. To me, this seems the only reasonable approach if you want to start openvpn as `nobody`.

TL;DR: is there an openvpn way to reconnect without relying on a custom script? I'd like to rely only on `keepalive`, but it seems to not work as expected. Also, I think there is no way to run openvpn as `nobody` and have permission to create a tunnel interface.
openvpn
asked May 28 at 23:42 by vrde
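
An added example (not part of the original question and not OpenVPN's own code) that expands the `keepalive 10 60` line the way the openvpn(8) manual describes for server and client mode, and measures the tunnel-up to ping-restart gap in the quoted client log lines. The function names `expand_keepalive` and `restart_gaps` are hypothetical, and the configuration string is a constructed excerpt of the one in the question.

```python
import re
from datetime import datetime

# Constructed excerpt of the server configuration shown in the question.
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
keepalive 10 60
persist-tun
"""

# Client log lines as quoted in the question (two separate sessions).
CLIENT_LOG = """\
Wed May 29 01:06:56 2019 Initialization Sequence Completed
Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
Wed May 29 01:26:50 2019 Initialization Sequence Completed
Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
"""

TIMESTAMP = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) ")


def expand_keepalive(config_text):
    """Expand `keepalive interval timeout` as described in openvpn(8)."""
    m = re.search(r"^\s*keepalive\s+(\d+)\s+(\d+)", config_text, re.M)
    if m is None:
        return None
    interval, timeout = int(m.group(1)), int(m.group(2))
    server_mode = re.search(r"^\s*(server\s|mode\s+server)", config_text, re.M)
    if server_mode:
        # The server doubles its own timeout and pushes the plain one to clients.
        return {"local": {"ping": interval, "ping-restart": timeout * 2},
                "pushed": {"ping": interval, "ping-restart": timeout}}
    return {"local": {"ping": interval, "ping-restart": timeout}, "pushed": None}


def restart_gaps(log_text):
    """Seconds from each tunnel-up line to the next ping-restart timeout."""
    gaps, up_since = [], None
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        if "Initialization Sequence Completed" in line:
            up_since = ts
        elif "Inactivity timeout (--ping-restart)" in line and up_since:
            # Upper bound on detection time: the log does not say when the link dropped.
            gaps.append(int((ts - up_since).total_seconds()))
            up_since = None
    return gaps


if __name__ == "__main__":
    print(expand_keepalive(SERVER_CONF))
    print(restart_gaps(CLIENT_LOG))
```
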