Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime

2020-08-07 Thread Marc SCHAEFER
Hello,

I now think my VPN is running reliably: a ping every 5 minutes over the
last 15 hours has shown 100% success.

The bug was in the UPC router firmware, blocking from time to time traffic on
port 4998/UDP where I run my multi-site VPN.  The funny thing is that the bug
showed itself not only on Internet traffic but ALSO on the internal switch of
that router for two machines on the same public IPv4 subnet, and disappeared
when connecting them through an independent switch.

I could however clean up a bit my OpenVPN configuration, which was
a good thing.

Thank you for your help.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime

2020-07-26 Thread Marc SCHAEFER
On Sat, Jul 25, 2020 at 10:40:47AM +0200, Gert Doering wrote:
> Check your config for "reneg-bytes", "reneg-pkts" and "reneg-sec" settings
> that are non-default.

Definitely, there was a server-side client script pushing that, it is
commented now.

Still testing to see if the problem reproduces itself.

Thanks.




Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime

2020-07-25 Thread Gert Doering
Hi,

On Fri, Jul 24, 2020 at 11:20:24PM +0200, Marc SCHAEFER wrote:
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

This is definitely not right.

Not sure what the default value for AES is (for BF-CBC it's 60 minutes),
but it should be in the "many hours" range.

Check your config for "reneg-bytes", "reneg-pkts" and "reneg-sec" settings
that are non-default.

(If this is not fruitful, try re-running with "verb 4" and see if there
is more insight)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
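
The two checks suggested in this message, as an added example that is not part of the original thread: measure how often each peer's data channel key is re-initialized in the log, and list active `reneg-*` directives in a config. The 3600-second threshold is OpenVPN's documented default for `reneg-sec`; the client07 entries and the config fragment are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log lines quoted in this thread
# (one entry per line); client07 and its address are made up for contrast.
SAMPLE_LOG = """\
Jul 24 22:10:02 virtual ovpn-multiple[6235]: client07/192.0.2.7:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:10:02 virtual ovpn-multiple[6235]: client07/192.0.2.7:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# Constructed config fragment: one commented-out and one pushed reneg-sec.
SAMPLE_CONF = 'keepalive 10 60\n# reneg-sec 60\npush "reneg-sec 60"\n'

KEY_INIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\[\d+\]:\s+"
    r"(?P<peer>\S+)\s+Outgoing Data Channel: Cipher '[^']+' initialized"
)
RENEG = re.compile(r'^\s*(?:push\s+")?\s*(reneg-(?:sec|bytes|pkts))\s+(\d+)')

def rekey_intervals(log_text, year=2020):
    """Return {peer: [seconds between successive data channel key inits]}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = KEY_INIT.match(line)
        if m:  # syslog timestamps carry no year, so it is supplied here
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["peer"]].append(ts)
    return {peer: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for peer, t in seen.items()}

def fast_rekeyers(log_text, min_interval=3600):
    """Return {peer: shortest interval} for peers rekeying too often."""
    return {peer: min(gaps) for peer, gaps in rekey_intervals(log_text).items()
            if gaps and min(gaps) < min_interval}

def reneg_settings(config_text):
    """Return active (uncommented) reneg-* directives, direct or pushed."""
    hits = (RENEG.match(line) for line in config_text.splitlines())
    return [(m.group(1), int(m.group(2))) for m in hits if m]

if __name__ == "__main__":
    print(fast_rekeyers(SAMPLE_LOG))
    print(reneg_settings(SAMPLE_CONF))
```
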




Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime

2020-07-25 Thread Marc SCHAEFER
On Fri, Jul 24, 2020 at 11:20:32PM +0100, tincanteksup wrote:
> not sure how you have your configs setup (maybe post further details) but ..
> Using --verb 4 may help with extra log details.

Thank you,

will collect more information.

It now suspiciously looks like a firewall issue.




Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime

2020-07-24 Thread tincanteksup

Hi Marc,

not sure how you have your configs setup (maybe post further details) but ..

Using --verb 4 may help with extra log details.

Regards.




[Openvpn-users] OpenVPN frequent renegociation and sometimes downtime

2020-07-24 Thread Marc SCHAEFER
Hello,

I have an OpenVPN server on a fixed IP address, using the CA mode.
I have 3 clients, two on dynamic IP and behind CGNAT, and one on
fixed IP.

I observe frequent downtimes, that's why I have investigated a bit.
They heal by themselves, but sometimes they last more than 10 minutes,
which triggers an alarm on my monitoring system. I run the Debian buster
version of OpenVPN everywhere.

I tried the server config: 

   keepalive 10 60

However, it did not really help: I have frequent downtimes of all of
the clients.  AFAIK this command also sets ping on the clients.

Thinking that the problem could be NAT related, at least partly,
I tried just a simple `ping 10' on the server. It did not help.

I have now configured a ping 10 on the server and one of the clients
to see what happens.

My question: is it normal that the key exchange / negotiation is very
frequent?

See: (every minute): that one is on fixed IP

Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

However, the others (on NAT) also do the same every minute.

But the `Peer Connection Initiated' is much more rare (e.g. once a day).

So far I have not seen any specific error message when the connection ceases to 
work or starts again.

Any idea ?

Thank you :)

