Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
Hello,

I now think my VPN is running reliably: a ping every 5 minutes over the last 15 hours has shown 100% success.

The bug was in the UPC router firmware, blocking from time to time traffic on port 4998/UDP where I run my multi-site VPN. The funny thing is that the bug showed itself not only on Internet traffic but ALSO on the internal switch of that router for two machines on the same public IPv4 subnet, and disappeared when connecting them through an independent switch.

I could however clean up a bit my OpenVPN configuration, which was a good thing.

Thank you for your help.

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
On Sat, Jul 25, 2020 at 10:40:47AM +0200, Gert Doering wrote:
> Check your config for "reneg-bytes", "reneg-pkts" and "reneg-sec" settings
> that are non-default.

Definitely, there was a server-side client script pushing that, it is commented now.

Still testing to see if the problem reproduces itself.

Thanks.

Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
Hi,

On Fri, Jul 24, 2020 at 11:20:24PM +0200, Marc SCHAEFER wrote:
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

This is definitely not right. Not sure what the default value for AES is (for BF-CBC it's 60 minutes), but it should be in the "many hours" range.

Check your config for "reneg-bytes", "reneg-pkts" and "reneg-sec" settings that are non-default.

(If this is not fruitful, try re-running with "verb 4" and see if there is more insight)

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de

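The check suggested in the message above, as an added example (not from the thread or from the OpenVPN project): it measures the gap between data-channel key initialisations per client in syslog lines of the quoted format, and lists active reneg-* directives, including pushed ones. The sample log and config are constructed, the function names are hypothetical, the year is supplied by the caller because syslog omits it, and 3600 seconds is an assumed expected reneg-sec.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the thread's log format; client07 is made up (hourly rekey).
SAMPLE_LOG = """\
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 21:00:00 virtual ovpn-multiple[6235]: client07/192.0.2.7:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 22:00:00 virtual ovpn-multiple[6235]: client07/192.0.2.7:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:00:01 virtual ovpn-multiple[6235]: client07/192.0.2.7:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# Constructed config fragment (hypothetical contents).
SAMPLE_CONF = """\
# reneg-sec 120
push "reneg-sec 60"
reneg-bytes 0
"""

REKEY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: (\S+?)/\S+ "
                   r"Outgoing Data Channel: Cipher", re.M)
RENEG = re.compile(r'^\s*(push\s+")?(reneg-(?:sec|bytes|pkts))\s+(\d+)', re.M)

def rekey_intervals(log_text, year=2020):
    """Median seconds between data-channel key initialisations, per client."""
    seen = defaultdict(list)
    for stamp, client in REKEY.findall(log_text):
        # syslog timestamps carry no year; the caller supplies it
        seen[client].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    out = {}
    for client, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps:
            out[client] = median(gaps)
    return out

def fast_rekeyers(log_text, reneg_sec=3600, slack=0.5):
    """Clients whose median rekey gap is well under the expected reneg-sec."""
    return sorted(c for c, gap in rekey_intervals(log_text).items()
                  if gap < reneg_sec * slack)

def reneg_directives(conf_text):
    """Active (uncommented) reneg-* settings as (directive, value, pushed)."""
    return [(n, int(v), bool(p)) for p, n, v in RENEG.findall(conf_text)]
```

Only the "Outgoing" line of each pair is counted, so one rekey is one event; commented-out directives (`#` or `;`) are skipped.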
Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
On Fri, Jul 24, 2020 at 11:20:32PM +0100, tincanteksup wrote:
> not sure how you have your configs setup (maybe post further details) but ..
> Using --verb 4 may help with extra log details.

Thank you, will collect more information.

It now suspiciously looks like a firewall issue.

Re: [Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
Hi Marc,

not sure how you have your configs setup (maybe post further details) but ..

Using --verb 4 may help with extra log details.

Regards.

On 24/07/2020 22:20, Marc SCHAEFER wrote:
> Hello,
>
> I have an OpenVPN server on a fixed IP address, using the CA mode. I have 3 clients, two on dynamic IP and behind CGNAT, and one on fixed IP.
>
> I observe frequent downtimes, that's why I have investigated a bit. They heal by themselves, but sometimes they last more than 10 minutes, which triggers an alarm on my monitoring system.
>
> I run the Debian buster version of OpenVPN everywhere.
>
> I tried the server config:
>
>    keepalive 10 60
>
> However, it did not really help: I have frequent downtimes of all of the clients. AFAIK this command also sets ping on the clients.
>
> Thinking that the problem could be NAT related, at least partly, I tried just a simple `ping 10' on the server. It did not help.
>
> I have now configured a ping 10 on the server and one of the clients to see what happens.
>
> My question: is it normal that the key exchange / negotiation is very frequent ?
>
> See: (every minute): that one is on fixed IP
>
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
>
> However, the others (on NAT) also do the same every minute.
>
> But the `Peer Connection Initiated' is much more rare (e.g. once a day).
>
> So far I have not seen any specific error message when the connection ceases to work or starts again.
>
> Any idea ?
>
> Thank you :)

[Openvpn-users] OpenVPN frequent renegociation and sometimes downtime
Hello,

I have an OpenVPN server on a fixed IP address, using the CA mode. I have 3 clients, two on dynamic IP and behind CGNAT, and one on fixed IP.

I observe frequent downtimes, that's why I have investigated a bit. They heal by themselves, but sometimes they last more than 10 minutes, which triggers an alarm on my monitoring system.

I run the Debian buster version of OpenVPN everywhere.

I tried the server config:

   keepalive 10 60

However, it did not really help: I have frequent downtimes of all of the clients. AFAIK this command also sets ping on the clients.

Thinking that the problem could be NAT related, at least partly, I tried just a simple `ping 10' on the server. It did not help.

I have now configured a ping 10 on the server and one of the clients to see what happens.

My question: is it normal that the key exchange / negotiation is very frequent ?

See: (every minute): that one is on fixed IP

Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:04:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:05:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:06:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:07:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:08:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:09:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:10:45 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:11:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:12:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:13:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 24 23:14:46 virtual ovpn-multiple[6235]: client05/some-fixed-IP:4998 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

However, the others (on NAT) also do the same every minute.

But the `Peer Connection Initiated' is much more rare (e.g. once a day).

So far I have not seen any specific error message when the connection ceases to work or starts again.

Any idea ?

Thank you :)