Hi, team.
We're facing an issue with clients disconnecting after 60 minutes, even when the "openvpn-option --reneg-sec 0" and "persistent-tunnel" openvpn-options are on. Also, replacing "persistent-tunnel" with "openvpn-option --persistent-tun" didn't help either.
FYI, the client IP was replaced in the log with 3.3.3.3 and the server IP with 5.5.5.5.
Also, note the different timezones between client and server; that's OK.
Interface config:
openvpn vtun1 {
    local-port 1195
    mode server
    openvpn-option "--script-security 2 system"
    openvpn-option duplicate-cn
    openvpn-option "log-append /var/log/openvpn.log"
    openvpn-option "--cipher AES-256-CBC"
    openvpn-option client-cert-not-required
    openvpn-option comp-lzo
    openvpn-option "plugin /config/auth/openvpn-auth-ldap.so /config/auth/auth-ldap.conf"
    openvpn-option "tun-mtu 1500"
    openvpn-option "tun-mtu-extra 32"
    openvpn-option "fragment 1400"
    openvpn-option --persist-tun
    openvpn-option --persist-key
    openvpn-option "--keepalive 10 20"
    openvpn-option "--reneg-sec 0"
    persistent-tunnel
    server {
        name-server 10.10.1.11
        push-route 10.10.1.0/24
        push-route 10.10.4.0/22
        push-route 10.10.8.0/22
        push-route 10.10.12.0/24
        subnet 10.10.7.0/24
    }
    tls {
        ca-cert-file /config/rsa2/keys/ca.crt
        cert-file /config/rsa2/keys/vyos-vpn-msk.crt
        dh-file /config/rsa2/keys/dh2048.pem
        key-file /config/rsa2/keys/vyos-vpn-msk.key
    }
}
Error log (server side):
Mon Jul 15 15:09:09 2019 3.3.3.3:6083 TLS: Initial packet from [AF_INET]3.3.3.3:6083, sid=6a3d15ce 40b71dbb
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 PLUGIN_CALL: POST /config/auth/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 TLS: Username/Password authentication succeeded for username 'kkulbatskiy'
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 [] Peer Connection Initiated with [AF_INET]3.3.3.3:6083
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 MULTI_sva: pool returned IPv4=10.10.7.2, IPv6=(Not enabled)
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 PLUGIN_CALL: POST /config/auth/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_971bf988a671101deff97e9192beebbd.tmp
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 MULTI: Learn: 10.10.7.2 -> 3.3.3.3:6083
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 MULTI: primary virtual IP for 3.3.3.3:6083: 10.10.7.2
Mon Jul 15 15:09:12 2019 3.3.3.3:6083 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 15 15:09:12 2019 3.3.3.3:6083 send_push_reply(): safe_cap=940
Mon Jul 15 15:09:12 2019 3.3.3.3:6083 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 10.10.1.11,route 10.10.1.0 255.255.255.0,route 10.10.4.0 255.255.252.0,route 10.10.8.0 255.255.252.0,route 10.10.12.0 255.255.255.0,dhcp-option DOMAIN iponweb.lan,route-gateway 10.10.7.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.7.2 255.255.255.0' (status=1)
Mon Jul 15 16:09:45 2019 3.3.3.3:7394 TLS: Initial packet from [AF_INET]3.3.3.3:7394, sid=43f7efba 8989c044
Mon Jul 15 16:10:25 2019 3.3.3.3:7394 [UNDEF] Inactivity timeout (--ping-restart), restarting
Mon Jul 15 16:10:25 2019 3.3.3.3:7394 SIGUSR1[soft,ping-restart] received, client-instance restarting
Client log:
kkul@vpn-test-lnd-1:/etc/openvpn$ sudo openvpn --config msk-vpn-linux.ovpn
[sudo] password for kkul:
Mon Jul 15 13:09:03 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Mon Jul 15 13:09:03 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Enter Auth Username: kkulbatskiy
Enter Auth Password: **********
Mon Jul 15 13:09:09 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jul 15 13:09:09 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 15 13:09:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]5.5.5.5:1195
Mon Jul 15 13:09:09 2019 UDP link local: (not bound)
Mon Jul 15 13:09:09 2019 UDP link remote: [AF_INET]5.5.5.5:1195
Mon Jul 15 13:09:11 2019 [server] Peer Connection Initiated with [AF_INET]5.5.5.5:1195
Mon Jul 15 13:09:12 2019 TUN/TAP device tun0 opened
Mon Jul 15 13:09:12 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 15 13:09:12 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 15 13:09:12 2019 /sbin/ip addr add dev tun0 10.10.7.2/24 broadcast 10.10.7.255
Mon Jul 15 13:09:12 2019 /etc/openvpn/update-resolv-conf tun0 1500 1594 10.10.7.2 255.255.255.0 init
Mon Jul 15 13:09:12 2019 Initialization Sequence Completed
Mon Jul 15 14:09:10 2019 [server] Inactivity timeout (--ping-restart), restarting
Mon Jul 15 14:09:11 2019 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jul 15 14:09:11 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jul 15 14:09:12 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 15 14:09:12 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]5.5.5.5:1195
Mon Jul 15 14:09:12 2019 UDP link local: (not bound)
Mon Jul 15 14:09:12 2019 UDP link remote: [AF_INET]5.5.5.5:1195
Enter Auth Username: Failed to query password: Timer expired
Enter Auth Password: Failed to query password: Timer expired
Mon Jul 15 14:09:12 2019 ERROR: Failed retrieving username or password
Mon Jul 15 14:09:12 2019 Exiting due to fatal error
Mon Jul 15 14:09:12 2019 /sbin/ip addr del dev tun0 10.10.7.2/24
Mon Jul 15 14:09:12 2019 /etc/openvpn/update-resolv-conf tun0 1500 1658 10.10.7.2 255.255.255.0 init
Let me know if you need any additional info/logs.
Thanks
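As an added diagnostic (not part of the original post), the script below pairs each "Initialization Sequence Completed" in an OpenVPN 2.4 client log with the next "--ping-restart" inactivity timeout, reports the session lifetime, flags lifetimes that land near OpenVPN's built-in default --reneg-sec of 3600 s, and notes whether the restart that followed then failed to re-read credentials. The 60 s tolerance and the sample log lines are constructed assumptions for this example.

```python
# Added diagnostic (not from the original post): pair each OpenVPN client
# "Initialization Sequence Completed" with the next "Inactivity timeout
# (--ping-restart)" and flag lifetimes near 3600 s, OpenVPN's default --reneg-sec.
import re
from datetime import datetime

# OpenVPN 2.4 log prefix, e.g. "Mon Jul 15 13:09:12 2019 "; there is no timezone field.
_TS = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
START_MSG = "Initialization Sequence Completed"
DROP_MSG = "Inactivity timeout (--ping-restart)"
REAUTH_FAIL = "Failed retrieving username or password"
DEFAULT_RENEG_SEC = 3600
TOLERANCE_SEC = 60  # assumed slack around the hourly mark

def parse_line(line):
    """Return (datetime, message), or None for prompts and other untimestamped lines."""
    m = _TS.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)

def session_lifetimes(lines):
    """One dict per session: start, drop, lifetime, hourly flag, re-auth failure."""
    sessions, start = [], None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if START_MSG in msg:
            start = ts
        elif DROP_MSG in msg and start is not None:
            secs = (ts - start).total_seconds()
            sessions.append({"start": start, "drop": ts, "seconds": secs,
                             "near_default_reneg": abs(secs - DEFAULT_RENEG_SEC) <= TOLERANCE_SEC,
                             "reauth_failed": False})
            start = None
        elif REAUTH_FAIL in msg and sessions and start is None:
            # The restart after the drop could not re-prompt for credentials.
            sessions[-1]["reauth_failed"] = True
    return sessions

# Constructed sample lines, modelled on the client log in the post above.
SAMPLE_LOG = [
    "Mon Jul 15 13:09:12 2019 Initialization Sequence Completed",
    "Mon Jul 15 14:09:10 2019 [server] Inactivity timeout (--ping-restart), restarting",
    "Enter Auth Username: Failed to query password: Timer expired",
    "Mon Jul 15 14:09:12 2019 ERROR: Failed retrieving username or password",
]
```

Run `session_lifetimes(SAMPLE_LOG)`, or feed it the real file with `session_lifetimes(open(path))`; a run of sessions all flagged `near_default_reneg` with `reauth_failed` set points at the hourly renegotiation rather than at network inactivity.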