Score:0

Windows 11: OpenVPN service failing to start at boot


I have an OpenVPN profile installed in config-auto directory on my Windows 11 machine, so that it connects to my OpenVPN server at boot.

The problem is that sometimes at system startup, it starts failing to connect with:

2022-03-11 09:27:38 [server] Inactivity timeout (--ping-restart), restarting
2022-03-11 09:27:38 SIGUSR1[soft,ping-restart] received, process restarting
2022-03-11 09:27:38 Restart pause, 5 second(s)
2022-03-11 09:27:43 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-11 09:27:43 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-11 09:27:43 TCP/UDP: Preserving recently used remote address: [AF_INET]<REDACTED>:1194
2022-03-11 09:27:43 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-03-11 09:27:43 UDP link local: (not bound)
2022-03-11 09:27:43 UDP link remote: [AF_INET]<REDACTED>:1194
2022-03-11 09:28:43 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-03-11 09:28:43 TLS Error: TLS handshake failed
2022-03-11 09:28:43 SIGUSR1[soft,tls-error] received, process restarting

As if there is no internet connection; however, you can see that my ethernet interface is up and connected to the internet:

As soon as I restart OpenVPN service:

Everything starts working fine:

2022-03-11 09:28:43 TLS Error: TLS handshake failed
2022-03-11 09:28:43 SIGUSR1[soft,tls-error] received, process restarting

2022-03-11 10:16:36 NOTE: --user option is not implemented on Windows
2022-03-11 10:16:36 NOTE: --group option is not implemented on Windows
2022-03-11 10:16:36 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-03-11 10:16:36 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-03-11 10:16:36 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-03-11 10:16:36 Windows version 10.0 (Windows 10 or greater) 64bit
2022-03-11 10:16:36 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2022-03-11 10:16:36 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-11 10:16:36 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-03-11 10:16:36 TCP/UDP: Preserving recently used remote address: [AF_INET]<REDACTED>:1194
2022-03-11 10:16:36 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-03-11 10:16:36 UDP link local: (not bound)
2022-03-11 10:16:36 UDP link remote: [AF_INET]<REDACTED>:1194
2022-03-11 10:16:36 TLS: Initial packet from [AF_INET]<REDACTED>:1194, sid=7818afbf 7c74fa3b
2022-03-11 10:16:36 VERIFY OK: depth=1, <REDACTED>
2022-03-11 10:16:36 VERIFY KU OK
2022-03-11 10:16:36 Validating certificate extended key usage
2022-03-11 10:16:36 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

I presume it is some kinda race condition between my OpenVPN and ethernet interfaces. I tried reducing InterfaceMetric for my ethernet interface and increasing it for OpenVPN interface, to no avail:

Get-NetIPInterface

ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
29      vEthernet (WSL)                 IPv6                  1500              15 Enabled  Connected       ActiveStore
12      Ethernet 3                      IPv6                  1500               5 Disabled Disconnected    ActiveStore
10      Local Area Connection* 2        IPv6                  1500              25 Disabled Disconnected    ActiveStore
24      Ethernet                        IPv6                  1500               6 Enabled  Connected       ActiveStore
22      Local Area Connection* 1        IPv6                  1500              25 Disabled Disconnected    ActiveStore
23      OpenVPN                         IPv6                  1500              25 Enabled  Connected       ActiveStore
8       Ethernet 2                      IPv6                  1500               5 Disabled Disconnected    ActiveStore
13      OpenVPN Wintun                  IPv6                 65535               5 Disabled Disconnected    ActiveStore
1       Loopback Pseudo-Interface 1     IPv6            4294967295              75 Disabled Connected       ActiveStore
29      vEthernet (WSL)                 IPv4                  1500              15 Disabled Connected       ActiveStore
12      Ethernet 3                      IPv4                  1500               5 Enabled  Disconnected    ActiveStore
10      Local Area Connection* 2        IPv4                  1500              25 Enabled  Disconnected    ActiveStore
24      Ethernet                        IPv4                  1500               1 Enabled  Connected       ActiveStore
22      Local Area Connection* 1        IPv4                  1500              25 Enabled  Disconnected    ActiveStore
23      OpenVPN                         IPv4                  1500             100 Enabled  Connected       ActiveStore
8       Ethernet 2                      IPv4                  1500               5 Enabled  Disconnected    ActiveStore
13      OpenVPN Wintun                  IPv4                 65535               5 Disabled Disconnected    ActiveStore
1       Loopback Pseudo-Interface 1     IPv4            4294967295              75 Disabled Connected       ActiveStore

I also tried setting a recovery strategy on OpenVPN service, but it seems like Windows does not treat OpenVPN service failing to connect as broken thus is not restarting it:

Again, it only happens 1 in 5 boots, most of the time it works fine.

Searched all over the internet, but couldn't find anyone else having this issue.
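
The question notes that Windows service recovery never fires because the OpenVPN service keeps running while the handshake fails. As an added example (not part of the original post), this watchdog script reads the profile's log instead and restarts the service when the latest marker is a TLS handshake failure. The service name `OpenVPNService`, the log path and the profile name `client` are assumptions to adjust for your install.

```powershell
# Added example, not from the original post. Run elevated, e.g. from a
# scheduled task triggered at system startup.
$ServiceName = 'OpenVPNService'                            # assumed service name
$LogPath     = 'C:\Program Files\OpenVPN\log\client.log'   # assumed path, placeholder profile
$MaxRestarts = 5
$MaxPolls    = 40
$PollSeconds = 30

function Get-TunnelState {
    param([string[]]$Lines, [datetime]$Since)
    # Walk backwards so the most recent marker written after $Since wins.
    for ($i = $Lines.Count - 1; $i -ge 0; $i--) {
        $stamp = [datetime]::MinValue
        $hasStamp = $Lines[$i].Length -ge 19 -and [datetime]::TryParseExact($Lines[$i].Substring(0, 19),
            'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$stamp)
        if ($hasStamp -and $stamp -lt $Since) { break }   # older than last restart
        if ($Lines[$i] -match 'Initialization Sequence Completed') { return 'Up' }
        if ($Lines[$i] -match 'TLS Error: TLS handshake failed')   { return 'Failed' }
    }
    return 'Pending'
}

# Ignore log lines from before this boot; after each restart, only newer lines count.
$since    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$restarts = 0
for ($poll = 1; $poll -le $MaxPolls; $poll++) {
    Start-Sleep -Seconds $PollSeconds
    $tail  = @(Get-Content -LiteralPath $LogPath -Tail 200 -ErrorAction SilentlyContinue)
    $state = Get-TunnelState -Lines $tail -Since $since
    if ($state -eq 'Up') { Write-Output "Tunnel up after $restarts restart(s)."; exit 0 }
    if ($state -ne 'Failed') { continue }                 # still negotiating
    # Restart only once an IPv4 default route exists, i.e. the uplink is ready.
    if (-not (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)) { continue }
    if ($restarts -ge $MaxRestarts) { break }
    Restart-Service -Name $ServiceName -Force
    $since = Get-Date
    $restarts++
    Write-Output "TLS handshake failure logged; restarted $ServiceName ($restarts/$MaxRestarts)."
}
Write-Error "Tunnel not established after $restarts restart(s)."
exit 1
```

The restart cap keeps a genuinely unreachable server from causing an endless restart loop.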

Score:0

None of the solutions helped resolve the problem.

Ended up uninstalling OpenVPN Community Edition, and installing OpenVPN Connect app instead.

To start OpenVPN Connect at boot:


Score:0

Try setting the service startup to "Delayed". It might be delayed, but at least it works. If that still does not work, try using another VPN client.

yeralin
Hi, yep also tried that. Did not help. Problem is it is an official OpenVPN community client. Idk if I could trust other unofficial builds :(
Score:0

I notice Inactivity timeout there so maybe this helps.

Open the startup folder (hit Windows+R then type shell:startup), create a shortcut to run ping to somewhere on the internet, say ping 1.1.1.1 (ping is the app to run and 1.1.1.1 is the argument), just to make sure the VPN doesn't get cut on startup.
