I have an OpenVPN server installed on my Ubuntu 20.04 VPS, and a number of clients (let's say 50 clients, most of them behind NAT) connect to it successfully and can browse the web.
I used this Angristan script to install OpenVPN on my VPS and didn't change anything in the server or even the client configurations. They are:
/etc/openvpn/server.conf:
port 1194
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_YXNlqYbUsPv1Qn2V.crt
key server_YXNlqYbUsPv1Qn2V.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 4
##script login-connect-disconnect
script-security 3
client-disconnect /etc/openvpn/logTraffic.sh
#link-mtu 1551
#link-mtu 1523
#tun-mtu 1500
#push "link-mtu 1551"
/etc/openvpn/client.ovpn:
client
proto tcp-client
remote ***.***.***.*** 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_Z6P9eMj5MYH8s50M name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
***************************************************************
***************************************************************
***************************************************************
***************************************************************
**************************************
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***************************************************************
***************************************************************
***************************************************************
***************************************************************
**************************************
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***************************************************************
***************************************************************
***************************************************************
***************************************************************
**************************************
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
a1053daa99533ebbdc363e1c56a239cc
********************************
********************************
********************************
********************************
********************************
********************************
********************************
**********
-----END OpenVPN Static key V1-----
</tls-crypt>
Now that you have seen the configurations, I will explain what the problem is. The problem is that my clients experience interruptions in their connections every now and then. Each interruption lasts a few minutes. During the interruption their OpenVPN client software shows "connected" status, but they cannot surf the web. If they manually disconnect and try to connect again, the connection will fail. The situation continues until the interruption ends. If they do not touch the status button, the connection goes back to normal behavior after a few minutes.
Reading the logs at verbosity level 4, two things stand out to me: a warning about MTU inconsistency and an error regarding a TLS handshake failure. You can see examples of them below:
journalctl -xe -f:
Feb 05 20:18:51 Jamali-3100 ovpn-server[1223370]: TCP connection established with [AF_INET]127.0.0.1:35644
Feb 05 20:18:51 Jamali-3100 ovpn-server[1223370]: TCPv4_SERVER link local: (not bound)
Feb 05 20:18:51 Jamali-3100 ovpn-server[1223370]: TCPv4_SERVER link remote: [AF_INET]127.0.0.1:35644
Feb 05 20:18:51 Jamali-3100 stunnel[1217268]: LOG5[711]: s_connect: connected 127.0.0.1:1194
Feb 05 20:18:51 Jamali-3100 stunnel[1217268]: LOG5[711]: Service [openvpn_server0] connected remote server from 127.0.0.1:35644
Feb 05 20:18:51 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 TLS: Initial packet from [AF_INET]127.0.0.1:35644, sid=0aaae698 b2067a08
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35628 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35628 TLS Error: TLS handshake failed
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35628 Fatal TLS error (check_tls_errors_co), restarting
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35628 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: TCP/UDP: Closing socket
Feb 05 20:18:52 Jamali-3100 stunnel[1217268]: LOG3[703]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
Feb 05 20:18:52 Jamali-3100 stunnel[1217268]: LOG5[703]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 VERIFY OK: depth=1, CN=cn_StVSMP0WnIq0Aa8S
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 VERIFY OK: depth=0, CN=abs
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_VER=3.git::081bfebe
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_PLAT=ios
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_NCP=2
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_TCPNL=1
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_PROTO=30
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_AUTO_SESS=1
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.3.2-5086
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 peer info: IV_SSO=webauth,openurl,crtext
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1523'
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 [abs] Peer Connection Initiated with [AF_INET]127.0.0.1:35644
At first I thought the TLS handshake might be failing randomly because of the link-mtu inconsistency, so I tried adding link-mtu 1500 to both the server and client configurations, but it didn't help and the warning did not vanish either. A second warning regarding tun-mtu also started to appear.
journalctl -xe -f:
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: 127.0.0.1:38046 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1523'
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: 127.0.0.1:38046 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1428', remote='tun-mtu 1500'
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: 127.0.0.1:38048 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: 127.0.0.1:38048 [abs] Peer Connection Initiated with [AF_INET]127.0.0.1:38048
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 MULTI: Learn: 10.8.0.10 -> abs/127.0.0.1:38048
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 MULTI: primary virtual IP for abs/127.0.0.1:38048: 10.8.0.10
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 PUSH: Received control message: 'PUSH_REQUEST'
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 SENT CONTROL [abs]: 'PUSH_REPLY,dhcp-option DNS 94.140.14.14,dhcp-option DNS 94.140.15.15,redirect-gateway def1 bypass-dhcp,link-mtu 1551,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.10 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:394 ET:0 EL:3 ]
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: abs/127.0.0.1:38048 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Feb 05 21:20:33 Jamali-3100 stunnel[1217268]: LOG5[1917]: s_connect: connected 127.0.0.1:1194
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: MULTI: multi_create_instance called
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: Re-using SSL/TLS context
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1428)
To give the complete picture, I have to say that I'm using OpenVPN over stunnel for my own reasons. I don't think the problem originates from stunnel, but I cannot confirm that, because without stunnel my clients cannot connect at all (this is because I am behind a very restrictive firewall).
The stunnel configs are:
/etc/stunnel/stunnel.conf:
client = no
[openvpn_server0]
accept = :::443
connect = 127.0.0.1:1194
cert = /etc/stunnel/stunnel.pem
On the client machine, which is also Ubuntu 20.04, /etc/stunnel/stunnel.conf:
[openvpn_client0]
accept = ***.***.***.***:443
connect = ***.***.***.***:443
cert = /etc/stunnel/stunnel.pem
client = yes
If I increase logging verbosity to level 5 during interruptions, I also see the following error, and I don't know why it is happening:
Feb 05 21:43:20 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Feb 05 21:43:20 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Feb 05 21:43:20 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Feb 05 21:43:21 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Feb 05 21:43:21 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Feb 05 21:43:21 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Feb 05 21:43:21 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Please guide me to find and tackle the problem.
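The question's journal output mixes three separate symptom classes (TLS handshake timeouts, MTU inconsistency warnings, and "bad source address" drops). As an added example that is not part of the question, here is a small Python analyzer that splits them out per peer, parses the local/remote MTU values, and checks whether each dropped source address even lies inside the tunnel subnet pushed by server.conf (10.8.0.0/24); OpenVPN emits "bad source address from client" when a tunnel packet's source is not the client's assigned VPN address or an iroute, so a source outside the subnet points at traffic being routed into the tunnel from another interface or network rather than at the TLS or MTU issues. The sample log is a constructed subset of the lines shown in the question.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# journalctl prefix as seen in the question; only the message after "ovpn-server[pid]: " is parsed
JOURNAL = re.compile(r'^\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ (?P<unit>[\w-]+)\[\d+\]: (?P<msg>.*)$')
TLS_FAIL = re.compile(r'^(?P<peer>\S+) TLS Error: ')
MTU_WARN = re.compile(r"^(?P<peer>\S+) WARNING: '(?P<param>link-mtu|tun-mtu)' is used inconsistently, "
                      r"local='\S+ (?P<local>\d+)', remote='\S+ (?P<remote>\d+)'")
BAD_SRC = re.compile(r'^(?P<peer>\S+) MULTI: bad source address from client \[(?P<ip>[\d.]+)\], packet dropped')

def analyze(log_text, tunnel_net="10.8.0.0/24"):
    """Summarise OpenVPN server messages per peer (ip:port before auth, cn/ip:port after)."""
    net = ipaddress.ip_network(tunnel_net)
    out = {"tls_failures": Counter(), "mtu_mismatch": {},
           "bad_source": defaultdict(Counter), "outside_tunnel": set()}
    for line in log_text.splitlines():
        m = JOURNAL.match(line)
        if m and m.group("unit") != "ovpn-server":
            continue  # stunnel and other units are not OpenVPN messages
        msg = m.group("msg") if m else line  # raw openvpn log lines (no journal prefix) also accepted
        if t := TLS_FAIL.match(msg):
            out["tls_failures"][t.group("peer")] += 1
        elif w := MTU_WARN.match(msg):
            key = (w.group("peer"), w.group("param"))
            out["mtu_mismatch"][key] = (int(w.group("local")), int(w.group("remote")))
        elif b := BAD_SRC.match(msg):
            out["bad_source"][b.group("peer")][b.group("ip")] += 1
            # OpenVPN drops tunnel packets whose source is not the client's assigned VPN address
            # (or an iroute); flag sources that are not even inside the pushed subnet
            if ipaddress.ip_address(b.group("ip")) not in net:
                out["outside_tunnel"].add(b.group("ip"))
    return out

# Sample lines copied from the question's journalctl output (a constructed subset for a test run)
SAMPLE_LOG = """\
Feb 05 20:18:51 Jamali-3100 stunnel[1217268]: LOG5[711]: s_connect: connected 127.0.0.1:1194
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35628 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35628 TLS Error: TLS handshake failed
Feb 05 20:18:52 Jamali-3100 ovpn-server[1223370]: 127.0.0.1:35644 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1523'
Feb 05 21:20:33 Jamali-3100 ovpn-server[1231310]: 127.0.0.1:38046 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1428', remote='tun-mtu 1500'
Feb 05 21:43:20 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
Feb 05 21:43:20 Jamali-3100 ovpn-server[1233275]: abs/127.0.0.1:38892 MULTI: bad source address from client [21.178.35.48], packet dropped
"""

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for (peer, param), (loc, rem) in r["mtu_mismatch"].items():
        print(f"{peer}: {param} local={loc} remote={rem} (delta {loc - rem:+d})")
    print("TLS errors:", dict(r["tls_failures"]), "| dropped sources outside tunnel:", sorted(r["outside_tunnel"]))
```

Feed it `journalctl -u openvpn@server` output (or the server's log file) to see which peers, and which source addresses, the drops cluster on during an interruption.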