OpenVPN stops working after network restart

Author:

Encountering the following problem – OpenVPN works perfectly when started or restarted, but when the network connection of the computer restarts or for example, the WIFI device resets (or loses the wifi network and connects again when it becomes available) the VPN never recovers. All networks routed via the VPN never seem to work again and they become dead ends to the computer despite the Internet connectivity is OK.
The logs show only attempts to connect again to the servers, but apparently with no success:

....
Oct 13 02:22:55 www openvpn[7744]: Attempting to establish TCP connection with [AF_INET]111.111.111.111:12345 [nonblock]
....
Oct 13 02:24:55 www openvpn[7744]: TCP: connect to [AF_INET]111.111.111.111:12345 failed: Connection timed out
....
Oct 13 02:22:55 www openvpn[7744]: Attempting to establish TCP connection with [AF_INET]111.111.111.111:12345 [nonblock]
....
Oct 13 02:24:55 www openvpn[7744]: TCP: connect to [AF_INET]111.111.111.111:12345 failed: Connection timed out

The server 111.111.111.111 is unreachable and it stays unreachable even the network connectivity recovered and the Internet of the computer is OK.
In this case, the OpenVPN server is part of a route network push to the client, and the OpenVPN IP is part of the pushed network to be routed via the VPN. And when the client’s network connection resets, the additional server’s IP route to the gateway disappears, but the pushed route does not, and now the OpenVPN server’s IP is part of a VPN route, which is dead because the VPN channel is dead. A restart of all OpenVPN routes is required (remove the special VPN device tun device with its routes and then add the device and routes again after successful reconnection to the OpenVPN server), but when an OpenVPN client option persist-tun is in the configuration, the restart won’t happen in the mentioned way. Only a restart of the service will remove the tun and its routes and then add them after a successful reconnection to the OpenVPN server.

Removing the persist-tun from the client’s configuration will trigger a full restart of the VPN channel – remove the special tun device and all OpenVPN routes and then reconnect and initialize the special tun device and then add the pushed routes.

Here is the example:

  • The OpenVPN server’s IP is 111.111.111.111.
  • The OpenVPN server pushes several networks to the client. Networks, which must be routed via the VPN. One of them happened to be 111.111.111.0/24, which includes the OpenVPN server’s IP.
  • The OpenVPN server adds a route for its IP to be routed via the default client’s gateway, which is 192.168.0.1. This is how the VPN channel works despite it pushed the whole network 111.111.111.0/24 via the VPN.

The problem appears when the network resets and the client’s OpenVPN process removes the route for the OpenVPN IP via the gateway because the gateway is not valid anymore! With persist-tun the pushed OpenVPN routes won’t be removed only reconnect attempts will be tried. But the OpenVPN IP now routes via the pushed server’s route via the dead VPN channel.

The routes when all is good:

ip ro|grep 111.111.111
111.111.111.0/24 via 10.10.0.21 dev tun0 
111.111.111.111 via 192.168.0.1 dev eth0

After network resets the server’s IP route is removed:

ip ro|grep 111.111.111
111.111.111.0/24 via 10.10.0.21 dev tun0 

And if the persist-tun option is enabled in the client’s OpenVPN configurations, the VPN stays dead till the OpenVPN service is restarted manually!
Removing the persist-tun option will cause the OpenVPN client process to remove the special (tun) VPN channel device, remove all pushed routes and then reconnect to the server and only after a successful reconnection to the OpenVPN server, the pushed routes will be added in the client’s routing table where the exception route to the OpenVPN server’s IP has been already added.
To speed up this process of OpenVPN restart the following option could be used:

ping-restart 30

After 30 seconds it will restart the VPN channel as described above.
The default path of client’s configuration file is /etc/openvpn/openvpn.conf or /etc/openvpn/[vpn_name].conf.

Unsuccessful attempts to reconnect because of persist-tun

The pushed routes and the special tun device are never removed.

Oct 13 02:22:50 www openvpn[7744]: TCP/UDP: Closing socket
Oct 13 02:22:50 www openvpn[7744]: /etc/openvpn/down.sh tun0 1500 1555 10.10.0.22 10.10.0.21 restart
Oct 13 02:22:50 www openvpn[7744]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 13 02:22:50 www openvpn[7744]: Restart pause, 5 second(s)
....
....
Oct 13 02:22:55 www openvpn[7744]: TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:12345
Oct 13 02:22:55 www openvpn[7744]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 02:22:55 www openvpn[7744]: Attempting to establish TCP connection with [AF_INET]111.111.111.111:12345 [nonblock]
Oct 13 02:24:55 www openvpn[7744]: TCP: connect to [AF_INET]111.111.111.111:12345 failed: Connection timed out
Oct 13 02:22:50 www openvpn[7744]: TCP/UDP: Closing socket
Oct 13 02:22:50 www openvpn[7744]: /etc/openvpn/down.sh tun0 1500 1555 10.10.0.22 10.10.0.21 restart
Oct 13 02:22:50 www openvpn[7744]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 13 02:22:50 www openvpn[7744]: Restart pause, 5 second(s)
....
....
Oct 13 02:22:55 www openvpn[7744]: TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:12345
Oct 13 02:22:55 www openvpn[7744]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Oct 13 02:22:55 www openvpn[7744]: Attempting to establish TCP connection with [AF_INET]111.111.111.111:12345 [nonblock]
Oct 13 02:24:55 www openvpn[7744]: TCP: connect to [AF_INET]111.111.111.111:12345 failed: Connection timed out

Successful attempt to reconnect without persist-tun

The pushed routes and the special tun device are removed and then added again upon successful reconnect to the OpenVPN server.

Oct 13 03:04:50 www openvpn[10157]: [111.111.111.111] Inactivity timeout (--ping-restart), restarting
Oct 13 03:04:50 www openvpn[10157]: TCP/UDP: Closing socket
Oct 13 03:04:50 www openvpn[10157]: /bin/ip route del 111.111.111.0/24
Oct 13 03:04:50 www openvpn[10157]: /bin/ip route del 112.112.112.0/24
Oct 13 03:04:50 www openvpn[10157]: /etc/openvpn/down.sh tun0 1500 1555 10.10.0.22 10.10.0.21 init
Oct 13 03:04:50 www openvpn[10157]: Closing TUN/TAP interface
Oct 13 03:04:50 www openvpn[10157]: /bin/ip addr del dev tun0 local 10.10.0.22 peer 10.10.0.21
Oct 13 03:04:50 www dhcpcd[6258]: tun0: carrier lost
Oct 13 03:04:50 www openvpn[10157]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 13 03:04:50 www openvpn[10157]: Restart pause, 5 second(s)
....
....
Oct 13 03:04:55 www openvpn[10157]: Attempting to establish TCP connection with [AF_INET]111.111.111.111:12345 [nonblock]
Oct 13 03:04:55 www openvpn[10157]: TCP connection established with [AF_INET]111.111.111.111:12345
Oct 13 03:04:55 www openvpn[10157]: TCP_CLIENT link local: (not bound)
Oct 13 03:04:55 www openvpn[10157]: TCP_CLIENT link remote: [AF_INET]111.111.111.111:12345
Oct 13 03:04:55 www openvpn[10157]: TLS: Initial packet from [AF_INET]111.111.111.111:12345, sid=76f24c36 0552b5db
Oct 13 03:04:55 www openvpn[10157]: VERIFY OK: depth=1, CN=my-vpn.example.com
Oct 13 03:04:55 www openvpn[10157]: VERIFY KU OK
Oct 13 03:04:55 www openvpn[10157]: Validating certificate extended key usage
Oct 13 03:04:55 www openvpn[10157]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 13 03:04:55 www openvpn[10157]: VERIFY EKU OK
Oct 13 03:04:55 www openvpn[10157]: VERIFY OK: depth=0, CN=my-vpn.example.com
Oct 13 03:04:56 www openvpn[10157]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Oct 13 03:04:56 www openvpn[10157]: [my-vpn.example.com] Peer Connection Initiated with [AF_INET]111.111.111.111:12345
Oct 13 03:04:57 www openvpn[10157]: SENT CONTROL [my-vpn.example.com]: 'PUSH_REQUEST' (status=1)
....
....
Oct 13 03:04:57 www openvpn[10157]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=60:57:18:9a:f9:5c
Oct 13 03:04:57 www openvpn[10157]: TUN/TAP device tun0 opened
Oct 13 03:04:57 www openvpn[10157]: do_ifconfig, ipv4=1, ipv6=0
Oct 13 03:04:57 www openvpn[10157]: /bin/ip link set dev tun0 up mtu 1500
Oct 13 03:04:57 www openvpn[10157]: /bin/ip link set dev tun0 up
Oct 13 03:04:57 www openvpn[10157]: /bin/ip addr add dev tun0 local 10.10.0.22 peer 10.10.0.21
Oct 13 03:04:57 www openvpn[10157]: /etc/openvpn/up.sh tun0 1500 1555 10.10.0.22 10.10.0.21 init
Oct 13 03:04:57 www dhcpcd[6258]: tun0: IAID 74:75:6e:30
Oct 13 03:04:57 www dhcpcd[6258]: tun0: waiting for 3rd party to configure IP address
Oct 13 03:04:57 www openvpn[10157]: /bin/ip route add 111.111.111.111/32 via 192.168.0.1
Oct 13 03:04:57 www openvpn[10157]: /bin/ip route add 111.111.111.0/24 via 10.10.0.21
Oct 13 03:04:57 www openvpn[10157]: /bin/ip route add 112.112.112.0/24 via 10.10.0.21

Leave a Reply

Your email address will not be published. Required fields are marked *