
When using OpenVPN 2.4.7 on my server (Ubuntu Server 20.04) and connecting from a 2.5.6 client (also Ubuntu 20.04), I can connect with no issue. However, when I try to use OpenVPN 2.5.6 on the server, I run into a big problem where, at seemingly random intervals, I get reconnected and therefore lose network connectivity for the few seconds it takes to reconnect. This happens when using exactly the same server and client configurations; the only difference is that the 2.4.7 server doesn't disconnect (I want to upgrade to a 2.5 server in order to utilize its IPv6 functionality).

Here is my full server log covering when this error occurs (I manually disconnect at the end, after the reconnection occurred):

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
Current Parameter Settings:
  config = 'server2.conf'
  mode = 1
  persist_config = DISABLED
  persist_mode = 1
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  genkey_filename = '[UNDEF]'
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 0
Connection profiles [0]:
  proto = tcp-server
  local = '192.168.0.27'
  local_port = '443'
  remote = '[UNDEF]'
  remote_port = '443'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = ENABLED
  bind_ipv6_only = DISABLED
  connect_retry_seconds = 5
  connect_timeout = 120
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
  tls_auth_file = '[UNDEF]'
  key_direction = not set
  tls_crypt_file = '[INLINE]'
  tls_crypt_v2_file = '[UNDEF]'
Connection profiles END
  remote_random = DISABLED
  ipchange = '[UNDEF]'
  dev = 'tun1'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 3
  ifconfig_local = '10.8.2.1'
  ifconfig_remote_netmask = '255.255.254.0'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 0
  keepalive_timeout = 0
  inactivity_timeout = 0
  inactivity_minimum_bytes = 0
  ping_send_timeout = 10
  ping_rec_timeout = 120
  ping_rec_timeout_action = 2
  ping_timer_remote = ENABLED
  remap_sigusr1 = 0
  persist_tun = ENABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = ENABLED
  passtos = DISABLED
  resolve_retry_seconds = 1000000000
  resolve_in_advance = DISABLED
  username = '[UNDEF]'
  groupname = '[UNDEF]'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '[UNDEF]'
  down_script = '[UNDEF]'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = ENABLED
  suppress_timestamps = ENABLED
  machine_readable_output = DISABLED
  nice = 0
  verbosity = 5
  mute = 0
  status_file = 'openvpn-status2.log'
  status_file_version = 2
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 0
  sndbuf = 0
  mark = 0
  sockflags = 0
  fast_io = DISABLED
  comp.alg = 0
  comp.flags = 0
  route_script = '[UNDEF]'
  route_default_gateway = '10.8.2.2'
  route_default_metric = 0
  route_noexec = DISABLED
  route_delay = 0
  route_delay_window = 30
  route_delay_defined = DISABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  allow_pull_fqdn = DISABLED
  management_addr = 'localhost'
  management_port = '7506'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 0
  shared_secret_file = '[UNDEF]'
  key_direction = not set
  ciphername = 'AES-256-CBC'
  ncp_enabled = ENABLED
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
  authname = 'SHA512'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = DISABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  test_crypto = DISABLED
  tls_server = ENABLED
  tls_client = DISABLED
  ca_file = 'ca.crt'
  ca_path = '[UNDEF]'
  dh_file = 'dh.pem'
  cert_file = 'server.crt'
  extra_certs_file = '[UNDEF]'
  priv_key_file = 'server.key'
  pkcs12_file = '[UNDEF]'
  cipher_list = '[UNDEF]'
  cipher_list_tls13 = '[UNDEF]'
  tls_cert_profile = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = 'crl.pem'
  ns_cert_type = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = '[UNDEF]'
  ssl_flags = 1
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 3600
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_crypt_v2_metadata = '[UNDEF]'
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = '[UNDEF]'
  pkcs11_id_management = DISABLED
  server_network = 10.8.2.0
  server_netmask = 255.255.254.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  push_entry = 'dhcp-option DNS 1.1.1.1'
  push_entry = 'dhcp-option DNS 1.0.0.1'
  push_entry = 'redirect-gateway def1 bypass-dhcp'
  push_entry = 'route 192.168.0.0 255.255.0.0 net_gateway'
  push_entry = 'route 172.16.0.0 255.240.0.0 net_gateway'
  push_entry = 'ping 10'
  push_entry = 'ping-restart 120'
  push_entry = 'route-gateway 10.8.2.1'
  push_entry = 'topology subnet'
  ifconfig_pool_defined = ENABLED
  ifconfig_pool_start = 10.8.2.2
  ifconfig_pool_end = 10.8.3.254
  ifconfig_pool_netmask = 255.255.254.0
  ifconfig_pool_persist_filename = '[UNDEF]'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '[UNDEF]'
  ccd_exclusive = DISABLED
  tmp_dir = '/tmp'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = DISABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 100
  max_routes_per_client = 256
  auth_user_pass_verify_script = '/etc/openvpn/server/clientCheck.sh'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  auth_token_secret_file = '[UNDEF]'
  port_share_host = '[UNDEF]'
  port_share_port = '[UNDEF]'
  vlan_tagging = DISABLED
  vlan_accept = all
  vlan_pvid = 1
  client = DISABLED
  pull = DISABLED
  auth_user_pass_file = '[UNDEF]'
OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr  1 2022
library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7506
WARNING: --keepalive option is missing from server config
NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Diffie-Hellman initialized with 2048 bit key
CRL: loaded 1 CRLs from file crl.pem
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TLS-Auth MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
TUN/TAP device tun1 opened
do_ifconfig, ipv4=1, ipv6=0
/sbin/ip link set dev tun1 up mtu 1500
/sbin/ip link set dev tun1 up
/sbin/ip addr add dev tun1 10.8.2.1/23
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[131072->131072] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET]192.168.0.27:443
TCPv4_SERVER link local (bound): [AF_INET]192.168.0.27:443
TCPv4_SERVER link remote: [AF_UNSPEC]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=10.8.2.2 size=509
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
MULTI: multi_create_instance called
Re-using SSL/TLS context
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
TCP connection established with [AF_INET]192.168.0.23:33260
TCPv4_SERVER link local: (not bound)
TCPv4_SERVER link remote: [AF_INET]192.168.0.23:33260
R192.168.0.23:33260 TLS: Initial packet from [AF_INET]192.168.0.23:33260, sid=88a1a810 57e425e0
WRRWWWRRR192.168.0.23:33260 peer info: IV_VER=2.5.6
192.168.0.23:33260 peer info: IV_PLAT=linux
192.168.0.23:33260 peer info: IV_PROTO=6
192.168.0.23:33260 peer info: IV_NCP=2
192.168.0.23:33260 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
192.168.0.23:33260 peer info: IV_LZ4=1
192.168.0.23:33260 peer info: IV_LZ4v2=1
192.168.0.23:33260 peer info: IV_LZO=1
192.168.0.23:33260 peer info: IV_COMP_STUB=1
192.168.0.23:33260 peer info: IV_COMP_STUBv2=1
192.168.0.23:33260 peer info: IV_TCPNL=1
192.168.0.23:33260 TLS: Username/Password authentication succeeded for username 'user'
WWRR192.168.0.23:33260 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
192.168.0.23:33260 [] Peer Connection Initiated with [AF_INET]192.168.0.23:33260
192.168.0.23:33260 MULTI_sva: pool returned IPv4=10.8.2.2, IPv6=(Not enabled)
192.168.0.23:33260 MULTI: Learn: 10.8.2.2 -> 192.168.0.23:33260
192.168.0.23:33260 MULTI: primary virtual IP for 192.168.0.23:33260: 10.8.2.2
192.168.0.23:33260 Data Channel: using negotiated cipher 'AES-256-GCM'
192.168.0.23:33260 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:406 ET:0 EL:3 ]
192.168.0.23:33260 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,redirect-gateway def1 bypass-dhcp,route 192.168.0.0 255.255.0.0 net_gateway,route 172.16.0.0 255.240.0.0 net_gateway,ping 10,ping-restart 120,route-gateway 10.8.2.1,topology subnet,ifconfig 10.8.2.2 255.255.254.0,peer-id 0,cipher AES-256-GCM' (status=1)
WRRwrWRwrWRwrWRwrWRwrWW192.168.0.23:33260 Connection reset, restarting [0]
192.168.0.23:33260 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP/UDP: Closing socket

And on the client I get this message:

2022-04-01 11:56:18 us=284484 Connection reset command was pushed by server ('')
2022-04-01 11:56:18 us=284568 TCP/UDP: Closing socket
2022-04-01 11:56:18 us=284588 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2022-04-01 11:56:18 us=284599 Restart pause, 5 second(s)

So for some reason the server is causing a connection reset, but I have made no changes to my server or client configurations.

My server config on both 2.4.7 and 2.5.6 versions is the following:

local 192.168.0.27
port 69
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.254.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "route 172.16.0.0 255.240.0.0 net_gateway"
push "explicit-exit-notify 2"
cipher AES-256-CBC
persist-key
persist-tun
ping-exit 150
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 120"
ping-timer-rem
status openvpn-status.log
verb 4
crl-verify crl.pem
explicit-exit-notify
management localhost 7505
script-security 3
max-clients 100
auth-user-pass-verify /etc/openvpn/server/clientCheck.sh via-env
verify-client-cert none

My client config (2.5.6) is the following:

client
dev tun
proto udp
remote 192.168.0.27 69
resolv-retry infinite
ignore-unknown-option block-outside-dns block-ipv6
nobind
persist-key
persist-tun
remote-random
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
explicit-exit-notify 2
verb 4
auth-user-pass
pull
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-crypt>

</tls-crypt>

What can I try to stop this reconnecting?
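As an added example (not part of the question, and not OpenVPN's own code): a small Python parser that turns a verb-5 server log like the one above into a per-client session timeline and pulls the `SIGUSR1[source,reason]` tag out of both the server and client logs, so the reset can be correlated across the two sides instead of being eyeballed. The sample log lines are constructed, abridged copies of the lines shown in the question.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the verb-5 server log above; verb 5 prefixes lines
# with a run of R/W/r/w socket read/write markers, then "ip:port " on per-client lines.
SERVER_LOG = """\
R192.168.0.23:33260 TLS: Initial packet from [AF_INET]192.168.0.23:33260, sid=88a1a810 57e425e0
192.168.0.23:33260 TLS: Username/Password authentication succeeded for username 'user'
192.168.0.23:33260 [] Peer Connection Initiated with [AF_INET]192.168.0.23:33260
192.168.0.23:33260 SENT CONTROL [UNDEF]: 'PUSH_REPLY,ping 10,ping-restart 120' (status=1)
WRRwrWRwrWRwrWW192.168.0.23:33260 Connection reset, restarting [0]
192.168.0.23:33260 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP/UDP: Closing socket
"""
# Constructed sample of the matching client-side lines (2.5.6 client, timestamps on).
CLIENT_LOG = """\
2022-04-01 11:56:18 us=284484 Connection reset command was pushed by server ('')
2022-04-01 11:56:18 us=284588 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
"""

PEER_LINE = re.compile(r"^[RWrw]*(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$")
SIGNAL = re.compile(r"SIG(?P<sig>[A-Z0-9]+)\[(?P<src>[^,\]]+),(?P<reason>[^\]]+)\]")
# Session milestones in the order OpenVPN logs them; a healthy session stops at "pushed".
MILESTONES = [("TLS: Initial packet", "handshake"), ("authentication succeeded", "auth-ok"),
              ("Peer Connection Initiated", "connected"), ("PUSH_REPLY", "pushed"),
              ("Connection reset, restarting", "reset")]

def parse_server_log(text):
    """Map each client (ip:port) to its milestones and the (signal, source, reason) that ended it."""
    peers = defaultdict(lambda: {"events": [], "signals": []})
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue  # global lines such as "TCP/UDP: Closing socket" carry no peer
        peer, msg = m.group("peer"), m.group("msg")
        peers[peer]["events"] += [name for needle, name in MILESTONES if needle in msg]
        s = SIGNAL.search(msg)
        if s:
            peers[peer]["signals"].append((s.group("sig"), s.group("src"), s.group("reason")))
    return dict(peers)

def reset_after_connect(peers):
    """Clients that reached 'connected' and were then reset: the symptom in the question."""
    return {p: d["signals"] for p, d in peers.items()
            if "connected" in d["events"] and "reset" in d["events"]}

def client_restart_reasons(text):
    """(timestamp, source, reason) for each SIGxxx line in a client log."""
    return [(line[:19], s.group("src"), s.group("reason"))
            for line in text.splitlines() for s in [SIGNAL.search(line)] if s]
```

Running it over a full day's log gives one entry per client port, so a client that is repeatedly reset shows up as many short sessions whose `signals` all carry the same reason, which narrows the search to a server-side cause (as here) versus a ping-restart timeout.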

  • When troubleshooting, change protocol to TCP, server to verbosity 5, and client to 4 - please repost the log after doing so in order to troubleshoot and if the log still doesn't show where the issue resides, please review the changelog between the two versions to determine what changed to find a starting point, as that would be required info to help if the log doesn't explicitly show where the issue is at.
    – JW0914
    Commented Apr 1, 2022 at 11:56
  • General FYI: While the SSL cipher [AES-256-CBC] is only a fallback when using TLS (EC TLS ciphers should be the default - double check to be certain, as it's significantly faster with a GCM ECDHE/ECDH TLS cipher; example for explicitly specifying the tls-cipher), AES128 is uncrackable, so all AES256 would do is massively slow throughput to a crawl if fallen back to - a better alternative is to rekey data blocks sooner, e.g. after 60s: reneg-sec 60 (default is 1hr: 3600 seconds)
    – JW0914
    Commented Apr 1, 2022 at 12:20
  • When switching to TCP and putting the server on verb 5 I get no output in the server log but get the same reconnect issue. Also just to clarify your comments on ciphers should I be changing to AES128 and then using reneg-sec with a shorter interval?
    – Letal1s
    Commented Apr 1, 2022 at 12:44
  • Did you change both client and server to TCP, allow TCP through the firewall (OpenVPN firewall rules should always be TCP and UDP so you don't have to change the rules when troubleshooting), and restart the server prior to connecting the client and looking at the server log, as it's impossible for the server log to return no output unless one of the above is misconfigured. I would recommend both, but I would set the renegotiation to between 10m [600] and 30m [1800] (mine is set to 600, but if there's a lot of clients, 15m - 30m may work better).
    – JW0914
    Commented Apr 1, 2022 at 14:09
  • Ah, I wasn't looking at the right log, forgive me; I'll update the question now. Is the speed difference between AES256 and AES128 actually noticeable in day-to-day use?
    – Letal1s
    Commented Apr 1, 2022 at 14:23
