I am trying to use OpenVPN where the server has a stable connection,
but the client has a somewhat unreliable one (a Wi-Fi hotspot with a
dynamic IP).  Sometimes the hotspot stays connected for 3-4 hours,
other times it fails after a few minutes.  While the VPN does work,
once the hotspot's connection drops and restarts, it seems to take a
few minutes for the two sides to be able to communicate again,
generating a number of errors in the server's log.  I want to see if
there is a way to tweak the ping/ping-restart settings to cut out this
delay, or otherwise reconfigure the server or client.

The pipe dream would be that even after the client's connection drops
and the client gets a new Internet IP, upon reconnection, everything
continues from where it left off, including any open TCP connections.
The client is using a client certificate and a static inside-the-VPN
IP.

Here is a sample of one day's logs at the server side:
Aug  3 08:01:07 gnat openvpn[1598]: XXX.XXX.XXX.92:5151 [wool] Peer
Connection Initiated with [AF_INET]XXX.XXX.XXX.92:5151
Aug  3 08:01:09 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 09:57:29 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 12:03:38 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 12:03:38 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 12:04:40 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 12:04:40 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 12:04:40 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:40 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:42 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:43 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:43 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:43 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:43 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:43 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:43 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:04:44 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:05:59 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 12:05:59 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 12:06:10 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 12:24:11 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 12:24:11 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 12:24:19 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 12:42:56 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 12:42:56 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 12:43:58 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 12:43:58 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 12:44:13 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 13:45:10 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 13:45:10 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 13:46:10 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 13:46:10 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 13:47:25 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 13:47:25 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 13:47:56 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 13:48:27 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 13:48:57 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 [wool]
Inactivity timeout (--ping-restart), restarting
Aug  3 13:50:23 gnat openvpn[1598]: XXX.XXX.XXX.92:5128 [wool] Peer
Connection Initiated with [AF_INET]XXX.XXX.XXX.92:5128
Aug  3 13:50:25 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128
send_push_reply(): safe_cap=940
Aug  3 14:18:49 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 14:18:49 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: TLS handshake failed
Aug  3 14:18:56 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:57 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:57 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:57 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:57 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:57 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:57 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:58 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:18:58 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:09 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 14:20:09 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: TLS handshake failed
Aug  3 14:20:11 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:13 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:13 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:14 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:14 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:14 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:15 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:15 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:16 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:16 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:16 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:16 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:20:19 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5128 (si=3 op=P_ACK_V1)
Aug  3 14:21:28 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 14:21:28 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 TLS
Error: TLS handshake failed
Aug  3 14:21:51 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128 [wool]
Inactivity timeout (--ping-restart), restarting
Aug  3 14:22:29 gnat openvpn[1598]: XXX.XXX.XXX.92:5128 [wool] Peer
Connection Initiated with [AF_INET]XXX.XXX.XXX.92:5128
Aug  3 14:22:31 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128
send_push_reply(): safe_cap=940
Aug  3 15:38:48 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5128
send_push_reply(): safe_cap=940
Aug  3 16:57:25 gnat openvpn[1598]: XXX.XXX.XXX.96:8038 [wool] Peer
Connection Initiated with [AF_INET]XXX.XXX.XXX.96:8038
Aug  3 16:57:27 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:8038
send_push_reply(): safe_cap=940
Aug  3 16:58:53 gnat openvpn[1598]: XXX.XXX.XXX.96:9369 [wool] Peer
Connection Initiated with [AF_INET]XXX.XXX.XXX.96:9369
Aug  3 16:58:56 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369
send_push_reply(): safe_cap=940
Aug  3 17:22:04 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 17:22:04 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369 TLS
Error: TLS handshake failed
Aug  3 17:22:04 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.96:9369 (si=3 op=P_ACK_V1)
Aug  3 17:22:04 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.96:9369 (si=3 op=P_ACK_V1)
Aug  3 17:22:04 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.96:9369 (si=3 op=P_ACK_V1)
Aug  3 17:22:25 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369
send_push_reply(): safe_cap=940
Aug  3 17:30:56 gnat openvpn[1598]: wool/XXX.XXX.XXX.96:9369 [wool]
Inactivity timeout (--ping-restart), restarting

Here is the server's config file:
dev tun
topology subnet
script-security 2
up /usr/local/etc/openvpn/printer
comp-lzo yes
client-config-dir /usr/local/etc/openvpn/client-config
server 172.16.0.0 255.255.255.0 nopool
push "route 10.1.215.0 255.255.255.0 172.16.0.1"
ping 5
ping-restart 30
push "ping 5"
push "ping-restart 15"
auth SHA256
cipher AES-128-CBC
prng SHA256
tls-server
dh /usr/local/etc/openvpn/dhparam
ca /usr/local/etc/pki/CA/cacert.pem
cert /usr/local/etc/pki/tls/certs/server.pem
key /usr/local/etc/pki/tls/private/server.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-RSA-WITH-AES-128-GCM-SHA256:TLS-RSA-WITH-AES-128-CBC-SHA256
remote-cert-tls client

Here is the client-config file on the server for this client:
ifconfig-push 172.16.0.2 255.255.255.0
iroute 172.16.1.0 255.255.255.0

Here is the client's config file:
dev tun
client
comp-lzo yes
remote redacted.example.com
auth SHA256
cipher AES-128-CBC
prng SHA256
ca cacert.pem
key woole.key
cert wool.pem
tls-version-min 1.2
remote-cert-tls server

Thanks

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
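
Added example (not part of the original post): one way to put a number on the delay described above is to measure, from the server log, how long each run of TLS errors lasts before the next send_push_reply() or "Peer Connection Initiated" line. The sample is an excerpt of the log quoted in the post with its e-mail line wrapping kept; the function names, the placeholder year, and treating those two messages as "recovered" are assumptions of this example.

```python
import re
from datetime import datetime

# Excerpt of the server log from the post (records in between omitted).
SAMPLE = """\
Aug  3 12:03:38 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check
your network connectivity)
Aug  3 12:04:40 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: Unroutable control packet received from
[AF_INET]XXX.XXX.XXX.92:5151 (si=3 op=P_ACK_V1)
Aug  3 12:06:10 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
Aug  3 12:24:11 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151 TLS
Error: TLS handshake failed
Aug  3 12:24:19 gnat openvpn[1598]: wool/XXX.XXX.XXX.92:5151
send_push_reply(): safe_cap=940
"""

STAMP = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
UP = ("send_push_reply()", "Peer Connection Initiated")  # assumed "recovered" markers

def unwrap(text):
    """Join wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()
    return records

def recovery_windows(text, year=2000):
    """Return (first_error, recovered, seconds) per outage; year is a placeholder."""
    windows, first_error = [], None
    for rec in unwrap(text):
        stamp = STAMP.match(rec).group(1)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if "TLS Error:" in rec and first_error is None:
            first_error = when          # start of an error burst
        elif first_error and any(marker in rec for marker in UP):
            windows.append((first_error, when, int((when - first_error).total_seconds())))
            first_error = None          # client is talking to the server again
    return windows

if __name__ == "__main__":
    for start, end, secs in recovery_windows(SAMPLE):
        print(f"{start:%H:%M:%S} -> {end:%H:%M:%S}  {secs}s to recover")
```

Run against the full log, the per-outage durations give a baseline to compare against after changing the ping/ping-restart values.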
