Solved

OpenVPN Linux clients lose their IP address when connected

Posted on 2010-04-09
Last Modified: 2012-05-09
Hello,
Many clients connected to the OpenVPN server obtain an IP address, but once they connect to Outlook and a connection is made with Exchange, they sometimes lose their IP address. Their adapter keeps searching for an IP address. I am not completely sure if this only happens when Outlook is initiated, but users usually only connect to the VPN to access email in Outlook.

I don't know too much about OpenVPN, but I looked in the config file and noticed that OpenVPN is handing out IP addresses, not our internal DHCP server.

Remember this is very random, I will get 1 user a day having this issue out of about 25 users who use VPN.

I can post my config file if needed.

Thanks in advance
Question by: mancoi

12 Comments
Expert Comment by: HappyCactus (ID: 30410883)
OpenVPN assigns its own internal IPs, because it implements a private subnet and a point-to-point connection between the server and each client.
In the config file you specify the pool and address class of the subnet. For each client, the server reserves 4 IPs. Each IP is allocated to a specific client, but it can be reused if necessary.
Can you provide the config file? And maybe some other information about the environment, for example: are the clients road warriors? Which kind of connection do they use? Who assigns the IP (apart from the VPN server)?
Author Comment by: mancoi (ID: 30411932)
I will have to get you the config file tomorrow or later on tonight.

I noticed that I had issues after my server went down hard one day. It was working perfectly.

Each client is a road warrior. Even myself, when working from home connected to the OpenVPN server, I lose the connection after about 20 minutes and my VPN connection starts looking for a new IP address, which it never finds.
It is strange that it will obtain an IP address and after 20 minutes, out of nowhere, it will just start looking for another IP address, at which it never succeeds.

My connection at home is a pretty good cable connection, with which I never have internet issues on any other computer in my house. I never lose the connection here. I only have issues when connected to the OpenVPN server.
Expert Comment by: HappyCactus (ID: 30412468)
What kind of authentication are you using? Pre-shared key or X.509?
Have you seen the server logs?
Author Comment by: mancoi (ID: 30412779)
No I cannot find the server logs, where should I look?
I think I am using a pre-shared key, but I am unsure of that.
How could I check?
Expert Comment by: HappyCactus (ID: 30413038)
If the server is a Linux box, you should look in /var/log/openvpn.log .
If you are using an X.509 certificate, you should have some .crt file somewhere in the configuration directory.
Author Comment by: mancoi (ID: 30413495)
Yes I do have many .crt files in my openvpn directory.

I did see the server log file, but it is very large. I guess the log will tell me what the issue is?
Expert Comment by: HappyCactus (ID: 30414399)
It could. You can filter out the lines you do not need in the logfile, taking just the lines just before and just after the loss of connection.

Just a side note, since I had a similar issue with clients whose realtime clock was not working properly. OpenVPN is very sensitive to time changes. If the client had the clock updated (by user intervention or by an automated clock update program), the connection can be taken down unexpectedly.

But you need the logfiles to tell what happens during the loss of connection...
Author Comment by: mancoi (ID: 30513346)
Here are my findings in my log.

I am getting a bunch of the below, it is filled with just these lines:

AUTH-PAM: BACKGROUND: user 'jdacko' failed to authenticate: User not known to the underlying authentication module
Mon Apr 12 09:16:47 2010 68.81.210.75:1063 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/openvpn-auth-pam.so



I get these too randomly:

Thu Apr  8 15:23:18 2010 66.27.114.189:48409 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/openvpn-auth-pam.so
AUTH-PAM: BACKGROUND: user 'lgreenberg' failed to authenticate: User not known to the underlying authentication module


I am getting a few of these too:

Mon Apr  5 11:15:45 2010 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Mon Apr  5 11:49:14 2010 MANAGEMENT: Socket bind failed on local address 10.10.10.3:7505: Address already in use
AUTH-PAM: Error signaling background process to exit
Mon Apr  5 11:49:31 2010 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Mon Apr  5 11:53:32 2010 xx.xx.xxx.xxx:43819 WARNING: Bad encapsulated packet length from peer (19025), which must be > 0 and <= 1576 -- please ensure that --tun-mtu or --link-mtu is equal on both$
Mon Apr  5 12:11:12 2010 xx.xx.xxx.xxx:54087 WARNING: Bad encapsulated packet length from peer (19025), which must be > 0 and <= 1576 -- please ensure that --tun-mtu or --link-mtu is equal on both$
A

Accepted Solution by: HappyCactus (earned 375 total points, ID: 30513902)
If you are using X.509 certificates, you should avoid using the same common name (CN) in each certificate. The CN is like the "username" in a user/password authentication. The WARNING you see just tells you that by using duplicate CNs the server cannot "reserve" the IP for each user (it is like a "lease" in DHCP). In this case it must assign a new IP each time the client requests a new connection. But if the connections are frequently falling, the IP pool can be consumed very fast.
So, try to remove the --duplicate-cn option for the server.
But be aware that if you are sharing the same CN (the same certificate), the server can only accept one connection from each CN at a time, so the second arriving user cannot authenticate. In this case you should provide new certificates to each user.
I do not know if this solves your issue (I am not sure, but in effect that could explain your problem), but I think you should check.

Hope that helps.  
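The two things the accepted answer asks the poster to do, pulling only the relevant lines out of a large OpenVPN log and checking whether the server config still combines duplicate-cn with ifconfig-pool-persist, can be scripted. The following is an added example written for this page, not code from the thread or from the OpenVPN project; the log and server.conf samples are constructed (addresses and user names are made up) but follow the line formats quoted above.

```python
"""Added example: summarize an OpenVPN server log and check the server config
for the --duplicate-cn / --ifconfig-pool-persist conflict discussed in the thread."""
import re
from collections import Counter

# Constructed sample log lines, modelled on the ones quoted in the thread
# (addresses and user names are made up).
SAMPLE_LOG = """\
AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: User not known to the underlying authentication module
Mon Apr 12 09:16:47 2010 192.0.2.10:1063 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/openvpn-auth-pam.so
Mon Apr  5 11:15:45 2010 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: User not known to the underlying authentication module
AUTH-PAM: BACKGROUND: user 'bob' failed to authenticate: User not known to the underlying authentication module
Mon Apr  5 11:53:32 2010 192.0.2.20:43819 WARNING: Bad encapsulated packet length from peer (19025), which must be > 0 and <= 1576 -- please ensure that --tun-mtu or --link-mtu is equal on both ends
Mon Apr  5 11:49:14 2010 MANAGEMENT: Socket bind failed on local address 10.10.10.3:7505: Address already in use
"""

# Constructed sample server.conf fragment (hypothetical values, not the poster's file).
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
duplicate-cn
# push "redirect-gateway def1"
"""

PAM_FAIL = re.compile(r"AUTH-PAM: BACKGROUND: user '([^']+)' failed to authenticate")
WARNING = re.compile(r"WARNING: (.*)$")


def summarize_log(text):
    """Count PAM authentication failures per user and group WARNING lines by message.

    Variable numbers in parentheses (e.g. the bad packet length) are replaced by
    "(N)" so repeated warnings of the same kind are counted together.
    """
    failures = Counter()
    warnings = Counter()
    for line in text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = WARNING.search(line)
        if m:
            warnings[re.sub(r"\(\d+\)", "(N)", m.group(1))] += 1
    return {"pam_failures": dict(failures), "warnings": dict(warnings)}


def active_options(conf_text):
    """Return the option names active in an OpenVPN config, skipping comment lines
    (OpenVPN treats lines starting with '#' or ';' as comments)."""
    opts = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        opts.add(line.split()[0])
    return opts


def check_pool_conflict(conf_text):
    """True when duplicate-cn and ifconfig-pool-persist are both active, which is
    exactly the combination the server warns about in the quoted log."""
    opts = active_options(conf_text)
    return "duplicate-cn" in opts and "ifconfig-pool-persist" in opts


if __name__ == "__main__":
    summary = summarize_log(SAMPLE_LOG)
    for user, n in sorted(summary["pam_failures"].items()):
        print(f"PAM failures for {user!r}: {n}")
    for msg, n in summary["warnings"].items():
        print(f"{n}x WARNING: {msg}")
    if check_pool_conflict(SAMPLE_CONF):
        print("server.conf: duplicate-cn is set together with ifconfig-pool-persist;"
              " per-client address reservation will not work")
```

Run against a real log with `summarize_log(open("/var/log/openvpn.log").read())`; the per-user failure counts separate genuine PAM problems (a user name that is not known to the system) from the pool and MTU warnings that the answer above attributes to shared common names.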
Author Comment by: mancoi (ID: 30518030)
I just commented out the duplicate-cn option and I was unable to connect to the VPN.

I
Expert Comment by: HappyCactus (ID: 30520359)
You have many duplicate common names, i.e. you are sharing the same certificate between many users.
You should create new certificates with different CNs, and send them to the users.
But I repeat, I do not know if this can solve the original issue.
Author Closing Comment by: mancoi (ID: 31712709)
I will keep monitoring the event logs, thanks