Solved

Openvpn - After Local Area Connection DHCP Release and Renew Network is Not working vpn is up

Posted on 2010-09-15
4
1,248 Views
Last Modified: 2012-05-10
Hello ALL,

I am using openvpn 2.0.9. Everything is working and no problem. I have 600 connections. Some clients using dsl modems and dhcp. Some modems setting dhcp lease time 7-8 days.

when my clients renew new dhcp local network ip, vpn gateway lost and not answer any tcpip packets. But vpn is up and running. (Change the gateway local network adsl modem ip)

How recover this problem. ? I cant touch our clients. I cant reboot manuel. I need restart openvpn instance maybe, or restart network connections maybe.

I try ping, ping-exit, ping-restart commands but no effect, because vpn is up and running.

Thank you.




My Server Conf
------------------



port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 172.220.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "route 172.17.1.0 255.255.255.0"
client-config-dir ccd
route 172.220.0.0 255.255.0.0
push "redirect-gateway"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log-append  /etc/openvpn/logs/openvpn.log
verb 3

My Client Conf;
---------------------------------------




##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xx.yy.zz.yyy 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
;persist-key
;persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca \\keys\\ca.crt
cert \\keys\\key.crt
key \\keys\\key.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.

tls-timeout 15

tls-auth \\keys\\ta.key 1


# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Open in new window

0
Comment
Question by:gorhon
  • 3
4 Comments
 
LVL 2

Accepted Solution

by:
jon47 earned 500 total points
ID: 33685833
This sounds like a known bug, upgrade to 2.1.3 and it'll probably go away.

I can't see anything else that would cause the problem.  I have "ping 60" in my configs, but all this should do is keep the link up, I wouldn't expect it to resolve the symptoms you see.

Jon
Fixed a client-side bug on Windows that occurred when the
  "dhcp-pre-release" or "dhcp-renew" options were combined with
  "route-gateway dhcp".  The release/renew would not occur
  because the Windows DHCP renew function is blocking and
  therefore must be called from another process or thread
  so as not to stall the tunnel.

Open in new window

0
 
LVL 3

Author Comment

by:gorhon
ID: 33699956
No effect 2.1.3 version. Some problem. Thank you for help, but not solved.
0
 
LVL 3

Author Comment

by:gorhon
ID: 33707159
I found this problem!!!!

config file on the windows client pc, this line solve this problem,,


p-win32 netsh

and if you speed reconnections windows pc's

route-method exe

Explain This


Windows-Specific Options:
--ip-win32 method
When using --ifconfig on Windows, set the TAP-Win32 adapter IP address and netmask using method. Don't use this option unless you are also using --ifconfig.
manual -- Don't set the IP address or netmask automatically. Instead output a message to the console telling the user to configure the adapter manually and indicating the IP/netmask which OpenVPN expects the adapter to be set to.

dynamic [offset] [lease-time] -- (Default) Automatically set the IP address and netmask by replying to DHCP query messages generated by the kernel. This mode is probably the "cleanest" solution for setting the TCP/IP properties since it uses the well-known DHCP protocol. There are, however, two prerequisites for using this mode: (1) The TCP/IP properties for the TAP-Win32 adapter must be set to "Obtain an IP address automatically," and (2) OpenVPN needs to claim an IP address in the subnet for use as the virtual DHCP server address. By default in --dev tap mode, OpenVPN will take the normally unused first address in the subnet. For example, if your subnet is 192.168.4.0 netmask 255.255.255.0, then OpenVPN will take the IP address 192.168.4.0 to use as the virtual DHCP server address. In --dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is an integer which is > -256 and < 256 and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. The Windows ipconfig /all command can be used to show what Windows thinks the DHCP server address is. OpenVPN will "claim" this address, so make sure to use a free address. Having said that, different OpenVPN instantiations, including different ends of the same connection, can share the same virtual DHCP server address. The lease-time parameter controls the lease time of the DHCP assignment given to the TAP-Win32 adapter, and is denoted in seconds. Normally a very long lease time is preferred because it prevents routes involving the TAP-Win32 adapter from being lost when the system goes to sleep. The default lease time is one year.

netsh -- Automatically set the IP address and netmask using the Windows command-line "netsh" command. This method appears to work correctly on Windows XP but not Windows 2000.

ipapi -- Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it works okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAP-Win32 adapter in their default state, i.e. "Obtain an IP address automatically."

--route-method m
Which method m to use for adding routes on Windows?
ipapi (default) -- Use IP helper API.
exe -- Call the route.exe shell command.

 
0
 
LVL 3

Author Closing Comment

by:gorhon
ID: 33707169
I am using thish commands clients config file,

Windows-Specific Options:
--ip-win32 method
When using --ifconfig on Windows, set the TAP-Win32 adapter IP address and netmask using method. Don't use this option unless you are also using --ifconfig.
manual -- Don't set the IP address or netmask automatically. Instead output a message to the console telling the user to configure the adapter manually and indicating the IP/netmask which OpenVPN expects the adapter to be set to.

dynamic [offset] [lease-time] -- (Default) Automatically set the IP address and netmask by replying to DHCP query messages generated by the kernel. This mode is probably the "cleanest" solution for setting the TCP/IP properties since it uses the well-known DHCP protocol. There are, however, two prerequisites for using this mode: (1) The TCP/IP properties for the TAP-Win32 adapter must be set to "Obtain an IP address automatically," and (2) OpenVPN needs to claim an IP address in the subnet for use as the virtual DHCP server address. By default in --dev tap mode, OpenVPN will take the normally unused first address in the subnet. For example, if your subnet is 192.168.4.0 netmask 255.255.255.0, then OpenVPN will take the IP address 192.168.4.0 to use as the virtual DHCP server address. In --dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is an integer which is > -256 and < 256 and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. The Windows ipconfig /all command can be used to show what Windows thinks the DHCP server address is. OpenVPN will "claim" this address, so make sure to use a free address. Having said that, different OpenVPN instantiations, including different ends of the same connection, can share the same virtual DHCP server address. The lease-time parameter controls the lease time of the DHCP assignment given to the TAP-Win32 adapter, and is denoted in seconds. Normally a very long lease time is preferred because it prevents routes involving the TAP-Win32 adapter from being lost when the system goes to sleep. The default lease time is one year.

netsh -- Automatically set the IP address and netmask using the Windows command-line "netsh" command. This method appears to work correctly on Windows XP but not Windows 2000.

ipapi -- Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it works okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAP-Win32 adapter in their default state, i.e. "Obtain an IP address automatically."

--route-method m
Which method m to use for adding routes on Windows?
ipapi (default) -- Use IP helper API.
exe -- Call the route.exe shell command.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question