Solved

OpenVPN - After Local Area Connection DHCP Release and Renew, Network Is Not Working but VPN Is Up

Posted on 2010-09-15
Last Modified: 2012-05-10
Hello all,

I am using OpenVPN 2.0.9. Everything is working with no problems. I have 600 connections. Some clients use DSL modems and DHCP. Some modems set a DHCP lease time of 7-8 days.

When my clients renew their local network DHCP IP, the VPN gateway is lost and does not answer any TCP/IP packets. But the VPN is up and running. (The local network ADSL modem's gateway IP changes.)

How can I recover from this problem? I can't touch our clients. I can't reboot them manually. Maybe I need to restart the OpenVPN instance, or restart the network connections.

I tried the ping, ping-exit and ping-restart commands, but they have no effect because the VPN is up and running.

Thank you.




My Server Conf
------------------

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 172.220.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "route 172.17.1.0 255.255.255.0"
client-config-dir ccd
route 172.220.0.0 255.255.0.0
push "redirect-gateway"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log-append /etc/openvpn/logs/openvpn.log
verb 3



My Client Conf
---------------------------------------

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xx.yy.zz.yyy 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
;persist-key
;persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca \\keys\\ca.crt
cert \\keys\\key.crt
key \\keys\\key.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-timeout 15
tls-auth \\keys\\ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Question by:gorhon
Accepted Solution
by: jon47 (earned 500 total points)
ID: 33685833
This sounds like a known bug; upgrade to 2.1.3 and it'll probably go away.

I can't see anything else that would cause the problem. I have "ping 60" in my configs, but all this should do is keep the link up; I wouldn't expect it to resolve the symptoms you see.

Jon
Fixed a client-side bug on Windows that occurred when the
  "dhcp-pre-release" or "dhcp-renew" options were combined with
  "route-gateway dhcp".  The release/renew would not occur
  because the Windows DHCP renew function is blocking and
  therefore must be called from another process or thread
  so as not to stall the tunnel.


Author Comment

by:gorhon
ID: 33699956
No effect with version 2.1.3. Same problem. Thank you for the help, but it is not solved.

Author Comment

by:gorhon
ID: 33707159
I found the solution to this problem!

In the config file on the Windows client PC, this line solves the problem:

ip-win32 netsh

and to speed up reconnections on Windows PCs:

route-method exe

Explanation:


Windows-Specific Options:
--ip-win32 method
When using --ifconfig on Windows, set the TAP-Win32 adapter IP address and netmask using method. Don't use this option unless you are also using --ifconfig.
manual -- Don't set the IP address or netmask automatically. Instead output a message to the console telling the user to configure the adapter manually and indicating the IP/netmask which OpenVPN expects the adapter to be set to.

dynamic [offset] [lease-time] -- (Default) Automatically set the IP address and netmask by replying to DHCP query messages generated by the kernel. This mode is probably the "cleanest" solution for setting the TCP/IP properties since it uses the well-known DHCP protocol. There are, however, two prerequisites for using this mode: (1) The TCP/IP properties for the TAP-Win32 adapter must be set to "Obtain an IP address automatically," and (2) OpenVPN needs to claim an IP address in the subnet for use as the virtual DHCP server address. By default in --dev tap mode, OpenVPN will take the normally unused first address in the subnet. For example, if your subnet is 192.168.4.0 netmask 255.255.255.0, then OpenVPN will take the IP address 192.168.4.0 to use as the virtual DHCP server address. In --dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is an integer which is > -256 and < 256 and which defaults to 0. If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP address at broadcast address + offset. The Windows ipconfig /all command can be used to show what Windows thinks the DHCP server address is. OpenVPN will "claim" this address, so make sure to use a free address. Having said that, different OpenVPN instantiations, including different ends of the same connection, can share the same virtual DHCP server address. The lease-time parameter controls the lease time of the DHCP assignment given to the TAP-Win32 adapter, and is denoted in seconds. Normally a very long lease time is preferred because it prevents routes involving the TAP-Win32 adapter from being lost when the system goes to sleep. The default lease time is one year.

netsh -- Automatically set the IP address and netmask using the Windows command-line "netsh" command. This method appears to work correctly on Windows XP but not Windows 2000.

ipapi -- Automatically set the IP address and netmask using the Windows IP Helper API. This approach does not have ideal semantics, though testing has indicated that it works okay in practice. If you use this option, it is best to leave the TCP/IP properties for the TAP-Win32 adapter in their default state, i.e. "Obtain an IP address automatically."

--route-method m
Which method m to use for adding routes on Windows?
ipapi (default) -- Use IP helper API.
exe -- Call the route.exe shell command.

 

Author Closing Comment

by:gorhon
ID: 33707169
I am using these commands in the clients' config file (the --ip-win32 and --route-method options quoted above).