OpenVPN client - won't connect?"

David1234 · January 31, 2023, 7:33am

Hello ,
I have a Mikrotik router with Openvpn server on it
I’m trying to connect using a openvpn clients on my Raspberry PIs (I have 5 of them)
sometime the PI unable to connect for a long time time , and only after reboot he is able to connect to the vpn
I do see some times , networks issue with the pi (unable to go out to the internet - then he get disconnect from the vpn, but when the network return - he is unable to reconnect)

what can cause this problem and how to fix it ?

change something in the openvpn file in the PI? timeout \ reconnect option ?
change something in the router? reduce keep alive?

Thanks ,

MickeyT · February 1, 2023, 8:29am

It sounds like you haven’t configured the RPis to close the failed connections and then reconnect.

Please post the config for your MikroTik (see code below) and a copy of the RPi OpenVPN config (you’ll need to manually redact the sensistive parts yourself) so that we can see just how you’ve got things setup.

/export hide-sensitive file=MyConfig

David1234 · February 22, 2023, 9:54am

this is the router setup:

/ppp profile
add name=OpenVPN-Profile only-one=no use-encryption=yes
/system logging action
add name=openvpn target=memory
add name=test target=memory
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set enabled=yes
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    enabled=yes keepalive-timeout=30 require-client-certificate=yes
/ip dhcp-client
add !dhcp-options disabled=no interface=ether1
/ppp secret
add disabled=yes local-address=192.168.133.254 name=Unit2 profile=\
    OpenVPN-Profile remote-address=192.168.133.2 service=ovpn
add local-address=192.168.133.254 name=DavidPhone profile=OpenVPN-Profile \
    remote-address=192.168.133.13 service=ovpn
add local-address=192.168.133.254 name=TestUnit profile=OpenVPN-Profile \
    remote-address=192.168.133.250 service=ovpn
add local-address=192.168.133.254 name=David_PI_Test profile=OpenVPN-Profile \
    remote-address=192.168.133.249 service=ovpn
add local-address=192.168.133.254 name=David_Samsung profile=OpenVPN-Profile \
    remote-address=192.168.133.16 service=ovpn

/system clock
set time-zone-autodetect=no time-zone-name=Asia/Tel_Aviv
/system identity
set name=L2TP-Test
/system logging
add action=openvpn prefix=info topics=ovpn,!packet,!account,!debug
add action=test topics=ovpn
/system ntp client
set enabled=yes primary-ntp=185.57.191.229

this is the openvpn.conf file I’m running on boot

client
dev tun

proto tcp
remote 1.1.1.1 8888

#resolv-retry infinite
nobind

#user nobody
#group nogroup

persist-key
persist-tun

route 192.168.200.0 255.255.255.0
# Path to your certificates (ca.crt, client.crt, and client.key)
ca /home/pi/Documents/CRT/ca.crt
cert /home/pi/Documents/CRT/client.crt
key /home/pi/Documents/CRT/client.key

remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass /etc/openvpn/.secrets
#redirect-gateway def1
pull-filter ignore "redirect-gateway"
verb 3

MickeyT · February 24, 2023, 7:10am

I don’t use the automatic reconnect feature of OpenVPN so I’m basing the following on what I’ve read and can’t guarantee that it will help you.

On the MikroTik OpenVPN Server:

The keepalive-timeout is set for 30 seconds. This means that the unit won’t kill the connection, if it fails, for about 1 minute (could be longer depending on network issues).
The OpenVPN profile has the only-one option set to no, which is what it should be for your scenario.

On the Raspberry Pi Client:

You haven’t defined the connect-retry value so it uses the defaults (this means that, depending on the default configuration specified by the installer, it might not even retry to connect. - I don’t know).
If the OpenVPN client is using the defaults listed in the OpenVPN documentation, the connect-retry time might have increased to as much as 5 minutes.

My suggestions:

Reduce the keepalive-timeout on the MikroTik to 15 seconds, and/or
Put these lines in your OpenVPN client config file of:

keepalive 10 60
connect-retry 5 10

The connect-retry will cause the client to retry 5 seconds after the initial failure and every 10 seconds after that. The keepalive is more relevant to UDP connections but doesn’t hurt TCP ones.

I haven’t tried any of these things so don’t know if they’ll help. Let me know if they do and good luck.

–
Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

/export hide-sensitive file=MyConfig

David1234 · February 26, 2023, 7:39am

I have added in the openvpn profile the 2 lines you wrote
and also reduce the timeout to 15 seconds

I will let it run for few days and let you know if it fix the problem

Thank you for the help,

David1234 · February 26, 2023, 3:24pm

I have notice this today

Feb 26 17:22:04 raspberrypi systemd[1]: Failed to start OpenVPN connection to client.
Feb 26 17:22:09 raspberrypi systemd[1]: openvpn@client.service: Service RestartSec=5s expired, scheduling restart.
Feb 26 17:22:09 raspberrypi systemd[1]: openvpn@client.service: Scheduled restart job, restart counter is at 142.
Feb 26 17:22:09 raspberrypi systemd[1]: Stopped OpenVPN connection to client.
Feb 26 17:22:09 raspberrypi systemd[1]: Starting OpenVPN connection to client...
Feb 26 17:22:09 raspberrypi ovpn-client[18097]: Options error: --ca fails with '/home/pi/Documents/CRT/ca.crt': No such file or directory (errno=2)
Feb 26 17:22:09 raspberrypi ovpn-client[18097]: Options error: --cert fails with '/home/pi/Documents/CRT/client.crt': No such file or directory (errno=2)
Feb 26 17:22:09 raspberrypi ovpn-client[18097]: WARNING: cannot stat file '/home/pi/Documents/CRT/client.key': No such file or directory (errno=2)
Feb 26 17:22:09 raspberrypi ovpn-client[18097]: Options error: --key fails with '/home/pi/Documents/CRT/client.key': No such file or directory (errno=2)
Feb 26 17:22:09 raspberrypi systemd[1]: openvpn@client.service: Main process exited, code=exited, status=1/FAILURE
Feb 26 17:22:09 raspberrypi ovpn-client[18097]: WARNING: file '/etc/openvpn/.secrets' is group or others accessible
Feb 26 17:22:09 raspberrypi systemd[1]: openvpn@client.service: Failed with result 'exit-code'.
Feb 26 17:22:09 raspberrypi ovpn-client[18097]: Options error: Please correct these errors.
Feb 26 17:22:09 raspberrypi systemd[1]: Failed to start OpenVPN connection to client.
Feb 26 17:22:09 raspberrypi ovpn-client[18097]: Use --help for more information.

2 things are not clear :

I’m connect to the unit using VPN - so how could it be that it say “Failed to start OpenVPN connection to client”
why it say “cannot stat file ‘/home/pi/Documents/CRT/client.key’: No such file or directory (errno=2)” ? the files are there 100000%

Thanks ,

MickeyT · February 27, 2023, 6:49am

The “Failed to start OpenVPN connection to client” error means that the OpenVPN service couldn’t start the connection specified in the client.conf file. If you had called the file myserver.conf it would have reported “Failed to start OpenVPN connection to myserver”.

The certificate errors are to do with the permissions on the files and can be resolved by running the following commands:

sudo cp /home/pi/Documents/CRT/ca.crt /etc/openvpn/ca.crt
sudo cp /home/pi/Documents/CRT/client.crt /etc/openvpn/client.crt
sudo cp /home/pi/Documents/CRT/client.key  /etc/openvpn/client.key
sudo chown root:root /etc/openvpn/ca.crt /etc/openvpn/client.crt /etc/openvpn/client.key
sudo chmod 444 /etc/openvpn/ca.crt /etc/openvpn/client.crt
sudo chmod 400 /etc/openvpn/client.key
sudo chmod go-rwx /etc/openvpn/.secrets

You will then need to edit the client.conf file and replace the following lines:

ca /home/pi/Documents/CRT/ca.crt
cert /home/pi/Documents/CRT/client.crt
key /home/pi/Documents/CRT/client.key

With these:

ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key

I hope this helps.

–
Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

David1234 · February 28, 2023, 10:43am

I did what you told me ,
but now it’s seem that the PI is reset the connection every 10 seconds

Tue Feb 28 12:42:22 2023 Restart pause, 10 second(s)
Tue Feb 28 12:42:32 2023 TCP/UDP: Preserving recently used remote address: [AF_I                                                                                                                                          NET]132.145.78.182:1194
Tue Feb 28 12:42:32 2023 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Feb 28 12:42:32 2023 Attempting to establish TCP connection with [AF_INET]13                                                                                                                                          2.145.78.182:1194 [nonblock]
Tue Feb 28 12:42:33 2023 TCP connection established with [AF_INET]1.1.1.2                                                                                                                                         :1194
Tue Feb 28 12:42:33 2023 TCP_CLIENT link local: (not bound)
Tue Feb 28 12:42:33 2023 TCP_CLIENT link remote: [AF_INET]1.1.1.2:1194
Tue Feb 28 12:42:33 2023 TLS: Initial packet from [AF_INET]1.1.1.2:1194,                                                                                                                                           sid=53a1738d 07fd2100
Tue Feb 28 12:42:35 2023 VERIFY OK: depth=1, CN=Server.com
Tue Feb 28 12:42:35 2023 VERIFY KU OK
Tue Feb 28 12:42:35 2023 Validating certificate extended key usage
Tue Feb 28 12:42:35 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Feb 28 12:42:35 2023 VERIFY EKU OK
Tue Feb 28 12:42:35 2023 VERIFY OK: depth=0, CN=*.Server.com
Tue Feb 28 12:42:35 2023 Connection reset, restarting [0]
Tue Feb 28 12:42:35 2023 SIGUSR1[soft,connection-reset] received, process restarting
Tue Feb 28 12:42:35 2023 Restart pause, 10 second(s)

and also it Mikrotik I can see many connections \ tryig to connect every 10 seconds

**when I return to the old files in the Documents - I don’t have this problem
Strange , no ?

MickeyT · March 1, 2023, 10:03am

Very strange and I can’t explain it. I’ve had the same problem with certificates that you had and what I said about them is how I corrected the problem.

I found some details on a Reddit post that might help. You already have lines for persist-key and persist-tun but the post seems to indicate that adding a keepalive satement in the client config would help. They suggest:

keepalive 2 10

With the explanation: “The keepalive pings every 2 seconds and after twice waiting 10 seconds will restart the connection process.”

Good luck.

David1234 · March 1, 2023, 2:13pm

yes
now I don’t get any errors on syslog \ openvpn log

Thanks

Qbaakr · March 6, 2023, 8:37am

I don’t know if this will help you… but… I reinstalled my system (windows) last month. I installed openvpn - which was working fine before. By the way, I wanted to check something on the router and I restored it to factory settings, later I restored it from a backup. And the vpn was throwing errors. “unknown cipher alg or key size”. I tried 100 different ways and nothing. Finally, somewhere I came across a problem in which the incompatibility of protocols and versions was described. I installed a version of OpenVPN from a year ago - and the magic worked right away.