Keeping OpenVPN Tunnel Alive

Hi - I'm trying to get a persistent connection to PIA set up on a headless Ubuntu 14.04 server with OpenVPN. It works OK so far, but if the connection is idle for a couple of days, it stops working - tun0 still exists and it has an IP address, but I can't ping anything.

My current config is below. I thought adding the keepalive line would fix it, but it apparently did not.

Any thoughts?

client
dev tun
proto udp
remote nl.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.pem
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
keepalive 10 60

Comments

  • I think the numbers after keepalive need to be inflated greatly to do this. I honestly have no idea what exact unit of time they measure, but I would start by setting them as high as possible without an error showing in the log.

    I am thinking of something like this:
    "keepalive 3600 65535"

    (These numbers are just randomly chosen by me, use whatever you think should work and see if it helps.)
  • Thanks for the suggestion. From what I've read, keepalive 10 60 means something like "send a ping every 10 seconds, and if no data is received after 60 seconds, restart the connection".

    I would think that making the values large would make it even less effective. No?
  • Yes and no. It depends upon if you are actively using the connection or not. If not, then obviously no data will be received, and it will timeout. Reconnecting does not always work, so you may be better off with an idle connection that stays for much longer.

    Nonetheless it is your config to play with as you want. If it works for you as you configure it, I am certainly not thinking it should be changed.

    3600 would in this case mean that it only bothers to ping the server every hour. So that may be a bad idea upon thinking some more. But every ten seconds is likely to be too often to maintain a connection. (Meaning lots of wasted data.)

    Perhaps 60 3600 would be a better ratio?
  • I'll play around with that. I also noticed that manually sending a SIGUSR1 to the OpenVPN process shows the same behavior. After the signal is sent, I can no longer send data through the tunnel.
  • I think I figured it out. When a SIGUSR1 signal is sent to reset the connection, the server name, nl.privateinternetaccess.com, can't be resolved. I think that's because I'm using "up /etc/openvpn/update-resolv-conf" to set the name servers to the PIA name servers.

    My workaround was to get rid of "persist-tun" in the config, which causes the tunnel to be taken down and restarted when a SIGUSR1 signal is sent.

    We'll see if this works.
  • I'm having the same problem with the DNS. Did removing persist-tun fix it for you?
  • edited January 2016
    I deleted the "persist-tun" in the config, and it works!

    Before I did that, once or twice a day there was reconnect - even when I used a static IP address in the config (downloaded from here https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip). But after deleting "persist-tun", the connection stays online for several days! And I didn't add the "keepalive" command to the config, I just deleted "persist-tun".

    See also this page regarding persist-key/persist-tun: https://openvpn.net/index.php/open-source/documentation/howto.html:
    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.
    Interestingly, there aren't restarts when NOT having "persist-tun" in the config, whereas the description says that restarts are tried to be avoided when there are the persist-commands in the config.
  • Hi,

    I am experiencing the same issue. I would like to try your solution. However, I am experiencing troubles creating a new VPN connection. Is there a way to modify an existing, working VPN connection to turn off persist-tun via the network-manager-gnome interface?
  • OmniNegro said:
     It depends upon if you are actively using the connection or not. If not, then obviously no data will be received, and it will timeout.

    I don't think this is correct, as the server should continue to "keep-alive" the connection indefinitely.
  • I am having the same issues. My VPN on router #2 used to stay up for weeks at a time. Now I can't even get 24 hours out of it. I can post logs if anyone is willing to help me out. Thank you in advance.
  • DrFink said:
    I deleted the "persist-tun" in the config, and it works!

    Before I did that, once or twice a day there was reconnect - even when I used a static IP address in the config (downloaded from here https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip). But after deleting "persist-tun", the connection stays online for several days! And I didn't add the "keepalive" command to the config, I just deleted "persist-tun".

    See also this page regarding persist-key/persist-tun: https://openvpn.net/index.php/open-source/documentation/howto.html:
    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.
    Interestingly, there aren't restarts when NOT having "persist-tun" in the config, whereas the description says that restarts are tried to be avoided when there are the persist-commands in the config.
    This did not work for me, any other suggestions?
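
The combination diagnosed in this thread can be checked for mechanically. The following is an added example, not code from any poster or from OpenVPN: it parses a client config, reports what `keepalive` expands to on the client side, and flags the case where a hostname `remote`, `persist-tun` and an `up` script that rewrites resolv.conf appear together. The function names and the sample config (constructed from the directives in the original post) are assumptions of this example.

```python
import ipaddress

# Constructed sample: directives taken from the config in the original post.
SAMPLE_CONFIG = """\
client
remote nl.privateinternetaccess.com 1194
resolv-retry infinite
persist-tun
script-security 2
up /etc/openvpn/update-resolv-conf
keepalive 10 60
"""

def parse_config(text):
    """Map each directive name to the list of its argument lists."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def is_hostname(value):
    """True when a remote is a name that needs DNS, not a literal IP."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return True

def audit(text):
    d = parse_config(text)
    report = {"ping": None, "ping_restart": None}
    if "keepalive" in d:
        # Client side: "keepalive A B" acts as "ping A" plus "ping-restart B";
        # ping-restart triggers a SIGUSR1 restart after B seconds of silence.
        report["ping"], report["ping_restart"] = map(int, d["keepalive"][0][:2])
    report["hostnames"] = [a[0] for a in d.get("remote", []) if a and is_hostname(a[0])]
    rewrites_dns = any("update-resolv-conf" in " ".join(a) for a in d.get("up", []))
    # Thread's diagnosis: after SIGUSR1 the remote name must be re-resolved,
    # but resolv.conf still points at name servers set by the up script.
    report["restart_dns_risk"] = (
        bool(report["hostnames"]) and rewrites_dns and "persist-tun" in d)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
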