# OpenVPN cannot ping after reconnect



## Trigve (Mar 13, 2021)

Hi,
I'm wondering if anyone has encountered the problem I'm having.

I have an OpenVPN 2.5.1 server on FreeBSD 12.2 using UDP. Then I'm using a Windows 10 client to connect to the server. Now, I connect to the OpenVPN. Everything works fine, I can ping/ssh/whatsoever. Then I disconnect the VPN and connect once more. Now, the connection is established (no error in the OpenVPN console) but I cannot ping or connect to anything. If I disconnect and wait for 10 minutes then everything is back to normal and works. Also if I VNC to the server and restart the service, everything then works OK. Note that I've used (and am using) OpenVPN on Debian also and I never had this kind of problem.

I've tried to search for solutions but without success. Does anyone know what's going on?

Thank You


----------



## VladiBG (Mar 13, 2021)

There's not enough information given to diagnose the problem. Can you share your openvpn.conf, ccd config and client.ovpn? It looks like there's some routing issue, but without more information I can't tell for sure. You can tweak your keepalive on the server so it will drop disconnected clients faster.

`keepalive 10 120`
will ping every 10 sec and if no response is received in 120 sec the client session will be dropped.


----------



## Trigve (Mar 13, 2021)

Thank You for the reply VladiBG.

Server:

```
port XXX
proto udp
dev tun
ca ...
cert ...
key ...
dh ...
topology subnet
server 10.8.X.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir server/ccd
keepalive 10 120
tls-auth ...
cipher ...
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth ...
remote-cert-tls client
```

Client:

```
client
tls-client
dev tun
proto udp
remote ...
ca ...
cert ...
key ...
tls-auth ... 1
cipher ...
auth ...
verb 3
mute 20
```

There is no CCD for the given client.


----------



## VladiBG (Mar 14, 2021)

To your client config add

```
nobind
remote-cert-tls server
```

Note: you are missing a crl in your server config. When you need to disable some client certs that are no longer valid/used you need to generate a crl and include it in your server config.
Note2: in your server config you have persist-key/tun and you don't have the same options in your client.


----------



## Trigve (Mar 14, 2021)

VladiBG said:


> To your client config add
> 
> ```
> nobind
> ...



Thank you for the reply. I've added the given options to the config and it looks like it's working.

Also thanks for the notes, I've implemented them.


----------



## VladiBG (Mar 14, 2021)

My configuration is a bit different. I'm using the default server.conf and client.conf with some small changes only to the pushed routes, the tap bridge and the networks.
Do you observe any difference in performance using some other auth algorithm, which by default is SHA1 HMAC? The openvpn(8) manual says it adds 16 or 20 bytes on top of the data packet.

My installation is done like this:


```
pkg install openvpn
mkdir /usr/local/etc/openvpn
cp -R /usr/local/share/easy-rsa/ /usr/local/etc/openvpn/easy-rsa/
cd /usr/local/share/examples/openvpn/sample-config-files/
cp server.conf /usr/local/etc/openvpn/
cd /usr/local/etc/openvpn/easy-rsa/
./easyrsa.real init-pki
./easyrsa.real build-ca nopass
./easyrsa.real build-server-full server nopass
./easyrsa.real build-client-full client1 nopass
./easyrsa.real gen-dh
./easyrsa.real gen-crl

cd /usr/local/etc/openvpn/easy-rsa/pki
openvpn --genkey --secret ta.key

mv /usr/local/etc/openvpn/server.conf /usr/local/etc/openvpn/openvpn.conf
ee /usr/local/etc/openvpn/openvpn.conf
```



```
ca /usr/local/etc/openvpn/easy-rsa/pki/ca.crt
cert /usr/local/etc/openvpn/easy-rsa/pki/issued/server.crt
key /usr/local/etc/openvpn/easy-rsa/pki/private/server.key
crl-verify /usr/local/etc/openvpn/easy-rsa/pki/crl.pem
dh /usr/local/etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /usr/local/etc/openvpn/easy-rsa/pki/ta.key
```



```
mkdir /usr/local/etc/newsyslog.conf.d
ee /usr/local/etc/newsyslog.conf.d/openvpn.conf
```



```
/var/log/openvpn/openvpn.log root:wheel 640 3 1000 * JC
```



```
mkdir /usr/local/etc/syslog.d
ee /usr/local/etc/syslog.d/openvpn.conf
```


```
!openvpn
*.*    /var/log/openvpn/openvpn.log
!-openvpn
```


```
newsyslog -vC
service syslogd reload
sysrc openvpn_enable=yes
service openvpn start
```
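An added example, not part of this thread and not OpenVPN's own tooling: a small POSIX sh lint that checks a server config for `crl-verify` (VladiBG's first note) and a client config for `nobind` and `remote-cert-tls server` (the fix that worked for Trigve), and also flags a missing `tls-auth`/`tls-crypt` and `keepalive`. The sample configs are constructed inline and modelled on the ones posted above; the host name `vpn.example.org`, the key/cert file names and the temporary directory are placeholders. Point `lint_server`/`lint_client` at the real `openvpn.conf` and `.ovpn` from the install procedure above to check them.

```sh
#!/bin/sh
# Added example (not from the thread): lint OpenVPN server/client configs for
# the hardening options discussed above. Uses only grep/sed/cat so it runs
# anywhere; the sample configs are constructed below for demonstration.

# has_opt FILE NAME [VALUE]: true if FILE has an active (uncommented) line
# starting with NAME, and, when VALUE is given, whose first argument is VALUE.
# Lines starting with '#' or ';' never match because the regex is anchored at
# the option name.
has_opt() {
    if [ -n "$3" ]; then
        grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1"
    else
        grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
    fi
}

# lint_server FILE: print one line per finding, return the number of findings.
lint_server() {
    cnt=0
    has_opt "$1" crl-verify || { echo "server: no 'crl-verify' - revoked client certificates are still accepted"; cnt=$((cnt+1)); }
    has_opt "$1" remote-cert-tls client || { echo "server: no 'remote-cert-tls client' - any certificate from the CA (including a server cert) is accepted as a client"; cnt=$((cnt+1)); }
    { has_opt "$1" tls-auth || has_opt "$1" tls-crypt; } || { echo "server: no 'tls-auth'/'tls-crypt' - control channel has no pre-TLS HMAC"; cnt=$((cnt+1)); }
    has_opt "$1" keepalive || { echo "server: no 'keepalive' - disconnected clients are not detected and dropped promptly"; cnt=$((cnt+1)); }
    return $cnt
}

# lint_client FILE: same for a client .ovpn.
lint_client() {
    cnt=0
    has_opt "$1" remote-cert-tls server || { echo "client: no 'remote-cert-tls server' - any certificate from the CA (including another client's) could impersonate the server"; cnt=$((cnt+1)); }
    has_opt "$1" nobind || { echo "client: no 'nobind' - client binds local port 1194 instead of an ephemeral port"; cnt=$((cnt+1)); }
    { has_opt "$1" tls-auth || has_opt "$1" tls-crypt; } || { echo "client: no 'tls-auth'/'tls-crypt' - must match the server"; cnt=$((cnt+1)); }
    return $cnt
}

# Constructed sample configs (placeholder paths/host; not real files or keys).
# The "weak" pair mirrors the first configs posted in the thread; the "fixed"
# pair applies the two notes and the nobind/remote-cert-tls change.
SAMPLE_DIR=$(mktemp -d)
write_samples() {
    cat > "$SAMPLE_DIR/server-weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
remote-cert-tls client
EOF
    { cat "$SAMPLE_DIR/server-weak.conf"; echo "crl-verify crl.pem"; } > "$SAMPLE_DIR/server-fixed.conf"

    cat > "$SAMPLE_DIR/client-weak.ovpn" <<'EOF'
client
tls-client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
# remote-cert-tls server   (commented out: must not count as present)
EOF
    { cat "$SAMPLE_DIR/client-weak.ovpn"; echo "nobind"; echo "remote-cert-tls server"; } > "$SAMPLE_DIR/client-fixed.ovpn"
}

write_samples
for f in server-weak.conf server-fixed.conf; do
    echo "== $f"; lint_server "$SAMPLE_DIR/$f" || true
done
for f in client-weak.ovpn client-fixed.ovpn; do
    echo "== $f"; lint_client "$SAMPLE_DIR/$f" || true
done
```

The two `remote-cert-tls` checks matter because a plain `ca`-only setup accepts any certificate the CA signed on either side: `remote-cert-tls server` makes the client require the server-authentication extended key usage, so a stolen or still-unrevoked client certificate cannot stand in for the server, and `crl-verify` is what actually makes the revocation VladiBG describes take effect.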


----------



## Trigve (Mar 15, 2021)

For auth I'm using sha512. I haven't tested the performance but my subjective feeling is that sha512 is a little bit slower (based on another OpenVPN setup which is using the default auth). But I haven't made any side-by-side comparisons, only some iperf3 tests (which were useless in the end).


----------

