Opened 3 years ago

Closed 3 years ago

#883 closed Bug / Defect (notabug)

server connection leak

Reported by: zealot Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

The client has been stopped for days, but the server is still sending packets to the client.

Config:

port 1194
proto udp
dev tun9
ca XXX
cert XXX
key XXX
dh XXX
topology subnet
server 172.28.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
float
push "topology subnet"
push "route 10.0.0.0 255.0.0.0 net_gateway"
push "route 172.16.0.0 255.240.0.0 net_gateway"
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "route 224.0.0.0 224.0.0.0 net_gateway"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
tls-auth tls.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
replay-window 8192
verb 4
mssfix 1400

Server log:

Wed May  3 18:46:29 2017 us=2559 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May  3 18:46:29 2017 us=2619 user/client:57594 TLS Error: TLS handshake failed
Wed May  3 18:47:45 2017 us=43050 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May  3 18:47:45 2017 us=43099 user/client:57594 TLS Error: TLS handshake failed
Wed May  3 18:49:00 2017 us=403452 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May  3 18:49:00 2017 us=403515 user/client:57594 TLS Error: TLS handshake failed

Tcpdump:

18:46:44.121138 IP server.openvpn > client.57594: UDP, length 42
18:46:46.289049 IP server.openvpn > client.57594: UDP, length 42
18:46:50.077733 IP server.openvpn > client.57594: UDP, length 42
18:46:58.610614 IP server.openvpn > client.57594: UDP, length 42
18:47:14.461792 IP server.openvpn > client.57594: UDP, length 42
18:48:00.094284 IP server.openvpn > client.57594: UDP, length 42
18:48:02.058499 IP server.openvpn > client.57594: UDP, length 42
18:48:06.308484 IP server.openvpn > client.57594: UDP, length 42
18:48:14.283636 IP server.openvpn > client.57594: UDP, length 42
18:48:30.052212 IP server.openvpn > client.57594: UDP, length 42
18:49:16.006188 IP server.openvpn > client.57594: UDP, length 42
18:49:19.098406 IP server.openvpn > client.57594: UDP, length 42
18:49:24.066512 IP server.openvpn > client.57594: UDP, length 42

Packet content:

OpenVPN Protocol
    Type: 0x40 [opcode/key_id]
        0100 0... = Opcode: P_CONTROL_HARD_RESET_SERVER_V2 (0x08)
        .... .000 = Key ID: 0
    Session ID: 3110211901374068699
    HMAC: cdcdd7e5fd57d571f6b2bb9689fbe46df473be1e
    Packet-ID: 1
    Net Time: May  3, 2017 18:46:44.000000000 CST
    Message Packet-ID Array Length: 0
    Message Packet-ID: 0
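The dissection above is the plaintext header the server keeps retransmitting. As an added example (not part of this ticket or of OpenVPN's own code), the following Python decodes that header layout and flags the pattern seen in the tcpdump; the 42-byte sample is constructed from the values in the dissection, and the net time is an assumption (the dissector's 18:46:44 CST, i.e. UTC+8, as a UNIX timestamp).

```python
import struct

# Control-channel opcodes from OpenVPN's protocol; 8 is the one in the ticket.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
}

def parse_control_header(pkt: bytes, tls_auth: bool = True, hmac_len: int = 20) -> dict:
    """Decode the plaintext header of one OpenVPN control-channel UDP packet:
    opcode<<3|key_id (1), session id (8), with --tls-auth HMAC (20 for SHA1) +
    packet id (4) + net time (4), ACK array (1-byte count, 4 per id, 8-byte
    remote session id if count > 0), then message packet id (4, not in P_ACK)."""
    hdr = {"opcode": pkt[0] >> 3, "key_id": pkt[0] & 0x07}
    if hdr["opcode"] not in OPCODES:
        raise ValueError("not a control-channel opcode: %d" % hdr["opcode"])
    hdr["opcode_name"] = OPCODES[hdr["opcode"]]
    hdr["session_id"] = struct.unpack_from(">Q", pkt, 1)[0]
    off = 9
    if tls_auth:  # the ticket's server runs tls-auth, so the HMAC wrapper is present
        hdr["hmac"] = pkt[off:off + hmac_len].hex()
        hdr["packet_id"], hdr["net_time"] = struct.unpack_from(">II", pkt, off + hmac_len)
        off += hmac_len + 8
    n_ack = pkt[off]
    hdr["acks"] = [struct.unpack_from(">I", pkt, off + 1 + 4 * i)[0] for i in range(n_ack)]
    off += 1 + 4 * n_ack
    if n_ack:
        hdr["remote_session_id"] = struct.unpack_from(">Q", pkt, off)[0]
        off += 8
    if hdr["opcode"] != 5:  # P_ACK_V1 carries no message packet id
        hdr["message_packet_id"] = struct.unpack_from(">I", pkt, off)[0]
        off += 4
    hdr["header_len"] = off
    return hdr

def unanswered_server_reset(headers) -> bool:
    """Heuristic for the ticket's symptom: several packets to one peer that are all
    the server's initial HARD_RESET (message packet id 0) for a single session,
    i.e. the peer never acknowledged and nothing has reaped the session."""
    return (len(headers) >= 2
            and len({h["session_id"] for h in headers}) == 1
            and all(h["opcode"] == 8 and h["message_packet_id"] == 0 for h in headers))

# Constructed 42-byte sample from the values in the ticket's dissection (net time
# is an assumption: 2017-05-03 18:46:44 CST = UTC+8, as a UNIX timestamp).
SAMPLE = (bytes([0x40]) + struct.pack(">Q", 3110211901374068699)
          + bytes.fromhex("cdcdd7e5fd57d571f6b2bb9689fbe46df473be1e")
          + struct.pack(">II", 1, 1493808404) + bytes([0]) + struct.pack(">I", 0))
```

Feeding it the same peer's packets from a capture shows whether the server is still stuck on its first reset; the fix the developers give below (a --keepalive) is what makes such a session time out.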

Change History (3)

comment:1 Changed 3 years ago by David Sommerseth

Are you really using OpenVPN v2.3.4? That must be upgraded to at least v2.3.13. Preferably v2.4.1.

Also, try to add --keepalive to your configuration. That is how you tell OpenVPN how long a client can be away without responding.

comment:2 Changed 3 years ago by Gert Döring

Right - what dazo says. Unless there is a keepalive, *or* the client has told the server (when using --explicit-exit-notify), the server doesn't know the client "has been stopped". As far as the server is concerned, it's just hiding behind a broken router etc. and could be back any minute.

No need to set float in server mode, btw, won't do anything :-)

comment:3 Changed 3 years ago by Gert Döring

Priority: major → minor
Resolution: → notabug
Status: new → closed