OpenVPN fails to reconnect when network adapter reconnects to WiFi

I’m using pivpn to set up a VPN between my computer and an AWS instance. This is the autogenerated configuration file for the server (I’ve only changed the values of keepalive).

dev tun proto udp port 1194 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server_VzlgR4iTajic3eep.crt key /etc/openvpn/easy-rsa/pki/private/server_VzlgR4iTajic3eep.key dh none topology subnet server 10.8.0.0 255.255.255.0 push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" push "block-outside-dns" push "redirect-gateway def1" client-to-client keepalive 10 60 remote-cert-tls client tls-version-min 1.2 tls-crypt /etc/openvpn/easy-rsa/pki/ta.key cipher AES-256-CBC auth SHA256 user nobody group nogroup persist-key persist-tun crl-verify /etc/openvpn/crl.pem status /var/log/openvpn-status.log 20 status-version 3 syslog verb 3 

I have two issues.

keepalive takes a long time to trigger a reconnect

As far as I understand the keepalive 10 60 option triggers a ping-restart that sends a SIGUSR1 to the process, to reconnect to the server. If I start openvpn on my client and I turn off and on the network interface, it takes up to 3 minutes to trigger a reconnect, while I would expect to happen in 60 seconds.

Wed May 29 01:26:50 2019 Initialization Sequence Completed Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting 

Reconnection hangs

If I trigger a reconnection with SIGUSR1 or if I wait 3 minutes, the openvpn process stops at

Wed May 29 01:06:56 2019 Initialization Sequence Completed Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting Wed May 29 01:07:58 2019 SIGUSR1[soft,ping-restart] received, process restarting Wed May 29 01:07:58 2019 Restart pause, 5 second(s) Wed May 29 01:08:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]52.29.18.70:1194 Wed May 29 01:08:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Wed May 29 01:08:03 2019 UDP link local: (not bound) Wed May 29 01:08:03 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194 

My guess is that the option persist-tun doesn’t play well when a network interface disconnects (maybe a dependency between tun and wlan0). I tried to disable persist-tun on the client configuration, and it reconnects as expected. Even if this seems like a solution, I’d like to run my openvpn process as user nobody, but this setting doesn’t allow to create a new tun interface.

Wed May 29 01:34:31 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) Wed May 29 01:34:31 2019 Exiting due to fatal error 

What I did at the end was to build a custom script to ping the VPN server, and trigger a systemctl restart openvpn@pivpn if the ping fails. To me, this seems the only reasonable approach if you want to start openvpn as nobody.

TL;DR: is there an openvpn way to reconnect without relying on a custom script? I’d like to rely only on keepalive but it seems to not work as expected. Also, I think there is no way to run openvpn as nobody and have permission to create a tunnel interface.