I’m using pivpn to set up a VPN between my computer and an AWS instance. This is the autogenerated configuration file for the server (I’ve only changed the values of
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_VzlgR4iTajic3eep.crt
key /etc/openvpn/easy-rsa/pki/private/server_VzlgR4iTajic3eep.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 18.104.22.168"
push "dhcp-option DNS 22.214.171.124"
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
I have two issues.
keepalive takes a long time to trigger a reconnect
As far as I understand, the keepalive 10 60 option triggers a ping-restart that sends a SIGUSR1 to the process, to reconnect to the server. If I start openvpn on my client and I turn the network interface off and on, it takes up to 3 minutes to trigger a reconnect, while I would expect it to happen in 60 seconds.
Wed May 29 01:26:50 2019 Initialization Sequence Completed
Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
If I trigger a reconnection with SIGUSR1, or if I wait 3 minutes, the openvpn process stops at
Wed May 29 01:06:56 2019 Initialization Sequence Completed
Wed May 29 01:07:58 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
Wed May 29 01:07:58 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed May 29 01:07:58 2019 Restart pause, 5 second(s)
Wed May 29 01:08:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]126.96.36.199:1194
Wed May 29 01:08:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 29 01:08:03 2019 UDP link local: (not bound)
Wed May 29 01:08:03 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
My guess is that the option persist-tun doesn’t play well when a network interface disconnects (maybe a dependency between wlan0). I tried to disable persist-tun on the client configuration, and it reconnects as expected. Even if this seems like a solution, I’d like to run my openvpn process as user nobody, but this setting doesn’t allow creating a new
Wed May 29 01:34:31 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Wed May 29 01:34:31 2019 Exiting due to fatal error
What I did in the end was to build a custom script to ping the VPN server, and trigger a systemctl restart openvpn@pivpn if the ping fails. To me, this seems the only reasonable approach if you want to start openvpn as
TL;DR: is there an openvpn way to reconnect without relying on a custom script? I’d like to rely only on keepalive, but it seems to not work as expected. Also, I think there is no way to run openvpn as nobody and have permission to create a tunnel interface.
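As an added example (not part of the question above and not pivpn or OpenVPN code), the following Python script does two things a practitioner checking this kind of report would want: it expands a `keepalive interval timeout` directive into the `ping`/`ping-restart` values it stands for on each side (per the OpenVPN manual, a server doubles its own `ping-restart` and pushes the undoubled timeout to clients), and it measures, from the client log, how long each session actually ran between "Initialization Sequence Completed" and the next `--ping-restart` inactivity timeout so the observed delay can be compared with the configured one. The sample log lines are copied from the excerpts in the question; the function names are this example's own.

```python
import re
from datetime import datetime

# Sample log lines taken from the question's excerpts (one event per line).
SAMPLE_LOG = """\
Wed May 29 01:26:50 2019 Initialization Sequence Completed
Wed May 29 01:29:54 2019 [server_VzlgR4iTajic3eep] Inactivity timeout (--ping-restart), restarting
Wed May 29 01:29:54 2019 SIGUSR1[soft,ping-restart] received, process restarting
"""

# OpenVPN default log prefix: "Wed May 29 01:26:50 2019 <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")


def expand_keepalive(interval, timeout, server_mode):
    """Return the options that 'keepalive interval timeout' expands to.

    Per the OpenVPN man page, in server mode the server uses ping-restart
    timeout*2 for itself and pushes 'ping-restart timeout' to clients;
    a plain client uses the values as given.
    """
    if server_mode:
        return {
            "ping": interval,
            "ping-restart": timeout * 2,
            "push ping": interval,
            "push ping-restart": timeout,
        }
    return {"ping": interval, "ping-restart": timeout}


def parse_log(text):
    """Yield (timestamp, message) pairs for lines that carry a log prefix."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines without the standard timestamp prefix
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group(2)))
    return events


def restart_delays(text):
    """Seconds between each 'Initialization Sequence Completed' and the
    next '--ping-restart' inactivity timeout in the same log."""
    delays = []
    start = None
    for ts, msg in parse_log(text):
        if msg.endswith("Initialization Sequence Completed"):
            start = ts
        elif "Inactivity timeout (--ping-restart)" in msg and start is not None:
            delays.append(int((ts - start).total_seconds()))
            start = None
    return delays


def check_delays(text, expected_timeout, slack=15):
    """Return the delays that exceed the configured ping-restart by more
    than `slack` seconds, i.e. restarts that came later than expected."""
    return [d for d in restart_delays(text) if d > expected_timeout + slack]


if __name__ == "__main__":
    expected = expand_keepalive(10, 60, server_mode=True)["push ping-restart"]
    print("client should restart after", expected, "seconds of silence")
    print("observed delays:", restart_delays(SAMPLE_LOG))
    print("late restarts:", check_delays(SAMPLE_LOG, expected))
```

Run it against a real client log (for example the output of `journalctl -u openvpn@pivpn`) by passing the text to `restart_delays`; a delay well above the pushed `ping-restart` value, as in the sample, is the symptom to investigate rather than a sign that keepalive is absent.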