Upgrading OpenVPN 2.4.7 to 2.5.6 results in frequent disconnects
Mia Lopez
When using OpenVPN 2.4.7 on my server (Ubuntu Server 20.04) and connecting from a 2.5.6 client (also Ubuntu 20.04), I can connect with no issue. However, when I try to use OpenVPN 2.5.6 on the server, I run into a big problem where at seemingly random intervals I get reconnected and therefore lose network connection for the few seconds it takes to reconnect. This happens when using exactly the same server and client configurations; the only difference is that the 2.4.7 server doesn't disconnect (I want to upgrade to a 2.5 server in order to utilize its IPv6 functionality).
Here is my full server log containing when this error occurs (I manually disconnect at the end after the reconnection occurred):
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
Current Parameter Settings: config = 'server2.conf' mode = 1 persist_config = DISABLED persist_mode = 1 show_ciphers = DISABLED show_digests = DISABLED show_engines = DISABLED genkey = DISABLED genkey_filename = '[UNDEF]' key_pass_file = '[UNDEF]' show_tls_ciphers = DISABLED connect_retry_max = 0
Connection profiles [0]: proto = tcp-server local = '192.168.0.27' local_port = '443' remote = '[UNDEF]' remote_port = '443' remote_float = DISABLED bind_defined = DISABLED bind_local = ENABLED bind_ipv6_only = DISABLED connect_retry_seconds = 5 connect_timeout = 120 socks_proxy_server = '[UNDEF]' socks_proxy_port = '[UNDEF]' tun_mtu = 1500 tun_mtu_defined = ENABLED link_mtu = 1500 link_mtu_defined = DISABLED tun_mtu_extra = 0 tun_mtu_extra_defined = DISABLED mtu_discover_type = -1 fragment = 0 mssfix = 1450 explicit_exit_notification = 0 tls_auth_file = '[UNDEF]' key_direction = not set tls_crypt_file = '[INLINE]' tls_crypt_v2_file = '[UNDEF]'
Connection profiles END remote_random = DISABLED ipchange = '[UNDEF]' dev = 'tun1' dev_type = '[UNDEF]' dev_node = '[UNDEF]' lladdr = '[UNDEF]' topology = 3 ifconfig_local = '10.8.2.1' ifconfig_remote_netmask = '255.255.254.0' ifconfig_noexec = DISABLED ifconfig_nowarn = DISABLED ifconfig_ipv6_local = '[UNDEF]' ifconfig_ipv6_netbits = 0 ifconfig_ipv6_remote = '[UNDEF]' shaper = 0 mtu_test = 0 mlock = DISABLED keepalive_ping = 0 keepalive_timeout = 0 inactivity_timeout = 0 inactivity_minimum_bytes = 0 ping_send_timeout = 10 ping_rec_timeout = 120 ping_rec_timeout_action = 2 ping_timer_remote = ENABLED remap_sigusr1 = 0 persist_tun = ENABLED persist_local_ip = DISABLED persist_remote_ip = DISABLED persist_key = ENABLED passtos = DISABLED resolve_retry_seconds = 1000000000 resolve_in_advance = DISABLED username = '[UNDEF]' groupname = '[UNDEF]' chroot_dir = '[UNDEF]' cd_dir = '[UNDEF]' writepid = '[UNDEF]' up_script = '[UNDEF]' down_script = '[UNDEF]' down_pre = DISABLED up_restart = DISABLED up_delay = DISABLED daemon = DISABLED inetd = 0 log = ENABLED suppress_timestamps = ENABLED machine_readable_output = DISABLED nice = 0 verbosity = 5 mute = 0 status_file = 'openvpn-status2.log' status_file_version = 2 status_file_update_freq = 60 occ = ENABLED rcvbuf = 0 sndbuf = 0 mark = 0 sockflags = 0 fast_io = DISABLED comp.alg = 0 comp.flags = 0 route_script = '[UNDEF]' route_default_gateway = '10.8.2.2' route_default_metric = 0 route_noexec = DISABLED route_delay = 0 route_delay_window = 30 route_delay_defined = DISABLED route_nopull = DISABLED route_gateway_via_dhcp = DISABLED allow_pull_fqdn = DISABLED management_addr = 'localhost' management_port = '7506' management_user_pass = '[UNDEF]' management_log_history_cache = 250 management_echo_buffer_size = 100 management_write_peer_info_file = '[UNDEF]' management_client_user = '[UNDEF]' management_client_group = '[UNDEF]' management_flags = 0 shared_secret_file = '[UNDEF]' key_direction = not set ciphername = 'AES-256-CBC' 
ncp_enabled = ENABLED ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC' authname = 'SHA512' prng_hash = 'SHA1' prng_nonce_secret_len = 16 keysize = 0 engine = DISABLED replay = ENABLED mute_replay_warnings = DISABLED replay_window = 64 replay_time = 15 packet_id_file = '[UNDEF]' test_crypto = DISABLED tls_server = ENABLED tls_client = DISABLED ca_file = 'ca.crt' ca_path = '[UNDEF]' dh_file = 'dh.pem' cert_file = 'server.crt' extra_certs_file = '[UNDEF]' priv_key_file = 'server.key' pkcs12_file = '[UNDEF]' cipher_list = '[UNDEF]' cipher_list_tls13 = '[UNDEF]' tls_cert_profile = '[UNDEF]' tls_verify = '[UNDEF]' tls_export_cert = '[UNDEF]' verify_x509_type = 0 verify_x509_name = '[UNDEF]' crl_file = 'crl.pem' ns_cert_type = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_ku[i] = 0 remote_cert_eku = '[UNDEF]' ssl_flags = 1 tls_timeout = 2 renegotiate_bytes = -1 renegotiate_packets = 0 renegotiate_seconds = 3600 handshake_window = 60 transition_window = 3600 single_session = DISABLED push_peer_info = DISABLED tls_exit = DISABLED tls_crypt_v2_metadata = '[UNDEF]' pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED 
pkcs11_protected_authentication = DISABLED pkcs11_protected_authentication = DISABLED pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_private_mode = 00000000 pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_cert_private = DISABLED pkcs11_pin_cache_period = -1 pkcs11_id = '[UNDEF]' pkcs11_id_management = DISABLED server_network = 10.8.2.0 server_netmask = 255.255.254.0 server_network_ipv6 = :: server_netbits_ipv6 = 0 server_bridge_ip = 0.0.0.0 server_bridge_netmask = 0.0.0.0 server_bridge_pool_start = 0.0.0.0 server_bridge_pool_end = 0.0.0.0 push_entry = 'dhcp-option DNS 1.1.1.1' push_entry = 'dhcp-option DNS 1.0.0.1' push_entry = 'redirect-gateway def1 bypass-dhcp' push_entry = 'route 192.168.0.0 255.255.0.0 net_gateway' push_entry = 'route 172.16.0.0 255.240.0.0 net_gateway' push_entry = 'ping 10' push_entry = 'ping-restart 120' push_entry = 'route-gateway 10.8.2.1' push_entry = 'topology subnet' ifconfig_pool_defined = ENABLED ifconfig_pool_start = 10.8.2.2 ifconfig_pool_end = 10.8.3.254 ifconfig_pool_netmask = 255.255.254.0 ifconfig_pool_persist_filename = '[UNDEF]' ifconfig_pool_persist_refresh_freq = 600 
ifconfig_ipv6_pool_defined = DISABLED ifconfig_ipv6_pool_base = :: ifconfig_ipv6_pool_netbits = 0 n_bcast_buf = 256 tcp_queue_limit = 64 real_hash_size = 256 virtual_hash_size = 256 client_connect_script = '[UNDEF]' learn_address_script = '[UNDEF]' client_disconnect_script = '[UNDEF]' client_config_dir = '[UNDEF]' ccd_exclusive = DISABLED tmp_dir = '/tmp' push_ifconfig_defined = DISABLED push_ifconfig_local = 0.0.0.0 push_ifconfig_remote_netmask = 0.0.0.0 push_ifconfig_ipv6_defined = DISABLED push_ifconfig_ipv6_local = ::/0 push_ifconfig_ipv6_remote = :: enable_c2c = DISABLED duplicate_cn = DISABLED cf_max = 0 cf_per = 0 max_clients = 100 max_routes_per_client = 256 auth_user_pass_verify_script = '/etc/openvpn/server/clientCheck.sh' auth_user_pass_verify_script_via_file = DISABLED auth_token_generate = DISABLED auth_token_lifetime = 0 auth_token_secret_file = '[UNDEF]' port_share_host = '[UNDEF]' port_share_port = '[UNDEF]' vlan_tagging = DISABLED vlan_accept = all vlan_pvid = 1 client = DISABLED pull = DISABLED auth_user_pass_file = '[UNDEF]'
OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 1 2022
library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7506
WARNING: --keepalive option is missing from server config
NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Diffie-Hellman initialized with 2048 bit key
CRL: loaded 1 CRLs from file crl.pem
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
TLS-Auth MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
TUN/TAP device tun1 opened
do_ifconfig, ipv4=1, ipv6=0
/sbin/ip link set dev tun1 up mtu 1500
/sbin/ip link set dev tun1 up
/sbin/ip addr add dev tun1 10.8.2.1/23
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[131072->131072] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET]192.168.0.27:443
TCPv4_SERVER link local (bound): [AF_INET]192.168.0.27:443
TCPv4_SERVER link remote: [AF_UNSPEC]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL IPv4: base=10.8.2.2 size=509
MULTI: TCP INIT maxclients=100 maxevents=104
Initialization Sequence Completed
MULTI: multi_create_instance called
Re-using SSL/TLS context
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
TCP connection established with [AF_INET]192.168.0.23:33260
TCPv4_SERVER link local: (not bound)
TCPv4_SERVER link remote: [AF_INET]192.168.0.23:33260
R192.168.0.23:33260 TLS: Initial packet from [AF_INET]192.168.0.23:33260, sid=88a1a810 57e425e0
WRRWWWRRR192.168.0.23:33260 peer info: IV_VER=2.5.6
192.168.0.23:33260 peer info: IV_PLAT=linux
192.168.0.23:33260 peer info: IV_PROTO=6
192.168.0.23:33260 peer info: IV_NCP=2
192.168.0.23:33260 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
192.168.0.23:33260 peer info: IV_LZ4=1
192.168.0.23:33260 peer info: IV_LZ4v2=1
192.168.0.23:33260 peer info: IV_LZO=1
192.168.0.23:33260 peer info: IV_COMP_STUB=1
192.168.0.23:33260 peer info: IV_COMP_STUBv2=1
192.168.0.23:33260 peer info: IV_TCPNL=1
192.168.0.23:33260 TLS: Username/Password authentication succeeded for username 'user'
WWRR192.168.0.23:33260 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
192.168.0.23:33260 [] Peer Connection Initiated with [AF_INET]192.168.0.23:33260
192.168.0.23:33260 MULTI_sva: pool returned IPv4=10.8.2.2, IPv6=(Not enabled)
192.168.0.23:33260 MULTI: Learn: 10.8.2.2 -> 192.168.0.23:33260
192.168.0.23:33260 MULTI: primary virtual IP for 192.168.0.23:33260: 10.8.2.2
192.168.0.23:33260 Data Channel: using negotiated cipher 'AES-256-GCM'
192.168.0.23:33260 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:406 ET:0 EL:3 ]
192.168.0.23:33260 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
192.168.0.23:33260 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,redirect-gateway def1 bypass-dhcp,route 192.168.0.0 255.255.0.0 net_gateway,route 172.16.0.0 255.240.0.0 net_gateway,ping 10,ping-restart 120,route-gateway 10.8.2.1,topology subnet,ifconfig 10.8.2.2 255.255.254.0,peer-id 0,cipher AES-256-GCM' (status=1)
WRRwrWRwrWRwrWRwrWRwrWW192.168.0.23:33260 Connection reset, restarting [0]
192.168.0.23:33260 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP/UDP: Closing socket
And on the client I get this message:
2022-04-01 11:56:18 us=284484 Connection reset command was pushed by server ('')
2022-04-01 11:56:18 us=284568 TCP/UDP: Closing socket
2022-04-01 11:56:18 us=284588 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2022-04-01 11:56:18 us=284599 Restart pause, 5 second(s)
So for some reason the server is causing a connection reset, but I have no change in my server or client configurations.
My server config on both 2.4.7 and 2.5.6 versions is the following:
local 192.168.0.27
port 69
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.254.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "route 172.16.0.0 255.240.0.0 net_gateway"
push "explicit-exit-notify 2"
cipher AES-256-CBC
persist-key
persist-tun
ping-exit 150
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 120"
ping-timer-rem
status openvpn-status.log
verb 4
crl-verify crl.pem
explicit-exit-notify
management localhost 7505
script-security 3
max-clients 100
auth-user-pass-verify /etc/openvpn/server/clientCheck.sh via-env
verify-client-cert none
My client config (2.5.6) is the following:
client
dev tun
proto udp
remote 192.168.0.27 69
resolv-retry infinite
ignore-unknown-option block-outside-dns block-ipv6
nobind
persist-key
persist-tun
remote-random
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
explicit-exit-notify 2
verb 4
auth-user-pass
pull
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>
What can I try to stop this reconnecting?
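To narrow down "seemingly random intervals", it helps to extract every SIGUSR1 restart from the client log and measure the spacing between them, so the gaps can be compared against the timers visible in the post (ping-restart 120, renegotiate_seconds 3600). The script below is an added example, not code from the question or from the OpenVPN project; it assumes the client log format shown above (`YYYY-MM-DD HH:MM:SS us=NNNNNN message`) and uses constructed sample lines built around the one real restart line from the post.

```python
import re
from datetime import datetime

# Client log line layout as seen in the post: "2022-04-01 11:56:18 us=284588 <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) us=\d+ (.*)$")
# Restart events look like "SIGUSR1[soft,server-pushed-connection-reset] received, ..."
SIGUSR1_RE = re.compile(r"SIGUSR1\[(?P<kind>[^,\]]+),(?P<reason>[^\]]+)\] received")

# Timers that appear on the page; a restart cadence matching one of them is a strong hint.
KNOWN_TIMERS = {
    120: "ping-restart 120 (server/client config)",
    3600: "renegotiate_seconds = 3600 (TLS renegotiation, server log)",
}

# Constructed sample: the real restart line from the post plus two fabricated repeats 120 s apart.
SAMPLE_LOG = """\
2022-04-01 11:56:18 us=284484 Connection reset command was pushed by server ('')
2022-04-01 11:56:18 us=284568 TCP/UDP: Closing socket
2022-04-01 11:56:18 us=284588 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2022-04-01 11:56:18 us=284599 Restart pause, 5 second(s)
2022-04-01 11:58:18 us=100000 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2022-04-01 12:00:18 us=100000 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
"""


def parse_restarts(lines):
    """Return [(timestamp, reason), ...] for every SIGUSR1 restart found in the log lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip untimestamped or unrelated lines
        s = SIGUSR1_RE.search(m.group(2))
        if s:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), s.group("reason")))
    return events


def restart_intervals(events):
    """Seconds between consecutive restarts."""
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]


def timer_hint(intervals, tolerance=5):
    """Names of known timers whose period matches any observed interval (within tolerance)."""
    return sorted({label for iv in intervals for t, label in KNOWN_TIMERS.items() if abs(iv - t) <= tolerance})


def summarize(text):
    events = parse_restarts(text.splitlines())
    reasons = {}
    for _, r in events:
        reasons[r] = reasons.get(r, 0) + 1
    intervals = restart_intervals(events)
    return {"count": len(events), "reasons": reasons, "intervals": intervals, "hints": timer_hint(intervals)}
```

Run `summarize(open("/var/log/openvpn/client.log").read())` against a real client log; a reason other than `server-pushed-connection-reset`, or intervals that do not line up with any known timer, points away from the keepalive settings.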