Hello! We run two OpenVPN servers; one of them has network 192.168.205.0/24 on tun and the other has 192.168.206.0/24 on tun.

These servers are behind NAT. Yesterday I rebooted the NAT devices, and after this we hit a problem. We have a CentOS 6 client, which also runs OpenVPN 2.4.0. Before the NAT device reboot it was connected to OpenVPN server 1 and had address 192.168.205.16 on its tun0. Then, after the NAT was rebooted, the client lost connectivity and thus tried the other OpenVPN server (I changed IP addresses to names):

Jan 25 13:00:28 bkk openvpn[12557]: [inetgw1] Inactivity timeout (--ping-restart), restarting
Jan 25 13:00:28 bkk openvpn[12557]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 25 13:00:28 bkk openvpn[12557]: Restart pause, 5 second(s)
Jan 25 13:00:33 bkk openvpn[12557]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 25 13:00:33 bkk openvpn[12557]: TCP/UDP: Preserving recently used remote address: [AF_INET]server1:1194
Jan 25 13:00:33 bkk openvpn[12557]: Socket Buffers: R=[112640->112640] S=[112640->112640]
Jan 25 13:00:33 bkk openvpn[12557]: UDP link local: (not bound)
Jan 25 13:00:33 bkk openvpn[12557]: UDP link remote: [AF_INET]server1:1194
Jan 25 13:01:33 bkk openvpn[12557]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 25 13:01:33 bkk openvpn[12557]: TLS Error: TLS handshake failed
Jan 25 13:01:33 bkk openvpn[12557]: SIGUSR1[soft,tls-error] received, process restarting
Jan 25 13:01:33 bkk openvpn[12557]: Restart pause, 5 second(s)
Jan 25 13:01:38 bkk openvpn[12557]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 25 13:01:38 bkk openvpn[12557]: TCP/UDP: Preserving recently used remote address: [AF_INET]server2:1194
Jan 25 13:01:38 bkk openvpn[12557]: Socket Buffers: R=[112640->112640] S=[112640->112640]
Jan 25 13:01:38 bkk openvpn[12557]: UDP link local: (not bound)
Jan 25 13:01:38 bkk openvpn[12557]: UDP link remote: [AF_INET]server2:1194
Jan 25 13:01:38 bkk openvpn[12557]: TLS: Initial packet from [AF_INET]server2:1194, sid=ec086083 b9575e66
Jan 25 13:01:38 bkk openvpn[12557]: VERIFY OK: depth=1, C=RU, ST=Udm, L=Izhevsk, O=Belkam, OU=UIT, CN=vpn.belkam.com, emailAddress=supp...@belkam.com
Jan 25 13:01:38 bkk openvpn[12557]: VERIFY OK: depth=0, C=RU, ST=Udm, L=Izhevsk, O=Belkam, OU=UIT, CN=inetgw2, emailAddress=supp...@belkam.com
Jan 25 13:01:38 bkk openvpn[12557]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Jan 25 13:01:38 bkk openvpn[12557]: [inetgw2] Peer Connection Initiated with [AF_INET]server2:1194
Jan 25 13:01:39 bkk openvpn[12557]: SENT CONTROL [inetgw2]: 'PUSH_REQUEST' (status=1)
Jan 25 13:01:39 bkk openvpn[12557]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify 3,route 192.168.206.1,topology net30,ping 10,ping-restart 120,route 192.168.0.0 255.255.0.0,route 10.0.0.0 255.0.0.0,ifconfig 192.168.206.16 192.168.206.15,peer-id 14,cipher AES-256-GCM'

So it should have got address 192.168.206.16 on its tun0. But the address on tun0 is still 192.168.205.16 (!):

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.205.16  P-t-P:192.168.205.15  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2962804 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2347402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1955924218 (1.8 GiB)  TX bytes:429175247 (409.2 MiB)

I.e. it was not changed to the new one, although it was provided by the server. I don't know whether there is such a problem with 2.3, because it is a very rare condition in our environment. Could you tell me whether this is expected behavior and, if so, whether there is any workaround, something like dhcp-release for Windows? Thank you!

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
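The post's question is whether the client should have re-applied the pushed ifconfig after failing over to the second server. The script below is an added example check, not code from the post or from the OpenVPN project: it parses the client log and the net-tools ifconfig output quoted above and flags the pushed-versus-actual address mismatch, and also the two other things visible in that log that a reviewer would want fixed, the "No server certificate verification method" warning (the usual remedy is "remote-cert-tls server" in the client config) and the 1024-bit RSA key reported on the control channel. The log lines and ifconfig text embedded in the script are constructed copies of the ones in the post, with the same placeholder server names.

```python
"""Compare the tun address OpenVPN's server pushed with what tun0 actually carries.

Added example, not code from the post or from the OpenVPN project. It reads
client log lines (syslog format, as quoted in the post) and legacy net-tools
ifconfig output for the tun interface and reports:
  - a pushed 'ifconfig local remote' that does not match the interface
  - the 'No server certificate verification method' warning
  - an RSA key shorter than 2048 bits on the control channel
"""
import re

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<reply>PUSH_REPLY,[^']*)'")
IFCONFIG_OPT_RE = re.compile(r"^ifconfig (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
INET_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+)\s+P-t-P:(\d+\.\d+\.\d+\.\d+)")
NOVERIFY_RE = re.compile(r"No server certificate verification method has been enabled")
RSA_BITS_RE = re.compile(r"Control Channel: .*?(\d+) bit RSA")

# Constructed sample input: copies of the relevant lines from the post.
SAMPLE_LOG = [
    "Jan 25 13:01:38 bkk openvpn[12557]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "Jan 25 13:01:38 bkk openvpn[12557]: TCP/UDP: Preserving recently used remote address: [AF_INET]server2:1194",
    "Jan 25 13:01:38 bkk openvpn[12557]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA",
    "Jan 25 13:01:38 bkk openvpn[12557]: [inetgw2] Peer Connection Initiated with [AF_INET]server2:1194",
    "Jan 25 13:01:39 bkk openvpn[12557]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify 3,route 192.168.206.1,topology net30,ping 10,ping-restart 120,route 192.168.0.0 255.255.0.0,route 10.0.0.0 255.0.0.0,ifconfig 192.168.206.16 192.168.206.15,peer-id 14,cipher AES-256-GCM'",
]
SAMPLE_IFCONFIG = """tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.205.16  P-t-P:192.168.205.15  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
"""


def push_options(reply):
    """Split a PUSH_REPLY into its options: comma separated, and routes contain spaces, not commas."""
    return [opt.strip() for opt in reply.split(",")]


def pushed_ifconfig(log_lines):
    """(local, remote) from the last pushed 'ifconfig' option, or None if nothing was pushed."""
    result = None
    for line in log_lines:
        m = PUSH_RE.search(line)
        if not m:
            continue
        for opt in push_options(m.group("reply")):
            im = IFCONFIG_OPT_RE.match(opt)
            if im:
                result = (im.group(1), im.group(2))
    return result


def tun_addresses(ifconfig_output):
    """(local, peer) from net-tools ifconfig output for a point-to-point tun, or None."""
    m = INET_RE.search(ifconfig_output)
    return (m.group(1), m.group(2)) if m else None


def control_channel_rsa_bits(log_lines):
    """RSA size reported on the most recent 'Control Channel:' line, or None if not logged."""
    for line in reversed(log_lines):
        m = RSA_BITS_RE.search(line)
        if m:
            return int(m.group(1))
    return None


def check(log_lines, ifconfig_output):
    """Return a list of findings; empty means the interface matches the push and nothing else stood out."""
    findings = []
    pushed = pushed_ifconfig(log_lines)
    actual = tun_addresses(ifconfig_output)
    if pushed and actual and pushed != actual:
        findings.append(
            "tun address mismatch: server pushed ifconfig %s %s but interface has %s P-t-P %s"
            % (pushed[0], pushed[1], actual[0], actual[1])
        )
    if any(NOVERIFY_RE.search(line) for line in log_lines):
        findings.append(
            "no server certificate verification: client config lacks "
            "'remote-cert-tls server' (or an equivalent check)"
        )
    bits = control_channel_rsa_bits(log_lines)
    if bits is not None and bits < 2048:
        findings.append("control channel RSA key is only %d bits" % bits)
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_LOG, SAMPLE_IFCONFIG):
        print("-", finding)
```

On a live CentOS 6 client the two inputs would come from the OpenVPN syslog entries and from `ifconfig tun0`; the script only compares text, so it can be run on a copy of the log without touching the tunnel.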