
[Openvpn-users] Re: ping (or ping-restart) with correct header for the detection of alive udp connection?

  • Subject: [Openvpn-users] Re: ping (or ping-restart) with correct header for the detection of alive udp connection?
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 21 Jul 2004 15:51:02 -0500

On Wednesday 21 July 2004 08:50, sam wrote:
> Hi,
> Currently I am experiencing a problem using OpenVPN 2 b7 behind a
> dynamically assigned IP address with a stateful firewall. I'm using
> --mode server with a UDP connection.
> When the public IP is changed, the old state is not flushed from the
> state table, because the "ping" or "ping-restart" option in OpenVPN
> (client) keeps sending ICMP packets to the external OpenVPN server (with
> a static IP); the OpenVPN server then replies with an ICMP echo, so the
> stateful firewall assumes the state is still valid and the state is kept
> in the state table. As long as the OpenVPN client does not close the
> connection (by pressing Ctrl-C in Windows), this outdated state will
> stay in the state table forever. Now, no matter how many times the OpenVPN
> client restarts itself (without manually re-running the openvpn command), it
> will still fail to re-establish the connection via the old state. The --float
> option does not help in this case because the OpenVPN client is on Windows
> and it is located behind the stateful firewall.

I would think that when the client restarts itself, the server would see an 
incoming connection request coming from the new DHCP-assigned IP address, so 
the client would get a new state on the server.

The old state on the server would be deleted as soon as the server detects the 
common name of the certificate connecting from another IP address (as long as 
you don't have --duplicate-cn enabled).

> This is reproducible very easily by following the steps below:
> 1. Install your OpenVPN client on Windows behind a firewall (make sure
> your public IP is dynamically assigned by your ISP; if the public IP is not
> changed after the reset of your modem, this symptom is not going to happen).
> 2. Establish a connection to an external OpenVPN server.
> 3. Now power off the modem and wait a few minutes (make sure the next
> IP is different), then power on the modem.
> 4. Keep your OpenVPN client program running; do not re-run it from the
> command line. If you do re-run it manually, it will be fine.
> 5. Now you will notice your OpenVPN client is never able to re-establish
> the connection to the OpenVPN server.

If the stateful firewall is doing NAT over a DHCP-assigned IP address, then it 
has to know its public IP address, i.e. which IP address to put into the 
source address field of outgoing IP packets.

So I would think on DHCP address reassignment, it should begin filling in a 
new source address on outgoing packets which the OpenVPN server would see and 
associate with a "new" client.

Is this not happening?
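The two state tables this thread argues about can be modelled in a few lines. The following is an added illustration, not OpenVPN's code and not something either poster wrote: it models (a) a stateful NAT firewall whose entries are refreshed by any matching packet, keepalives included, and expire only after idle silence, and (b) a server session table keyed by certificate common name, where a connect from the same common name on a different address replaces the old session unless duplicate-cn is enabled. The addresses, ports, idle timeout and timings are constructed sample values.

```python
"""Toy model of a NAT state table and a common-name-keyed session table.

Added illustration for this archived thread; not OpenVPN's own code.
All addresses, ports and timings below are constructed sample values.
"""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 60  # seconds of silence before a NAT entry expires (constructed)


@dataclass
class NatTable:
    """Stateful firewall table keyed by (src_ip, sport, dst_ip, dport)."""
    entries: dict = field(default_factory=dict)  # flow -> last-seen time

    def see_packet(self, flow, now):
        """Any packet on a flow, a keepalive included, refreshes its entry."""
        self.entries[flow] = now

    def expire(self, now):
        """Drop entries idle longer than IDLE_TIMEOUT; return what was dropped."""
        stale = [f for f, t in self.entries.items() if now - t > IDLE_TIMEOUT]
        for f in stale:
            del self.entries[f]
        return stale


@dataclass
class ServerSessions:
    """Session table keyed by client common name (cn -> set of peer IPs)."""
    duplicate_cn: bool = False
    by_cn: dict = field(default_factory=dict)

    def connect(self, cn, peer_ip):
        """Register a connect; return the set of peer IPs it displaced."""
        if self.duplicate_cn:
            self.by_cn.setdefault(cn, set()).add(peer_ip)
            return set()
        displaced = self.by_cn.get(cn, set()) - {peer_ip}
        self.by_cn[cn] = {peer_ip}
        return displaced


def run_scenario(duplicate_cn=False, keepalive_interval=10, outage=120):
    """Replay the modem power-cycle described in the thread."""
    nat = NatTable()
    srv = ServerSessions(duplicate_cn=duplicate_cn)
    server = ("203.0.113.5", 1194)                  # constructed server address
    old_flow = ("198.51.100.7", 1194) + server      # constructed old public IP
    new_flow = ("198.51.100.42", 1194) + server     # constructed new public IP
    now = 0
    nat.see_packet(old_flow, now)
    srv.connect("client1", old_flow[0])

    # Phase 1: tunnel up, --ping traffic every keepalive_interval seconds.
    for _ in range(10):
        now += keepalive_interval
        nat.see_packet(old_flow, now)
    expired_while_pinging = nat.expire(now)         # keepalives kept it alive

    # Phase 2: modem off, no traffic for `outage` seconds.
    now += outage
    expired_after_silence = nat.expire(now)         # idle entry is dropped

    # Phase 3: client restarts and sends from the new public address.
    nat.see_packet(new_flow, now)
    displaced = srv.connect("client1", new_flow[0])
    return {
        "expired_while_pinging": expired_while_pinging,
        "expired_after_silence": expired_after_silence,
        "displaced_on_reconnect": displaced,
        "sessions": srv.by_cn["client1"],
        "nat_entries": sorted(nat.entries),
    }


if __name__ == "__main__":
    for dup in (False, True):
        print(f"duplicate_cn={dup}:", run_scenario(duplicate_cn=dup))
```

The model shows the two claims side by side: an entry that is refreshed by keepalives never expires on its own, but once the outage exceeds the idle timeout it is gone, and a reconnect from the new address creates a fresh entry. On the server side, with duplicate-cn off the old session for the same common name is displaced as soon as the new address connects; with duplicate-cn on, both coexist.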


Openvpn-users mailing list