OpenVPN clients don’t react well when the server goes down

I had a power failure at home tonight. The clients did not react well to the outage. They aren’t at home. They’re out there on the internets.

Jul  9 01:02:49 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:03:51 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:04:53 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:05:56 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:06:58 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:08:00 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:08:17 tallboy openvpn[40792]: [bast.example.org] Peer Connection Initiated with [AF_INET]10.52.41.15:1194
Jul  9 01:08:19 tallboy openvpn[40792]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jul  9 01:08:19 tallboy openvpn[40792]: ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Jul  9 01:08:19 tallboy openvpn[40792]: /sbin/ifconfig tun0 destroy
Jul  9 01:08:19 tallboy kernel: tun0: link state changed to DOWN
Jul  9 01:08:19 tallboy openvpn[40792]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
Jul  9 01:08:20 tallboy openvpn[40792]: Cannot allocate TUN/TAP dev dynamically
Jul  9 01:08:20 tallboy openvpn[40792]: Exiting due to fatal error

My theory: the clients fail because they run as non-root and cannot reallocate tun0.

I think this is a candidate for daemontools, for restarting OpenVPN when it fails like this.

The client configuration is:

local 10.127.23.226
client
dev tun
proto udp
remote bast.example.org 1194
resolv-retry infinite
#nobind
user  openvpn
group openvpn
persist-key
persist-tun
pull
ns-cert-type server
tls-auth /usr/local/etc/openvpn/keys/ta.key 1
ca       /usr/local/etc/openvpn/keys/ca.crt
cert     /usr/local/etc/openvpn/keys/client.crt
key      /usr/local/etc/openvpn/keys/client.key
comp-lzo
verb 1
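
One way to spot this failure in syslog, as an added example that is not from the original post: the function below flags any openvpn PID that logs the three messages from the trace above in order. The function name, the record fields and the shortened SAMPLE excerpt are assumptions of this example.

```python
import re

# Syslog shape used in the post: "Jul  9 01:08:20 tallboy openvpn[40792]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sopenvpn\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)

# The three messages from the trace above, in the order they must appear.
STAGES = (
    "Pulled options changed on restart",
    "Cannot allocate TUN/TAP dev dynamically",
    "Exiting due to fatal error",
)

def find_fatal_restarts(lines):
    """Return one record per openvpn PID that logged all STAGES in order."""
    progress = {}  # pid -> index of the next stage expected
    rebinds = {}   # pid -> count of "link local (bound)" retry lines
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # kernel lines, other daemons, blank lines
        pid, msg = m["pid"], m["msg"]
        if "link local (bound)" in msg:
            rebinds[pid] = rebinds.get(pid, 0) + 1
        stage = progress.get(pid, 0)
        if STAGES[stage] in msg:
            stage += 1
            if stage == len(STAGES):
                hits.append({"host": m["host"], "pid": int(pid),
                             "died_at": m["ts"], "rebinds_seen": rebinds.get(pid, 0)})
                stage = 0  # the process has exited; a reused PID starts over
                rebinds.pop(pid, None)
            progress[pid] = stage
    return hits

# Excerpt of the log in this post: two of the retry lines, then the failure.
SAMPLE = """\
Jul  9 01:06:58 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:08:00 tallboy openvpn[40792]: UDPv4 link local (bound): [AF_INET]10.233.228.194:1194
Jul  9 01:08:19 tallboy openvpn[40792]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jul  9 01:08:19 tallboy kernel: tun0: link state changed to DOWN
Jul  9 01:08:20 tallboy openvpn[40792]: Cannot allocate TUN/TAP dev dynamically
Jul  9 01:08:20 tallboy openvpn[40792]: Exiting due to fatal error
""".splitlines()

print(find_fatal_restarts(SAMPLE))
```

A hit means the client process is gone and will stay gone until something restarts it, which is the gap a supervisor would fill.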