All VPN connections broke

Over the last two days all of our VPN clients refuse to stay connected for more than a few seconds. The connections say they are connected, and the lock appears green on a mobile or desktop app, but then when you try to connect to a remote desktop session using a remote laptop, the openvpn client immediately disconnects. I am seeing in /var/log/messages:

an IP packet with unknown IP version=15 seen

From other forum posts this has something to do with compression not set correctly, so in /var/ipfire/ovpn/settings I set COMPLZO=no, then tried again, does not help.
Settings:
LOG_VERB=3
CLIENT2CLIENT=
REDIRECT_GW_DEF1=on
KEEPALIVE_2=
DDEST_PORT=1194
TLSAUTH=
KEEPALIVE_1=
DCOMPLZO=off
ADDITIONAL_CONFIGS=on
ROOTCERT_OU=IT
COMPLZO=no
VPN_IP=(external ip)
DHCP_WINS=10.5.1.1
ENABLED=on
DHCP_DNS=10.5.1.1
DHCP_DOMAIN=
DMTU=1400
DPROTOCOL=udp
ROOTCERT_EMAIL=(email)
ROUTES_PUSH=
ROOTCERT_HOSTNAME=(ipfire.fqdn)
ROOTCERT_CITY=(city)
DAUTH=SHA512
ROOTCERT_COUNTRY=US
ROOTCERT_ORGANIZATION='(org).'
DOVPN_SUBNET=10.8.1.0/255.255.255.0
MAX_CLIENTS=100
ENABLED_ORANGE=off
ROOTCERT_STATE=WI
ENABLED_BLUE=off
DCIPHER=AES-256-CBC

------------------------------- server.conf--------------------
[root@ipfire ovpn]# vi server.conf
#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local (external ip)
dev tun
proto udp
port 1194
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.8.1.0 255.255.255.0
tun-mtu 1400
status-version 1
status /var/run/ovpnserver.log 30
ncp-disable
cipher AES-256-CBC
auth SHA512
push "redirect-gateway def1"
push "dhcp-option DNS 10.5.1.1"
push "dhcp-option WINS 10.5.1.1"
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3

# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"

#---------------------------
# Start of custom directives
# from server.conf.local
#---------------------------

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

#ping 10
#ping-exit 60

#-----------------------------
# End of custom directives
#-----------------------------

----------------------client config-----------------------------------

#OpenVPN clientconfig from ccd extension by Copymaster#

#This client uses the dynamic pool

#Client gets routes to these networks (behind IPFire)
push "route (lan network) 255.255.255.0"

#Client gets these nameservers
push "dhcp-option DNS (openvpn gateway)"

########################################

#######################################

#Force clients to disconnect after 5 minutes
push "inactive 300"

I’m not sure what changed, as I have not changed any settings on ipfire this week until this started happening.

Any thoughts would be appreciated.

Hello,

an IP packet with unknown IP version=15 seen

can be a hint that compression is active on one side, which is then probably the client.ovpn, which you haven't posted here yet. If you check the client configuration and find a
comp-lzo
entry, you should delete it. Also, OpenVPN compression can be compromised via VORACLE, so under specific circumstances it might be a good idea to leave this directive out.

Another thing is, I would not configure the server via the settings file but via the web user interface, to prevent overwriting or a wrong display on the surface.

As a first idea. Best,

Erik
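
As an added example (not part of the posts above, and not IPFire or OpenVPN project code), this shell script carries out the check suggested in the reply: it reads a server config and a client config and reports whether only one side ends up with a comp-lzo or compress directive. The function names are made up for this example, and it assumes a client accepts a compression option pushed by the server.

```shell
#!/bin/sh
# Added example, not IPFire or OpenVPN project code.
# Any comp-lzo or compress line, even "comp-lzo no", turns on compression
# framing, so a side with such a line and a side without one disagree.

# local_comp FILE: print the last comp-lzo/compress directive in FILE, or nothing.
local_comp() {
    awk '$1 ~ /^[#;]/ { next }
         $1 == "comp-lzo" || $1 == "compress" {
             d = $1; if (NF > 1 && $2 !~ /^[#;]/) d = d " " $2
         }
         END { if (d != "") print d }' "$1"
}

# pushed_comp FILE: print the last compression option FILE pushes to clients.
pushed_comp() {
    awk '$1 == "push" {
             s = $0; sub(/^[^"]*"/, "", s); sub(/".*$/, "", s)
             if (s ~ /^(comp-lzo|compress)/) p = s
         }
         END { if (p != "") print p }' "$1"
}

# check_compression SERVER_CONF CLIENT_CONF
# Prints MATCH or MISMATCH with both sides' settings; returns 1 on mismatch.
# Assumption: the client accepts a compression option pushed by the server,
# which then replaces the client's own directive.
check_compression() {
    srv=$(local_comp "$1")
    cli=$(pushed_comp "$1")
    if [ -z "$cli" ]; then cli=$(local_comp "$2"); fi
    if [ -n "$srv" ] && [ -n "$cli" ]; then verdict=MATCH
    elif [ -z "$srv" ] && [ -z "$cli" ]; then verdict=MATCH
    else verdict=MISMATCH
    fi
    echo "$verdict server=[${srv:-none}] client=[${cli:-none}]"
    [ "$verdict" = MATCH ]
}

# Run with two paths, or with no arguments for a demo on constructed configs.
if [ "$#" -eq 2 ]; then
    check_compression "$1" "$2" || exit 1
else
    t=$(mktemp -d)
    printf 'dev tun\ncipher AES-256-CBC\n' > "$t/server.conf"   # constructed
    printf 'client\ndev tun\ncomp-lzo\n' > "$t/client.ovpn"     # constructed
    check_compression "$t/server.conf" "$t/client.ovpn" || true
    rm -rf "$t"
fi
```

A ccd file can be passed in place of the server config to see what that file pushes to one client.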