
OpenVPN Bridge Mode filling syslog

Discussion in 'Tomato Firmware' started by jochen, Jan 18, 2011.

  1. jochen

    jochen LI Guru Member

    I'm using TomatoUSB with OpenVPN support. I'm using bridge mode (tap device) with static key. All is working fine, but there are lots of messages filling my syslog:

    Code:
    Jan 18 19:38:08 router daemon.warn openvpn[24890]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: LZO compression initialized
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: TUN/TAP device tap21 opened
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: TUN/TAP TX queue length set to 100
    Jan 18 19:38:08 router daemon.notice openvpn[24890]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 18 19:38:08 router daemon.notice openvpn[24895]: Socket Buffers: R=[112640->131072] S=[112640->131072]
    Jan 18 19:38:08 router daemon.notice openvpn[24895]: UDPv4 link local (bound): [undef]:1194
    Jan 18 19:38:08 router daemon.notice openvpn[24895]: UDPv4 link remote: [undef]
    Jan 18 19:39:08 router daemon.notice openvpn[24895]: Inactivity timeout (--ping-restart), restarting
    Jan 18 19:39:08 router daemon.notice openvpn[24895]: TCP/UDP: Closing socket
    Jan 18 19:39:08 router daemon.notice openvpn[24895]: Closing TUN/TAP interface
    Jan 18 19:39:08 router daemon.notice openvpn[24895]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 18 19:39:08 router daemon.notice openvpn[24895]: Restart pause, 2 second(s)
    
    These messages are repeating every minute. How can I stop these messages?
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For some reason, the keepalive pings are failing.
    Add the following to your custom config:
    Code:
    keepalive 10 86400
    This will change it from "ping every 10 seconds, and restart if we go 1 minute without a response" to "ping every 10 seconds, and restart if we go 1 day without a response".
     
  3. jochen

    jochen LI Guru Member

    What are these "keep alive pings"?
    When no client is connected to the server, there should be nothing to be "kept alive".
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You're correct (keep reading for a more detailed answer).

    The complication is that you're not really running in "server" mode. With TLS, you have a "server" and "clients", but with static key, you just have two clients, one of which is in "listening" mode (the GUI calls this the server).

    OpenVPN treats the keepalive differently for clients and servers. For clients, a failed keepalive will restart the client (initiating a reconnect). For servers, a failed keepalive will just restart the part handling the connection to that particular client (hopefully, causing the client to reconnect).

    TomatoVPN always auto-generates the keepalive directive, but it should leave it out for static key servers. I plan to fix this in the next release.

    In the meantime, you can override the keepalive with very large values (what I had you do) or use TLS (which is much more robust and easier to administer/maintain than static key).
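    As an added example (not from this thread or from the Tomato/OpenVPN projects), a small Python checker that parses openvpn syslog lines modelled on the excerpt above, flags a listening static-key instance caught in the ping-restart loop described here, and reads back the keepalive override that suppresses it. The sample lines, the `year` argument and the loop thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's syslog excerpt (not real captures):
# a static-key "server" with nobody connected restarting about once a minute.
SAMPLE_SYSLOG = """\
Jan 18 19:38:08 router daemon.notice openvpn[24895]: UDPv4 link local (bound): [undef]:1194
Jan 18 19:39:08 router daemon.notice openvpn[24895]: Inactivity timeout (--ping-restart), restarting
Jan 18 19:39:08 router daemon.notice openvpn[24895]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 18 19:40:10 router daemon.notice openvpn[24897]: Inactivity timeout (--ping-restart), restarting
Jan 18 19:41:12 router daemon.notice openvpn[24899]: Inactivity timeout (--ping-restart), restarting
Jan 18 19:42:14 router daemon.notice openvpn[24901]: Inactivity timeout (--ping-restart), restarting
"""

# BSD-syslog style line: "<Mon dd HH:MM:SS> <host> <facility.level> openvpn[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RESTART_MSG = "Inactivity timeout (--ping-restart)"


def parse_syslog(text, year=2011):
    """Yield (timestamp, pid, message) for every openvpn line; syslog omits the year, so it is supplied."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, int(m["pid"]), m["msg"]


def restart_loop_summary(text):
    """Count ping-restart events and measure the spacing between consecutive ones (seconds)."""
    events = [ts for ts, _, msg in parse_syslog(text) if RESTART_MSG in msg]
    gaps = [(b - a).total_seconds() for a, b in zip(events, events[1:])]
    return {"restarts": len(events), "max_gap": max(gaps) if gaps else None}


def is_keepalive_restart_loop(text, min_restarts=3, max_gap=120):
    """True when restarts recur at roughly the 60 s ping-restart period: the symptom of a
    keepalive directive on a static-key listener that has no peer to answer its pings."""
    s = restart_loop_summary(text)
    return s["restarts"] >= min_restarts and s["max_gap"] is not None and s["max_gap"] <= max_gap


def parse_keepalive(directive):
    """Return (ping_interval, ping_restart_timeout) from a 'keepalive <n> <m>' config line."""
    parts = directive.split()
    if len(parts) != 3 or parts[0] != "keepalive":
        raise ValueError(f"not a keepalive directive: {directive!r}")
    return int(parts[1]), int(parts[2])


if __name__ == "__main__":
    print(restart_loop_summary(SAMPLE_SYSLOG), is_keepalive_restart_loop(SAMPLE_SYSLOG))
    print(parse_keepalive("keepalive 10 86400"))
```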
     
  5. jochen

    jochen LI Guru Member

    Thank you for that explanation. I will try this setting.
    In the meantime I have set up the second server with routing mode (tun) and certificates, just to see what the difference between these modes is.

    I found two interesting things comparing these modes:

    1. establishing the connection is much faster with static keys.

    2. in static key mode with tap device the connection is stable over hours. With certificates and tun device the connection is often disconnected (maybe after a certain time of inactivity). I have to examine this further.

    My client is Ubuntu 10.10 with network manager and OpenVPN plugin.
     
  6. jochen

    jochen LI Guru Member

    I think I found the cause for the random disconnects in TLS mode. Some time ago I reduced the UDP timeouts according to Toastman recommendations. These values were too low for OpenVPN.
    Where can I find the default values for the conntrack settings?
     
  7. Toastman

    Toastman Super Moderator Staff Member Member

    It is ISP dependent. The default Tomato values were actually too small for some ISPs. There were a couple of threads about this not long ago but I can't find them. There's some info here: http://www.linksysinfo.org/forums/showpost.php?p=337415&postcount=3

    Normally it is the "UDP - assured" setting that needs to be made longer. Set it high, say 180 or 300, and then, after having ascertained it is working, reduce it until you find a happy compromise. If you also run heavy P2P, expect lots of redundant connections hanging around; you may have to compensate for this elsewhere.
     