XP SP2 VPN connection drops after ~25 minutes



Post by Stark »

I've been poking around the net for a few days, but I've found nothing to help. I'm running a SP2 VPN server, and my router allows incoming connections. People can connect fine, and they have full access to my internal network and resources. Speed is fine, there's no latency issues, etc. However, after about 20-25 minutes, the connection drops: it appears from both ends that the server is transmitting but the client is not responding. Anyone got any ideas?
Post by Stark »

If anyone could recommend a third-party VPN solution that'd be great - OpenVPN is a little too much work for the application, however.
Post by Pu-239 »

What are you using currently?

I'm using OpenVPN on Linux- didn't really seem that hard setting up a Windows client, and the server should be really similar- only problem would be generating the certs, and the Windows client has stuff to do that for you... IPSec is too hard (an issue w/ people needing to configure their own), and has issues w/ firewalls :? .

ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer


George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
Post by Stark »

I'm using the XP inbuilt VPN server/client, and tunneling through my router. My router (apparently) has IPSec passthrough, but I installed OpenVPN and was scared off by its manual-ness. :)

If you don't mind, could you briefly run through the steps for a barebones, minimum-security server configuration in OpenVPN? VPN clients are ten a penny, so I'm hoping moving away from the Windows native VPN server will fix my issue.
Post by Pu-239 »

Stark wrote:I'm using the XP inbuilt VPN server/client, and tunneling through my router. My router (apparently) has IPSec passthrough, but I installed OpenVPN and was scared off by its manual-ness. :)

If you don't mind, could you briefly run through the steps for a barebones, minimum-security server configuration in OpenVPN? VPN clients are ten a penny, so I'm hoping moving away from the Windows native VPN server will fix my issue.
Don't have a windows machine in front of me, will have to look at that tomorrow morning (EST) or night (left experimental server at work unplugged while reorganizing). Doing the best I can redissecting it w/ wine.

Anyway, I think the steps are:
1. Get the Win32 GUI client here: http://openvpn.se/
2. Install everything

SSL Cert generation (do on server):
3. Read c:\program files\openvpn\easy-rsa\README.txt (or just follow below) and follow the steps



Client/Server conf
4. Copy the keys and certs to the appropriate client and dump them in the config folder in c:\program files\openvpn\config - rename the client key and cert to client.key, client.cert respectively, and ca.crt for the CA certificate (don't release the CA key!). Repeat for server (name as server.key, server.cert, ca.crt).

5. Copy the sample client.ovpn config file in sample-config to the config folder specified above and edit- ";" specifies a comment. Change "dev tun" to "dev tap". For the client only, type in the internet hostname or IP (whichever you use) as the value of remote, leave the port alone. You can just tell people connecting to you to copy the entire config directory into theirs (make sure keys are different though)

6. Do the same for the server, change tun to tap

7. Make a bridge w/ the TAP interface and your real network card on the server in network connections in the control panel (select both of them at the same time and right-click).

8. Start openvpn on both client and server. I think it should work...

Post by Stark »

Oh okay: it looked a lot more complicated in the HOWTOs. I'll give that a go, thanks! :)
User avatar
Pu-239
Sith Marauder
Posts: 4727
Joined: 2002-10-21 08:44am
Location: Fake Virginia

Post by Pu-239 »

Er, edit to the above- just read the readme for the cert generation- I cut out my explanation since the readme was more concise.

Post by Stark »

I've got a splitting headache, so I'm leaving it for tonight. Thanks to your help, I'm pretty sure I can get OpenVPN working. Hopefully it won't have the dropout problems the Windows implementation has.
Post by Xon »

This sounds like a problem with the TCP/UDP session timeout on your router.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.
Post by Stark »

ggs wrote:This sounds like a problem with the TCP/UDP session timeout on your router.
Can you elaborate? I'd narrowed it down to the router, but nobody has been able to tell me what the problem with the router *is*. Why would this only apply to VPNs? This is all a learning experience for me. :)
Post by Xon »

Stark wrote:
ggs wrote:This sounds like a problem with the TCP/UDP session timeout on your router.
Can you elaborate? I'd narrowed it down to the router, but nobody has been able to tell me what the problem with the router *is*. Why would this only apply to VPNs? This is all a learning experience for me. :)
I'm fairly sure VPNs use UDP to transmit data. Some routers have hardcoded limits on how long a UDP port can go without receiving data and keep the port "open" before being discarded. Once that time has passed, the NAT discards traffic being sent to the port since it is no longer aware that anything is interested in it.

20-25 minutes is a common figure for this timeout value.

This link should help in figuring out what is going wrong.
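As an added example that is not part of any post in this thread, the following Python models the behaviour described above: a NAT router keeps a UDP port mapping only while the inside host keeps sending through it, and some routers additionally cap the mapping at a fixed lifetime regardless of traffic. Once the mapping is gone, packets from the outside are silently dropped, which from both ends looks like "server transmitting, client not responding". The 20-minute idle timeout, the 5-second server send interval and all addresses are constructed assumptions for the simulation.

```python
"""Model of a NAT router's UDP mapping timeout (added example, not from the thread).

Two ways a mapping can die are modelled:
  * idle_timeout:  no outbound packet from the inside host for this long
  * max_lifetime:  an absolute cap some routers apply regardless of traffic
Inbound packets that arrive after the mapping is gone are dropped.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Mapping:
    inside: Tuple[str, int]   # private address:port the external port maps to
    created: float            # when the mapping was first created
    last_outbound: float      # last packet seen from the inside host


class UdpNat:
    def __init__(self, idle_timeout: float, max_lifetime: Optional[float] = None):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.table: Dict[int, Mapping] = {}   # external UDP port -> Mapping

    def _expire(self, now: float) -> None:
        for port, m in list(self.table.items()):
            idle_expired = now - m.last_outbound > self.idle_timeout
            life_expired = (self.max_lifetime is not None
                            and now - m.created > self.max_lifetime)
            if idle_expired or life_expired:
                del self.table[port]

    def outbound(self, now: float, inside: Tuple[str, int], ext_port: int) -> None:
        """Packet from the LAN side: creates the mapping or refreshes its idle timer."""
        self._expire(now)
        m = self.table.get(ext_port)
        if m is None:
            self.table[ext_port] = Mapping(inside, now, now)
        else:
            m.last_outbound = now

    def inbound(self, now: float, ext_port: int) -> Optional[Tuple[str, int]]:
        """Packet from the Internet side: delivered only if a mapping still exists.
        Inbound traffic does not refresh the idle timer in this model; a NAT that
        only trusts the inside host to keep the mapping alive behaves this way."""
        self._expire(now)
        m = self.table.get(ext_port)
        return m.inside if m else None


def first_inbound_drop(duration: int, idle_timeout: float,
                       keepalive: Optional[int] = None,
                       max_lifetime: Optional[float] = None,
                       server_interval: int = 5) -> Optional[int]:
    """Simulate a VPN session for `duration` seconds and return the second at which
    the first server->client packet is dropped by the NAT, or None if none is."""
    nat = UdpNat(idle_timeout, max_lifetime)
    client = ("192.168.1.50", 1194)   # constructed private address of the VPN client
    nat.outbound(0, client, 40000)    # the handshake creates the mapping
    for t in range(1, duration + 1):
        if keepalive and t % keepalive == 0:
            nat.outbound(t, client, 40000)   # client-side ping, like OpenVPN's keepalive
        if t % server_interval == 0 and nat.inbound(t, 40000) is None:
            return t
    return None


if __name__ == "__main__":
    TWENTY_MIN = 20 * 60
    print("no keepalive:", first_inbound_drop(3600, TWENTY_MIN))
    print("keepalive every 10 s:", first_inbound_drop(3600, TWENTY_MIN, keepalive=10))
    print("hard 25-minute lifetime:",
          first_inbound_drop(3600, TWENTY_MIN, keepalive=10, max_lifetime=25 * 60))
```

With no keepalive the first server packet after the 20-minute idle window is lost; a ping interval comfortably shorter than the router's timeout keeps the mapping alive indefinitely. A ping interval longer than the timeout is no better than none. In the max_lifetime case the mapping is torn down at the cap even though traffic never stops, which is the only variant in this model where a session dies in the middle of an active transfer.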
Post by Chris OFarrell »

I've heard some routers have hardcoded values for timeouts on UDP packets sent to ports. At least the cheaper and more basic models, for 'security' reasons.
Post by Stark »

I'm not sure if that makes sense, as the sessions drop in the middle of file transfers, application sessions etc. There is usually no idle time at all.
Post by Pu-239 »

OpenVPN can be set to use TCP instead of UDP- you get performance issues though.

EDIT: What model is your router?

Post by Stark »

Bah. I'm trying to get a cleartext tunnel working in OpenVPN, but it wants me to define the DH options anyway. Grr.

I'm using a Netcomm NB5, which uses a Texas Instrument chipset.
Post by Stark »

Pu-239, my problem is now that when I generate my PKI, the certificates have no data in them. The keys and DH params come out fine, and the ca.crt is okay, but the client/server certs are empty, and don't work.

EDIT - Okay, so it wanted a common name. Should the common names be the same for all certs, or different? Whenever I try to make the client cert, it fails with a database error.
Post by Pu-239 »

Yeah, they should be different- just make them the names of the computers you'll have them on (it'll probably work if not though).


What's your error? You could try deleting everything in the keys subdirectory and start over.

This works for me

Code: Select all

cd "c:\program files\openvpn\easy-rsa\"
init-config
[edited vars.bat in wordpad]
clean-all
build-ca
build-key-server server [used server as the CN for this purpose, should preferably be the hostname or whatever from the outside, but it should work]
build-key laptop.lan [used laptop.lan as the CN]

Post by Stark »

Yeah I had to kill the keyset and make a new one. Soon as my clients get out of bed I can test connectivity, but the server has started properly.

However, I get an error on startup, about the interface not being available anymore.

NOTE: could not get adapter index for DEVICE\TCPIP_{9B1B6FE1-A4DE-458A-AB2D-85FB89A5446D}, status=55 : The specified network resource or device is no longer available.
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: [undef]

So I'm not sure if the server is bound to the interface properly.
Post by Pu-239 »

Hm, I seem to have forgotten something- comment out the line starting out w/ server, and uncomment the line starting w/ "server-bridge ", replacing the numbers w/ the IP address of your server, the netmask, beginning IP address on your network to allocate to the VPN, and ending IP address on your network. Afterwards, bridge the fake network interface and the real one. Reboot if you have trouble (I did trying this on the laptop on the Windows side (stupid bridged connection wouldn't take an IP address)- worked afterwards)

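Putting the bridged-TAP steps from the earlier post together with the server-bridge correction above, here is a complete server and client configuration pair, added as an example; it is not from any post in this thread or from the OpenVPN project's sample files. The hostname, certificate file names and address pool are assumptions (the addresses follow the ones quoted in the thread). It keeps TLS with per-host certificates rather than a cleartext tunnel, and adds keepalive, which is what the "--keepalive option is missing from server config" warning in the log refers to; the periodic pings also keep the UDP mapping alive through a NAT router's idle timeout.

```conf
# ---- server.ovpn (goes in c:\program files\openvpn\config on the server) ----
dev tap
# dev-node is only needed when more than one TAP adapter exists; the name must
# match the adapter name shown in Network Connections exactly.
;dev-node VPN
proto udp
port 1194
# Bridged mode: the server's LAN address, its netmask, then the range of LAN
# addresses handed out to VPN clients. Keep the range outside your DHCP scope.
server-bridge 192.168.1.8 255.255.255.0 192.168.1.50 192.168.1.55
# Certificates from easy-rsa: CA cert, this host's cert/key, DH parameters.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Ping the peer every 10 s; declare it dead after 60 s of silence (the server
# doubles its own restart timer and pushes both values to clients).
keepalive 10 60
# Extra HMAC on the control channel so unauthenticated packets are dropped
# before any TLS work; ta.key is a shared secret, direction 0 on the server.
tls-auth ta.key 0
persist-key
persist-tun
verb 3

# ---- client.ovpn (goes in the client's config folder) ----
client
dev tap
proto udp
# Public hostname or address of the router that forwards UDP 1194 to the server.
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
ca ca.crt
cert laptop.crt
key laptop.key
# Refuse to connect if the peer's cert was not built with build-key-server,
# so another client cert cannot impersonate the server.
ns-cert-type server
tls-auth ta.key 1
persist-key
persist-tun
verb 3
```

Generate the shared HMAC key once on the server with `openvpn --genkey --secret ta.key` and copy it to each client along with ca.crt and that client's own cert and key; the CA key stays on the server. Each client needs a certificate with its own common name (built with `build-key <name>`), and the server's certificate must be the one built with `build-key-server` or the client's `ns-cert-type server` check will fail.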
Post by Stark »

Yeah I've done that... I'm not sure if the tap interface is working properly. Maybe I'll reinstall openvpn? I haven't tested it yet, so I'm not sure it won't work.
Post by Pu-239 »

Can you post a config file?

EDIT: Hm, apparently there's a script to manipulate TAP adapters in the start menu- try deleting and adding.
Last edited by Pu-239 on 2006-01-21 01:07am, edited 1 time in total.

Post by Stark »

Sha. I renamed the tap interface 'VPN' in network connections.
OpenVPN wrote:dev tap
dev-node VPN
;ifconfig 10.8.0.1 10.8.0.2
server-bridge 192.168.1.8 255.255.255.0 192.168.1.50 192.168.1.55
ca ca.crt
cert zen.crt
key zen.key
dh dh1024.pem
OpenVPN finds the interface fine, but then after the 10 second sleep it seems to lose it.
OpenVPN wrote:Sat Jan 21 10:24:49 2006 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Sat Jan 21 10:24:49 2006 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jan 21 10:24:49 2006 WARNING: --keepalive option is missing from server config
Sat Jan 21 10:24:49 2006 TAP-WIN32 device [VPN] opened: \\.\Global\{9B1B6FE1-A4DE-458A-AB2D-85FB89A5446D}.tap
Sat Jan 21 10:24:49 2006 Sleeping for 10 seconds...
Sat Jan 21 10:24:59 2006 NOTE: could not get adapter index for \DEVICE\TCPIP_{9B1B6FE1-A4DE-458A-AB2D-85FB89A5446D}, status=55 : The specified network resource or device is no longer available.
Sat Jan 21 10:24:59 2006 UDPv4 link local (bound): [undef]:1194
Sat Jan 21 10:24:59 2006 UDPv4 link remote: [undef]
Sat Jan 21 10:24:59 2006 Initialization Sequence Completed
Post by Pu-239 »

Just comment that line out- it's only required if you have more than one TAP interface set up.

ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer


George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
Post by Stark »

Uncommenting the dev-node line makes no difference: I initially added it to try and fix this problem. It's not listed as a warning, and OpenVPN still starts, so I'm not sure if it will work or not.
Post by Pu-239 »

If you add it, I think it has to be the same name as what shows up in network connections, eg "Local Area Connection 2" - the keepalive warning seems interesting- I'll reboot back into Windows and take a look.
