OpenVPN tunnel disconnects frequently - Ozy - 10-31-2018 01:48 AM

Hi team,

We are having an issue with T4x phones on V82 with OpenVPN.

We are using the pfSense in-built OpenVPN server and the Client Export wizard T38(2) option. VPN tarball loads fine and phones connect and work fine.
Sites with just one T4x phone, the tunnel is stable over weeks.
Sites with multiple T4x phones often re-establish the tunnel, in general under 24 hours. Randomly this re-connect fails altogether and the tunnel is down. Only way to fix this is to restart the phone.
We have run syslog with verb 6, however I can't see anything that indicates the problem.

Has anyone come across this issue?

OpenVPN config is as per Yealink whitepaper.
Quote:
dev ovpns3
verb 6
dev-type tun
dev-node /dev/tun3
writepid /var/run/
#user nobody
#group nobody
script-security 3
keepalive 10 60
proto udp
cipher BF-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-config-dir /var/etc/openvpn-csc/server3
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'TQMS-OpenVPNServer' 1"
lport 4194
management /var/etc/openvpn/server3.sock unix
max-clients 500
push "route"
push "dhcp-option DOMAIN"
ca /var/etc/openvpn/
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.1024
topology net30
push "route"

Thanks for any pointers that let us fix this.

RE: OpenVPN tunnel disconnects frequently - jolouis - 10-31-2018 01:49 PM

(10-31-2018 01:48 AM)Ozy Wrote:  lport 4194

That's your issue, you are specifying in the OpenVPN configuration the local port for the client to use. Since you are setting it explicitly to 4194, that means all phones on the network will try to use the same local port as source to connect to the VPN server.

The problem is that since your phones are behind a pfSense firewall, I assume you are doing NAT on the firewall. Most default NAT configurations get confused by multiple devices talking to the same remote server/port from the same origin port.

Try either removing the lport setting, or specifying it to 0 (which means use random port instead of defined one). That should resolve the issue.

RE: OpenVPN tunnel disconnects frequently - dannylarsen - 11-01-2018 08:09 PM

On pfSense, set your Outbound NAT to manual.
Then make a rule for the port used, 1194 UDP or 4194 UDP, whatever you use.
Then make sure you have "Static Port" unchecked.
Same goes for SIP traffic, ports 5060 for example, if you are not using VPN.
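
The source-port collision that both replies describe, as an added example that is not part of the thread: a simplified model of an outbound NAT state table, not pfSense's actual implementation. The addresses, the rewritten-port pool and the per-phone ephemeral ports are constructed values.

```python
import itertools

WAN_IP = "203.0.113.10"          # constructed: public address of the site firewall
SERVER = ("198.51.100.5", 4194)  # constructed: OpenVPN server address and UDP port
PHONES = ["192.168.1.21", "192.168.1.22", "192.168.1.23"]  # constructed LAN hosts


class OutboundNat:
    """Toy outbound NAT: one state per (WAN ip, WAN port, destination)."""

    def __init__(self, static_port):
        self.static_port = static_port
        self.states = {}                      # WAN-side tuple -> LAN-side owner
        self._pool = itertools.count(20000)   # constructed pool for rewritten ports

    def translate(self, lan_ip, lan_port, dst):
        """Return the WAN source port for a UDP flow, or None if no state can be made."""
        inside = (lan_ip, lan_port)
        for (_, wan_port, state_dst), owner in self.states.items():
            if owner == inside and state_dst == dst:
                return wan_port               # flow already has a state
        if self.static_port:
            wan_port = lan_port               # source port is kept as-is
            if (WAN_IP, wan_port, dst) in self.states:
                return None                   # another host already owns this tuple
        else:
            # Source port is rewritten, so every LAN host gets a unique WAN tuple.
            wan_port = next(p for p in self._pool
                            if (WAN_IP, p, dst) not in self.states)
        self.states[(WAN_IP, wan_port, dst)] = inside
        return wan_port


def connect_phones(static_port, lport):
    """Each phone opens a tunnel; lport of 0 or None stands for a random source port."""
    nat = OutboundNat(static_port)
    results = {}
    for i, lan_ip in enumerate(PHONES):
        src = lport if lport else 50000 + i   # constructed ephemeral ports
        results[lan_ip] = nat.translate(lan_ip, src, SERVER)
    return results


if __name__ == "__main__":
    for static, lport in [(True, 4194), (False, 4194), (True, 0)]:
        print(f"static_port={static} lport={lport}: {connect_phones(static, lport)}")
```
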