FTTN internet connection constantly changing the ip address kills nord nordvpn openvpn client connection on pfSense router

I have an FTTN internet connection and the IP changes constantly, maybe sometimes 2-3 times in a day. I have a rule routing certain machines' internet traffic through the VPN interface and a drop rule on the WAN so that internet traffic from these machines cannot reach the internet otherwise.
I am not 100% certain because I don't always know when the IP address changes or exactly when I can no longer access the internet from these machines, but the fix is always the same: restart the OpenVPN client service and then I can access the internet again…… until I can't, at least once a day. This is very annoying as it kind of defeats the purpose of setting this all up. One solution I suppose might be to have a cron job constantly restart the service, although I would rather just restart it when I need to. I cannot find a way to confirm that internet access is lost on the interface itself; however, it is always a machine routed through the interface that cannot connect to an internet address. If I try and use ping on the NordVPN interface from pfSense I am always able to resolve addresses.

Has anyone ever had these types of issues and have you been able to fix them in an elegant way?

Thanks,

C

Did you check the Logs? (Status → System Logs and select OpenVPN)

On your clients, can you manually ping an address on the outside world?
Could be a DNS issue.

Hi felix, thanks for the response. I have looked in the logs although I am not too sure what I am looking at; there are some events although they don't necessarily look like errors. Is there a place that I could post them and someone could have a look?

On the clients, the interface goes “down”: not down in the sense of the interface not being up, because the status still shows as up, but in the sense that I cannot access the internet or ping anything from a client machine until I restart the service.
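Since the OpenVPN log is what the thread keeps pointing back to, here is an added example (not from any of the posts above) that summarises what a pfSense OpenVPN client log typically shows around a reconnect: the ping-restart events, each re-initialisation, and the tunnel address the client was given each time. The log lines embedded in the script are constructed for the example, not captured output; the log path /var/log/openvpn.log and the interface name ovpnc1 are assumptions about a typical pfSense install.

```shell
#!/bin/sh
# Added example: summarise reconnect events in a pfSense OpenVPN client log.
# Usage: sh ovpn-log-summary.sh [/var/log/openvpn.log]
# Without an argument the constructed sample log below is used.

if [ $# -gt 0 ]; then
  LOG="$1"
else
  LOG="${TMPDIR:-/tmp}/ovpn-sample.$$"
  trap 'rm -f "$LOG"' EXIT
  # Constructed sample log in pfSense syslog format (not real captured output).
  cat > "$LOG" <<'EOF'
Jan  5 02:10:01 pfSense openvpn[4711]: /sbin/ifconfig ovpnc1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Jan  5 02:10:01 pfSense openvpn[4711]: Initialization Sequence Completed
Jan  5 09:42:13 pfSense openvpn[4711]: [nordvpn-server] Inactivity timeout (--ping-restart), restarting
Jan  5 09:42:13 pfSense openvpn[4711]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  5 09:42:19 pfSense openvpn[4711]: TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Jan  5 09:42:20 pfSense openvpn[4711]: /sbin/ifconfig ovpnc1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Jan  5 09:42:20 pfSense openvpn[4711]: Initialization Sequence Completed
Jan  5 16:05:33 pfSense openvpn[4711]: [nordvpn-server] Inactivity timeout (--ping-restart), restarting
Jan  5 16:05:33 pfSense openvpn[4711]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  5 16:05:41 pfSense openvpn[4711]: /sbin/ifconfig ovpnc1 10.8.0.14 10.8.0.13 mtu 1500 netmask 255.255.255.255 up
Jan  5 16:05:41 pfSense openvpn[4711]: Initialization Sequence Completed
EOF
fi

# Number of times the client restarted itself because the peer stopped
# answering keepalives (the message OpenVPN logs for --ping-restart).
count_restarts() {
  grep -cF 'SIGUSR1[soft,ping-restart]' "$1"
}

# Number of completed (re)initialisations; the first one is the initial
# connect, every further one follows a restart.
count_completed() {
  grep -cF 'Initialization Sequence Completed' "$1"
}

# Timeline of tunnel addresses: "time interface address" for every ifconfig
# line OpenVPN logged when it brought the tunnel up.
tunnel_addrs() {
  awk '/\/sbin\/ifconfig ovpnc/ { print $3, $7, $8 }' "$1"
}

# How many distinct tunnel addresses the client was given over the log.
# A change here is worth knowing about: policy routes and firewall states
# built against the old tunnel address will not match the new one.
distinct_tunnel_addrs() {
  tunnel_addrs "$1" | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

summary() {
  echo "ping-restart events : $(count_restarts "$LOG")"
  echo "completed inits     : $(count_completed "$LOG")"
  echo "tunnel addresses    : $(distinct_tunnel_addrs "$LOG") distinct"
  echo "--- reconnect timeline (time interface address) ---"
  tunnel_addrs "$LOG"
}

summary
```

On the sample log the summary shows two ping-restart events, three completed initialisations and two distinct tunnel addresses, with the address changing on the second reconnect. Run against the real log after the next outage to see whether the reconnects line up with the times the routed machines lose connectivity, and whether the tunnel address moved.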

It’s been a while since I configured OpenVPN… there’s supposed to be a healthchecking / autoreconnect option somewhere. Might be worth looking at the manual page.

EDIT: hmm, just checked, see openvpn(8) — openvpn — Debian unstable — Debian Manpages

I found connect-retry, connect-retry-n, connect-timeout, server-poll-timeout,

but no healthchecking options… I must have confused it with wireguard that definitely has this feature.


Yes well the issue is that the status shows as being up without issues.

Can you reproduce the issue by manually requesting a new DHCP Lease on your WAN?
In that case, go ahead and do so, but also see whether you can ping 1.1.1.1 from the OpenVPN Interface (using pfsense) and from your client.
If you can ping an IP from the OpenVPN Interface, the next step would be to make sure you got logging enabled on your firewall rules and check those logs out.
OPNsense has a tab for “live view” of the firewall logs that is great for diagnosing with its filters; maybe someone more familiar with pfSense knows how it's done there.

OK, I'll look into manually requesting a new lease. In the meantime I have pasted my logs to Pastebin if someone cares to have a look and perhaps notice something that I have missed.

It seems unusual for your IP address to change that often without there being some kind of intermittent connectivity issue.

Next time it happens, try sending a ping from within the pfSense web UI on the VPN interface to see if the VPN is actually working. If it is but you can't access the Internet from your devices, then the issue probably isn't with OpenVPN. I'm not at home at the moment so I can't check, but see if there is an option in the OpenVPN settings to reset the states when it reconnects; if there are old states still active that may prevent things from connecting properly.

You can also try going to the gateway settings in the routing menu and setting the latency and packet loss thresholds higher so that pfSense doesn't shut down the gateway because of high latency. I set them about 10x higher than default, and really you don't need to worry about setting it too high unless you have a failover Internet connection.

You could also try installing the service watchdog package and set it to restart openvpn if it stops.
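The cron idea from the first post and the watchdog suggestion above can be combined into a check that restarts the client only after a probe has actually failed several times in a row, rather than on a schedule. This is an added example, not the pfSense Service Watchdog package and not code from anyone in the thread. It assumes a FreeBSD ping (-S source address, -W timeout in milliseconds), that the client's tunnel interface is ovpnc1 and is OpenVPN client instance 1, that `/usr/local/sbin/pfSsh.php playback svc restart openvpn client 1` restarts that instance, and that /var/db is writable for the counter file; adjust those for your install. Note that later in the thread a ping sourced from the tunnel succeeds even while routed clients are cut off, so the probe function is the part to adapt (for example probing from a host on the policy-routed subnet); the failure counting and restart logic stay the same.

```shell
#!/bin/sh
# Added example: cron-driven health check that restarts the OpenVPN client
# only after THRESHOLD consecutive failed probes. Not the pfSense Service
# Watchdog package. Run from cron as:  sh vpn-watchdog.sh run
# Assumptions (adjust for your install): FreeBSD ping flags, interface
# ovpnc1 is OpenVPN client instance 1, pfSsh.php playback restarts it.

VPN_IF="${VPN_IF:-ovpnc1}"                    # assumed tunnel interface name
CLIENT_ID="${CLIENT_ID:-1}"                   # assumed OpenVPN client instance id
PROBE_IP="${PROBE_IP:-1.1.1.1}"               # address suggested in the thread
THRESHOLD="${THRESHOLD:-3}"                   # consecutive failures before restart
COUNTER="${COUNTER:-/var/db/vpn-watchdog.fails}"  # assumed writable path

# Address currently assigned to the tunnel interface (empty if none).
tunnel_addr() {
  ifconfig "$1" 2>/dev/null | awk '/inet / { print $2; exit }'
}

# Probe: one ping sourced from the tunnel address, 2 s reply timeout.
# Returns 0 on a reply, 1 if the tunnel has no address or nothing answers.
probe_via_tunnel() {
  src=$(tunnel_addr "$VPN_IF")
  [ -n "$src" ] || return 1
  ping -c 1 -W 2000 -S "$src" "$PROBE_IP" >/dev/null 2>&1
}

# Track consecutive failures across cron runs in a counter file.
# $1 = ok|fail, $2 = counter file, $3 = threshold.
# A success resets the count; returns 0 when the threshold is reached.
update_failures() {
  n=0
  [ -f "$2" ] && n=$(cat "$2")
  if [ "$1" = ok ]; then n=0; else n=$((n + 1)); fi
  echo "$n" > "$2"
  [ "$n" -ge "$3" ]
}

# Restart the client instance and start counting afresh.
restart_client() {
  logger -t vpn-watchdog "probe to $PROBE_IP via $VPN_IF failed $THRESHOLD times, restarting OpenVPN client $CLIENT_ID"
  # Assumed pfSense shell playback command for restarting a client instance.
  /usr/local/sbin/pfSsh.php playback svc restart openvpn client "$CLIENT_ID"
  echo 0 > "$COUNTER"
}

main() {
  if probe_via_tunnel; then result=ok; else result=fail; fi
  if update_failures "$result" "$COUNTER" "$THRESHOLD"; then
    restart_client
  fi
}

# Only act when invoked with "run", so the functions can be sourced or
# tested without sending a probe or touching the service.
if [ "${1:-}" = run ]; then
  main
fi
```

With the Cron package installed, an entry such as `*/5 * * * * /bin/sh /root/vpn-watchdog.sh run` (path is an assumption) gives a restart within roughly fifteen minutes of the tunnel going dead while leaving a healthy tunnel alone; every restart is written to the system log via logger so it can be correlated with the OpenVPN log afterwards.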


Are you attempting to connect using a wifi network perhaps? Windows wifi settings automatically change your wifi address for security. Generally this means public wifi networks, but it is possible that either the network you are on has been marked as public, or that setting got turned on for your private network settings.

It’s actually quite normal for ISPs in many countries to give out new IPs at midnight every day.
Only thing that helps against that is to set your firewall to hold onto the lease for longer.

Thanks for the response! I will look through the documentation to see if I can find something about checking states. And just to clarify, what do you mean when you say states? And also just to confirm, I can ping from the VPN interface and get a response when I have the issue, that is to say when I cannot access the internet from a client machine routed through the VPN interface, if that helps clear some things up.

No, this is on my home network using a wired connection. The issue with the address changing is my public IP assigned by my ISP!

The state table is a table of established connections used by the firewall to decide whether or not to allow traffic. So if you have existing states it can cause problems if something changes. An easy way to test if this is the problem would be to go to status>states (or it might be under diagnostics) and clear the state table; if that works then you know that it's a problem with stale states. The option to reset states when the WAN address changes is at the bottom of system>advanced>networking.

If you can ping with the VPN then that means that the VPN is still working properly after your IP changes, so that at least means it’s not a problem with the VPN configuration.

Damn! Clearing the state table did not allow a vpn interface routed machine to connect to the outside internet.

[image]

However I am able to ping from the interface through the web interface and it seems to work well.

But as you can see on the status page, it does not know that I cannot reach the internet from one of the machines. In this case I don't think the watchdog would even know that there is an issue! So frustrating, because this really makes having the router VPN an issue if it keeps breaking and requiring constant intervention on my part. My users are getting angry lol

So next steps are to look perhaps at the rule logs as felixthecat suggested in an earlier post?

However, I'm not sure how I should go about monitoring that?

Thanks,

C

As a quick side note: did you ever consider switching camps to OPNsense? Aside from the drama, it's in my opinion easier to set up and administer. And troubleshooting goes well :)

What you show indeed means that your VPN connection doesn't go down, but only your internal routing. Aside from what I mentioned earlier, which I have no idea how to accomplish on pfSense, you could consider backing up your pfSense config and starting over fresh. Maybe there was just a problem with a firewall rule or the NAT you set up.

Haha no, I'm pfSense all the way, the sunk cost is too much at this point!

The firewall logs are in the system log; the default block rules should be logged by default and you can enable logging on any other rules. Although this will only tell you if traffic is being blocked, not if it's going nowhere or something like that.

Did you try changing the gateway quality thresholds? Because the low default values can cause problems with VPN connections.

I did try changing the thresholds, no dice :( I guess I will need to keep looking. Thanks so much for sharing some ideas!