Feature #3473

Allow configuration of OpenVPN keepalive

Added by B. Derman almost 6 years ago. Updated 5 days ago.

Status: Feedback
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 02/19/2014
Due date:
% Done: 100%
Estimated time:

Description

The keepalive option is always added to an OpenVPN server configuration.

There are many scenarios where this is not wanted and will prevent the required behavior. In my case, when working with iOS VPN on demand rule-driven behavior, the keepalive had to be removed (by commenting out line 453 in openvpn.inc).

What's even worse is that, with the keepalive option configured, you can't even add options such as ping, ping-exit and inactive (i.e., via OpenVPN's "Advanced configuration") because the server fails to start when you do, citing a conflict with the keepalive option.

I'd suggest that the keepalive option should be an optional item configured via the GUI. A more complete/useful strategy would be to allow configuration of all of the following via the GUI:
- keepalive & both time parameters (should be mutually exclusive with ping/ping-exit)
- ping with time parameter
- ping exit with time parameter
- inactive with time parameter
along with a checkbox-type option to also push any of these to the client.

Associated revisions

Revision 99d7e8c1 (diff)
Added by Jim Pingle 2 months ago

Fix OpenVPN keepalive default values. Fixes #3473

Revision 44a87108 (diff)
Added by Jim Pingle 26 days ago

Fix OpenVPN keepalive default values. Fixes #3473

(cherry picked from commit 99d7e8c10e96e6f22ad47973d07258cd02426fe6)

Revision 4a5875a1 (diff)
Added by Jim Pingle 15 days ago

Add OpenVPN Keepalive/Ping/Inactive input validation. Fixes #3473

Revision b3395df2 (diff)
Added by Jim Pingle 15 days ago

Add OpenVPN Keepalive/Ping/Inactive input validation. Fixes #3473

(cherry picked from commit 4a5875a1771d286aee1c1e90d7f45991f9892a68)

History

#1 Updated by B. Derman almost 6 years ago

Oh, ping-restart should also be added to the list.

#2 Updated by Chris Buechler about 5 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from keepalive always added to OpenVPN server configuration to Allow configuration of OpenVPN keepalive
  • Affected Version deleted (2.1)
  • Affected Architecture deleted (i386)

#3 Updated by Renato Botelho about 3 years ago

  • Assignee set to Renato Botelho
  • Target version set to 2.4.0

#4 Updated by Jim Pingle over 2 years ago

  • Target version changed from 2.4.0 to 2.4.1

#5 Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.4.1 to 2.4.2

#6 Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.4.2 to 2.4.3

#7 Updated by Jim Pingle almost 2 years ago

  • Target version changed from 2.4.3 to 2.4.4

#8 Updated by Steve Beaver over 1 year ago

  • Target version changed from 2.4.4 to 48

#9 Updated by IT Sex 12 months ago

Ran into the problem. Found out that you can comment out or change the way the keepalive directive is added to new OpenVPN configurations using pfSense's Diagnostics>Edit File feature. Browse to /etc/inc/ and open /etc/inc/openvpn.inc, then find "keepalive" to see the line of the pfSense script where it is added. Adding a # to the argument (changing it to "#keepalive 10 60\n") and saving the script seems like the minimum-impact way to disable keepalive, and worked to let me add ping to my configs.

Just for clarity, this seems to keep pfSense from adding the keepalive directive to any (new?) OpenVPN (client?) configurations. It could break stuff that depends on that, although in my experience running OpenVPN clients without keepalive works just fine, and you should be able to add it back in manually with the advanced settings option. I did try looking for the OpenVPN config files themselves, but it looks like those are generated only temporarily (using the script edited above) when you run them.

#10 Updated by Jim Pingle 9 months ago

  • Target version changed from 48 to 2.5.0

#11 Updated by Renato Botelho 3 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Done. I used the wrong ticket number in 3bfecc81db500415a6d61df318513ccb82f47a8c

#12 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to In Progress

I have not changed anything in my configuration, and after upgrading to a snapshot with these changes, I am seeing errors in the OpenVPN log:

Sep 20 10:37:33 clara openvpn[83141]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client1.conf:10: keepalive (2.4.7)
Sep 20 10:37:33 clara openvpn[83141]: Use --help for more information.
: grep -n keepalive /var/etc/openvpn/client1.conf 
10:keepalive  

It's missing the default set of parameters that should be after it (10 60).

#13 Updated by Jim Pingle 2 months ago

  • Status changed from In Progress to Feedback

#14 Updated by Jim Pingle 15 days ago

  • Status changed from Feedback to In Progress
  • Assignee changed from Renato Botelho to Jim Pingle

This is missing input validation. I'll add it.
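The two failure modes reported in this ticket (a `keepalive` line written without its parameters, and `keepalive` combined with the separate ping directives) can be caught by linting a generated config before OpenVPN loads it. The following is an added example, not part of the ticket or of pfSense's code; the function name and sample config are constructed, and the rules assume that OpenVPN rejects `keepalive` alongside `ping`, `ping-exit` or `ping-restart` and requires the keepalive timeout to be at least twice the interval.

```python
import re

# Directives OpenVPN refuses to combine with keepalive (assumption stated in
# the lead-in: keepalive is itself a macro for ping + ping-restart).
PING_DIRECTIVES = {"ping", "ping-exit", "ping-restart"}

def lint_keepalive(conf_text):
    """Return (line_number, message) findings for an OpenVPN config."""
    findings, seen = [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        # Drop '#' and ';' comments, so a commented-out keepalive is ignored.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name != "keepalive" and name not in PING_DIRECTIVES:
            continue
        seen.setdefault(name, lineno)
        want = 2 if name == "keepalive" else 1
        if len(args) != want or not all(re.fullmatch(r"[0-9]+", a) for a in args):
            findings.append(
                (lineno, f"{name} expects {want} integer argument(s), got {args!r}"))
        elif name == "keepalive":
            interval, timeout = map(int, args)
            if interval <= 0 or timeout < 2 * interval:
                findings.append(
                    (lineno, "keepalive needs interval > 0 and timeout >= 2 * interval"))
    if "keepalive" in seen:
        # Report each ping-family directive that coexists with keepalive.
        for name in sorted(PING_DIRECTIVES.intersection(seen)):
            findings.append(
                (seen[name], f"{name} conflicts with keepalive on line {seen['keepalive']}"))
    return findings

# Constructed sample: bare keepalive (as in comment #12) plus a manual ping.
SAMPLE_CONF = "\n".join(["dev ovpnc1", "proto udp4", "keepalive  ", "ping 10", ""])

if __name__ == "__main__":
    for lineno, message in lint_keepalive(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```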

#15 Updated by Jim Pingle 15 days ago

  • Status changed from In Progress to Feedback

#16 Updated by Jim Pingle 5 days ago

  • Target version changed from 2.5.0 to 2.4.5
