search

OpenVPN / openvpn-gui

OpenVPN GUI is a graphical frontend for OpenVPN running on Windows 7 / 8 / 10. It creates an icon in the notification area from which you can control OpenVPN to start/stop your VPN tunnels, view the log and do other useful things.
Other
1.38k stars 397 forks source link

How to get openvpn-gui NOT to reconnect after resuming from sleep? #636

Open rpodric opened 1 year ago

rpodric commented 1 year ago

AFAIK, the default behavior, at least on Windows, goes like this:

1) Right-click openvpn-GUI (current version) tray icon and Connect. 2) Sometime later, you've maybe forgotten about the connection, so it's still on, but you put the machine to sleep. 3) When you return and resume, you see that openvpn-GUI is still green and the VPN is still live. It's quickly reconnected.

How do you stop it doing that? If it's something to be done on the server or in the ovpn, that's fine, but it seems like it should be handled in the GUI given that...

...I tried unchecking "Enable auto restart of active connections," but interestingly that made no difference. What does it do if not this? I've also set "Persistent Connections" on Disable, though I don't think that applies to the way that I connect anyway, so I wasn't surprised by this one.

I'd much prefer to have to click Connect again to connect after sleep.

The reconnects also spew the server log with either the infamous "TLS Error: local/remote TLS keys are out of sync" or "AEAD Decrypt error," neither of which ever happen when making the initial connection (i.e. not these automatic reconnects), but they're almost beside the point since I don't want reconnects in the first place. Figuring out how to stop the reconnects will stop these.

lstipakov commented 1 year ago

...I tried unchecking "Enable auto restart of active connections," but interestingly that made no difference. What does it do if not this?

When openvpn-gui exits with some connections still on, those will be stopped and then restarted when openvpn-gui is running again.

I'd much prefer to have to click Connect again to connect after sleep.

I don't think we are aware of sleep/resume, openvpn sees it as keepalive timeout for UDP or connection reset for TCP, which triggers reconnect. Maybe you can play with scripting and power management events to tell gui to stop all connections on standby.

I am curious, why do you want to do it?

selvanair commented 1 year ago

When you put the client host to sleep, OpenVPN tunnel is not "disconnected" nor is openvpn.exe or openvpn-gui.exe stopped. When it wakes up, all programs that were running before sleep resume and so does OpenVPN and the GUI. As far as OpenVPN is concerned, there is no difference whether the traffic stopped because of sleep or some network glitch. In either case it will do a ping-restart if traffic has stopped flowing for a certain time. You can probably change that using --ping-exit or --inactive, but that would also affect recovery from network loss other than sleep.

Neither OpenVPN nor OpenVPN-GUI explicitly does anything on sleep events. The underlying network driver may reset on to power events but the connection resumes when the driver wakes up. Just like your wifi or LAN connection resumes.

Every long running program on your machine (like a long computation) also resumes after sleep. I fail to see why you want OpenVPN to behave differently --- if the connection does not resume after sleep that would be a cause for concern.

rpodric commented 1 year ago

Thanks, @lstipakov @selvanair

When openvpn-gui exits with some connections still on, those will be stopped and then restarted when openvpn-gui is running again.

Ah, it wouldn't have occurred to me that it was about that.

I don't think we are aware of sleep/resume, openvpn sees it as keepalive timeout for UDP or connection reset for TCP, which triggers reconnect. Maybe you can play with scripting and power management events to tell gui to stop all connections on standby.

I think you're referring to the Advanced tab, where we have script timeouts for Preconnect, Connect, and Disconnect, currently on the defaults of 10, 30, and 10 respectively. I'll have to look into those to see if they'd apply here.

Neither OpenVPN nor OpenVPN-GUI explicitly does anything on sleep events. The underlying network driver may reset on to power events but the connection resumes when the driver wakes up. Just like your wifi or LAN connection resumes.

OK, so maybe those timeouts wouldn't apply then.

Here's the scenario where you might not want it to reconnect: 1) VPN sees occasional use. That is, it's not one of those scenarios where it's needed most of the time. 2) User is forgetful. There's no hope of getting him to recall to disconnect manually.

Under those conditions, for a need that might have really been 30 minutes or an hour a week, over a couple total connects, the VPN will be connected (except when asleep, of course) for potentially weeks (or reboot, which isn't often in most cases), as the user never gives it a second thought again. That in itself is not great, but then compound that with the log filling up with those two reconnect-triggered errors I mentioned. That's kind of a separate topic, but also not necessarily easy to solve based on other threads spanning years.

selvanair commented 1 year ago

Here's the scenario where you might not want it to reconnect:

VPN sees occasional use. That is, it's not one of those scenarios where it's needed most of the time.

User is forgetful. There's no hope of getting him to recall to disconnect manually.

Use --ping-exit and/or --inactive in your config file. See OpenVPN man page for details.

rpodric commented 1 year ago

Yes, I'm looking at those (and maybe --ping). Finding the right combination that will work but at the same time not undermine it when the machine is not asleep, might be a challenge.