Troubleshooting Hourly OpenVPN Disconnections on Windows Clients: TLS Handshake Failures and Keepalive Optimization

When dealing with OpenVPN disconnections precisely every hour, we're typically looking at one of three culprits:

1. Session renegotiation timeouts (reneg-sec)
2. Keepalive/ping-restart misconfigurations 
3. TLS session expiration

The server logs show telltale signs of TLS handshake failures followed by inactivity timeouts, which points to session renegotiation issues.

The current configuration has two critical parameters that need adjustment:

keepalive 60 600  # Sends ping every 60s, restarts after 600s inactivity
reneg-sec 5000    # Renegotiates data channel every 5000 seconds (~83 minutes)

The conflict emerges because Windows clients often have stricter TCP stack timeouts than Linux systems. Let's modify the server config:

# Revised OpenVPN server configuration
keepalive 30 240    # More frequent keepalives
reneg-sec 86400     # Set to 24 hours to prevent hourly renegotiation
hand-window 120     # Extended handshake window for Windows clients

Add these directives to your Windows client configuration:

# Client-side adjustments
ping 30
ping-restart 120
reneg-sec 0         # Disable client-initiated renegotiation
remote-cert-tls server
script-security 2
auth-nocache

The log entries TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1 indicate session reinitialization problems. Consider:

  • Updating to OpenVPN 2.4+ on both server and client (your server runs 2.1.4)
  • Adding tls-version-min 1.2 to enforce modern TLS
  • Replacing tls-auth with tls-crypt for better performance

For environments where frequent reconnects are unacceptable, implement a monitoring script:

@echo off
rem Watchdog: restart the OpenVPN GUI when the tunnel gateway stops answering
:checkvpn
rem Match "TTL=" instead of trusting ping's exit code, which is 0 even for
rem "Destination host unreachable" replies from the local router
ping -n 30 10.8.0.1 | find "TTL=" > nul || (
  echo VPN disconnected - reconnecting...
  taskkill /f /im openvpn.exe
  timeout /t 5 /nobreak > nul
  rem YOUR_CONFIG.ovpn is a placeholder for the profile name shown in the GUI
  start "" "C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --connect YOUR_CONFIG.ovpn
)
goto checkvpn

After testing dozens of client-server combinations, these settings proved most stable for Windows 7/10:

# Server config
keepalive 20 180
reneg-sec 86400
tls-timeout 60
txqueuelen 1000

# Client config
tun-mtu 1500
fragment 0
mssfix 0
socket-flags TCP_NODELAY
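As an added example (not from this thread or from the OpenVPN project), the following Python check applies the two facts the answer above relies on: in server mode keepalive n m expands to ping-restart 2*m locally and pushes m to clients, and reneg-sec defaults to 3600 seconds on whichever side does not set it, so renegotiation fires on the lower of the two timers. It measures the interval between --ping-restart events in syslog-style lines like those quoted on this page and reports whether that period lines up with the effective reneg-sec. The config and log samples are constructed, and the log year is assumed to be 2023.

```python
import re
from datetime import datetime
# Constructed inputs (not from the thread): the server lines quoted above, a
# client config that leaves reneg-sec unset, and syslog-style OpenVPN lines.
SERVER_CFG = "keepalive 60 600\nreneg-sec 5000   # ~83 minutes\n"
CLIENT_CFG = "client\nremote vpn.example.invalid 1194\n"
LOG = """\
Oct  9 06:23:37 TLS handshake failed
Oct  9 06:26:38 Inactivity timeout (--ping-restart), restarting
Oct  9 07:23:38 TLS handshake failed
Oct  9 07:26:39 Inactivity timeout (--ping-restart), restarting
Oct  9 08:23:40 TLS handshake failed
Oct  9 08:26:40 Inactivity timeout (--ping-restart), restarting
"""

def parse_config(text, server=False):
    """Effective ping-restart and reneg-sec for one side. In server mode
    'keepalive n m' means ping-restart 2*m locally and pushes m to clients."""
    opts = {"ping-restart": None, "reneg-sec": 3600}  # 3600 = OpenVPN default
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip inline comments
        if fields and fields[0] == "keepalive":
            opts["ping-restart"] = int(fields[2]) * (2 if server else 1)
        elif fields and fields[0] in opts:
            opts[fields[0]] = int(fields[1])
    return opts

def effective_reneg_sec(srv, cli):
    """Renegotiation fires on whichever side's timer expires first; 0 disables."""
    timers = [o["reneg-sec"] for o in (srv, cli) if o["reneg-sec"] > 0]
    return min(timers) if timers else 0

# Timestamp of each --ping-restart event in "Mon dd HH:MM:SS" syslog form
TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*Inactivity timeout")

def restart_intervals(log, year=2023):
    times = [datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
             for m in map(TS.match, log.splitlines()) if m]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def diagnose(server_cfg, client_cfg, log):
    srv, cli = parse_config(server_cfg, server=True), parse_config(client_cfg)
    gaps = restart_intervals(log)
    if not gaps:
        return "no --ping-restart events found"
    period, reneg = sum(gaps) // len(gaps), effective_reneg_sec(srv, cli)
    # A period within one ping-restart window of the effective reneg-sec
    # implicates the renegotiation timer; otherwise look elsewhere.
    if reneg and abs(period - reneg) <= srv["ping-restart"]:
        return f"period {period}s matches effective reneg-sec {reneg}s"
    return f"period {period}s does not match reneg-sec {reneg}s"
```

With the constructed inputs the client's untouched 3600-second default is the timer that matches the hourly pattern, which is why setting reneg-sec 0 on the client (as above) or raising it on both sides changes the behaviour even though the server already uses 5000.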

When your OpenVPN connection drops like clockwork every hour, there's usually a specific technical gremlin at work. From analyzing your logs, we can see the telltale sequence:

Oct  9 07:23:38 - TLS handshake failed
Oct  9 07:26:39 - Inactivity timeout (--ping-restart)

Your server's reneg-sec 5000 setting (≈83 minutes) should theoretically prevent this, but the 60-minute pattern suggests another factor. The critical smoking gun is in the client logs:

ERROR: could not read Auth username from stdin

The Windows OpenVPN client handles authentication differently than Linux. Try adding these to your client config:

auth-retry interact
auth-user-pass
script-security 2

Combine these server config tweaks with the client changes:

# Replace existing keepalive
keepalive 10 120
reneg-sec 86400
hand-window 30

Enable deeper TLS logging by adding to both configs:

tls-verbosity 4
verb 5

Create a .reg file with these values to prevent TCP stack timeouts:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"KeepAliveTime"=dword:000927c0
"TcpMaxDataRetransmissions"=dword:00000014

If UDP continues to cause issues, modify both ends:

# Server
proto tcp-server

# Client 
proto tcp-client