OpenVPN auto-reconnect after DynDNS change

  • OpenVPN auto-reconnect after DynDNS change

    Hello everybody,

    I have a problem with OpenVPN Connect App on Android and Untangle OpenVPN Server.

    My Untangle server has no static public ip address but I use a DynDNS service to connect to it.

    Every time my router restarts and the IP address of the router (and thus the one behind the DynDNS name) changes, the OpenVPN Connect App switches to the "Disconnect" status and tries to reach the server at the old IP, but does not re-resolve the DynDNS address.

    The log of the OpenVPN Connect app remains in a loop:

    09:19:40.155 -- Server poll timeout, trying next remote entry...

    09:19:40.159 -- EVENT: RECONNECTING

    09:19:40.170 -- Contacting [old_ip]:[port] via UDP

    09:19:40.174 -- EVENT: WAIT

    09:19:40.184 -- Connecting to [dyndns address]:[port] ([old_ip]) via UDPv4

    I'd like the OpenVPN app to reconnect automatically after an IP change, because otherwise I always have the problem that the phone is offline until I manually restart the VPN.

    My client and server configs are as follows:


    dhcp-option ADAPTER_DOMAIN_SUFFIX [domain]
    dhcp-option DOMAIN [domain]
    dhcp-option DNS [gateway]
    keepalive 5 10
    resolv-retry infinite
    remote-cert-tls server
    verb 1
    explicit-exit-notify 1
    dev tun
    proto udp
    port [port]
    cipher AES-128-CBC
    remote [dyndns address] [port]


    allow-compression no
    push "dhcp-option DOMAIN [domain]"
    push "dhcp-option ADAPTER_DOMAIN_SUFFIX [domain]"
    push "dhcp-option DNS [gateway]"
    keepalive 5 20
    mode server
    ca data/ca.crt
    cert data/server.crt
    key data/server.key
    dh data/dh.pem
    client-config-dir ccd
    user nobody
    group nogroup
    status openvpn-status.log
    log /var/log/openvpn.log
    verb 1
    dev tun0
    max-clients 2048
    mute 20
    ifconfig-pool-persist /etc/openvpn/address-pool-assignments.txt
    script-security 3
    auth-user-pass-verify "/usr/bin/sudo -E /usr/share/untangle/bin/openvpn-auth-user-pass" via-env
    proto udp
    port [port]
    cipher AES-128-CBC
    server [ip] [mask]
    management [ip] [port]
    push "route [ip] [mask]"

    I also tested with keepalive, ping, ping-restart, without persist-tun and persist-key options, but nothing solved my problem.

    The strange thing is that when I manually deactivate the VPN in the OpenVPN Connect app completely by pressing the button and then reactivate it, the re-resolving of the DynDNS address works.

    My first thought was that it does not work because I have activated the Always-On function and the kill switch under Android, so that without the VPN no data traffic and therefore no DNS resolution can take place; but then it would not work after manually switching it off and on again either, I think.

    Does anybody have an idea what I can do to solve this problem?

    Thank you


  • #2
    The NGFW needs to be configured to use the hostname. In Config -> Network -> Hostname, change the public address to "Use Hostname" and assign your Dynamic DNS name to the NGFW. Then remove/install OpenVPN again in the NGFW rack so it picks up the new Site URL.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email [email protected]


    • #3
      The NGFW is configured to use the hostname (DynDNS name). The hostname is also listed in the OpenVPN configuration file. When the connection is manually deactivated and then reactivated after an IP change, the (re)connection is successful. I think there is an error where the IP behind the DynDNS name doesn't get updated while the OpenVPN connection is still active/retrying to connect... Somewhere I've read that keepalive, ping or ping-restart in the OpenVPN configuration file should solve this problem, but it doesn't...


      • #4
        Most likely the new IP is not propagated across the Internet DNS as quickly as you expect so the client using OpenVPN does not have the new IP in their DNS yet. I've seen two to three hours for DNS updates.


        • #5
          You can look at lowering the TTL for your dynamic DNS A-record. But don't go crazy because many DNS servers don't like very short TTLs. If your DNS hosting provider allows it, play around with different values and stick with one that works. Or you can talk to them for insight on what value to use for your use case.

          You can use nslookup to check the current TTL of your DNS record.

          I am using Namecheap (because, I am), and I've set the TTL to Automatic. When I do an nslookup, assuming I read the results correctly, the TTL of my DNS record comes out to be 60 minutes. I have no issue with this because two things are working for me:
          1. My public IP seldom changes. I'm talking weeks to a month.
          2. I don't have an always-on VPN connection.
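The thread leaves two competing explanations open: the client is pinned to a stale address and never re-resolves while it is retrying (#3), or the DNS update simply has not reached the client's resolver yet (#4), which is where the TTL check from #5 comes in. The script below is an added example, not from the original posts or from OpenVPN/Untangle: it parses the "Connecting to host:port (ip)" lines of an OpenVPN Connect client log like the one in the first post, parses the TTL and address from `dig +noall +answer` output taken on the client's network, and tells the two cases apart. The hostname `vpn.example.net`, the addresses `198.51.100.10` and `203.0.113.7`, and both sample texts are constructed stand-ins for the bracketed placeholders in the thread.

```python
import re
from collections import Counter

# Constructed sample of the OpenVPN Connect client log shown in the thread,
# with the bracketed placeholders replaced by made-up documentation addresses.
SAMPLE_LOG = """\
09:19:40.155 -- Server poll timeout, trying next remote entry...
09:19:40.159 -- EVENT: RECONNECTING
09:19:40.170 -- Contacting 198.51.100.10:1194 via UDP
09:19:40.174 -- EVENT: WAIT
09:19:40.184 -- Connecting to vpn.example.net:1194 (198.51.100.10) via UDPv4
09:19:52.201 -- Server poll timeout, trying next remote entry...
09:19:52.205 -- EVENT: RECONNECTING
09:19:52.214 -- Contacting 198.51.100.10:1194 via UDP
09:19:52.220 -- EVENT: WAIT
09:19:52.231 -- Connecting to vpn.example.net:1194 (198.51.100.10) via UDPv4
"""

# Constructed output of `dig +noall +answer vpn.example.net A`, run on the
# client's network after the router got a new address: the record already
# points at the new IP and carries a 60-second TTL.
SAMPLE_DIG = "vpn.example.net.\t60\tIN\tA\t203.0.113.7\n"

CONNECT_RE = re.compile(
    r"Connecting to (?P<host>[^:\s]+):(?P<port>\d+) \((?P<ip>[\d.]+)\) via"
)
DIG_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>[\d.]+)$")


def connect_attempts(log_text):
    """Return (host, ip) for every 'Connecting to' line in the client log."""
    return [(m.group("host"), m.group("ip"))
            for m in map(CONNECT_RE.search, log_text.splitlines()) if m]


def parse_dig_answer(dig_text):
    """Return (ttl_seconds, ip) from the first A record in dig +noall +answer output."""
    for line in dig_text.splitlines():
        m = DIG_RE.match(line.strip())
        if m:
            return int(m.group("ttl")), m.group("ip")
    raise ValueError("no A record in dig output")


def diagnose(log_text, dig_text, min_attempts=2):
    """Classify a reconnect loop against what DNS currently answers.

    Verdicts:
      'stale-ip'  the client keeps retrying one address that DNS no longer
                  returns, i.e. it is not re-resolving while it retries
      'dns-lag'   the client keeps retrying the address DNS still returns, so
                  the record update has not reached this resolver yet (the TTL
                  bounds how long a cached copy of the old answer can survive)
      'ok'        fewer than min_attempts retries, or the tried IPs vary
    """
    attempts = connect_attempts(log_text)
    ttl, current_ip = parse_dig_answer(dig_text)
    tried = Counter(ip for _, ip in attempts)
    result = {"tried_ips": dict(tried), "dns_ip": current_ip, "ttl": ttl}
    if len(tried) == 1 and sum(tried.values()) >= min_attempts:
        (stuck_ip,) = tried
        result["verdict"] = "stale-ip" if stuck_ip != current_ip else "dns-lag"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_DIG).items():
        print(f"{key}: {value}")
```

With the constructed inputs the verdict is `stale-ip`: the log shows two retries against 198.51.100.10 while DNS already answers 203.0.113.7, so the client, not DNS propagation, is holding on to the old address. Feeding it a dig answer that still returns 198.51.100.10 yields `dns-lag`, the situation #4 describes, and the reported TTL is the figure #5 suggests lowering.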


          • #6
            Okay, thank you for the tips, I will give it a try...