OpenVPN Connect client try to contact old IP

joereddator · March 11, 2025, 7:52pm

Openvpn Connect version 3.4.4 on Windows 7 client

In config I have:

mydomain.example.net IP is updated by a powershell script and configured on a dynamic dns service like dyndns, or duckdns in my case.

When my server IP changes the client properly gets it: if I launch ping command from the windows client to mydomain.example.net it responds as expected.

The problem is just for openvpn client, it retries to connect to the old IP, fails, wait about 10 seconds, retries and so on. It doesn’t “sense” the new IP address of remote domain of openvpn server.

It’s not an issue related to dynamic dns service: within client windows system mydomain.example.net redirect properly to new IP. I cannot figure why ovpnconnector active service continues to try connecting to proper domain but referring it to the old IP.

Here my config:

client
ping-restart 10
dev tun
proto udp
remote mydomain.example.net 12345
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers-fallback AES-256-CBC
verb 3
user nobody
group nobody
auth-nocache
ecdh-curve secp521r1

joereddator · March 11, 2025, 7:52pm

Here last lines of “ovpnconnector.log”:

EVENT: RECONNECTING
Contacting 12.34.56.78:12345 via UDP
EVENT: WAIT
Connecting to [mydomain.example.net]:12345 (12.34.56.78) via UDP
Server poll timeout, trying next remote entry...
EVENT: RECONNECTING
[...]

12.34.56.78 was the old IP associated to mydomain.example.net

On the same machine, at the same time if I try a ping to the domain name, it contact an other IP, the properly updated new one:

> ping mydomain.example.net

Pinging 91.82.73.64 with 32 bytes of data:
[...]

tartare4562 · March 11, 2025, 7:52pm

Check the TTL of your DDNS hostname on your domain DNS provider. It should be as low as possible, like 5 minutes.

imjebran · March 11, 2025, 7:52pm

if the cmd resolving correct IP, when the old IP must be cached by OpenVPN GUI itself. Please explore the following directive this might help to resolve your issue also ping-restart 10 interval.

–register-dns Run net stop dnscache, net start dnscache, ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.

joereddator · March 11, 2025, 7:52pm

I solved by replacing 3.4.4 version with the OpenVPN 2.6.10 community project version.

OpenVPN 2.6.10 – Released 20 March 2024

This one accepts the following option that seem to execute the procedure I needed:

remap-usr1 SIGHUP

With this added, after a failed connection the client re-resolve the domain name of remote server before re-try to contact it.

In my case this is needed because my remote client has to try to contact my local VPN server which isn’t always on. When I turn on the server, my local IP can be changed since the previous time I used the vpn to reach the remote client, and my domain name points at this new IP as well. Remote client has to do a check before retrying to contact the server domain name, otherwise it would fail insisting to an old IP which doesn’t point to my domain name anymore.

Here my tested client profile:

client
dev tun
proto udp
remote mydomain.example.net 12345
ping 10
ping-restart 10
nobind
ecdh-curve secp521r1
remote-cert-tls server
verb 3
remap-usr1 SIGHUP

I still have to tune it for some warnings appearing, but as for the issue described in this topic just works.

joereddator · March 11, 2025, 7:52pm

I’m not using the GUI on windows client, I followed the guide to manage openvpn as a service (ovpnconnector [install|set-config profile|start]). The windows pc client is in a remote location, I need it tries openvpn connection when it starts up.

The issue should not be related to TTL of DDNS provider because “ping” command reports right IP (in my example above 91.82.73.64). I also tried to force resolving mydomain.example.net by putting it within hosts file:

“c:\windows\system32\drivers\etc\hosts”

and verify with ping commmand: if I manually change the associated IP adddress, ping tries to contact the new one, and not the old. This should exclude any ddns provider issue.

And should exclude also dnscache problems at OS level, but I’m not sure.

Tried “ipconfig /flushdns” yet and seems to do nothing. The new lines of ovpnconnector.log report it is still trying to contact the old IP.

Tried also to add “register-dns” to the config, but ovpnconnector cannot start, it returns an error… so I removed that option, could retry and report. I could try it again and report exactly the error, but I don’t need the DNS to be pushed by the openvpn server through the vpn tunnel, I just need to establish the connetcion and the client tries to contact a wrong IP. I read about “register-dns” option, but frankly I’m still not sure about what it does exactly.

In my case I want just the remote client connects to the local server. After that I use a vncviewer from the server to remotely control the windows client. I don’t need any other vpn feature like tunneling DNS or routing client internet connection throght my vpn server and so on…

By reading an howto recommended by Openvpn forum:

The OpenVPN client by default will sense when the server’s IP address has changed, if the client configuration is using a remote directive which references a dynamic DNS name. The usual chain of events is that (a) the OpenVPN client fails to receive timely keepalive messages from the server’s old IP address, triggering a restart, and (b) the restart causes the DNS name in the remote directive to be re-resolved, allowing the client to reconnect to the server at its new IP address.

Anyway in my case it doesn’t seem to work exactly as explained above. May be due to some option I have in the config? It is posted above…

imjebran · March 11, 2025, 7:52pm

I do understand the FlushDNS or ping option will not the root cause of your problem. Also a host entry make the last known IP static for the OS.

What I understand is, the openconnector works as a service, it loaded the entire config file among the remote host IP and keep retried the IP what was resolved at the time of starting of the OVPN connector service.

Did you tried by restart OpenVPN connector services, if that start connection with the same DyDNS host with new IP, than a solution can be developed to address your problem.

joereddator · March 11, 2025, 7:52pm

You understood good.

That’s the point: ovpnconnector service on the windows client keep retried the IP it resolved when was launched, even when the domain name used in the config changes its associated IP to a new one (editing hosts file can serve for quick testing this scenario of dynamic IP).

joereddator · March 11, 2025, 7:52pm

Tried adding “register-dns” option to config but I get the following response:

PS C:\Program Files\OpenVPN Connect> .\ovpnconnector.exe start
Service start pending...
Service not started.
  Current State: 1
  Exit Code: 0

Looking at the log:

PS C:\Program Files\OpenVPN Connect> Get-Content -tail 20 ovpnconnector.log
Wed May 15 10:50:27 2024 Connecting to [mydomain.example.net]:12345 (12.34.56.78) via UDP
Wed May 15 10:50:37 2024 Server poll timeout, trying next remote entry...
Wed May 15 10:50:37 2024 EVENT: RECONNECTING
Wed May 15 10:50:37 2024 Contacting 12.34.56.781:12345 via UDP
Wed May 15 10:50:37 2024 EVENT: WAIT
Wed May 15 10:50:37 2024 Connecting to [mydomain.example.net]:12345 (12.34.56.78) via UDP
Wed May 15 10:50:39 2024 EVENT: DISCONNECTED

I disconnected ovpnconnector (it tried wrong IP again and again), “ovpnconnector stop”, then restarted as reported at the top of this message. And below the interesting part of the log which show how it has failed.

Wed May 15 10:51:35 2024 OpenVPN core 3.8.2connect3 win x86_64 64-bit OVPN-DCO
Wed May 15 10:51:35 2024 Frame=512/2112/512 mssfix-ctrl=1250
Wed May 15 10:51:35 2024 NOTE: This configuration contains options that were not used:
Wed May 15 10:51:35 2024 Unsupported option (ignored)
Wed May 15 10:51:35 2024 6 [resolv-retry] [infinite]
Wed May 15 10:51:35 2024 8 [persist-key]
Wed May 15 10:51:35 2024 9 [persist-tun]
Wed May 15 10:51:35 2024 11 [data-ciphers-fallback] [AES-256-CBC]
Wed May 15 10:51:35 2024 13 [user] [nobody]
Wed May 15 10:51:35 2024 14 [group] [nobody]
Wed May 15 10:51:35 2024 15 [auth-nocache]
Wed May 15 10:51:35 2024 UNKNOWN/UNSUPPORTED OPTIONS
Wed May 15 10:51:35 2024 1 [register-dns]

There are “unsupported options” detected. And the last “register-dns” unknown/unsupported. So the client doesn’t even tries connection to the remote server.

joereddator · March 11, 2025, 7:52pm

To answer your question. If I remove register-dns, and start ovpnconnector service, it uses for the domain name the new right IP currently associated to it.
Obviously this IP reload obtained thanks to manual ovpnconnector restart isn’t an option, because the windows pc client isn’t locally controlled by human. I can manage it at now with teamviewer or direct vncviewer, but openvpn has to be working also in a “stand alone” way.

joereddator · March 11, 2025, 7:52pm

OK, I’ll report a log after removing register-dns option:

Wed May 15 13:30:51 2024 OpenVPN core 3.8.2connect3 win x86_64 64-bit OVPN-DCO
Wed May 15 13:30:51 2024 Frame=512/2112/512 mssfix-ctrl=1250
Wed May 15 13:30:51 2024 NOTE: This configuration contains options that were not used:
Wed May 15 13:30:51 2024 Unsupported option (ignored)
Wed May 15 13:30:51 2024 5 [resolv-retry] [infinite]
Wed May 15 13:30:51 2024 7 [persist-key]
Wed May 15 13:30:51 2024 8 [persist-tun]
Wed May 15 13:30:51 2024 10 [data-ciphers-fallback] [AES-256-CBC]
Wed May 15 13:30:51 2024 12 [user] [nobody]
Wed May 15 13:30:51 2024 13 [group] [nobody]
Wed May 15 13:30:51 2024 14 [auth-nocache]
Wed May 15 13:30:51 2024 EVENT: RESOLVE
Wed May 15 13:30:51 2024 Contacting 91.82.73.64:12345 via UDP
Wed May 15 13:30:51 2024 EVENT: WAIT
Wed May 15 13:30:51 2024 Connecting to [mydomain.example.net]:12345 (91.82.73.64) via UDP
Wed May 15 13:31:01 2024 Server poll timeout, trying next remote entry...
Wed May 15 13:31:01 2024 EVENT: RECONNECTING
Wed May 15 13:31:01 2024 Contacting 91.82.73.64:12345 via UDP
Wed May 15 13:31:01 2024 EVENT: WAIT
Wed May 15 13:31:01 2024 Connecting to [mydomain.example.net]:12345 (91.82.73.64) via UDP
Wed May 15 13:31:11 2024 Server poll timeout, trying next remote entry...
Wed May 15 13:31:11 2024 EVENT: RECONNECTING
Wed May 15 13:31:11 2024 Contacting 91.82.73.64:12345 via UDP
Wed May 15 13:31:11 2024 EVENT: WAIT
Wed May 15 13:31:11 2024 Connecting to [mydomain.example.net]:12345 (91.82.73.64) via UDP
Wed May 15 13:31:21 2024 Server poll timeout, trying next remote entry...

As you can see it tries to connect to the right IP. But it does due to the initial “EVENT: RESOLVE”, after that it re-use thi IP even if the connection fails. Now it fails because I have a firewall activated on the server side, anyway the issue seems clear to me.
ovpnconnector with my current config doesn’t launch an EVENT: RESOLVE when it retries connection after a fail. This RESOLVE event is done just at startup, as we have noticed in the above comments.

Eric_ardo · March 11, 2025, 7:52pm

I am having the exact same problem, I even tried everything you did before finding this thread. Did you manage to solve this?