persist_remote_ip not honoured #698

Open
joe-alford opened this issue Mar 4, 2025 · 0 comments


joe-alford commented Mar 4, 2025

Describe the bug

We are seeing that persist_remote_ip = DISABLED is set when starting OpenVPN clients, but the client will still try to reuse IPs when the server is disconnected.

We have one DNS CNAME pointing to a pool of 2+ OpenVPN servers. DNS will round robin between the servers. This works fine, but when a server is replaced, the client will keep retrying its IP until it times out, even though it should not be.

2025-03-04 14:57:14 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2025-03-04 14:57:14 Restart pause, 10 second(s)
2025-03-04 14:57:24 TCP/UDP: Preserving recently used remote address: [AF_INET]54.75.xxx.xxx:1194
2025-03-04 14:57:24 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-04 14:57:24 UDPv4 link local: (not bound)
2025-03-04 14:57:24 UDPv4 link remote: [AF_INET]54.75.xxx.xxx:1194
2025-03-04 14:57:24 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-04 14:57:26 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-04 14:57:30 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-04 14:57:38 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-04 14:57:54 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-04 14:58:25 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-03-04 14:58:25 TLS Error: TLS handshake failed
2025-03-04 14:58:25 SIGUSR1[soft,tls-error] received, process restarting
2025-03-04 14:58:25 Restart pause, 10 second(s)
2025-03-04 14:58:35 TCP/UDP: Preserving recently used remote address: [AF_INET]34.254.239.189:1194
2025-03-04 14:58:35 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-04 14:58:35 UDPv4 link local: (not bound)
2025-03-04 14:58:35 UDPv4 link remote: [AF_INET]34.254.239.189:1194
2025-03-04 14:58:35 TLS: Initial packet from [AF_INET]34.254.239.189:1194, sid=95f90ca5 e3143360
2025-03-04 14:58:35 VERIFY OK: depth=1, CN=vpn.DOMAIN
2025-03-04 14:58:35 VERIFY KU OK

To Reproduce

See the config below to start a client/server combo.

  • start the server
  • start the client and wait for it to connect
  • now restart the server
  • note that the client will output Preserving recently used remote address

server config
client config

Logs

Verbose level logs

Expected behavior

As above, but without any of the Preserving recently used remote address messages

Version information (please complete the following information):

Server:

openvpn --version ; uname -a
OpenVPN 2.6.13 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
Linux ip-172-20-26-243 6.8.0-1023-aws #25-Ubuntu SMP Mon Jan 27 20:44:03 UTC 2025 aarch64 aarch64 aarch64 GNU/Linux

Client:

openvpn --version ; uname -a
OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
Linux ifu-28 6.8.0-1023-aws #25-Ubuntu SMP Mon Jan 27 20:44:03 UTC 2025 aarch64 GNU/Linux
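An added example, not part of the report or of OpenVPN's code: a small log checker that splits a client log into restart cycles (one per SIGUSR1 line) and flags cycles where the client reused a "preserved" remote address and then only ever got ECONNREFUSED, which is the symptom the report describes. The embedded log is constructed from the lines quoted above (addresses masked as in the report), and the "stuck" rule is an assumption for this check, not an OpenVPN definition.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the client log excerpt in the report.
SAMPLE_LOG = """\
2025-03-04 14:57:14 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
2025-03-04 14:57:24 TCP/UDP: Preserving recently used remote address: [AF_INET]54.75.xxx.xxx:1194
2025-03-04 14:57:24 UDPv4 link remote: [AF_INET]54.75.xxx.xxx:1194
2025-03-04 14:57:24 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-04 14:57:26 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-04 14:58:25 TLS Error: TLS handshake failed
2025-03-04 14:58:25 SIGUSR1[soft,tls-error] received, process restarting
2025-03-04 14:58:35 TCP/UDP: Preserving recently used remote address: [AF_INET]34.254.239.189:1194
2025-03-04 14:58:35 UDPv4 link remote: [AF_INET]34.254.239.189:1194
2025-03-04 14:58:35 VERIFY OK: depth=1, CN=vpn.DOMAIN
"""

RESTART = re.compile(r"SIGUSR1\[soft,([^\]]+)\] received, process restarting")
PRESERVED = re.compile(r"Preserving recently used remote address: \[AF_INET6?\](\S+)")
REFUSED = re.compile(r"read UDPv4 \[ECONNREFUSED\]")
VERIFIED = re.compile(r"VERIFY OK")


@dataclass
class Cycle:
    reason: str                       # restart reason from the SIGUSR1 line
    preserved: Optional[str] = None   # address reused after the restart, if any
    refused: int = 0                  # ECONNREFUSED reads seen in this cycle
    verified: bool = False            # a VERIFY OK means the new link came up

    def stuck(self) -> bool:
        """Assumed rule: reused an old address, got refused, never verified."""
        return self.preserved is not None and self.refused > 0 and not self.verified


def analyse(log: str) -> List[Cycle]:
    """Group log lines into restart cycles and tally what happened in each."""
    cycles: List[Cycle] = []
    for line in log.splitlines():
        if m := RESTART.search(line):
            cycles.append(Cycle(reason=m.group(1)))
        elif cycles and (m := PRESERVED.search(line)):
            cycles[-1].preserved = m.group(1)
        elif cycles and REFUSED.search(line):
            cycles[-1].refused += 1
        elif cycles and VERIFIED.search(line):
            cycles[-1].verified = True
    return cycles


def stuck_addresses(log: str) -> List[str]:
    """Addresses the client kept retrying after a restart without ever connecting."""
    return [c.preserved for c in analyse(log) if c.stuck()]
```

Run over a real client log, a non-empty result from stuck_addresses is the observable to alert on while the option is not being honoured.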