Restoring from suspend, openvpn sometimes requires a restart

[danielittlewood]

I use openvpn to connect to a Private Internet Access VPN (set up following the wiki).

When I suspend my laptop, sometimes (but not always) my VPN fails to connect, and I have to restart openvpn in order to continue. Restarting NetworkManager works too, but that's only because it restarts openvpn in the process, I think.

I asked about this in IRC, and they suggested checking /var/log/messages.log, and ip addr. A gist showing /var/log/messages.log is here: https://gist.github.com/danielittlewood0/f3d8e7b5e73ebbe935b45a63aa5cc0e5

Before and after restarting openvpn, my ip addr shows a change in tun0:

[Anon-E-moose]

Every time openvpn is started, it connects to the vpn service and gets a 10.* address (in your case).
When you come back from suspend, that address might not be available to you (because of the vpn service)
The reason it works (sometimes) is that the 10.* address is still valid (available from vpn service)

I know that I've stopped openvpn for a short period of time, and when I restart openvpn, sometimes the 10.* addy is the same, sometimes it changes.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

[pa4wdh]

In my experience VPN and suspend is a combination that always ends up with trouble.

Your hypothesis is quite likely to be right, although openvpn does have a feature called "floating" where you can safely change IP address without losing your VPN. I would expect the client to have changed IP address, not the server.
An other thing is, depending on the server-side configuration, that the server simply forgot about your VPN session because the sleep time of your laptop is longer than the timeouts configured server side (usually a few minutes). In that case there is nothing to be restored and the only way out is a restart of your VPN.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com

[danielittlewood]

Ok - seems like this is a more general problem than I first thought.

It makes sense that IP would be constantly changing, and also that if the IP changes subnet then it can't be rerouted and the connection might just fail. I'm surprised something scriptable (like restarting openvpn when NetworkManager finishes connecting?) isn't already implemented. Maybe there's a complexity I don't know about.

I'm optimistic that the "ipchange" directive might be useful. (docs here: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/). At the moment I'm just logging what it reports as ip_address and port_number. But the following sounds promising:

[danielittlewood]

I have had some success, I think. The proposed config on the wiki includes