NT66u slave router - OpenVPN client dropping, then unable to reconnect

Dazed2u

I've been trying to troubleshoot a recurring problem with my VPN router dropping its OpenVPN client connection, then unable to resolve VPN host and reconnect.

My setup:
Asus AC66u router connected to ISP (no VPN client).
Asus N66u router connected to the AC66u, running an OpenVPN client to TorGuard.

Both routers are running: 3.0.0.4.374.43 Merlin fork.

Issue:
The N66u appears to lose OpenVPN connectivity at random intervals - as little as 15 minutes after a reboot, and sometimes it will be fine for several days. Once the client drops, it can no longer resolve the VPN host - only a VPN client stop/start, or reboot of the router will allow the N66u to connect again.

The master router shows no signs of internet drops, and doesn't have any disruption related to the times when the VPN router disconnects.

Log snippet when a drop occurs:
Jun 30 05:01:25 ntp: start NTP update
Jun 30 05:01:26 ntp: NTP update successful after 1 attempt(s)
Jun 30 05:24:14 openvpn[441]: [TG-OVPN-CA] Inactivity timeout (--ping-restart), restarting
Jun 30 05:24:14 openvpn[441]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 30 05:24:14 openvpn[441]: Restart pause, 2 second(s)
Jun 30 05:24:16 openvpn[441]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 30 05:24:16 openvpn[441]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 30 05:24:16 openvpn[441]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Jun 30 05:24:46 openvpn[441]: RESOLVE: Cannot resolve host address: chi.central.usa.torguardvpnaccess.com: Name or service not known
Jun 30 05:25:16 openvpn[441]: RESOLVE: Cannot resolve host address: chi.central.usa.torguardvpnaccess.com: Name or service not known

Any help appreciated! Trying to understand whether I have a VPN disconnect issue, or DNS confusion that resolves itself when the VPN is manually stopped/started.

OpenVPN client settings are attached.
 

Did you load the vpn.config file that they provided using your router's "Import .ovpn file" upload feature?
Maybe there is a custom configuration missing,
such as
tls-client
remote-cert-tls server
I suggest you do that and then take it from there.
Are you using firmware version 380.59 from Merlin?
After seeing your configuration, I would change Accept DNS Configuration from strict to exclusive and set compression to none.
Check whether they need to add more parameters in the custom configuration.
Hope that helps you out.
 
Thanks for the reply and things to check.

I've tried both the .ovpn file and a manual guide on the site that shows slightly different parameters. Interestingly, the only custom config line the .ovpn file adds is remote-cert-tls server - no others.
I've just retried the .ovpn file, and made the manual change of the Accept DNS Configuration to exclusive and compression to none to see if it makes any difference.

I've previously tried Merlin 380.59 build with the same results - also tried swapping my AC66u and N66u - also the same result. I'm currently on the 3.0.0.4.374.43 Merlin fork seeing if it makes any difference.

Thanks again - will post any results if the suggested changes help or not.
 
Can you post that OpenVPN file please?
I would like to take a look at it.
 
@Dazed2u - Do a search in your syslog for 'explicit-exit-notify' (without the quotes). If TorGuard is pushing this option to the client it can result in what you are seeing.
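
Added example, not part of any post in this thread: a syslog triage that goes one step beyond a plain search by recording, for each `--ping-restart`, whether the client then got stuck on DNS or reconnected, and by counting the `explicit-exit-notify` and missing-certificate-verification lines. The function names are hypothetical, the last two sample lines are constructed, and `Initialization Sequence Completed` is assumed to be the line the client logs on a successful reconnect.

```shell
#!/bin/sh
# Added example (not from the thread): classify each OpenVPN --ping-restart
# in a router syslog by what followed it. Function names are hypothetical.

# Sample input: the first five lines are quoted from the first post; the
# last two are constructed to show a restart that reconnects cleanly.
sample_log() {
cat <<'EOF'
Jun 30 05:24:14 openvpn[441]: [TG-OVPN-CA] Inactivity timeout (--ping-restart), restarting
Jun 30 05:24:14 openvpn[441]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 30 05:24:16 openvpn[441]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 30 05:24:46 openvpn[441]: RESOLVE: Cannot resolve host address: chi.central.usa.torguardvpnaccess.com: Name or service not known
Jun 30 05:25:16 openvpn[441]: RESOLVE: Cannot resolve host address: chi.central.usa.torguardvpnaccess.com: Name or service not known
Jun 30 09:10:02 openvpn[441]: [TG-OVPN-CA] Inactivity timeout (--ping-restart), restarting
Jun 30 09:10:20 openvpn[441]: Initialization Sequence Completed
EOF
}

# Reads syslog text on stdin and prints one summary line.
triage_vpn_log() {
    awk '
        # A keepalive timeout opens an "event" that is resolved by whichever
        # of the next two patterns appears first.
        /Inactivity timeout \(--ping-restart\)/ { restarts++; pending = 1 }
        pending && /RESOLVE: Cannot resolve host address/ { stuck++; pending = 0 }
        pending && /Initialization Sequence Completed/ { recovered++; pending = 0 }
        # Independent indicators mentioned in the thread.
        /explicit-exit-notify/ { exitnotify++ }
        /No server certificate verification method/ { nocert++ }
        END {
            printf "restarts=%d stuck_on_dns=%d recovered=%d explicit_exit_notify=%d no_cert_verify=%d\n",
                   restarts, stuck, recovered, exitnotify, nocert
        }'
}

sample_log | triage_vpn_log
```

A non-zero `no_cert_verify` count means the client started without `remote-cert-tls server` or another server verification option, which is what the WARNING line in the first post reports.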
 
See attached - extension renamed to .txt. The link below is a 'how-to' on their site for an Asus router, but contains slightly different parameters than contained in the openvpn file.

https://torguard.net/knowledgebase.php?action=displayarticle&id=216
I wouldn't look at that guide. Try it this way and see what happens. I attached a jpg thumbnail.
Your custom configuration has things that are not needed and others that you have to put on there.
Please check it out and let us know if these changes made a difference.
Also try what john9527 suggested as well.
 

Thanks for the feedback. Results from the last few days look promising. A search on a few of my old logs with dropped connections didn't indicate TorGuard sending 'explicit-exit-notify'.

VPN connection has been up and steady for over 40 hours, based on suggested setting changes.

Certainly appreciate the help! Thank you.
 
