AC5300 VPN worked one minute and then didn't

Discussion in 'VPN' started by outlaw78, Jun 19, 2019.

  1. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    Hello all!

    I just started messing with OpenVPN on the latest merlin build. I am hosting a VPN server to access my home network devices and use its internet. Got it all set up and working on my AC5300. I was surprised at how fast it was. I was using it on a Galaxy S9+ on Sprint LTE+ when it was working. Then all of a sudden it quit working on LTE+. It would still connect to the VPN but I could not access home network devices (when it did, it was like it wouldn't load completely), nor could I access the router through its local IP address. It looked like packets were still flowing in and out. IPV6 is disabled on my home router although it's available from my internet provider.

    I have been working with Sprint but they can't find an issue on their side. However, when I connect to CDMA (3G) or external Wi-Fi network, it works flawlessly again.

    I am using the OpenVPN app from the play store which is 3.0.5 (1816). I imported the generated .OVPN to the app and set the app, under settings, to:
    Reconnect on Reboot on
    Seamless Tunnel on
    VPN Protocol UDP
    IPV6- IPV4-Only Tunnel
    Connection Timeout - 1 Min
    Compression - Full
    AES-CBC cipher algorithm Off
    Use insecure algorithms Off
    Minimum TLS Version TLS 1.2
    DNS Fallback On
    Shortcut Minimize On
    Show Notifications Off

    I noticed that sometimes when I check the connection status, it shows me connected with an IPV6 even though the app is set to IPV4 only tunnel.

    If I need to post any more information to help with this, let me know. I just can't figure out why one minute it was working great and the next minute it wasn't. I rebooted all devices (cable modem, router, phone) and even set VPN server to "defaults" and started over to no avail. I googled the problem but anything I found, I tried and the only thing to work was "Switch to CDMA" but that really isn't an option due to speed.

    Also, I can't seem to access the NAS web-gui. I get an error "Forbidden", you don't have permission to access /UI on this server. Additionally, a 404 not found error was encountered while trying to use an ErrorDocument to handle the request. When I am physically on the LAN without VPN, I can access those pages just fine.

    Thank you in advance!

    UPDATE: I can access the shares on the NAS using Solid File Explorer and I can SSH into the router (set for LAN only), but I cannot access any web-gui on the router (it just hangs there but works fine from behind the router), printer or NAS devices using their LAN IP when on VPN. Speedtest app says "Error, test failed to complete. Please check your connection and try again."
     
    Last edited: Jun 19, 2019
  2. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    This is all that is in the export file (Certificates and Keys Excluded) and I included the server side settings. I *** out the DDNS info. Asusnat Tunnel is Disabled, but it didn't seem to make a difference either way.

    client
    dev tun
    proto udp
    remote ***.***.com 7443
    float
    ncp-ciphers AES-256-GCM:AES-256-CBC
    auth SHA512
    compress lz4
    keepalive 15 60
    auth-user-pass
    remote-cert-tls server
    <ca>
    -----Keys and Certificate----
    </tls-auth>
    key-direction 1
    resolv-retry infinite
    nobind
     

    Last edited: Jun 19, 2019
  3. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    This is the logs from the router when the client in question connects. Sensitive information censored.

    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 Data Channel: using negotiated cipher 'AES-256-GCM'
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.0.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 PUSH: Received control message: 'PUSH_REQUEST'
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 MULTI: primary virtual IP for client/***:32704: 10.8.0.2
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 MULTI: Learn: 10.8.0.2 -> client/***:32704
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 [client] Peer Connection Initiated with [AF_INET6]::ffff:**.***.**.***:32704
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 TLS: Username/Password authentication succeeded for username '******************************'
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_BS64DL=1
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_IPv6=1
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_LZ4=1
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_PROTO=2
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_TCPNL=1
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_NCP=2
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_PLAT=android
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_VER=3.2
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_GUI_VER=OC30Android
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, [email protected]
    06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC5300, [email protected]
    06-19-2019 16:42:00 Daemon.Notice router.asus.com Jun 19 16:41:59 ovpn-server1[2445]: ***:32704 TLS: Initial packet from [AF_INET6]::ffff:**.***.**.***:32704, sid=8********
     
    Last edited: Jun 19, 2019
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,426
    Location:
    UK
    Try switching to a TCP connection instead of UDP. I find that more reliable when connecting over mobile networks.
     
    outlaw78 likes this.
  5. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    I've tried that. That too isn't working from LTE and LTE+. And from what I hear, TCP adds tons of overhead and extremely slows down the connection?
     
    Last edited: Jun 19, 2019
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,426
    Location:
    UK
    It was only a debugging suggestion.

    Yes, there's an overhead with TCP but that's the price of using a reliable transport mechanism. "Extreme slow down", that's a relative term. Back in the days of links measured in kilobits it was a major issue. If your link is in the tens of megabits, not so much.
     
    outlaw78 and L&LD like this.
  7. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    Ah, gotcha. Well it did work at one time, then when I tried again it wasn't working. I honestly think either Sprint is doing something (blocking/disabling) or, from what I read, it can be that LTE uses IPV6 and CDMA uses IPV4 (verified it by checking phone connected status) and VPNs don't play well with IPV6? Would enabling it on the router help with that? My ISP offers it but I haven't enabled it.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,426
    Location:
    UK
    Sorry, no idea. Personally I'd stick with all-IPv4, that's only one protocol to debug instead of two.

    You edited post #1 to say that it was now working locally using SSH but not HTTP(S)? Is that still the case or is it random?
     
    outlaw78 likes this.
  9. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    I could always access the SSH (set for allow LAN only) either locally or via the VPN. However, I cannot access the web-gui to the router through VPN while on the LTE network, but I can if I connect to, say, my work Wi-Fi or CDMA.
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,426
    Location:
    UK
    I'm at a loss then. Once the VPN tunnel is established there's no way the carrier can differentiate what traffic is flowing through it, be it SSH or HTTP.

    Perhaps the client is configured for split tunnelling and the IPv6 connection is confusing it. Or maybe the client's web browser is bypassing the VPN and trying to go straight out to the internet. Have you got another client device you can try, something completely different like a Windows PC?
     
    outlaw78 likes this.
  11. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    Yeah, it's only happening on the LTE network for my phone. I haven't had to take my laptop anywhere to test it that way. The funny thing is, while on the mobile network, connected to the VPN, if I enter the router's local IP address, it hangs. It also hangs the current computer that is actually on the LAN in the web-gui. (I should get "You can't connect while another device is connected" but I don't on my phone) until I stop trying to load it from the VPN connection and then it frees the web-gui for the computer on the LAN. (Hope that makes sense).
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,426
    Location:
    UK
    For testing purposes can you force your phone to use the errant LTE connection whilst at home?

    If so you could do that (and make sure the phone's VPN is off) and turn on the phone's WiFi hotspot feature (so you now have a WiFi to LTE link).

    Then connect to the WiFi hotspot from the laptop.... Then run a Windows VPN client on the laptop to connect to your server. Phew! Now test again.
     
    outlaw78 and L&LD like this.
  13. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    I'll give that a try tomorrow.
     
  14. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    Ok tried this on my laptop connected to phone hotspot. Was getting bad header packet.
     
  15. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    When I turn off TLS Incoming 0, the error goes away but still a no-go when using hotspot to my LTE network using my laptop. The connection is timing out to the router. OpenVPN program on windows 10 gives no error.
     
  16. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    Ok so I got it working. Apparently my config was incorrect. At first, when I would watch the logs on my router, it said something about "Warning: MTU is different from client to host. Client 1384 (or something) and host is 1500 MTU". Never thought much of it because it was working. Then it stopped saying that. Well it turns out I found a post talking about packet size and how there's 20kb for adding this and 60kb for adding that, etc. to the packet; basically you have to use smaller packets to avoid fragmentation. This is what was happening. The OpenVPN app on their website (links to Play Store) has very limited options for setting that kind of thing and I'm not very config file savvy. So I found an app called OpenVPN for Android by Arne Schwabe. This has a setting "Set MSS of TCP payload" which basically tells the packets to not be over a certain size. When enabled (set for 1380), UDP connection works flawlessly. The only drawback is the program automatically disables compression on sent packets. Compression is enabled for received packets.

    So my next few questions are these:
    1. I know my download to my client will never exceed 20 Mb/s because that is the upload of my ISP (which is the speed I'm receiving when I do a speed test). However, my upload only reaches about 2 Mb/s upload, which should be 400 Mb/s because that is the download speed of my ISP. I'd be happy if I just got the same up as down 20 Mb/s. Is this because compression is disabled on sent packets by the app?

    2. Is there a command line to enter in the .ovpn to specify packet size or MTU size to avoid fragmentation?
     
  17. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    Just did some more testing...

    I found the commands to change packet size (mssfix #) and tun-mtu # seems to work too. However, when using the official OpenVPN client, the log states that mssfix is an "Unused Option" and won't enable it. I have to use the tun-mtu option. However, in the 3rd party app, it's listed in the config and appears to work. Not sure why this is happening. Compression (lz4-v2) enabled both ways on the official app seems to slow down both directions. On the 3rd party app that only enables it on the received packets and seems to make the download slightly faster. Should I use compression at all?
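The MTU reasoning in the two posts above (packets grow by a fixed amount per encapsulation layer, and an IPv6 carrier path adds 20 bytes more of outer header than IPv4, so a segment that fits over Wi-Fi can overflow the path on LTE) is easier to check with numbers than by trial and error. The following is an added example, not code from this thread, from Asuswrt-Merlin or from OpenVPN: a small budget calculator for an OpenVPN-over-UDP tunnel using AES-256-GCM with a peer-id (the cipher and peer-id the server's PUSH_REPLY above negotiates). The per-layer overhead constants are the usual header sizes and an assumed OpenVPN data-channel breakdown; the 1440-byte mobile path MTU, the `Path` type and the function names are constructed for illustration, and the interpretation of what `mssfix N` bounds is stated as an assumption in the code because it changed between OpenVPN 2.4 and 2.6.

```python
"""
Added example (not from the thread, Asuswrt-Merlin or OpenVPN): an MTU budget
calculator for an OpenVPN-over-UDP tunnel. It shows how much of a path MTU
survives encapsulation, why an IPv6 outer header on a smaller mobile path can
push a segment over the limit, and which tun-mtu / mssfix values keep the
encapsulated packet under the path MTU.
"""
from dataclasses import dataclass

# Standard header sizes in bytes.
IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 20
ICMP_HDR = 8

# OpenVPN data-channel overhead for AES-256-GCM with a peer-id (P_DATA_V2).
# Assumed breakdown: 1 opcode/key-id byte + 3-byte peer-id, 4-byte packet-id
# (the nonce counter), 16-byte GCM tag, 1 byte of 'compress lz4' framing.
OVPN_GCM_OVERHEAD = 4 + 4 + 16 + 1


@dataclass(frozen=True)
class Path:
    name: str
    path_mtu: int      # largest IP packet the physical path will carry
    outer_ip_hdr: int  # IPV4_HDR or IPV6_HDR, whichever the carrier uses


def max_tun_mtu(path: Path) -> int:
    """Largest inner (tunnelled) IP packet that survives without fragmentation."""
    return path.path_mtu - path.outer_ip_hdr - UDP_HDR - OVPN_GCM_OVERHEAD


def max_tcp_mss(path: Path, inner_ip_hdr: int = IPV4_HDR) -> int:
    """TCP MSS to advertise inside the tunnel so a full segment fits max_tun_mtu."""
    return max_tun_mtu(path) - inner_ip_hdr - TCP_HDR


def tcp_payload_for_mssfix(mssfix: int, inner_ip_hdr: int = IPV4_HDR) -> int:
    """Inner TCP payload that a given 'mssfix N' allows.

    Assumption: N bounds OpenVPN's own UDP payload (ciphertext plus OpenVPN
    headers) and excludes the outer IP/UDP headers, which is how OpenVPN 2.4
    treated the value; 2.6 can count the outer headers too when the 'mtu'
    flag is given, so re-check the accounting against your server version.
    """
    return mssfix - OVPN_GCM_OVERHEAD - inner_ip_hdr - TCP_HDR


def wire_size(tcp_payload: int, path: Path, inner_ip_hdr: int = IPV4_HDR) -> int:
    """Bytes on the wire for one inner TCP segment after OpenVPN encapsulation."""
    inner = inner_ip_hdr + TCP_HDR + tcp_payload
    return path.outer_ip_hdr + UDP_HDR + OVPN_GCM_OVERHEAD + inner


def fits(tcp_payload: int, path: Path) -> bool:
    """True when the encapsulated segment needs no fragmentation on this path."""
    return wire_size(tcp_payload, path) <= path.path_mtu


def ping_probe(target: str, candidate_mtu: int) -> str:
    """Linux ping command that tests a candidate path MTU with DF set.

    'ping -s' takes the ICMP payload length, so subtract the IPv4 and ICMP
    headers; a 'message too long' reply means the real path MTU is smaller.
    """
    return f"ping -M do -c 3 -s {candidate_mtu - IPV4_HDR - ICMP_HDR} {target}"


if __name__ == "__main__":
    # Constructed scenarios; the 1440-byte mobile path MTU is an assumption
    # for illustration, not a measured carrier value.
    home = Path("home Wi-Fi, IPv4 outer, 1500-byte path", 1500, IPV4_HDR)
    lte = Path("LTE, IPv6 outer, 1440-byte path", 1440, IPV6_HDR)
    for path in (home, lte):
        print(f"{path.name}: tun-mtu <= {max_tun_mtu(path)}, "
              f"inner TCP MSS <= {max_tcp_mss(path)}")
    # OpenVPN 2.4's default mssfix versus the 1380 used in the thread.
    for mssfix in (1450, 1380):
        payload = tcp_payload_for_mssfix(mssfix)
        for path in (home, lte):
            verdict = "ok" if fits(payload, path) else "exceeds path MTU"
            print(f"mssfix {mssfix}: {wire_size(payload, path)}-byte packet on "
                  f"{path.name}: {verdict}")
    print(ping_probe("192.168.0.1", 1440))
```

Under these assumptions a segment sized for the 1450-byte default lands at 1478 bytes on the wire with an IPv4 outer header and 1498 bytes with an IPv6 one, so it clears a 1500-byte path either way but not the 1440-byte mobile path; the 1380 value brings the IPv6 case down to 1428 bytes, which fits. To replace the assumed path MTU with a measured one, run the printed ping command from the client network against the VPN server's public address (on Windows the equivalent is `ping -f -l <size>`) and lower the candidate until the replies come back, then feed that value into a `Path`.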
     
  18. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,163
    Location:
    Canada
    Personally I'd say no. Most network data these days is encrypted, therefore not really compressible.
     
    outlaw78 likes this.
  19. outlaw78

    outlaw78 Occasional Visitor

    Joined:
    Jan 1, 2018
    Messages:
    39
    Thanks Merlin. Quick question, layman here when it comes to VPN since I'm just starting out in VPN waters... I've searched about the difference in LZ4 and LZ4-v2 and I don't quite understand what I read. Which is better if I were to use one?
     
  20. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,163
    Location:
    Canada
    LZ4-v2 is supposed to be slightly faster than LZ4. Make sure both ends support it however, as it's not officially documented by OpenVPN.