AC5300 VPN worked one minute and then didn't

outlaw78

Regular Contributor
Hello all!

I just started messing with OpenVPN on the latest Merlin build. I am hosting a VPN server to access my home network devices and use its internet. Got it all set up and working on my AC5300. I was surprised at how fast it was. I was using it on a Galaxy S9+ on Sprint LTE+ when it was working. Then all of a sudden it quit working on LTE+. It would still connect to the VPN, but I could not access home network devices (when it did, it was like it wouldn't load completely), nor could I access the router through its local IP address. It looked like packets were still flowing in and out. IPv6 is disabled on my home router although it's available from my internet provider.

I have been working with Sprint but they can't find an issue on their side. However, when I connect to CDMA (3G) or external Wi-Fi network, it works flawlessly again.

I am using the OpenVPN app from the Play Store, which is 3.0.5 (1816). I imported the generated .ovpn into the app and set the app, under settings, to:
Reconnect on Reboot - On
Seamless Tunnel - On
VPN Protocol - UDP
IPv6 - IPv4-Only Tunnel
Connection Timeout - 1 Min
Compression - Full
AES-CBC cipher algorithm - Off
Use insecure algorithms - Off
Minimum TLS Version - TLS 1.2
DNS Fallback - On
Shortcut Minimize - On
Show Notifications - Off

I noticed that sometimes when I check the connection status, it shows me connected with an IPv6 address even though the app is set to an IPv4-only tunnel.

If I need to post any more information to help with this, let me know. I just can't figure out why one minute it was working great and the next minute it wasn't. I rebooted all devices (cable modem, router, phone) and even set the VPN server to "defaults" and started over, to no avail. I googled the problem, but anything I found I tried, and the only thing that worked was "Switch to CDMA", which really isn't an option due to speed.

Also, I can't seem to access the NAS web GUI. I get an error: "Forbidden. You don't have permission to access /UI on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request." When I am physically on the LAN without VPN, I can access those pages just fine.

Thank you in advance!

UPDATE: I can access the shares on the NAS using Solid File Explorer and I can SSH into the router (set for LAN only), but I cannot access any web GUI on the router (it just hangs there, but works fine from behind the router), printer or NAS devices using their LAN IP when on VPN. The Speedtest app says "Error, test failed to complete. Please check your connection and try again."
 
This is all that is in the export file (certificates and keys excluded), and I included the server-side settings. I ***'d out the DDNS info. Asusnat Tunnel is disabled, but it didn't seem to make a difference either way.

client
dev tun
proto udp
remote ***.***.com 7443
float
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
compress lz4
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----Keys and Certificate----
</tls-auth>
key-direction 1
resolv-retry infinite
nobind
 

Attachments

  • Capture5.JPG
  • Capture6.JPG
  • tempFileForShare_20190619-165723.jpg
  • Capture5.JPG
These are the logs from the router when the client in question connects. Sensitive information censored.

06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 Data Channel: using negotiated cipher 'AES-256-GCM'
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.0.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 PUSH: Received control message: 'PUSH_REQUEST'
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 MULTI: primary virtual IP for client/***:32704: 10.8.0.2
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 MULTI: Learn: 10.8.0.2 -> client/***:32704
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: client/***:32704 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 [client] Peer Connection Initiated with [AF_INET6]::ffff:**.***.**.***:32704
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 TLS: Username/Password authentication succeeded for username '******************************'
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_BS64DL=1
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_IPv6=1
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_LZ4=1
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_PROTO=2
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_TCPNL=1
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_NCP=2
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_PLAT=android
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_VER=3.2
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 peer info: IV_GUI_VER=OC30Android
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
06-19-2019 16:42:01 Daemon.Notice router.asus.com Jun 19 16:42:00 ovpn-server1[2445]: ***:32704 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC5300, emailAddress=me@myhost.mydomain
06-19-2019 16:42:00 Daemon.Notice router.asus.com Jun 19 16:41:59 ovpn-server1[2445]: ***:32704 TLS: Initial packet from [AF_INET6]::ffff:**.***.**.***:32704, sid=8********
 
Try switching to a TCP connection instead of UDP. I find that more reliable when connecting over mobile networks.
 
I've tried that. That too isn't working from LTE and LTE+. And from what I hear, TCP adds tons of overhead and extremely slows down the connection?
 
It was only a debugging suggestion.

Yes there's an overhead with TCP but that's the price of using a reliable transport mechanism. "Extreme slow down", that's a relative term. Back in the days of links measured in kilobits it was a major issue. If your link is in the 10's of megabits, not so much.
 
Ah, gotcha. Well, it did work at one time; then when I tried again it wasn't working. I honestly think either Sprint is doing something (blocking/disabling) or, from what I read, it can be that LTE uses IPv6 and CDMA uses IPv4 (verified it by checking the phone's connection status) and VPNs don't play well with IPv6? Would enabling it on the router help with that? My ISP offers it but I haven't enabled it.
 
Sorry, no idea. Personally I'd stick with all-IPv4, that's only one protocol to debug instead of two.

You edited post #1 to say that it was now working locally using SSH but not HTTP(S)? Is that still the case or is it random?
 
I could always access SSH (set to allow LAN only) either locally or via the VPN. However, I cannot access the router's web GUI through the VPN while on the LTE network, but I can if I connect to, say, my work Wi-Fi or CDMA.
 
I'm at a loss then. Once the VPN tunnel is established there's no way the carrier can differentiate what traffic is flowing through it, be it SSH or HTTP.

Perhaps the client is configured for split tunnelling and the IPv6 connection is confusing it. Or maybe the client's web browser is bypassing the VPN and trying to go straight out to the internet. Have you got another client device you can try, something completely different like a Windows PC?
 
Yeah, it's only happening on the LTE network for my phone. I haven't had to take my laptop anywhere to test it that way. The funny thing is, while on the mobile network, connected to the VPN, if I enter the router's local IP address, it hangs. It also hangs the web GUI for the computer that is actually on the LAN (I should get "You can't connect while another device is connected" but I don't on my phone) until I stop trying to load it from the VPN connection, and then it frees the web GUI for the computer on the LAN. (Hope that makes sense.)
 
For testing purposes can you force your phone to use the errant LTE connection whilst at home?

If so you could do that (and make sure the phone's VPN is off) and turn on the phone's WiFi hotspot feature (so you now have a WiFi to LTE link).

Then connect to the WiFi hotspot from the laptop.... Then run a Windows VPN client on the laptop to connect to your server. Phew! Now test again.
 
I'll give that a try tomorrow.
 
When I turn off "TLS Incoming 0", the error goes away, but it's still a no-go when using the hotspot to my LTE network from my laptop. The connection to the router is timing out. The OpenVPN program on Windows 10 gives no error.
 
OK, so I got it working. Apparently my config was incorrect. At first, when I would watch the logs on my router, it said something about "Warning: MTU is different from client to host. Client 1384 (or something) and host is 1500 MTU". Never thought much of it because it was working. Then it stopped saying that. Well, it turns out I found a post talking about packet size and how there's 20kb for adding this and 60kb for adding that, etc. to the packet; basically you have to use smaller packets to avoid fragmentation. This is what was happening. The OpenVPN app on their website (links to the Play Store) has very limited options for setting that kind of thing, and I'm not very config-file savvy. So I found an app called OpenVPN for Android by Arne Schwabe. This has a setting "Set MSS of TCP payload" which basically tells the packets not to be over a certain size. When enabled (set to 1380), the UDP connection works flawlessly. The only drawback is the program automatically disables compression on sent packets. Compression is enabled for received packets.

So my next few questions are these:
1. I know my download to my client will never exceed 20 Mb/s because that is the upload of my ISP (which is the speed I'm receiving when I do a speed test). However, my upload only reaches about 2 Mb/s, which should be 400 Mb/s because that is the download speed of my ISP. I'd be happy if I just got the same up as down, 20 Mb/s. Is this because compression is disabled on sent packets by the app?

2. Is there a command line to enter in the .ovpn to specify packet size or MTU size to avoid fragmentation?
 
Just did some more testing...

I found the commands to change packet size (mssfix #), and tun-mtu # seems to work too. However, when using the official OpenVPN client, the log states that mssfix is an "Unused Option" and won't enable it. I have to use the tun-mtu option. However, in the 3rd-party app, it's listed in the config and appears to work. Not sure why this is happening. Compression (lz4-v2) enabled both ways on the official app seems to slow down both directions. On the 3rd-party app it's only enabled on the received packets and seems to make the download slightly faster. Should I use compression at all?
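
What "Set MSS of TCP payload" and OpenVPN's mssfix do mechanically, as an added worked example covering the two posts above (this is not code from the thread and not OpenVPN's implementation): the MSS option in a TCP SYN crossing the tunnel is rewritten so that a full-size segment, once encapsulated, stays under the configured ceiling, and the TCP checksum is recomputed so the rewritten SYN is still valid. The SYN packet, the addresses and the ENCAP_OVERHEAD constant are constructed for illustration; the real per-packet overhead depends on transport, cipher and compression framing, so the numbers are assumptions, not OpenVPN's accounting.

```python
"""MSS clamping, the mechanism behind OpenVPN's mssfix, on a constructed IPv4/TCP SYN."""
import struct

INNER_HEADERS = 40  # minimal inner IPv4 (20) + TCP (20) headers

# ASSUMED per-packet tunnel overhead for UDP transport with an AEAD cipher:
# outer IPv4 + UDP (28), data-channel header (4), packet-id (4), auth tag (16).
# An illustrative figure, not OpenVPN's exact accounting.
ENCAP_OVERHEAD = 28 + 4 + 4 + 16


def mss_for(max_encapsulated, overhead=ENCAP_OVERHEAD):
    """Largest MSS such that a full-size segment, once tunnelled, fits max_encapsulated bytes."""
    return max_encapsulated - overhead - INNER_HEADERS


def _checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _tcp_checksum(src, dst, tcp):
    """TCP checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4/TCP SYN carrying a single MSS option (sample input only)."""
    opts = struct.pack("!BBH", 2, 4, mss)                # kind 2, length 4, MSS value
    doff = (20 + len(opts)) // 4                          # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def _mss_option_offset(tcp):
    """Offset of the 2-byte MSS value inside the TCP header, or None if no MSS option."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i + 1 < doff:
        kind = tcp[i]
        if kind == 0:                                     # end of option list
            return None
        if kind == 1:                                     # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                                    # malformed option: stop, don't loop forever
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet):
    """MSS option value of an IPv4/TCP packet, or None."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def clamp_mss(packet, max_mss):
    """Rewrite the MSS option of an IPv4 TCP SYN if it exceeds max_mss; anything else passes untouched."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        return packet                                     # not IPv4/TCP
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:
        return packet                                     # MSS is only negotiated on SYN
    off = _mss_option_offset(tcp)
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return packet
    struct.pack_into("!H", tcp, off, max_mss)
    struct.pack_into("!H", tcp, 16, _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def tcp_checksum_ok(packet):
    """True when the TCP checksum of an IPv4/TCP packet verifies."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    syn = build_syn(bytes([10, 8, 0, 2]), bytes([192, 168, 0, 1]), 40000, 443, 1460)
    clamped = clamp_mss(syn, mss_for(1380))
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

Two caveats the posts above run into. mssfix (OpenVPN's default is 1450, alongside a tun-mtu of 1500) only rewrites TCP SYN segments, so a UDP flow inside the tunnel, DNS for instance, is not touched; for those the inner MTU is the lever, which is why tun-mtu also made a difference. And any ceiling that leaves room only for the assumed overhead will still fragment if the real overhead is larger, so after changing it the thing to verify is that the MTU warning disappears from the server log.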
 
Personally I'd say no. Most network data these days is encrypted, therefore not really compressible.
 
Thanks Merlin. Quick question, layman here when it comes to VPNs since I'm just starting out in VPN waters... I've searched for the difference between LZ4 and LZ4-v2 and I don't quite understand what I read. Which is better if I were to use one?
 
LZ4-v2 is supposed to be slightly faster than LZ4. Make sure both ends support it however, as it's not officially documented by OpenVPN.
 
