Ac68u, openvpn-server blocks all WAN traffic on reboot

boomshalek

Hi
I have configured open-vpn and it generally works, but only until I reboot. I think this might be related to having disabled IPv6 and the router falling back to IPv6 while booting. Then all traffic to WAN is blocked.

Jan 27 10:38:21 ovpn-server1[737]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 8 2018
Jan 27 10:38:21 ovpn-server1[737]: library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.08
Jan 27 10:38:21 ovpn-server1[738]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Jan 27 10:38:21 ovpn-server1[738]: Diffie-Hellman initialized with 2048 bit key
Jan 27 10:38:21 ovpn-server1[738]: TUN/TAP device tun21 opened
Jan 27 10:38:21 ovpn-server1[738]: TUN/TAP TX queue length set to 100
Jan 27 10:38:21 ovpn-server1[738]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 27 10:38:21 ovpn-server1[738]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jan 27 10:38:21 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Jan 27 10:38:21 ovpn-server1[738]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Jan 27 10:38:21 ovpn-server1[738]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Jan 27 10:38:21 ovpn-server1[738]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jan 27 10:38:21 ovpn-server1[738]: setsockopt(IPV6_V6ONLY=0)
Jan 27 10:38:21 ovpn-server1[738]: UDPv6 link local (bound): [AF_INET6][undef]:51194
Jan 27 10:38:21 ovpn-server1[738]: UDPv6 link remote: [AF_UNSPEC]
Jan 27 10:38:21 ovpn-server1[738]: MULTI: multi_init called, r=256 v=256
Jan 27 10:38:21 ovpn-server1[738]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Jan 27 10:38:21 ovpn-server1[738]: Initialization Sequence Completed


I have tried to set proto udp4 in the server config via SSH, but this gets overwritten all the time.

Can you help me?
 
As I think this might be related to having disabled IPV6 and the router while booting falling back to ipv6.
It wasn't related to ipv6.
I have now set proto udp4 in the custom configuration section and this works but the problem remains, that I can use the router as normal when disabling OpenVPN Server followed by a reboot. I can continue using it after manually enabling the OpenVPN Server. I can then connect through VPN. If I now initiate a reboot all WAN connection is dead for all clients including non-VPN ones.
 
I have tried to set proto udp4 in the server config via SSH, but this gets overwritten all the time.
It does indeed look like it's trying to use IPv6. Try putting your command in the "Custom configuration" box in the VPN server GUI.
 
As part of the troubleshooting, have you tried turning off both OpenVPN servers and rebooting, and then perhaps rebooting a second time? Do you still lose all WAN connections? (This would possibly help determine if OpenVPN is to blame.)

Which firmware? When did you last update the firmware and which firmware did you update from? Finally, how long ago (firmware-wise) did you do a factory reset?
 
As part of the troubleshooting, have you tried turning off both OpenVPN servers and rebooting, and then perhaps rebooting a second time? Do you still lose all WAN connections? (This would possibly help determine if OpenVPN is to blame.) Which firmware? When did you last update the firmware and which firmware did you update from? Finally, how long ago (firmware-wise) did you do a factory reset?
Hi all
Thank you very much for getting into this.
I rebooted twice after newly rebooting with Server 1 disabled and then enabling only Server 1. In general I only have Server 1 enabled.
I did update the firmware recently (~1 week ago, but the same problem was there before!) to 384.8_2 and before about 2 months ago. But I enabled VPN Server 1 one month ago and did the initial config then. The last factory reset is probably 1.5 years ago. Since then I have probably updated to the recent version every 3 months. Can I export ALL settings, do a factory reset and then re-import them without losing any settings? I am leaving for a long foreign trip in a week and do not have the time to set up everything in that time from scratch...

Here is the log after two reboots attached.
 
I’ll have to leave syslog analysis to Colin.

Can you clarify what happens if you leave the OpenVPN server turned OFF? Do you still lose the WAN after a reboot?

The word is that if you restore your settings from a backup after having done a factory reset, you’ll be back to where you started, i.e. the reset will have been invalidated.

Perhaps Colin or someone else will spot something in your syslog that might lead to an easy fix.
 
The problem seems to be that the OpenVPN server cannot determine what your WAN IP address is at boot time:
Code:
Jan 27 13:06:12 ovpn-server1[738]: UDPv4 link local (bound): [AF_INET][undef]:51194
I don't know why this is as the timing appears to be perfectly normal. Perhaps a bug in OpenVPN, but that hasn't changed for some time AFAIK.
 
By the way, when you say you lose the WAN connection, have you tried pinging, say, google.com, when you believe the WAN is disconnected?
 
The problem seems to be that the OpenVPN server cannot determine what your WAN IP address is at boot time:
Code:
Jan 27 13:06:12 ovpn-server1[738]: UDPv4 link local (bound): [AF_INET][undef]:51194
I don't know why this is as the timing appears to be perfectly normal. Perhaps a bug in OpenVPN, but that hasn't changed for some time AFAIK.

Thanks, Colin; I can confirm that my own router, running both OpenVPN servers, works fine after a reboot. So the glitch seems to be limited to the OP.
 
How long is your WAN DHCP lease time? I see 900 and 721 seconds mentioned in the log.
 
Some more info (as requested):
I can ping to the WAN from the router. The Asus GUI shows that I am connected to my ISP.
I cannot access the WAN from all clients behind the router.

AFAIK there is no setting for the WAN DHCP lease time in the WAN GUI section. So I don't know its setting value.
 
AFAIK there is no setting for the WAN DHCP lease time in the WAN GUI section. So I don't know its setting value.
On the main router page, click the globe to the left of “Internet Status”.
 
On the main router page, click the globe to the left of “Internet Status”.
On that same panel can you compare your WAN IP address from when your WAN works and when it doesn't. The syslog you provided indicates your IP address ends in .137.18 when it doesn't, but you've edited the file and removed the parts from when it does.
 
In the meantime:
  1. I first did a factory reset, imported settings from a file. Same problem.
  2. I then defaulted VPN Server 1 settings and manually re-entered its settings. Problem persists.
Do you have other hints? Should I provide other logs?
 
Try doing a factory reset but don't import your old settings. Then manually configure just the basics to test for the problem. You can then re-import your settings to get back to where you were.
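
The two bind lines compared in this thread ("Using AF_INET6" in the first log, "[AF_INET][undef]:51194" after setting proto udp4) can be pulled out of a saved syslog with a short filter. This is an added example, not code from any poster; the function names are hypothetical and the sample input is constructed from the log lines quoted above.

```shell
#!/bin/sh
# Added example: summarise which socket family each OpenVPN server instance
# bound at start-up, from syslog lines in the format quoted in this thread.

# Constructed sample input: lines copied from the two logs posted above.
sample_log() {
cat <<'EOF'
Jan 27 10:38:21 ovpn-server1[738]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Jan 27 10:38:21 ovpn-server1[738]: setsockopt(IPV6_V6ONLY=0)
Jan 27 10:38:21 ovpn-server1[738]: UDPv6 link local (bound): [AF_INET6][undef]:51194
Jan 27 10:38:21 ovpn-server1[738]: Initialization Sequence Completed
Jan 27 13:06:12 ovpn-server1[738]: UDPv4 link local (bound): [AF_INET][undef]:51194
EOF
}

# Reads syslog on stdin and prints one line per bind event:
#   <time> <instance> <family> addr=<address|undef> port=<port> [fallback]
# "fallback" marks a bind preceded by the "Could not determine" message,
# i.e. the family was chosen by OpenVPN, not by an explicit proto setting.
ovpn_bind_summary() {
    awk '
    / ovpn-server[0-9]+\[[0-9]+\]: / {
        inst = $4; sub(/\[.*/, "", inst)             # ovpn-server1
        if ($0 ~ /Could not determine IPv4\/IPv6 protocol/) {
            fb[inst] = 1; next
        }
        if ($0 ~ /link local \(bound\): \[/) {
            s = $0; sub(/.*\(bound\): \[/, "", s)    # AF_INET6][undef]:51194
            fam = s;  sub(/\].*/, "", fam)           # AF_INET6
            rest = s; sub(/^[A-Z0-9_]+\]/, "", rest) # [undef]:51194
            port = rest; sub(/.*:/, "", port)        # text after last colon
            addr = rest; sub(/:[0-9]+$/, "", addr)
            gsub(/\[|\]/, "", addr)                  # undef or a literal IP
            printf "%s %s %s addr=%s port=%s%s\n", $3, inst, fam, addr, port,
                   (fb[inst] ? " fallback" : "")
            delete fb[inst]
        }
    }'
}

sample_log | ovpn_bind_summary
```

Pipe a saved router syslog into `ovpn_bind_summary` to compare the bind lines from a working boot and a failing one.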
 
