Costant VPN failures

[Thorton]

AC87U on 380.67. Running VPN client, which disconnects every few hours and the only way to get connection up and running again is to click OFF and then ON in VPN clients list. Not very sure if it's router or VPN provider fault. The system log is full of those messages every few hours:

Aug 7 13:53:27 openvpn[14416]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=ch11.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Aug 7 13:53:27 openvpn[14416]: VERIFY KU OK
Aug 7 13:53:27 openvpn[14416]: Validating certificate extended key usage
Aug 7 13:53:27 openvpn[14416]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 7 13:53:27 openvpn[14416]: VERIFY EKU OK
Aug 7 13:53:27 openvpn[14416]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=ch11.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Aug 7 13:53:29 openvpn[14416]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 7 13:53:29 openvpn[14416]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 7 13:53:29 openvpn[14416]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

...and then connection goes down.

 

[iMx]

Out of curiosity, do you still see the same if you set 'Accept DNS Configuration' to 'Disabled'? This fixed it for me, when the firewall is set to Automatic at least, be careful for DNS leaks if you do try this - make sure an external IP is set for DNS on your devices, to force it over the tunnel.

I just haven't found time to look at the iptables rules that are inserted. Basically I was seeing the VPN restart, or try to at least, but the connection not timing out from the VPN providers end and so failed with an AUTH_FAILED if there were too many reconnects in a short space of time (presumably hitting their concurrent login limit), shortly after my router gave up trying to reconnect.

EDIT: Just to clarify, the pushed DNS servers for me are 8.8.8.8 and 8.8.4.4, which are accessible should the VPN drop (so it shouldn't be a case of DNS not resolvable if the tunnel goes down), but I still see the same with an IP server address. But when I set Accept DNS Configuration to Disabled, the tunnel stays up just fine.

Edit 2: The rest of the forum will probably want to see details of your config, custom config, etc.

 

[Thorton]

Yes, I also see AUTH_FAILED error often.

 

[Thorton]

I'm going to try setting DNS to Disabled as you suggested, could you please clarify what do you mean with "be careful for DNS leaks if you do try this"?

 

[iMx]

DNS requests could/may/will bypass the VPN tunnel and go out of your regular internet connection, unencrypted:

https://www.dnsleaktest.com/

 

[Thorton]

Sorry for not being very clear. I know what DNS leak is, I'm just not very sure what "make sure an external IP is set for DNS on your devices, to force it over the tunnel" means.

I have VPN provider's DNS servers entered into DNS Server1/DNS Server2 fields in WAN section on router itself. Is it enough, or you mean that I should also configure each device (which connects via router) separately to prevent leaks?

 

[iMx]

If the DNS server is assigned by the router via DHCP to your clients, by default it is going to be the routers IP address - 192.168.1.1 for example. This means that when your device makes a DNS request, the router doesn't have to look up the route in its routing table, because its a local connection it simply works at Layer 2 (no Layer 3 route look up required).

By statically setting 8.8.8.8/8.8.4.4 on your device(s), when the device goes to make a DNS request it will follow the default route (unless there is some NAT-ing) over the VPN tunnel as it is a non-local destination. I don't mean to distract from your original query, but this was what solved things for me, I just haven't had time to delve deeper to work out why this keeps the VPN stable for me at least (Accept DNS Set to Disabled, then any external DNS server Google/OpenDNS statically configured on the client/device side).

 

[Thorton]

Thanks.

 

[Brenneke]

Thank you IMx for your suggestion to set 'Accept DNS Configuration' to 'Disabled', this worked for me as well. Have been battling this same problem for quite some time.

 

[Thorton]

Unfortunately, it didn't work for me - still disconnects every 2 hours or so...

 

[Brenneke]

What does your config look like? I don't profess to know a great deal about this but mine looks like this and is working well: (on Nord)

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
auth-retry nointeract

 

[Thorton]

remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
explicit-exit-notify 3
remote-cert-tls server
pull
fast-io