Detecting dead NordVPN tunnel quickly?

[Atlantica]

I am using OpenVPN (UDP) – mainly for Teams/Meet video meetings – to a NordVPN server in Europe, from an Asus RT-86U PRO client. Normally things work fine.

Lately there have been small “breaks” in the internet connection (to Europe?), causing the VPN to stop. However, even though I can see from other non-VPN devices that the local connection is back, the VPN takes up to 2 minutes to detect the link is down, and re-connect.

2 minutes is a LONG time when I am the one talking on Teams.

To me the objective is to detect a dead tunnel as soon as possible, and re-connect.

As a test I have replaced

--ping 15
--ping-timer-rem

with

--keepalive 2 10
--explicit-exit-notify 1

Any better ideas/advice?

Thanks!

 

[ColinTaylor]

I am using OpenVPN (UDP) – mainly for Teams/Meet video meetings – to a NordVPN server in Europe,

Why? For a latency sensitive application like video conferencing you're just adding more latency and complexity together with another point of failure. If you can use Teams/Meet without a VPN that would be preferable.

 

[Atlantica]

Why? For a latency sensitive application like video conferencing you're just adding more latency and complexity together with another point of failure. If you can use Teams/Meet without a VPN that would be preferable.

Because I am in country X, and the company expects calls/login from its home country Y.
(Not doing anything illegal! )

Do you have any advice regarding the question above?

 

[RMerlin]

If you are using a PC for the meeting, try using their application instead of a router tunnel - it might behave more nicely with tunnel drops. Tunnels shouldn't drop however, so also consider trying a different server.

 

[cptnoblivious]

If you are using a PC for the meeting, try using their application instead of a router tunnel - it might behave more nicely with tunnel drops. Tunnels shouldn't drop however, so also consider trying a different server.

Definitely!

Though, I'm wondering if perhaps the OP is trying to use a corporate laptop (i.e. no way to install Nord) and trying to appear to be located elsewhere ...

 

[Atlantica]

If you are using a PC for the meeting, try using their application instead of a router tunnel - it might behave more nicely with tunnel drops. Tunnels shouldn't drop however, so also consider trying a different server.

Thank you. As cptoblivious says, I'm on a corporate machine (several, in fact) which I cannot install applications on.

Since it is often I who do a lot of the talking in these meetings, and therefore I don't notice immediately that the VPN is down, I'm looking for a configuration which quickly detects the VPN is down.

(The VPN in question is NordVPN, and this seems to happen several days a week, at approximately (but not exactly) the same time.)

Thank you for your help! It is appreciated.

 

[RMerlin]

Try a different server then. I used to use NordVPN for my tests, and the local servers were always very stable for me. You probably do get the key rotation that might possibly interfere with a meeting, but that rotation interval is not configurable from the client side, it's determined by the server, so nothing you can do about it. I haven't noticed what NordVPN uses, but 1 hour is a common rotation period. They shouldn`t require a complete reconnection however, something else must be interrupting your tunnel.

 

[Atlantica]

I will try a different server - I'm unsure whether it is the server which is down (or kicks off users), or the link between Latin-America and Europe. There has been issues going from Brazil to Europe. (So I get about 500/500 Mbps nationally normally, but some days I only got 300/5 Mbps (!) to Speedtest servers in Europe/USA/South Africa. Very unbalanced.)


I also discovered something strange: the UDP ovpn config file from NordVPN has a remote-random already, but when I add extra servers both stock ASUS and Merlin only ever select the last, and when I put a "dead" VPN server as the last one, it never starts at the top of the list. It just tries the last VPN again and again.

 

[Atlantica]

Try a different server then. I used to use NordVPN for my tests, and the local servers were always very stable for me. You probably do get the key rotation that might possibly interfere with a meeting, but that rotation interval is not configurable from the client side, it's determined by the server, so nothing you can do about it. I haven't noticed what NordVPN uses, but 1 hour is a common rotation period. They shouldn`t require a complete reconnection however, something else must be interrupting your tunnel.

In addition to my reply above:

I tried to remove the X509 check from the NordVPN config file (because I was trying several servers), on both stock and Merlin. Asus Stock accepted it, but Merlin stopped with a fatal error. (I put a semi-colon first.)

;verify-x509-name CN=no238.nordvpn.com

Gave the following with Merlin

Nov 25 11:17:57 ovpn-client1[3926]: TUN/TAP device tun11 opened
Nov 25 11:17:57 ovpn-client1[3926]: TUN/TAP TX queue length set to 1000
Nov 25 11:17:57 ovpn-client1[3926]: /usr/sbin/ip link set dev tun11 up mtu 1500
Nov 25 11:17:57 ovpn-client1[3926]: /usr/sbin/ip link set dev tun11 up
Nov 25 11:17:57 ovpn-client1[3926]: Linux ip link set failed: external program exited with error status: 1
Nov 25 11:17:57 ovpn-client1[3926]: Exiting due to fatal error

Removing the semi-colon, and it connects.

 

[ColinTaylor]

Try using # instead of ;

 

[Ripshod]

Tangential thinking. Have you ever tried the nord wireguard servers?

 

[Atlantica]

Try using # instead of ;

Hi Colin,
Thanks for the idea. I've tried with both # and with ;

Now I even tried removing the line altogether, and same fatal error in all three cases.

I'm litterally using the same config file on an Asus RT-AX86U PRO with stock, and an RT-AC68U with Merlin. (I put Merlin on an old router to get used to it, so I would not have to irritate everbody by "playing" on the main router.) The stock accepts, the Merlin doesn't.

 

[Atlantica]

Tangential thinking. Have you ever tried the nord wireguard servers?

Hi Ripsho,

Thanks for the suggestion. I haven't, because NordVPN will not release config files for Wireguard. It is only available in the NordVPN application, which I can't install on a corporate PC. I had a LONG discussion with their customer support about it! Thanks!

When my NordVPN subscription runs out in about 3 months, I may try Proton.