OpenVPN client fails to reconnect automatically "Error connecting - Authentication failed")

[coqypef]

May be worth forcing a WAN restart to see if the VPN recovers correctly.

I restarted the WAN by executing service restart_wan in putty (while the VPN connection was working). The VPN connection came back up automatically without my intervention. Log file: https://pastebin.com/raw/aCTUH38M

(I've previously also tried disconnecting the WAN cable etc. with the same result)

 

[eibgrad]

OK, then try my previous suggestions for tonight. It might just be that they're taking down that server for some reason, and given that's your only option at the moment, it might explain why it never restarts.

 

[coqypef]

I think it may be due to your ISP's DHCP malfunction, which leads to network being unreachable

Possibly, but I didn't get that error in the second log file i posted (Link to post). My connection is a fiber connection that is supposed to have pretty much 100% uptime, but I notice that my internet connection (outside my VPN) gets disconnected rather frequently (perhaps 1-5 times per week or even more). I'm not sure that is also what's triggering my "Error connecting - Authentication failed" VPN problem. Nevertheless, I think the OpenVPN connection should be able to reconnect properly.

OK, then try my previous suggestions for tonight.

Thanks, I've implemented your suggestions. I also replaced the CAT5 cable between the WAN port of my router and the fiber converter installed by my ISP (just in case).

I'll reply here with updates.

 

[Quoc Huynh]

Possibly, but I didn't get that error in the second log file i posted (Link to post). My connection is a fiber connection that is supposed to have pretty much 100% uptime, but I notice that my internet connection (outside my VPN) gets disconnected rather frequently (perhaps 1-5 times per week or even more). I'm not sure that is also what's triggering my "Error connecting - Authentication failed" VPN problem. Nevertheless, I think the OpenVPN connection should be able to reconnect properly.



Thanks, I've implemented your suggestions. I also replaced the CAT5 cable between the WAN port of my router and the fiber converter installed by my ISP (just in case).

I'll reply here with updates.

Sorry I forgot to view your second log file As I see, your VPN connection was stable until 6:52 am, when the first disconnection occurred. So, I think the problem may be due to either your ISP or VPN server connection (as @eibgrad said). In my opinion, you should follow his instructions and see whether the issue comes back or not

 

[RMerlin]

Those were the settings in my first post. It doesn't work.

Just disable auth tokens, not caching.

 

[coqypef]

@eibgrad @Quoc Huynh
Unfortunately it's happened again. My custom settings at this time were:

resolv-retry infinite
remote-cert-tls server
pull-filter ignore "auth-token"
server-poll-timeout 10
remote v.v.v.v 443
remote v.v.v.v 992
remote v.v.v.v 5555
#remote v.v.v.v 1194
remote w.w.w.w 443
remote w.w.w.w 992
remote w.w.w.w 1194
remote w.w.w.w 5555
remote r.r.r.r 443
remote r.r.r.r 1194
remote j.j.j.j 443
remote j.j.j.j 992
remote j.j.j.j 5555
remote j.j.j.j 1194

I was also using UDP instead of TCP.
Full settings: https://i.imgur.com/VPR8gaY.png
Log file: https://pastebin.com/raw/N8HVE0bM

This time i had to switch the "Service state" slider to the ON position two times to get it working again. (The first time i got yet another "authentication failed" (auth-failure) error.)

BTW I now also run a python script that's constantly connected to a websocket (outside the vpn connection) to log any internet down-time. It's only registered an extremely short (<1 sec) moment of down-time at 21:45:18 which doesn't seem to have affected anything AFAICT by my router's log file.

Just disable auth tokens, not caching.

That's what i'm doing now, right? It's not working.

Any more suggestions? This is killing me. I ran an OpenVPN client on my RT-AC66U B1 for 1.5 years towards the same VPN provider without issue, it always reconnected automatically.

 

[eibgrad]

I'm beginning to think that maybe this auth-token directive is the issue, and by simply ignoring it, it doesn't prevent the server from expecting it to be used. And unless you bring down the tunnel entirely, it won't accept your username/password in the GUI.

The problem in restarting the tunnel is that, by default, the config file contains the persist-tun directive, which prevents a complete shutdown prior to a restart. You'd have to use a postconf script to remove it because you can't override a no-arguments directive by adding anything to custom config. It's one of the reasons I would prefer persist-tun was an option in the GUI. But I understand why it isn't; it complicates things. But when something like this happens, you need to delete that directive.

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

Btw, when it fails, are you busy using it? Or does it appear to be a legit case of inactivity? Because I'm just wondering what would happen if you kept the tunnel busy, perhapsw/ a ping, download a small file every 10 mins, etc. Anything to convince the server you're active.

 

[Quoc Huynh]

Maybe you can try to add these parameters to the custom settings section:

auth-retry nointeract
persist-tun
persist-key

I learnt those from other members when encountering on-and-off disconnection from my VPN server's provider (NordVPN) some years ago. Hope they can help

 

[coqypef]

Maybe you can try to add these parameters to the custom settings section:

auth-retry nointeract
persist-tun
persist-key

I tried adding those. Didn't work (same problem as before).

The problem in restarting the tunnel is that, by default, the config file contains the persist-tun directive, which prevents a complete shutdown prior to a restart. You'd have to use a postconf script to remove it (..) Btw, when it fails, are you busy using it? Or does it appear to be a legit case of inactivity?

The connection is not idle, at least not more than five minutes.

OK so now I've went to Advanced Settings, Administration, System and enabled "Enable JFFS custom scripts and configs". Then i saved /jffs/scripts/openvpnclient1.postconf with the following content:

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "persist-tun" "#persist-tun" $CONFIG

My custom settings are still the same as before, .i.e;

resolv-retry infinite
remote-cert-tls server
pull-filter ignore "auth-token"
server-poll-timeout 10
remote v.v.v.v 443
remote v.v.v.v 992
remote v.v.v.v 5555
#remote v.v.v.v 1194
remote w.w.w.w 443
remote w.w.w.w 992
remote w.w.w.w 1194
remote w.w.w.w 5555
remote r.r.r.r 443
remote r.r.r.r 1194
remote j.j.j.j 443
remote j.j.j.j 992
remote j.j.j.j 5555
remote j.j.j.j 1194

I've also restarted the OpenVPN client. Log file says:

custom_script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn ) - max timeout = 120s

So i guess it has loaded my script. I'll let you know if this solves the problem.

 

[coqypef]

At least i didn't have to wait long. Failed after 20 minutes. Same problem as before (AUTH_FAILED -> auth-failure -> Error connecting - Authentication failed.).

This time i can confirm that the connection was not idle when it failed.

Log file: https://pastebin.com/raw/e1khDuRN

Suggestions? Did i do the script right?

 

[eibgrad]

While the OpenVPN client is running, you need to dump the config file in order to tell if the postconf worked.

cat /tmp/etc/openvpn/client1/config.ovpn

(assuming you're using client #1, of course)

 

[eibgrad]

Even if the postconf works, it's still bizarre that it's reporting inactivity after only 20 mins, then you can clearly see it trying to run through the other remote directives to establish a connection, all of which timeout, until it just quits entirely.

I suppose you could try increasing the timeout, say 30 secs. But still, it makes no sense why it generates this soft restart based on inactivity in the first place. This has all the signs of the VPN provider initiating the soft restart, for whatever reasons.

P.S.

Did you pay your PIA bill this past month? LOL

 

[coqypef]

While the OpenVPN client is running, you need to dump the config file in order to tell if the postconf worked.

cat /tmp/etc/openvpn/client1/config.ovpn

(assuming you're using client #1, of course)

Thank you. My script had in fact not been running.

I've now fixed it by CHMOD'ing /jffs/scripts/openvpnclient1.postconf to 0777 and restarted the client.

The "persist-tun" line is now preceded by a # in /tmp/etc/openvpn/client1/config.ovpn. For the record, here's the complete file: https://pastebin.com/raw/LpBqYYHh

I only ever use client 1. Let's wait and see again if this solves my problem.

Unpaid bill is not the problem but i guess i can't rule out a fault on my VPN provider's end. But i only started getting this problem after i got a new router. Most likely the error is with me

 

[eibgrad]

If this doesn't work, then all I can recommend is setting the router to factory defaults and manually reconfiguring. Even if it does work, it might still be a good idea. You shouldn't be getting all these soft restarts in the first place. Getting one after only 20 mins is ridiculous.

 

[Quoc Huynh]

I tried adding those. Didn't work (same problem as before).

I am so sorry to hear that they didn't work for you What a pity that's all I know. Maybe @eibgrad or other members can have better solutions

 

[eibgrad]

Hmm, haven't heard a peep all day, I hope this means good news!

 

[coqypef]

@eibgrad
@Quoc Huynh
Unfortunately not. Same problem as before. Log file: https://pastebin.com/raw/es0CZfRJ

I verified again that the "persist-tun" line is in fact preceded by a # in
/tmp/etc/openvpn/client1/config.ovpn.

Could it be possible that the "Accept DNS Configuration" = Exclusive setting has anything to do with my problem? IIRC i didn't use Exclusive on my previous router

 

[eibgrad]

Here's what I'm seeing.

At the beginning, you can see a series of hourly soft restarts/resets that are just the session key being regenerated. They occur @ 5:26, 6:26, and 7:26. So no problems there.

At 7:39, 13 minutes after the last key regen, we get the first soft restart/reset due to inactivity. And you can see the effects of having removed persist-tun. The whole connection is brought down and rebuilt from the ground up. And eventually completes w/ the message "initialization sequence completed" @ 7:40.

24 mins later, @ 8:04, we get another soft restart/reset due to inactivity, and once again the connection is restablished w/ the message "initialization sequence completed". A mere 87 seconds later, you get yet another soft restart/reset due to inactivity, and now it just dies, but now due to this AUTH_FAILED issue.

This doesn't seem to me to be an issue w/ the configuration. It has the smell of the server (or their system in general) wanting to kick off the user for some reason. And iirc, this usually happens around the same time every day. How can authorization suddenly fail when it's been working just fine, even after repeated restarts?! That's why this doesn't seem like a configuration error. It seems like a deliberate action by the VPN provider.

I would complain to the VPN provider, and ask them to explain that log. And if they can't, perhaps it's time to change VPN providers.

 

[coqypef]

I would complain to the VPN provider, and ask them to explain that log. And if they can't, perhaps it's time to change VPN providers.

Thanks. I've explained the problem in detail and I'm awaiting their response. I'll let you know what happens.

 

[coqypef]

Confirmed server problem. Response: "Too many connection attempts [by other users, i guess], creating a long stack for our API servers (responsible for the sign in process) and higher process times. Request is dropped when processing time > timeout".

I did not expect that, as it was stable for 1.5 years. Thanks a lot for the help though @eibgrad and @Quoc Huynh.

One last question though, after this has happened:

SIGTERM[soft,auth-failure] received, process exiting

is there a way to have my router automatically restart the openvpn client?

I mean, I'll probably change VPN provider, but I could still face this situation where i'd have to log into my router and manually restart the openvpn client sometimes. I'd like my setup to be as robust and maintenance-free as possible.