
OpenVPN server fails after changing WAN MAC

truglodite

Regular Contributor
I am running Merlin 384.6 with Diversion (+pixelserv-tls) & Skynet on an ac86u. The vpn server has worked great before. The server was running and wan was connected, along with several clients. I may have goofed by changing the WAN MAC and hitting apply. After a minute my ISP assigned me a different IP, then the log shows this openvpn failure:

https://pastebin.com/eJFscB2S

Note that the X in the IP is just privacy, but that was the IP I had previous to changing the WAN MAC. My new IP has different first and second octets. I have already tried rebooting, turning the server off/rebooting, on/rebooting... reflashing 384.6... disabled Diversion & Skynet and all of the above again. The same error pops up in the log, and the openvpn server page says "OpenVPN server daemon failed to start. Please check your device environment or contents on the Advanced Setting page" in yellow. Everything on advanced settings checks out no different than before when it was working.

I am not sure if/where there is just a file I can edit to fix this. I hope there is a simpler solution than initializing the firmware to defaults and redoing everything from scratch. I would also like to know how this may have happened so I can avoid it again (perhaps turn off the openvpn server before changing WAN MAC?). Any help is greatly appreciated.

Kev
 
Hi Kev,

I noticed a bug introduced in Merlin 384.6 regarding OpenVPN Client using a RT-AC5300. It sounds like it could be partly related to your problem. I noticed that when the WAN connection dropped, the OpenVPN Client would kill the connection to its clients until the VPN connection could be reestablished, as it should. The VPN would reestablish, but the TUN/TAP read and write bytes would come up as zero. In other words, the VPN connection was dead. Through a bit of testing it seems like the TUN/TAP connection is establishing itself too quickly, causing the failure.

The solution I have found is as follows for my issue,

First the "VPN Client Service state" must be off
and "automatic start at boot time" set to off.
(You can enable them later).

Navigate to the WAN Section.
"Connect to DNS Server automatically" change from yes to no OR no to yes. Click "Apply".
Wait for about 10-20 seconds before enabling VPN Client after WAN restart.
Otherwise the TUN/TAP will fail to work.

You will have to do this every time your WAN connection drops or WAN MAC address changes I guess. I haven't found another solution to the problem running stock Merlin on 384.6. The issue was not present in the 384.5 version.

I hope this information is helpful.

Cheers,
Curlz
 
Thanks for the reply, however my problem relates to the vpn server, not client. Also I have tried starting the service long after the wan connection is established.
 
Do you already have OpenVPN Server 1 using port 1194?

Try changing OpenVPN Server 2 to use port 1195

 
No server1 is a TCP/443 server, and is not used often (it is actually off). Everything was working fine until I changed the wan mac. No other changes were made.

Out of curiosity, I tried turning on server1 to see if it would work, and the exact same failure popped up in the log. So neither of the 2 servers are working.
 
Ahh indeed.... error=98 is for a duplicate port
Code:
                ovpn-server2[26704]: TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=98)

You posted error=99
Code:
Sep 12 23:40:01 ovpn-server2[5158]:  TCP/UDP: Socket bind failed on local address [AF_INET]65.78.144.X:1194: Cannot assign requested address (errno=99)

Do you have the 'local' directive specified in your OpenVPN configurations? 'config.conf'?
e.g.
Code:
local 65.78.144.X
 
I do have local, but not that ip...

local myddnsusername.asuscomm.com

I noted that the ddns page shows my username is 'registered', same as before when everything was working.
 
So either (temporarily) remove the 'local' directive or specify your current WAN IP address
Code:
local xxx.xxx.xxx.xxx

and see if the OpenVPN server(s) start?

If they do then there are posts to assist in unlinking your MAC from the Asus DNS service.
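The two bind failures compared above (errno=98 versus errno=99) and the 'local' check that follows are easy to script before restarting the server. This is an added example, not code from the thread or from any poster; it assumes a busybox-style router shell with ip, awk and nslookup, and the config-file layout used by the firmware's ovpn servers.

```sh
#!/bin/sh
# errno=98 (EADDRINUSE): another process already owns the port.
# errno=99 (EADDRNOTAVAIL): the address named by 'local' is not configured on any
#   interface, e.g. a DDNS name still resolving to the pre-MAC-change WAN IP.

# Classify one syslog line written by ovpn-serverX.
classify_bind_error() {
  case "$1" in
    *"Socket bind failed"*"errno=98"*) echo port-in-use ;;
    *"Socket bind failed"*"errno=99"*) echo stale-local-address ;;
    *) echo other ;;
  esac
}

# Argument of the first 'local' directive in an OpenVPN config (empty if none).
local_directive() {
  awk '$1 == "local" { print $2; exit }' "$1"
}

# IPv4 addresses currently configured on this router, one per line.
configured_ipv4() {
  ip -4 addr 2>/dev/null | awk '/inet / { sub("/.*", "", $2); print $2 }'
}

# Resolve a hostname with busybox nslookup; dotted quads pass through unchanged.
resolve_local() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo "$1" ;;
    *) nslookup "$1" 2>/dev/null | awk '/^Address/ { a = $NF } END { print a }' ;;
  esac
}

# $1 = address 'local' resolves to, $2 = whitespace-separated list of addresses
# configured here. Returns 0 if OpenVPN will be able to bind, 1 otherwise.
check_local_bind() {
  for have in $2; do
    [ "$have" = "$1" ] && return 0
  done
  return 1
}

# Run the check against a server config (hypothetical path) before starting it.
check_server_config() {
  target=$(local_directive "$1")
  [ -z "$target" ] && { echo "no 'local' directive: binds to all addresses"; return 0; }
  addr=$(resolve_local "$target")
  if check_local_bind "$addr" "$(configured_ipv4)"; then
    echo "ok: 'local $target' -> $addr is configured on this router"
  else
    echo "mismatch: 'local $target' -> '$addr' not configured here (expect errno=99)"; return 1
  fi
}
```

On a mismatch the fix is the one given above: drop the 'local' line, or point it at an address the router actually holds, then start the server again.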
 
Now we're getting somewhere. Before I read your last post I tried starting the server with the local line removed, and it started successfully. I put that in there a while ago so I could use the tcp/443 server with absolution/pixelserv-tls. So I suppose it isn't even needed for the UDP vpn server anyways. I will look into unlinking my old MAC from asus dns service so I can get the tcp server going again.

Thank you very much Martineau!
 
:D Not sure if this is relevant FAQ [DDNS] How do I remove the registered DDNS name from my previous router?

P.S. Perhaps I should sell my openvpnserverX.postconf;)
Code:
#======================================================================================================= © 2016-2018 Martineau, v1.02
#
#  1. Allows you to specify via the GUI, which WAN interface is to be strictly used for this VPN Server...
#
#
# Option 1.
# =========
#
#     e.g. WAN0 may be a SLOW/Expensive/Data-capped 3/4G link
#          WAN1 may be a FAST VDSL/Fibre link
#
#          So in the VPN Server X Custom Configuration dialog box enter
#
#                local wan1
#             or if you *REALLY* want to allow the VPN tunnel via the slow/expensive 3/4G WAN...
#                local wan0
#
#          and the current ACTIVE BIND I/P address for the requested virtual WAN interface will be extracted from the DUAL-WAN tables
#
#              e.g.   ip route show table wan0 -> ifconfig interface name's I/P Address for the device (eth0/usb0/vlanX etc.)
#                     or
#                     ip route show table wan1 -> ifconfig interface name's I/P Address for the device (eth0/usb0/vlanX etc.)
#
#
# NOTE: If the BIND is successful there will be messages in Syslog
#
#       (openvpnserverX.postconf): nnnn VPN Server X will BIND to xxx.xxx.xxx.xxx via virtual interface 'wan0'
#
#        ovpn-serverX[18889]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx:443
#
#       This script will also attempt to update the VPN Server GUI with a '#' Comment!
#
#       local wan0 # yyymmddhhmm Last BIND to xxx.xxx.xxx.xxx via zzzz
#
#       NOTE: If you have a static WAN0/WAN1 IP then this single code line does it!
#             pc_replace "nobind" "local xxx.xxx.xxx.xxx" $CONFIG
#
 
The essence of using "local" is building up a static relationship. If it depends on a dynamic IP or a DDNS, you're risking having to bounce the OpenVPN processes manually.

So if you use "local 192.168.1.1" (replace that with your main IP on br0), your OpenVPN processes will always be up and running, and will never run into races or weird conditions like this.

To close the loop, add a port forward rule to the above IP. Your WAN to OpenVPN will always work after reboot.
 
So the server SEEMED to start up without errors this morning (no errors in log). However while at work I fired up my vpn client on my phone and the connection failed. From the client log it is clear why it failed... my username is still linked to my old ip. :(

So looks like I need to call asus and wait some days before this is sorted. I thought asus would see it is the same router serial# and let me be.

[edit: My solution for now is use the old mac. Works as good as before, even though there is the yellow warning "username registered". :/ ]
 
I have never had issues like this before, even when my IP changed. I think this may be caused by both the MAC and IP change together. I suppose I should appreciate Asus's efforts to add security on their end of the DDNS service, but it would be nice if things were more resilient in this case. I can't be the only noob changing the WAN MAC on a dynamic IP... without a plan to go without VPN service for some days.
 
it would be nice if things were more resilient in this case. I can't be the only noob changing wan mac on a dynamic ip... without a plan to go without vpn service for some days.

Based on the discussion in this thread, I see your setup has multiple failure points for VPN access. Asus DDNS is one of them. Not sure about its current status; it used to be quite good and then was followed by multiple service disruptions a few months in a row. That invited me to switch to NO-IP. Now I'm mostly Cloudflare.

With the adjustment as suggested, VPN availability should be pretty good even if your router sometimes wants a reboot by itself or someone resets its power supply abruptly. OpenVPN when set up properly is like a workhorse, but I no longer run it since a few years ago.

Use IPsec VPN instead if it's available as a direct replacement. What most people running pixelserv-tls need is not to access the private LAN directly, but to benefit from some of its services on the LAN such as DNSmasq (with blocked domains) and pixelserv-tls. Shadowsocks could be an excellent replacement for OpenVPN in such a case. It'll give you a much snappier browsing experience!

As an aside, pixelserv-tls 2.2 will have improved performance over WAN.
 
After this problem I am certainly interested in alternatives to asus ddns. Cloudflare looks to be the fastest, but then noip seems absent for most speed tests... not sure how much speed matters with ddns though. I like noip because it seems the most popular these days.

I looked at shadowsocks. I haven't looked outside of ovpn for merlin though... I'll read up on how to set up an ipsec vpn. Either way I don't usually do much through my vpn. The diversion+pixelserv is nice to have while I'm on mobile networks, and I use my home network resources too (mostly checking on cameras). With my 4k certs and openvpn, my average up/down is 12/15... plenty for what I'm doing. But I like learning new things, and likely in a month or 2 I'll get the itch to implement ipsec. ;)
 