
OpenVPN stops working spontaneously on RT-AC88U with 386.2_4 (but already with older releases)


Scheggiaimpazzita

Occasional Visitor
Hello Everyone,
I'm having trouble with my router; it has the problem described in the subject.
I've configured an OpenVPN server for SSL connection and it works for some weeks (2, max 3 it seems), then it stops accepting connections. The client hangs trying to connect but doesn't establish the connection.
This is an example:
Sun Jul 25 21:02:48 2021 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
Sun Jul 25 21:02:48 2021 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

Sun Jul 25 21:02:48 2021 OpenVPN 2.5.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 24 2021
Sun Jul 25 21:02:48 2021 Windows version 10.0 (Windows 10 or greater) 64bit
Sun Jul 25 21:02:48 2021 library versions: OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10
Sun Jul 25 21:02:50 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]<obscured IP>:1194
Sun Jul 25 21:02:50 2021 UDP link local: (not bound)
Sun Jul 25 21:02:50 2021 UDP link remote: [AF_INET]<obscured IP>:1194


The only method I found to restore the functionality is to disable and re-enable the server with the "ON-OFF" button in the configuration menu.
I'm also running Skynet and Diversion with auto update (and they update regularly) and some specific iptables settings to prevent Chinese cameras from communicating externally.
While the problem persisted I also tried:
- Disabling the weekly auto reboot, which I thought was the root cause for some unknown reason
- Disabling Skynet and Diversion
- Clearing all non-manual bans on Skynet, so that a reboot followed by re-activation of Skynet should not have triggered the problem
- Software rebooting the router
- Issuing a HALT and powering down and up
I have had this problem for a long time, and in my opinion also with older releases, but because I didn't need to be away for a very long time and/or had time to troubleshoot deeply disabling Skynet and Diversion.
Thanks to anyone who can help
 
Any suggestion yet?

Just to add some data: after coming home I tried connecting from my smartphone, and absolutely no log was added to syslog.log (on jffs or on /etc), either with wireless turned off to use cellular (so external) or even from internal.



So I upgraded to 386.3, and after reboot, still not working at all, no logs.



I went into VPN configuration screen from https gui and found that in the recap screen the openvpn server was "stopped" but on "VPN Server" screen the "Enable OpenVPN Server" was shown as "ON".

So I turned it off and, while running tail -f on syslog, I got this:



Jul 28 18:19:11 rc_service: httpds 622:notify_rc stop_vpnserver1
Jul 28 18:19:11 custom_script: Running /jffs/scripts/service-event (args: stop vpnserver1)

Then I turned back to "ON" and saved, observing these logs:



Jul 28 18:19:48 rc_service: httpds 622:notify_rc restart_chpass;restart_vpnserver1
Jul 28 18:19:49 custom_script: Running /jffs/scripts/service-event (args: restart chpass)
Jul 28 18:19:49 custom_script: Running /jffs/scripts/service-event (args: restart vpnserver1)
Jul 28 18:19:50 ovpn-server1[4665]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jul 28 18:19:50 ovpn-server1[4665]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
Jul 28 18:19:50 ovpn-server1[4665]: OpenVPN 2.5.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 23 2021
Jul 28 18:19:50 ovpn-server1[4665]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.08
Jul 28 18:19:50 ovpn-server1[4666]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 28 18:19:50 syslog: PLUGIN AUTH-PAM: BACKGROUND: initialization succeeded
Jul 28 18:19:50 ovpn-server1[4666]: PLUGIN AUTH-PAM: initialization succeeded (fg)
Jul 28 18:19:50 ovpn-server1[4666]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Jul 28 18:19:50 ovpn-server1[4666]: Diffie-Hellman initialized with 2048 bit key
Jul 28 18:19:50 ovpn-server1[4666]: Outgoing Control Channel Encryption: Cipher 'RRR-nnn-QQQ' initialized with nnn bit key
Jul 28 18:19:50 ovpn-server1[4666]: Outgoing Control Channel Encryption: Using nnn bit message hash 'LLLnnn' for HMAC authentication
Jul 28 18:19:50 ovpn-server1[4666]: Incoming Control Channel Encryption: Cipher 'RRR-nnn-QQQ' initialized with nnn bit key
Jul 28 18:19:50 ovpn-server1[4666]: Incoming Control Channel Encryption: Using nnn bit message hash 'LLLnnn' for HMAC authentication
Jul 28 18:19:50 ovpn-server1[4666]: TUN/TAP device tun21 opened
Jul 28 18:19:50 ovpn-server1[4666]: TUN/TAP TX queue length set to 1000
Jul 28 18:19:50 ovpn-server1[4666]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jul 28 18:19:51 ovpn-server1[4666]: /usr/sbin/ip link set dev tun21 up
Jul 28 18:19:51 ovpn-server1[4666]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24
Jul 28 18:19:51 ovpn-server1[4666]: ovpn-up 1 server tun21 1500 1621 10.8.0.1 255.255.255.0 init
Jul 28 18:19:51 ovpn-server1[4666]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Jul 28 18:19:51 ovpn-server1[4666]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jul 28 18:19:51 ovpn-server1[4666]: setsockopt(IPV6_V6ONLY=0)
Jul 28 18:19:51 ovpn-server1[4666]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Jul 28 18:19:51 ovpn-server1[4666]: UDPv6 link remote: [AF_UNSPEC]
Jul 28 18:19:51 ovpn-server1[4666]: MULTI: multi_init called, r=nnn v=nnn
Jul 28 18:19:51 ovpn-server1[4666]: IFCONFIG POOL IPv4: base=10.8.0.2 size=252
Jul 28 18:19:51 ovpn-server1[4666]: Initialization Sequence Completed


Then I tried a connection and obviously it was successful logging the following:



Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 Outgoing Control Channel Encryption: Cipher 'RRR-nnn-QQQ' initialized with nnn bit key
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 Outgoing Control Channel Encryption: Using nnn bit message hash 'LLLnnn' for HMAC authentication
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 Incoming Control Channel Encryption: Cipher 'RRR-nnn-QQQ' initialized with nnn bit key
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 Incoming Control Channel Encryption: Using nnn bit message hash 'LLLnnn' for HMAC authentication
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 TLS: Initial packet from [AF_INET6]::ffff:A.B.C.D:30563, sid=56865a45 47f344a3
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_VER=3.git:released:662eae9a:Release
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_PLAT=android
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_NCP=2
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_TCPNL=1
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_PROTO=2
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_SSO=openurl
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 peer info: IV_BS64DL=1
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 TLS: Username/Password authentication succeeded for username 'xxxxxxxxx' [CN SET]
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_LLLnnn
Jul 28 18:20:49 ovpn-server1[4666]: A.B.C.D:30563 [--------] Peer Connection Initiated with [AF_INET6]::ffff:A.B.C.D:30563
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 MULTI: Learn: 10.8.0.2 -> xxxxxxx/A.B.C.D:30563
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 MULTI: primary virtual IP for xxxxxxxx/A.B.C.D:30563: 10.8.0.2
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 Data Channel: using negotiated cipher 'RRR-nnn-KKK'
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 Outgoing Data Channel: Cipher 'RRR-nnn-KKK' initialized with nnn bit key
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 Incoming Data Channel: Cipher 'RRR-nnn-KKK' initialized with nnn bit key
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 PUSH: Received control message: 'PUSH_REQUEST'
Jul 28 18:20:49 ovpn-server1[4666]: --------/A.B.C.D:30563 SENT CONTROL [--------]: 'PUSH_REPLY,route 192.168.x.0 255.255.255.0 vpn_gateway 500,dhcp-option DOMAIN XXXXXXDomain,dhcp-option DNS 192.168.x.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher RRR-nnn-KKK' (status=1)
Jul 28 18:20:52 ovpn-server1[4666]: --------/A.B.C.D:30563 SIGTERM[soft,remote-exit] received, client-instance exiting

Thanks
 
Same for me on my RT AC68U,
I'm on Firmware Version: 386.2_4, but I'm sure it's happened on previous versions of the firmware too.
When I go in to the VPN Status Tab, it shows OpenVPN Server 1 as 'stopped'
And in the Server Tab, I can see that it is enabled.
The fix is to click the APPLY button at the bottom, and the server starts again.
The only time I find out it isn't working again is when I'm out and about and go to connect, and it just hangs.
 
Thanks, I've updated the link. The suggestion there was for a change to a non-standard port (i.e. larger random port number) to reduce likelihood of attacks. Not sure if that will fix my issue, thought I'd try. Will have to look how to set a cron job if this doesn't work.
 
I also thought that the failure could be a result of some type of attack. However, looking at how long it takes to stop and how this happens at almost exactly the same time interval, I changed my mind and now think that it is some sort of unfixed software malfunction. Also because there are absolutely no logs of any access attempt; it simply stops working.
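
Added example, not part of the thread and not code from any poster or from the firmware project: a cron-style watchdog for the "enabled but stopped" state described above. It assumes server instance 1 on UDP port 1194 (both taken from the logs above), that a stopped server no longer holds that socket, and that `service restart_vpnserver1` triggers the same rc event the GUI sends in those logs; the netstat listings embedded in it are constructed samples.

```shell
#!/bin/sh
# Watchdog sketch: restart OpenVPN server 1 when nothing is bound to its UDP port.
# Assumption: port 1194 and instance "vpnserver1", as seen in the thread's logs.
PORT=1194

# Reads a `netstat -lnu` listing on stdin; succeeds if a UDP socket is bound to port $1.
udp_bound() {
    awk -v port="$1" '
        $1 ~ /^udp/ { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }'
}

# Prints "ok" or "restart" for the netstat listing passed as $1.
decide() {
    if printf '%s\n' "$1" | udp_bound "$PORT"; then
        echo ok
    else
        echo restart
    fi
}

# Constructed sample listings (not captured from a router).
SAMPLE_UP='Proto Recv-Q Send-Q Local Address  Foreign Address State
udp        0      0 0.0.0.0:53     0.0.0.0:*
udp        0      0 :::1194        :::*'
SAMPLE_DOWN='Proto Recv-Q Send-Q Local Address  Foreign Address State
udp        0      0 0.0.0.0:53     0.0.0.0:*
udp        0      0 0.0.0.0:11940  0.0.0.0:*'

watchdog() {
    # If netstat itself fails, do nothing rather than restart blindly.
    out=$(netstat -lnu 2>/dev/null) || return 0
    if [ "$(decide "$out")" = restart ]; then
        # Leave a syslog trace so the time of each outage is recorded.
        logger -t ovpn-watchdog "UDP $PORT not bound, restarting vpnserver1"
        service restart_vpnserver1
    fi
}

# Only act when called with "run" (e.g. from cron); sourcing the file has no side effects.
if [ "${1:-}" = run ]; then
    watchdog
fi
```

The logger line matters as much as the restart: the thread reports no log entries at the moment the server stops, so the watchdog's own entries give the outage times needed to correlate with reboots or script updates.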
 
