Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

OVPN connection loss after TLS re-key

Discussion in 'Asuswrt-Merlin' started by Andaman, Jul 10, 2017.

  1. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    Hi, new user here. I wanted to ask if anyone can give me some guidance on a problem:

    I set up an ASUS AC-68U with Merlin software for full-time VPN connection, using NordVPN. It basically works, but the problem is an intermittent loss of connectivity, always coincident with one of the cipher renegotiations that occurs every 60 minutes. It happens maybe once every day or two.

    Log file below. At 09:45 I lose connection. I was streaming TV and noted loss of connection at that time. At 09:55 the inactivity timeout kicks in and restores the connection. I'll also attach screen shots of my OVPN client config. Appreciate any tips. Thanks!

    HTML:
     Jul 10 09:45:25 openvpn[14026]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, [email protected]
     Jul 10 09:45:25 openvpn[14026]: VERIFY KU OK
     Jul 10 09:45:25 openvpn[14026]: Validating certificate extended key usage
     Jul 10 09:45:25 openvpn[14026]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
     Jul 10 09:45:25 openvpn[14026]: VERIFY EKU OK
     Jul 10 09:45:25 openvpn[14026]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, [email protected]
     Jul 10 09:45:28 openvpn[14026]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
     Jul 10 09:45:28 openvpn[14026]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
     Jul 10 09:45:28 openvpn[14026]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
     Jul 10 09:55:18 openvpn[14026]: [us415.nordvpn.com] Inactivity timeout (--ping-restart), restarting
     Jul 10 09:55:18 openvpn[14026]: SIGUSR1[soft,ping-restart] received, process restarting
     Jul 10 09:55:18 openvpn[14026]: Restart pause, 5 second(s)
     Jul 10 09:55:23 openvpn[14026]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
     Jul 10 09:55:23 openvpn[14026]: TCP/UDP: Preserving recently used remote address: [AF_INET]23.108.32.9:1194
     Jul 10 09:55:23 openvpn[14026]: Socket Buffers: R=[122880->245760] S=[122880->245760]
     Jul 10 09:55:23 openvpn[14026]: UDP link local: (not bound)
     Jul 10 09:55:23 openvpn[14026]: UDP link remote: [AF_INET]23.108.32.9:1194
     Jul 10 09:55:24 openvpn[14026]: TLS: Initial packet from [AF_INET]23.108.32.9:1194, sid=42a75906 c7db0840
     Jul 10 09:55:24 openvpn[14026]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, [email protected]
     Jul 10 09:55:24 openvpn[14026]: VERIFY KU OK
     Jul 10 09:55:24 openvpn[14026]: Validating certificate extended key usage
     Jul 10 09:55:24 openvpn[14026]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
     Jul 10 09:55:24 openvpn[14026]: VERIFY EKU OK
     Jul 10 09:55:24 openvpn[14026]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, [email protected]
     Jul 10 09:55:25 openvpn[14026]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
     Jul 10 09:55:25 openvpn[14026]: [us415.nordvpn.com] Peer Connection Initiated with [AF_INET]23.108.32.9:1194
     Jul 10 09:55:26 openvpn[14026]: SENT CONTROL [us415.nordvpn.com]: 'PUSH_REQUEST' (status=1)
     Jul 10 09:55:26 openvpn[14026]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.11 255.255.255.0,peer-id 3,cipher AES-256-GCM'
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: timers and/or timeouts modified
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
     Jul 10 09:55:26 openvpn[14026]: Socket Buffers: R=[245760->245760] S=[245760->245760]
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: --ifconfig/up options modified
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: route options modified
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: route-related options modified
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: peer-id set
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: adjusting link_mtu to 1657
     Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: data channel crypto options modified
     Jul 10 09:55:26 openvpn[14026]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
     Jul 10 09:55:26 openvpn[14026]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
     Jul 10 09:55:26 openvpn[14026]: Preserving previous TUN/TAP instance: tun15
     Jul 10 09:55:26 openvpn[14026]: Initialization Sequence Completed
    
    also attaching images of the client config
    settings 1.jpg settings2.jpg settings3.jpeg
     
    Last edited: Jul 10, 2017
  2. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,739
    Location:
    United States
    I've been working offline with one of my fork users ( @cowst ) that is experiencing the same problem, at about the same frequency. I've been running on a NordVPN account trying to recreate it, but haven't been able to hit it during the periods I was able test.

    I did spend some time looking at the NordVPN .ovpn file config, and in addition to being one of the only providers whose servers are OpenVPN 2.4.x, they are also using an usual setup on the renegotiation. They are disabling the client initiated renegotiation, relying strictly on the server. They also set a relatively long ping interval at 60 sec.

    There are a couple of things I think you can try....

    Change the 'TLS renegotiation time' from 0 to 3540 (this will make the client do the renegotiation 1 minute before the the server side default). You could even try a bit shorter time as a test.

    Add the following to the custom config section to increase the ping frequency
    pull-filter ignore "ping 60"
    push "ping 15"
     
  3. anthill

    anthill New Around Here

    Joined:
    Jun 24, 2017
    Messages:
    2
    I am having what sounds like the same problem. After an authentication failure, the router won't try to reconnect, ever (it seems). I would post the log entry but CloudFlare won't let me.
     
  4. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    Thanks... really good info! I will try the trick you suggested to have the client preempt the server-initiated reneg, and see if this has an effect.
     
  5. anthill

    anthill New Around Here

    Joined:
    Jun 24, 2017
    Messages:
    2
    Suggestions haven't worked for me. After making the changes yesterday I came home to no service on VPNed clients, and the status page showing the VPN is connected with

    Code:
    Statistics
    TUN/TAP read bytes    17,640    TUN/TAP write bytes    0
    TCP/UDP read bytes    0    TCP/UDP write bytes    210
    Auth read bytes    0    pre-compress bytes    0
    post-compress bytes    0    pre-decompress bytes    0
    Log shows 3 hours VPN uptime, 4 hours downtime (constant TLS failures), 12 hours uptime, then 4 hours downtime (until I manually toggled the VPN off then on). Most recent log entries:

    Code:
    Jul 11 18:05:37 openvpn[8259]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 11 18:05:37 openvpn[8259]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.212.77:1194
    Jul 11 18:05:37 openvpn[8259]: UDP link local: (not bound)
    Jul 11 18:05:37 openvpn[8259]: UDP link remote: [AF_INET]184.75.212.77:1194
    Jul 11 18:06:38 openvpn[8259]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jul 11 18:06:38 openvpn[8259]: TLS Error: TLS handshake failed
    Jul 11 18:06:38 openvpn[8259]: SIGUSR1[soft,tls-error] received, process restarting
    Jul 11 18:11:38 openvpn[8259]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 11 18:11:38 openvpn[8259]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.212.77:1194
    Jul 11 18:11:38 openvpn[8259]: UDP link local: (not bound)
    Jul 11 18:11:38 openvpn[8259]: UDP link remote: [AF_INET]184.75.212.77:1194
    Jul 11 18:12:38 openvpn[8259]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jul 11 18:12:38 openvpn[8259]: TLS Error: TLS handshake failed
    Jul 11 18:12:38 openvpn[8259]: SIGUSR1[soft,tls-error] received, process restarting
    Jul 11 18:17:38 openvpn[8259]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 11 18:17:39 openvpn[8259]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.212.77:1194
    Jul 11 18:17:39 openvpn[8259]: UDP link local: (not bound)
    Jul 11 18:17:39 openvpn[8259]: UDP link remote: [AF_INET]184.75.212.77:1194
    Jul 11 18:18:39 openvpn[8259]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jul 11 18:18:39 openvpn[8259]: TLS Error: TLS handshake failed
    Jul 11 18:18:39 openvpn[8259]: SIGUSR1[soft,tls-error] received, process restarting
     
    Last edited: Jul 11, 2017
  6. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,739
    Location:
    United States
    You have a completely different problem and symptom....suggest opening a separate thread to see if anyone has ideas.
     
  7. Brenneke

    Brenneke Occasional Visitor

    Joined:
    Jun 14, 2017
    Messages:
    11
    I am also on Nord and am quite sure I was having same issue - Nord looked at my logs and instructed me to add a few lines on the custom config for the OVPN client settings - has been good ever since. Please forgive me if I have misunderstood and if this is not relevant....have limited knowledge with this!

    Here is how my custom config looks now:

    Code:
    remote-cert-tls server
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping-timer-rem
    reneg-sec 0
    auth-retry nointeract
     
    atkinsom likes this.
  8. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    John, I tried the reduced renegotiation time on client side. Good news is this does preempt the server-initiated re-key and I ran about 24 hours with the client initiating re-keys - every 50 minutes. But just when I was starting to feel optimistic, the problem occurred again. With one of the re-keys, I lost connectivity and had an inactivity time-out.

    Appreciate your help. If you have any other ideas on ways I might be able to suppress the re-key process entirely or anything else I might try, let me know. If I come up with any solution I'll post it.
     
  9. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    Thanks. I have the same config except for the auth-retry nointeract directive. I'm not sure this would affect the problem I'm having, but I'll try adding it and see!
     
  10. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,739
    Location:
    United States
    The 'auth-rety nointeract' is a good thing to try that I hadn't thought of......

    But, from your last posted data, I tried to ping and tracert to the ip address of the vpn server you were trying to connect to and got no response. I can ping the NordVPN server I am using to test. So it looks like that server may have just gone down (or had a routing problem) and since NordVPN uses ip addresses instead of fqdn in their setup, it that happens you are in trouble. I'd also try a different server.
     
  11. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    I am actually trying a different NordVPN server now. Also, I am experimenting to see if this problem occurs when using TCP. Will post results.
     
  12. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    Using TCP did not help. I got another loss of connection and inactivity timeout on a cipher renegotiation, just after a couple of hours. I'm kind of at a loss regarding what to try next.
     
  13. Brenneke

    Brenneke Occasional Visitor

    Joined:
    Jun 14, 2017
    Messages:
    11
  14. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
  15. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    If it helps, and if I remember correctly, this issue started when @john9527 (and perhaps merlin) updated openvpn client to 2.4.
    Release 23 was working fine I think.
     
  16. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    Asked nordvpn.

    "Thank you for your letter.

    We currently do not have any additional information regarding this issue, although our system administrators have told they're going to look into this as soon as possible.

    Let us know if there's anything else we can assist you with."

    Meh.

     
  17. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    I got a reply from NordVPN which was a little more encouraging. They said they were going to investigate the problem with a Merlin router they have in their lab. It has been 3 days and I haven't heard anything further from them. Will post if I learn anything.
     
  18. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    Oh yes please!

     
  19. Brenneke

    Brenneke Occasional Visitor

    Joined:
    Jun 14, 2017
    Messages:
    11
    Letter? What is a letter? Did you chat with one of their router specialists online on the interweb?
     
  20. Andaman

    Andaman Occasional Visitor

    Joined:
    Jul 9, 2017
    Messages:
    10
    Been a couple of weeks and I have not heard anything back from NordVPN.
     

Share This Page