OVPN connection loss after TLS re-key

Discussion in 'Asuswrt-Merlin' started by Andaman, Jul 10, 2017.

  1. Swazz

    Swazz New Around Here

    Joined:
    Jun 30, 2017
    Messages:
    5
    I was the other one along with @cowst who had the same issue.

    First I cranked the logging up, almost to the max. Nothing in the logs to note. Just silence on server side.

    I own two RT-N66Us. One is the 450 variant which I was using until today. I swapped it for the 900 variant and changed NordVPN servers as well. Same issue again.

    I'll try the additional text in the config per the other posts and see if anything changes.
     
  2. Swazz

    Swazz New Around Here

    Joined:
    Jun 30, 2017
    Messages:
    5
    Oof. Unfortunately none of that has worked. @cowst, be glad to tag on to your NordVPN ticket. If you send me the ticket # I will reference it with NordVPN.
     
  3. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    I did not see the issue in the last week since I re-enabled the vpn client (5 days ago), but it doesn't mean the issue is gone, and if it is, it means something changed on server side, because I am still on 374.43_2-26BAj9527 for a while.

    About the ticket, twice I have been told the routing team was unavailable to chat, and I was invited to write them.
    Meh...
     
  4. OGroteKoning

    OGroteKoning Occasional Visitor

    Joined:
    Aug 26, 2012
    Messages:
    47
    What does your custom config look like?
     
  5. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    I had to open my mouth...
    Tonight the problem showed up again, so no need to share my non-working config. :(
     
  6. Pete

    Pete Occasional Visitor

    Joined:
    Sep 27, 2016
    Messages:
    17
    I am on 68U, Merlin 380.67, NordVPN. Had similar issue consistently and based on the NordVPN support chat, I added the line "auth-retry nointeract" to the custom configuration.

    Looking good so far.

    Note: Make sure that you are not exceeding six concurrent connections to the VPN server.

    Regards...
     
  7. Swazz

    Swazz New Around Here

    Joined:
    Jun 30, 2017
    Messages:
    5
    Hi Pete,

    I too have been using this line in custom config to no avail. Only using 2 connections at most concurrently. I fear your problem may reappear unfortunately.

     
  8. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,604
    Location:
    Canada
    Use the following configuration instead:

    Code:
    pull-filter ignore "auth-token"
    
    That fixes it for PIA (I had nearly a whole week without any disconnection in my last test).
     
    MacG32 likes this.
  9. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    Wow, I gave up and installed openvpn in every device (no downtime detected this way for a couple of weeks already).
    Perhaps I will give it a try again with this setting.
    Thanks :)

     
  10. Tom C

    Tom C New Around Here

    Joined:
    Apr 1, 2016
    Messages:
    4
    Nord gave me many disconnects so I switched to PIA this past weekend. Ran a ping test (24 hr every 60 sec) on PIA and not a single disconnect and no error messages in the log file.

    Here's my configuration:
    TLS control channel security (tls-auth / tls-crypt) DISABLED
    Auth digest SHA1
    Poll Interval 0
    Cipher Negotiation DISABLED
    Legacy/fallback cipher AES-128-CBC
    Compression LZO Adaptive
    TLS Renegotiation Time 0
    Connection Retry -1

    Here's my custom config:
    tls-client
    remote-cert-tls server
    disable-occ

    Running Merlin 380.68. The connection is stable. My config is bits and pieces of what I found on the forum here. I don't know much about networking so let me know if I should change or add anything for security.
    Thanks
     
  11. Galaxysurfer

    Galaxysurfer Occasional Visitor

    Joined:
    Dec 6, 2015
    Messages:
    15
    If you have disabled the cipher detection etc., haven't you turned off the security features of the VPN?

    I want to find a better VPN myself since NordVPN seems to be playing games. Constant disconnects defeat the role of a VPN and open up leaking your real contact info. I want to be able to maintain a constant connection. Is that dreaming? Or is it achievable with a different provider? I'm using Merlin 380.68, in the process of upgrading, so maybe that will help?
     
  12. Tom C

    Tom C New Around Here

    Joined:
    Apr 1, 2016
    Messages:
    4
    If I set Cipher Negotiation to "ENABLED" I get lots of errors in my log: openvpn[5394]: Authenticate/Decrypt packet error: cipher final failed
    If I set it to "DISABLED" or "ENABLED WITH FALLBACK" I can connect fine. So I assume it's using the fallback AES-128-CBC when disabled.

    I agree the Nord disconnects are unacceptable. Hopefully they will fix this problem with an update to their server configuration or specify updated custom config options for routers with the Merlin firmware. I moved on to PIA.
     
    Last edited: Sep 14, 2017
  13. Wadadli

    Wadadli New Around Here

    Joined:
    Aug 16, 2017
    Messages:
    2
    My NordVPN connection seems to have stabilized since I made some changes. Yes, I run LZO compression (not adaptive). Cipher negotiation is disabled (just AES-256-CBC). I also added the following to the custom setup: explicit-exit-notify 3
    I don't know what it does but I saw the line in NordVPN's .ovpn file.
     
  14. Pete

    Pete Occasional Visitor

    Joined:
    Sep 27, 2016
    Messages:
    17
    You are correct.

    So, I cancelled NordVPN account and switched to PIA. I see a stable connection during the last two days. Unlike NordVPN, PIA does not refresh the keys every hour.

    Configured PIA on GL-MT300N-V2 and it rocks.
     
  15. Galaxysurfer

    Galaxysurfer Occasional Visitor

    Joined:
    Dec 6, 2015
    Messages:
    15
    I'm hitting the wall on sustained connection issues on the RT-AC68U with NordVPN. What tweaks can I do to fix this problem? It is very frustrating, almost rendering VPN not doable with them other than my IKEv2 mobile link. It seems like they have everyone on a timer so the connection breaks at a predetermined interval. That is not the type of coverage I agreed to sign on for.
     
  16. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,604
    Location:
    Canada
    Try this:

    Code:
    pull-filter ignore "auth-token"
    
    It fixes it for PIA. I suspect something's broken with OpenVPN 2.4's auth token support.
     
  17. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    Do you think other clients like OpenVPN for Android have some specific mechanism to recover immediately from this auth issue (since they also renegotiate every hour but I never noticed the connectivity loss I have on the router)?

     
  18. Wadadli

    Wadadli New Around Here

    Joined:
    Aug 16, 2017
    Messages:
    2
    For those who are interested, they can fill their boots at:
    <PIA website>/blog/2017/05/openvpn-2-4-evaluation-summary-report/
    It's all above my head.
     
  19. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,604
    Location:
    Canada
    Most of these clients are still using OpenVPN 2.3, which might be why they aren't affected. Also, the issue doesn't always occur immediately; for me it might take 6-10 hours before the PIA connection would fail its re-auth. A typical mobile client rarely stays connected that long.
     
  20. cowst

    cowst Regular Contributor

    Joined:
    Jun 14, 2012
    Messages:
    171
    I understand about the 2.3 client.

    In my case I have the satellite receiver behind the router VPN, and it always goes down, within 1 to 5 days.

    The OpenVPN for Android is on my Fire TV stick, again always on, and I never found it down.
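
Added example, not part of any post in this thread: a small reviewer for an OpenVPN 2.4 client config that reports what the settings discussed above (renegotiation time 0, no tls-auth/tls-crypt, cipher negotiation disabled, and the `pull-filter ignore "auth-token"` line) mean for the tunnel. The function names and the sample config are constructed here, and writing post 10's GUI settings as these directives is an assumption.

```python
import shlex

# Constructed sample: post 10's settings written as OpenVPN 2.4 directives.
# The GUI-to-directive mapping is an assumption, not taken from the thread.
SAMPLE_CONFIG = """\
client
cipher AES-128-CBC
auth SHA1
ncp-disable
comp-lzo adaptive
reneg-sec 0
tls-client
remote-cert-tls server
disable-occ
"""

def parse_directives(text):
    """Map directive name -> list of argument lists; an inline <x> block counts as x."""
    found, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
            found.setdefault(line.strip("<>"), []).append([])
        elif line and not in_block and line[0] not in "#;":
            name, *args = shlex.split(line)
            found.setdefault(name, []).append(args)
    return found

def review(text):
    """Return (directive, note) pairs for the settings this thread discusses."""
    d, notes = parse_directives(text), []
    if ["0"] in d.get("reneg-sec", []):
        notes.append(("reneg-sec", "client never starts a re-key; the server's own timer still does"))
    if not {"tls-auth", "tls-crypt"} & d.keys():
        notes.append(("tls-auth", "no extra HMAC/encryption layer on the control channel"))
    if "ncp-disable" in d:
        cipher = d.get("cipher", [["(OpenVPN default)"]])[-1][0]
        notes.append(("ncp-disable", f"cipher negotiation off; data channel fixed to {cipher}"))
    if "remote-cert-tls" not in d:
        notes.append(("remote-cert-tls", "server certificate usage is not checked"))
    if ["ignore", "auth-token"] not in d.get("pull-filter", []):
        notes.append(("pull-filter", "a pushed auth-token is accepted and replaces the password at re-auth"))
    return notes

if __name__ == "__main__":
    for directive, note in review(SAMPLE_CONFIG):
        print(f"{directive:16} {note}")
```

The tls-auth/tls-crypt and cipher findings depend on what the provider's servers accept, so they describe the current state of the config and do not mean the directive can simply be switched on.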

     
