PIA VPN always disconnects with policy routing

RMerlin

Asuswrt-Merlin dev
PIA is working fine for me.

I've noticed in 384.10 and 384.10.2 there are error messages I never saw in earlier firmwares:

Those are normal when you use Policy mode, these routes are replaced by your own selective routes. They've always been there.
 

Namrustler

Occasional Visitor
PIA is working fine for me.



Those are normal when you use Policy mode, these routes are replaced by your own selective routes. They've always been there.

Thanks for the reply. My preferred PIA server is Montreal because it is closer. In fact, this is the server I've used 99.99% of the time. I could try the Toronto server or I could try ibVPN's servers in Montreal or Toronto, Beauharnois, as they are all closer than the servers on the west coast.

Do you think it could be related to the server I've chosen?

The main thing that bothers me is it seems like the kill switch is in effect, when the logs and client status page suggest otherwise. Once the problem occurs, the only resolution is to interact with the router, something I'd like to avoid.
 

RMerlin

Asuswrt-Merlin dev
Do you think it could be related to the server I've chosen?

I don't know. Back when I was having disconnects happening after 1-2 days, adding the option to ignore auth tokens resolved it for me. I haven't used it for an extended period of time for quite a few months, so I don't know if anything changed on their end recently.
 

BlezZ

Occasional Visitor
Please see my config that works for me.

I have also included my router's IP in the policy route and set to WAN as suggested above by another member.



resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ
auth-nocache
pull-filter ignore "auth token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
 

Namrustler

Occasional Visitor
Please see my config that works for me.

I have also included my router's IP in the policy route and set to WAN as suggested above by another member.


resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ
auth-nocache
pull-filter ignore "auth token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"

Thanks for your input.

I changed the "Cipher Negotiation" to disabled, "Connection Retry Attempts" to -1 and added the router's IP in the policy route set to WAN.

The first four lines in your custom configuration are what were loaded there after uploading the ovpn file. I'd previously tried the last four lines earlier this week.

I'll see if the three changes I made are successful. As much as I'd like to sledgehammer the thing with a lot of changes hoping for a home run, if that worked it would not tell me what the minimal set of changes I needed to make for success.

Everything worked well until I upgraded to 384.10. I've wondered if the problems I'm seeing are due to the presence of OpenVPN 2.7, but who knows?

If I run into the same problem, I'll then add the last four lines in your custom configuration.

Earlier today, I did a factory reset, upgraded to 384.10.2, factory reset again and then reconfigured. There was a glitch after a couple of hours and I was in the same boat for two router VPN clients, one for PIA and the other for ibVPN. However, I think my connection to my ISP dropped so I'm going to ignore that "failure" for the moment.
 

BlezZ

Occasional Visitor
What you could also try is to set up multiple VPN clients on your router to PIA with different settings and connect all of them. That's what I did for testing.
That way you can see after a couple of hours which tunnel drops. PIA allows up to 10 connections.
 

Namrustler

Occasional Visitor
I have two VPN clients set up on the router. Client 1 is PIA Montreal and Client 2 is ibVPN Toronto. Both are configured to start at boot and both have the kill switch enabled. I have three IP addresses configured for each client because they are assigned to three Windows 7 VMs I use through the VPN. By changing the VM's IP address in Windows, I can switch the VPN client on the router without signing on to the router.

After the last changes I made I thought it was working; I was wrong. The Windows OpenVPN client on VM1 was tunneling through a European PIA server, and the Windows OpenVPN client on VM2 was tunneling through a different European VPN server. VM3 was simply tunneling through one of the router's VPN clients.

After a few hours, I noted VM3 was not able to access the Internet, as though the killswitch was engaged, but both clients reported as "Connected". At this time VM1 and VM2 maintained their OpenVPN connection through the Windows OpenVPN client, but as I exited each client, those two VMs could not access the Internet. Rebooting the VMs had no effect. I verified the TCP/IP settings and the routing table. Everything was fine. I already know that if I sign in to the router, go to the VPN client page and click apply, access is restored.

Don't ask me why I did this next, but I went to the Administration - System page, unchecked ping for network monitoring, clicked Apply, and poof, the three VMs suddenly had their Internet access restored. That makes no sense to me.

Alright I'll tell you why I did that. I was seeing messages in the log about the WAN connection going down (I don't believe it) and this seemed to cause the tunnel to go down and be restored. If that's what was happening, the tunnel didn't seem to come up at some point, even though the status is "Connected" for both VPN clients on the router.

And just to expand on something, when my VMs start I use OpenVPN GUI to make a connection to some other VPN server. I bounce around between different VPN servers and generally have no issue unless there's a glitch on my Internet connection. But this would happen only every few days.

Now, I don't seem to get more than a half day before I have to sign into the router and click Apply at the bottom of the VPN client. Everything had worked well for a couple of years until I upgraded to 384.10 which I believe has OpenVPN 2.4.7, so who knows if that has some bug in it.

Another crazy thing is that both VPN clients on the router get blocked.
 

Namrustler

Occasional Visitor
What you could also try is to set up multiple VPN clients on your router to PIA with different settings and connect all of them. That's what I did for testing.
That way you can see after a couple of hours which tunnel drops. PIA allows up to 10 connections.

Sorry, I should have made that post a reply to you.
 

BlezZ

Occasional Visitor
Sorry, I should have made that post a reply to you.

No worries.

I had similar issues in the past that everything was fine and with a new firmware it stopped. I had to play with settings and reset a couple of times and then it started working.

My VPN is stable or at least it comes up again for now.

I still see below entries when the tunnel goes down and then up. It usually happens when I fire up devices which are using the VPN tunnel.
Then I see below entries. If no machine is running the tunnel remains unchanged.

19:59:34 openvpn-routing: Tunnel down - VPN client access blocked
(….)
19:59:53 openvpn-routing: Tunnel re-established, restoring WAN access to clients
 

Namrustler

Occasional Visitor
I've observed that pairing of messages far more often than I previously did, and I was beginning to think that had something to do with the killswitch not engaging or disengaging properly, but I wasn't able to prove it because I didn't have one of the VMs dedicated to monitoring its access to the Internet. I'm doing that now, but since unchecking ping for network monitoring about 24 hours ago, I haven't seen those messages.

If those messages do correlate with the killswitch engaging, then I don't think it happens on the first couple of instances. I think if they occur too frequently or after a certain number of times, access to the Internet is not restored after the tunnel is re-established.

I could go back to ping monitoring and observe the behavior over the next day. On the other hand I just want this to work properly.

I don't believe this is an issue with PIA which is how this thread started out. I think it's about the killswitch.
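
The pairing of log messages discussed in the posts above can be checked mechanically. The following is an added example, not part of the thread and not Asuswrt-Merlin code: a shell function that pairs each "Tunnel down" message with the next "Tunnel re-established" message, reports how long client access was blocked, and flags any "Tunnel down" that was never followed by a restore. The sample log is constructed from the two message texts quoted in the thread, and the function assumes each line carries an HH:MM:SS timestamp.

```shell
#!/bin/sh
# Added example: pair openvpn-routing "Tunnel down" / "Tunnel re-established"
# messages and report how long VPN client access was blocked each time.

# Constructed sample log, built from the two message texts quoted in the thread.
SAMPLE_LOG='19:59:34 openvpn-routing: Tunnel down - VPN client access blocked
19:59:53 openvpn-routing: Tunnel re-established, restoring WAN access to clients
21:10:02 openvpn-routing: Tunnel down - VPN client access blocked
21:10:40 openvpn-routing: Tunnel re-established, restoring WAN access to clients
23:45:10 openvpn-routing: Tunnel down - VPN client access blocked'

# Reads log lines on stdin and prints one line per event:
#   BLOCKED <down-time> <up-time> <seconds>   access was restored
#   UNPAIRED <down-time>                      no restore message followed
killswitch_report() {
    awk '
    # Convert HH:MM:SS to seconds since midnight.
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /openvpn-routing: Tunnel down/ {
        if (match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/)) {
            # A second "down" with no restore in between leaves the first unpaired.
            if (down != "") print "UNPAIRED", down
            down = substr($0, RSTART, RLENGTH)
        }
        next
    }
    /openvpn-routing: Tunnel re-established/ {
        if (down != "" && match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/)) {
            up = substr($0, RSTART, RLENGTH)
            d = secs(up) - secs(down)
            if (d < 0) d += 86400          # event crossed midnight
            print "BLOCKED", down, up, d
            down = ""
        }
        next
    }
    # A trailing "down" means the log ends with client access still blocked.
    END { if (down != "") print "UNPAIRED", down }
    '
}

printf '%s\n' "$SAMPLE_LOG" | killswitch_report
```

The report only reflects what openvpn-routing logged. A BLOCKED line followed by clients that still cannot reach the Internet is the case described in this thread, and needs a connectivity check from a client to confirm.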
 

Namrustler

Occasional Visitor
No worries.

I had similar issues in the past that everything was fine and with a new firmware it stopped. I had to play with settings and reset a couple of times and then it started working.

My VPN is stable or at least it comes up again for now.

I still see below entries when the tunnel goes down and then up. It usually happens when I fire up devices which are using the VPN tunnel.
Then I see below entries. If no machine is running the tunnel remains unchanged.

19:59:34 openvpn-routing: Tunnel down - VPN client access blocked
(….)
19:59:53 openvpn-routing: Tunnel re-established, restoring WAN access to clients

I botched the reply again.
 
