RT-AC68U 386.2_6 packet loss on OpenVPN failed connection


automaton

New Around Here
I have an RT-AC68U with a wired Windows box running PingPlotter (although I've confirmed this with a wired Linux box running ping directly as well).

Basically at random times nefarious connections are attempted to my OpenVPN server running on the RT-AC68U. The log looks like this:

Code:
Jul 23 09:51:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS: Initial packet from [AF_INET6]::ffff:167.248.133.23:14872, sid=4d658221 07fcfd52
Jul 23 09:52:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS: Initial packet from [AF_INET6]::ffff:167.248.133.39:38677, sid=dd4262e7 c698de87
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS Error: TLS handshake failed
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 SIGUSR1[soft,tls-error] received, client-instance restarting
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS Error: TLS handshake failed
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 SIGUSR1[soft,tls-error] received, client-instance restarting

When that happens I get 100% packet loss for ~20 seconds across the board (google.com, akamai.com, twitter.com, pingplotter.com, pingman.com etc.).
This also causes unwanted behaviour in video conferencing and anything else that is not buffered.

Is there any solution to this problem other than off-loading the OpenVPN server to a box behind the router?

Thank you for your time.
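As an added example (not code from the thread or from the router firmware), a small Python script that parses the log format quoted in the post, pairs each remote endpoint's "Initial packet" with its later "TLS handshake failed", and turns those failures into time windows to line up against a PingPlotter or ping trace. The sample log lines are the ones from the post; the year is an assumption because syslog lines carry none, and only IPv4 peer addresses are matched.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the post (the two remote sources above).
SAMPLE_LOG = """\
Jul 23 09:51:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS: Initial packet from [AF_INET6]::ffff:167.248.133.23:14872, sid=4d658221 07fcfd52
Jul 23 09:52:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS: Initial packet from [AF_INET6]::ffff:167.248.133.39:38677, sid=dd4262e7 c698de87
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS Error: TLS handshake failed
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 SIGUSR1[soft,tls-error] received, client-instance restarting
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS Error: TLS handshake failed
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 SIGUSR1[soft,tls-error] received, client-instance restarting
"""
# Matches '<ts> ovpn-serverN[pid]: <peer-ipv4>:<port> <message>' (IPv4 peers only).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ovpn-server\d+\[\d+\]: "
    r"(?P<ip>[\d.]+):(?P<port>\d+) (?P<msg>.*)$")
ASSUMED_YEAR = 2020  # assumption: syslog has no year; a leap year so Feb 29 parses

def parse_ts(ts):
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")

def failed_handshakes(log_text):
    """Pair each peer's 'Initial packet' with its later 'TLS handshake failed';
    returns [(failed_at, peer_ip, peer_port, seconds_the_instance_was_held)]."""
    started, failures = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, when = (m["ip"], int(m["port"])), parse_ts(m["ts"])
        if m["msg"].startswith("TLS: Initial packet"):
            started[key] = when
        elif m["msg"] == "TLS Error: TLS handshake failed":
            held = (when - started.pop(key, when)).total_seconds()
            failures.append((when, key[0], key[1], held))
    return failures

def restart_windows(log_text, loss_seconds=20):
    """Windows [failed_at, failed_at + loss_seconds] to line up against a ping
    trace; overlapping windows are merged so each outage is reported once."""
    windows = []
    for when, _ip, _port, _held in failed_handshakes(log_text):
        start, end = when, when + timedelta(seconds=loss_seconds)
        if windows and start <= windows[-1][1]:
            windows[-1] = (windows[-1][0], max(windows[-1][1], end))
        else:
            windows.append((start, end))
    return windows
```

If the loss intervals in the ping trace fall inside these windows, the restart of the client instance is the trigger; if they do not, the handshake failures are a coincidence and the cause lies elsewhere.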
 

ColinTaylor

Part of the Furniture
I can't think why restarting the VPN server would have an impact on your LAN clients. Maybe it makes changes with the routing tables when it restarts.

If you change your VPN server to use a non-standard port you will stop most, if not all, of the bogus connection attempts.
 

automaton

New Around Here
I can't think why restarting the VPN server would have an impact on your LAN clients. Maybe it makes changes with the routing tables when it restarts.

If you change your VPN server to use a non-standard port you will stop most, if not all, of the bogus connection attempts.

That is one option, I can consider it. I've left it on the standard port so far to avoid issues while travelling. Usually 'weird' ports are blocked, but the common ones for VPN are left open for people to do work.

I'd also like to note that when I connect with my own clients to the VPN this issue doesn't occur. It only occurs when the nefarious ones attempt, and fail, to connect.
 
