Posted: Sat May 27, 2017 13:32 Post subject: openvpn client configuration?
31980M on R7000, up for 13 days. This morning the router lost VPN access (privateinternetaccess). I didn't reboot the router but killed openvpn and restarted it. VPN came back. This is what I see in the logs, before and after killing openvpn:
Code:
May 27 04:08:00 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]108.61.68.147:1197
Code:
May 27 04:55:01 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]66.55.144.248:1197
Did the VPN server change its IP or die, and openvpn was preserving the old IP and not picking up the new IP? The openvpn config has a "persist-tun" setting, is that what could cause openvpn to not change its remote address? Or any other suggestions to make openvpn client more reactive?
Enable the WDS/Connection Watchdog on the Administration->Keep Alive tab, and specify an IP address local to the VPN provider's network like a 10.x.x.x DNS server. The router will periodically ping that address and reboot if the ping fails.
Quote:
Enable the WDS/Connection Watchdog on the Administration->Keep Alive tab, and specify an IP address local to the VPN provider's network like a 10.x.x.x DNS server. The router will periodically ping that address and reboot if the ping fails.
Thanks, I do have a watchdog set up to the Google DNS IP. I could change that to the VPN provider's DNS servers.
But I am still curious as to how to configure openvpn client to not preserve remote address. "persist-tun" is maybe the setting that needs to be removed, but there may be other consequences.
Happened again today, openvpn did a ping-restart and it never recovers, see log below. The router, in a telnet session, can ping 208.167.254.223.
Any openvpn experts here - will changing any openvpn options make this recover after a ping restart? The openvpn.conf file is posted below after the log.
Code:
Jun 21 09:07:40 Netgear_R7000 openvpn: [b24472d73a8801b4f1be3aec30f90bd6] Inactivity timeout (--ping-restart), restarting
Jun 21 09:07:40 Netgear_R7000 openvpn: SIGUSR1[soft,ping-restart] received, process restarting
Jun 21 09:07:40 Netgear_R7000 openvpn: Restart pause, 10 second(s)
Jun 21 09:07:50 Netgear_R7000 openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 21 09:07:50 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]208.167.254.223:1197
Jun 21 09:07:50 Netgear_R7000 openvpn: Socket Buffers: R=[180224->360448] S=[180224->360448]
Jun 21 09:07:50 Netgear_R7000 openvpn: UDPv4 link local: (not bound)
Jun 21 09:07:50 Netgear_R7000 openvpn: UDPv4 link remote: [AF_INET]208.167.254.223:1197
Jun 21 09:07:50 Netgear_R7000 openvpn: TLS: Initial packet from [AF_INET]208.167.254.223:1197, sid=41e2e97a 02789ca0
Jun 21 09:07:50 Netgear_R7000 openvpn: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 21 09:07:50 Netgear_R7000 openvpn: VERIFY KU OK
Jun 21 09:07:50 Netgear_R7000 openvpn: NOTE: --mute triggered...
Jun 21 09:07:53 Netgear_R7000 openvpn: 4 variation(s) on previous 3 message(s) suppressed by --mute
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jun 21 09:07:53 Netgear_R7000 openvpn: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jun 21 09:07:53 Netgear_R7000 openvpn: [b24472d73a8801b4f1be3aec30f90bd6] Peer Connection Initiated with [AF_INET]208.167.254.223:1197
Jun 21 09:07:54 Netgear_R7000 openvpn: SENT CONTROL [b24472d73a8801b4f1be3aec30f90bd6]: 'PUSH_REQUEST' (status=1)
Jun 21 09:07:54 Netgear_R7000 openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:07:54 Netgear_R7000 openvpn: SIGUSR1[soft,auth-failure] received, process restarting
Jun 21 09:07:54 Netgear_R7000 openvpn: Restart pause, 10 second(s)
Jun 21 09:08:04 Netgear_R7000 openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 21 09:08:04 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]208.167.254.223:1197
Jun 21 09:08:04 Netgear_R7000 openvpn: Socket Buffers: R=[180224->360448] S=[180224->360448]
Jun 21 09:08:04 Netgear_R7000 openvpn: UDPv4 link local: (not bound)
Jun 21 09:08:04 Netgear_R7000 openvpn: UDPv4 link remote: [AF_INET]208.167.254.223:1197
Jun 21 09:08:04 Netgear_R7000 openvpn: TLS: Initial packet from [AF_INET]208.167.254.223:1197, sid=99a681bb c43bdf86
Jun 21 09:08:04 Netgear_R7000 openvpn: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 21 09:08:04 Netgear_R7000 openvpn: VERIFY KU OK
Jun 21 09:08:04 Netgear_R7000 openvpn: NOTE: --mute triggered...
Jun 21 09:08:08 Netgear_R7000 openvpn: 4 variation(s) on previous 3 message(s) suppressed by --mute
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jun 21 09:08:08 Netgear_R7000 openvpn: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jun 21 09:08:08 Netgear_R7000 openvpn: [b24472d73a8801b4f1be3aec30f90bd6] Peer Connection Initiated with [AF_INET]208.167.254.223:1197
Jun 21 09:08:09 Netgear_R7000 openvpn: SENT CONTROL [b24472d73a8801b4f1be3aec30f90bd6]: 'PUSH_REQUEST' (status=1)
Jun 21 09:08:09 Netgear_R7000 openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:08:09 Netgear_R7000 openvpn: SIGUSR1[soft,auth-failure] received, process restarting
Jun 21 09:08:09 Netgear_R7000 openvpn: Restart pause, 10 second(s)
Jun 21 09:08:19 Netgear_R7000 openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 21 09:08:19 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]208.167.254.223:1197
Jun 21 09:08:19 Netgear_R7000 openvpn: Socket Buffers: R=[180224->360448] S=[180224->360448]
Jun 21 09:08:19 Netgear_R7000 openvpn: UDPv4 link local: (not bound)
Jun 21 09:08:19 Netgear_R7000 openvpn: UDPv4 link remote: [AF_INET]208.167.254.223:1197
Jun 21 09:08:19 Netgear_R7000 openvpn: TLS: Initial packet from [AF_INET]208.167.254.223:1197, sid=c378a7b9 36f25c04
Jun 21 09:08:19 Netgear_R7000 openvpn: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 21 09:08:19 Netgear_R7000 openvpn: VERIFY KU OK
Jun 21 09:08:19 Netgear_R7000 openvpn: NOTE: --mute triggered...
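A log-based check for the loop above, added here as an example and not code from the thread or from DD-WRT: it classifies the client's state from its syslog lines (the "... openvpn: <message>" format shown above is assumed), so a watchdog can restart just the openvpn client, rather than reboot the router, only when the restarts stop completing. The sample lines are constructed from the log above and LOOP_THRESHOLD is an assumed value.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): classify the openvpn client's
# state from its syslog lines. Assumes the "... openvpn: <message>" format above.
LOOP_THRESHOLD=3   # assumed: this many soft restarts without a completed init = stuck

# Constructed sample, modelled on the loop in the log above.
LOOPING_LOG='Jun 21 09:07:40 Netgear_R7000 openvpn: Inactivity timeout (--ping-restart), restarting
Jun 21 09:07:40 Netgear_R7000 openvpn: SIGUSR1[soft,ping-restart] received, process restarting
Jun 21 09:07:50 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]208.167.254.223:1197
Jun 21 09:07:54 Netgear_R7000 openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:07:54 Netgear_R7000 openvpn: SIGUSR1[soft,auth-failure] received, process restarting
Jun 21 09:08:09 Netgear_R7000 openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:08:09 Netgear_R7000 openvpn: SIGUSR1[soft,auth-failure] received, process restarting'

# Constructed sample of a ping-restart that did recover.
RECOVERED_LOG='Jun 21 09:07:40 Netgear_R7000 openvpn: SIGUSR1[soft,ping-restart] received, process restarting
Jun 21 09:07:50 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]66.55.144.248:1197
Jun 21 09:07:53 Netgear_R7000 openvpn: Initialization Sequence Completed'

# since_last_init LOG: lines after the most recent completed init (all lines if none).
since_last_init() {
    printf '%s\n' "$1" | awk '/Initialization Sequence Completed/ { buf = ""; next }
                              { buf = buf $0 "\n" }  END { printf "%s", buf }'
}

# vpn_state LOG: prints up, reconnecting or looping.
vpn_state() {
    rest=$(since_last_init "$1")
    if [ -z "$rest" ]; then echo up; return; fi
    n=$(printf '%s\n' "$rest" | grep -c 'SIGUSR1\[soft,' || true)
    if [ "$n" -ge "$LOOP_THRESHOLD" ]; then echo looping; else echo reconnecting; fi
}

# loop_reason LOG: auth-failure, ping-restart or none, for the restarts since the last init.
loop_reason() {
    rest=$(since_last_init "$1")
    if   printf '%s\n' "$rest" | grep -q 'AUTH_FAILED';  then echo auth-failure
    elif printf '%s\n' "$rest" | grep -q 'ping-restart'; then echo ping-restart
    else echo none
    fi
}

# stuck_remote LOG: the last remote address openvpn reported preserving (empty if none).
stuck_remote() {
    printf '%s\n' "$1" | sed -n 's/.*Preserving recently used remote address: \[AF_INET\]//p' | tail -n 1
}

# Usage: on the router the input would be the openvpn lines of the syslog; the samples stand in here.
for log in "$LOOPING_LOG" "$RECOVERED_LOG"; do
    echo "state=$(vpn_state "$log") reason=$(loop_reason "$log") remote=$(stuck_remote "$log")"
done
```

An auth-failure loop and a ping-restart loop call for different fixes (credentials or server on one side, connectivity on the other), which is why the reason is reported separately from the state.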
Whatever server you are trying to connect with, the log shows:
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
That is the recommended config per the provider (PIA), and those warnings are always there, even on successful connections:
Code:
20170625 12:56:58 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1542'
20170625 12:56:58 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher BF-CBC'
20170625 12:56:58 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20170625 12:56:58 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20170625 12:56:58 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20170625 12:56:58 I [917bc8f95cfd723d30971370d4cff7fd] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xxx:1197
20170625 12:56:59 SENT CONTROL [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]: 'PUSH_REQUEST' (status=1)
20170625 12:56:59 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS xxx.xxx.xx.xxx dhcp-option DNS xxx.xxx.xx.xxx ping 10 comp-lzo no route xx.xx.xx.x topology net30 ifconfig xx.xx.xx.x xx.xx.xx.x auth-token'
20170625 12:56:59 OPTIONS IMPORT: timers and/or timeouts modified
20170625 12:56:59 NOTE: --mute triggered...
20170625 12:56:59 4 variation(s) on previous 3 message(s) suppressed by --mute
20170625 12:56:59 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170625 12:56:59 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
20170625 12:56:59 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170625 12:56:59 NOTE: --mute triggered...
20170625 12:56:59 1 variation(s) on previous 3 message(s) suppressed by --mute
20170625 12:56:59 I TUN/TAP device tun1 opened
20170625 12:56:59 TUN/TAP TX queue length set to 100
20170625 12:56:59 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20170625 12:56:59 I /sbin/ifconfig tun1 xx.xx.xx.x pointopoint xx.xx.xx.x mtu 1500
20170625 12:57:03 I Initialization Sequence Completed