VPN provider service "keep connected" solution?

T-bone
DD-WRT Novice


Joined: 15 Mar 2010
Posts: 23

Posted: Thu Oct 15, 2015 8:24    Post subject: VPN provider service "keep connected" solution?
Hi guys,

I am using an Archer C9 and a 1043ND router by TP-Link with latest versions of DD-WRT (beta ftp server) in dual router setup. The 1043ND runs the VPN client.

I have a 3-year plan with VPN Unlimited and have setup OpenVPN client correctly.

My problem is that the connection to the VPN server drops maybe 2 to 3 times a day.

Is there a way or a script to restart OpenVPN service when its status is down instead of CONNECTED? At the moment I have to do it manually just by pressing Apply button under the Services -> VPN tab.

Thank you all in advance.

BR,
George
T-bone
Posted: Tue Nov 10, 2015 20:16
I have tried all that... keepalive, ping-restart etc. the tunnel comes up and can either stay up for a few hours or drop in less than 60 minutes.

Whenever the tunnel stays up for more than an hour I can see the hourly reconnection (tls key renewal?) which means things are as they should.. but it does not last.

I must have literally tried all combinations.

The server side has ping 10 and ping-exit 60 I think.. is that a problem?

Is there a script that checks if the tunnel is up and just restarts the OpenVPN service?
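
A watchdog of the kind asked for above, as an added example that is not part of the original thread and is not eibgrad's script: it polls the OpenVPN management interface and restarts the client only after several consecutive polls that are not CONNECTED. It assumes the management interface listens on 127.0.0.1 port 16 without a password (address and port as they appear in the log later in this thread) and that `nc` is available; `RESTART_CMD`, `MAX_FAILS`, `POLL_SECS` and the sample replies are hypothetical names and constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN client watchdog for a router.
# Assumptions: management interface on 127.0.0.1:16 without a password,
# nc is present, and RESTART_CMD is a placeholder for the real restart command.
MGMT_HOST=127.0.0.1
MGMT_PORT=16
MAX_FAILS=${MAX_FAILS:-3}        # consecutive bad polls before restarting
POLL_SECS=${POLL_SECS:-60}
RESTART_CMD=${RESTART_CMD:-"echo RESTART-OPENVPN-PLACEHOLDER"}

# Constructed sample replies to the management "state" command.
SAMPLE_UP=">INFO:OpenVPN Management Interface Version 1
1447283986,CONNECTED,SUCCESS,10.8.0.6,203.0.113.5
END"
SAMPLE_DOWN="1447290000,RECONNECTING,ping-restart,,
END"

# Ask the running client for its state; prints nothing if it is unreachable.
query_state() {
    printf 'state\nquit\n' | nc "$MGMT_HOST" "$MGMT_PORT" 2>/dev/null
}

# Reply line format: <unix time>,<STATE>,<detail>,<local ip>,<remote ip>
# Greeting (">INFO:...") and "END" lines are skipped; no state line -> UNKNOWN.
parse_state() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F, '/^[0-9]+,/ { s = $2 } END { print (s == "" ? "UNKNOWN" : s) }'
}

# One poll. $1 = reply text, $2 = consecutive failures so far.
# Prints the new failure count; exit status 0 means "restart now".
poll_decision() {
    if [ "$(parse_state "$1")" = "CONNECTED" ]; then echo 0; return 1; fi
    n=$(( $2 + 1 ))
    if [ "$n" -ge "$MAX_FAILS" ]; then echo 0; return 0; fi
    echo "$n"; return 1
}

watchdog_loop() {
    fails=0
    while :; do
        if fails=$(poll_decision "$(query_state)" "$fails"); then
            logger -t vpn-watchdog "tunnel down for $MAX_FAILS polls, restarting"
            $RESTART_CMD
        fi
        sleep "$POLL_SECS"
    done
}

if [ "${1:-}" = "run" ]; then watchdog_loop; fi
```

The loop only starts when the script is called with the `run` argument, with `RESTART_CMD` set to whatever restarts the OpenVPN client on the firmware in use. A restart succeeds only if the router can resolve the provider's hostname at that moment, which is the problem the rest of this thread tracks down.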
T-bone
Posted: Wed Nov 11, 2015 11:06
eibgrad wrote:
http://linksysinfo.org/index.php?threads/vpn-client-dropping-connection-frequently.71854/

Granted the above is specifically about tomato, but dd-wrt suffers from many of these same issues. Note my comments specifically.


eibgrad, I'm without words. Your analysis is great and I think this is what is haunting my connection. What I can't figure out is how to solve it.

I am using VPNunlimited as my VPN provider and I will try first to see if their domain is static i.e. translates to a static IP.

Then if that is not the case and it is dynamic I will try a static route to 8.8.8.8 for DNS (the provider is also using that when the connection is established). Unfortunately I do not know how to implement this static route and I could use your help.

At the moment I only have a "forward tables" command in the firewall since this dd-wrt router is after my MAIN router so the two subnets can be visible and connected.

thank you again for your guidance.

george
T-bone
Posted: Thu Nov 12, 2015 8:33
eibgrad, again I need to thank you and also point out that you are the ONLY person I have found online who explained this issue and suggested a workaround. Not even the technicians of the Provider bothered to look into this since "manual settings i.e. dd-wrt" for a device (router that is) are not officially supported (and I very much doubt they possess your skills).

I'm also here to report that changing the domain to IP has kept the tunnel alive since yesterday.

I will now let this be for as long as it stays connected to check if the domain is locked to that IP, and also test the total duration of the tunnel longevity.

If that fails I will then add your script to the startup, much obliged for all your input.

Note: I also used what the provider suggests for additional config:

ns-cert-type server
nobind
persist-tun (should I get rid of this???)
persist-key


this is part of the log showing the tunnel has been up since yesterday:

(the last line showing irrelevant date/time is a bit puzzling...)

20151111 23:19:46 I Initialization Sequence Completed
20151111 23:19:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151111 23:19:47 D MANAGEMENT: CMD 'state'
20151111 23:19:47 MANAGEMENT: Client disconnected
20151111 23:19:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151111 23:19:47 D MANAGEMENT: CMD 'state'
20151111 23:19:47 MANAGEMENT: Client disconnected
20151111 23:19:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151111 23:19:47 D MANAGEMENT: CMD 'state'
20151111 23:19:47 MANAGEMENT: Client disconnected
20151111 23:19:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151111 23:19:48 D MANAGEMENT: CMD 'status 2'
20151111 23:19:48 MANAGEMENT: Client disconnected
20151111 23:19:48 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151111 23:19:48 D MANAGEMENT: CMD 'log 500'
20151111 23:19:48 MANAGEMENT: Client disconnected
20151112 00:19:44 TLS: soft reset sec=0 bytes=72549/0 pkts=1376/0
20151112 00:19:46 VERIFY OK: depth=1 C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
20151112 00:19:46 VERIFY OK: nsCertType=SERVER
20151112 00:19:46 NOTE: --mute triggered...
20151112 10:23:10 106 variation(s) on previous 3 message(s) suppressed by --mute
20151112 10:23:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151112 10:23:10 D MANAGEMENT: CMD 'state'
20151112 10:23:10 MANAGEMENT: Client disconnected
20151112 10:23:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151112 10:23:10 D MANAGEMENT: CMD 'state'
20151112 10:23:10 MANAGEMENT: Client disconnected
20151112 10:23:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151112 10:23:10 D MANAGEMENT: CMD 'state'
20151112 10:23:10 MANAGEMENT: Client disconnected
20151112 10:23:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151112 10:23:10 D MANAGEMENT: CMD 'status 2'
20151112 10:23:10 MANAGEMENT: Client disconnected
20151112 10:23:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20151112 10:23:10 D MANAGEMENT: CMD 'log 500'
19700101 02:00:00"
T-bone
Posted: Thu Nov 12, 2015 22:48
I need to have the router participate since all devices behind it need to connect to the VPN...

I so far discovered that when I ping the domain to see its IP that keeps the tunnel up until the IP changes. The code you gave me did not resolve the server so I lost connection when I used it with the domain name of the Provider. Are there any modifications necessary?

Note that I have disabled dnsmasq and I just use OpenDNS or google DNS servers under Setup tab. Latest DD-WRT beta.

Is there a command maybe for the OpenVPN additional config dialog that forces some DNS server?

I hope I'm not wasting your time here. I would very much like to solve this for two reasons, one for proper and trouble-free operation and secondly to mail the Provider with the link to this thread to see that maybe they should hire more experienced engineers.

EDIT: would this be of any help?

http://unfinishedbitness.info/2013/03/26/using-dd-wrt-for-local-dns-and-dhcp/

EDIT2:

I changed the 8.8.8.8 to my main router IP which is the gateway to the VPN router. Maybe this will help... I dunno.. testing now..

TEST failed... changed back to your original script with different DNS server than 8.8.8.8
T-bone
Posted: Mon Nov 16, 2015 8:00
Update:

It seems that everything is working now.

It was definitely a resolve issue as eibgrad mentioned, but in my situation it was a bit more complicated since I have a dual router setup. So the second router has a WAN port on the first router. The first router is using OpenDNS servers so in order to make everything work I have to use the first router address as LOCAL DNS in the second VPN router. See attached screenshot.

The script eibgrad made is probably working for single router setup and forces a DNS server to resolve the VPN provider's domain names and thus re-connect successfully.

I also got rid of the persist-tun command in the additional config and added a ping 10 command which seems to help.

At the moment the tunnel is up for more than 24 hours which is a 10-fold improvement to say the least.

Eibgrad thank you.

BR,
George
T-bone
Posted: Mon Nov 16, 2015 19:09
OK, this explanation is now a lot clearer to me, unfortunately I think it does not meet my needs if I understand this correctly. i.e. if a friend comes to my house he can use the VPN by connecting to the VPN router WiFi and then I won't have to add any IP addresses to that list you mentioned, right? Same goes for most mobile devices I use.

Also my mac machines can use the location feature and just change the gateway and thus use or not the VPN connection.

The disadvantage is that this router cannot use ddns for direct remote management since as you said all goes through the VPN? Something goes wrong there..

I am satisfied with how it works now as I find the router permanently connected to the VPN server unlike before. And it resolves everything like its own time, plus all requests that originate from connected devices.
mwbuss8
DD-WRT Guru


Joined: 23 Feb 2015
Posts: 751

Posted: Mon Nov 16, 2015 19:29
Thanks for all the details eibgrad. I don't have a VPN, but set an Archer c7 up with one for a friend a while back. It has worked well for him, but reading here and there about the catch-22 with DNS had me a bit worried he'd be calling asking for help soon. I should be in the clear though, as I added br1 with a separate subnet for the VPN, so his family can just choose the desired WiFi network. In effect, I did what you're suggesting without realizing it. I used startup and firewall commands to do it though. I found out about policy based routing later. My way seems to work, but it would've simplified the setup process.
T-bone
Posted: Wed Nov 18, 2015 7:46
I must thank you again for taking all this time to explain.

I think I will also try to use policy based routing for the VPN, I just need to learn more about it at this stage. Also the fact that I use a dual router setup is probably complicating things a bit. But I will investigate this route.

I am sure this thread is of help to others thanks to you.


BR,
T