R7000 - VPN disconnects - no auto reconnect

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12881
Location: Netherlands

Posted: Wed Apr 26, 2017 10:14
mac913 wrote:
Keepalive basically uses ping & ping-restart commands, but the persist-tun command disallows it from doing its job. I believe the TUN/TAP connection needs to restart for the reconnection to start up correctly.

The server should take care of any ping and ping-restart, so I don't think the client needs it. Also, persist-remote-ip is useful for static IPs but can be a problem for dynamic IPs, which most VPN service providers use. I have described persist-tun, which doesn't like to 'let go' of the TUN/TAP connection.

I've created a script without keepalive, ping, ping-restart, persist-tun & persist-remote-ip in the openvpn configuration to see if I will get a constant re-connect when it needed to from the VPN server.


The main culprit could be
Code:
persist-remote-ip
At least for PIA, do not use it. Use only the settings (for PIA) I posted earlier :)
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Blacksheep
DD-WRT Novice


Joined: 14 Nov 2007
Posts: 24

Posted: Mon May 29, 2017 16:11
Hi guys.

I hope you don't mind me jumping in, but this is the thread which matches my current problem most. Therefore I hope you could share your solution, if you found it in the end.

I am running Kong's DD-WRT version v3.0-r31900M (on a Linksys EA8500). I have OpenVPN client up and running with my PIA subscription. However, about every 24-26 hours, the connection is lost because of: "AUTH: Received control message: AUTH_FAILED".

I have tried the additional config provided by PIA (also listed earlier in this thread). Tried it with and without "persist-tun" and/or "auth-retry nointeract". I have also tried using the additional config provided by egc instead. Using the latter, I receive the following errors in the syslog:

Code:
May 29 16:25:04 Linksys EA8500 daemon.notice openvpn[29744]: [6e3389298c82e01bb930fa65a53a2e61] Inactivity timeout (--ping-restart), restarting
May 29 16:25:04 Linksys EA8500 daemon.notice openvpn[29744]: SIGUSR1[soft,ping-restart] received, process restarting
May 29 16:25:04 Linksys EA8500 daemon.notice openvpn[29744]: Restart pause, 5 second(s)
May 29 16:25:09 Linksys EA8500 daemon.warn openvpn[29744]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: TCP/UDP: Preserving recently used remote address: [AF_INET]5.157.7.178:1198
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: Socket Buffers: R=[180224->360448] S=[180224->360448]
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: UDPv4 link local: (not bound)
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: UDPv4 link remote: [AF_INET]5.157.7.178:1198
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: VERIFY KU OK
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: NOTE: --mute triggered...
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: 5 variation(s) on previous 3 message(s) suppressed by --mute
May 29 16:25:09 Linksys EA8500 daemon.notice openvpn[29744]: [6e3389298c82e01bb930fa65a53a2e61] Peer Connection Initiated with [AF_INET]5.157.7.178:1198
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: SENT CONTROL [6e3389298c82e01bb930fa65a53a2e61]: 'PUSH_REQUEST' (status=1)
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: AUTH: Received control message: AUTH_FAILED
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: /tmp/openvpncl/route-down.sh tun1 1500 1622 10.32.10.6 10.32.10.5 init
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: Closing TUN/TAP interface
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: /sbin/ifconfig tun1 0.0.0.0
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: SIGTERM[soft,auth-failure] received, process exiting


I am not sure what the issue is, but I also suspect that it has something to do with PIA using dynamic IPs. Which is great, except the line in my syslog:

Code:
TCP/UDP: Preserving recently used remote address: [AF_INET]5.157.7.178:1198

That seems to indicate that the "persist remote ip" is set somewhere (in the default connection settings perhaps?).
Also, I hoped that the config "keepalive 10 120" would re-resolve the hostname so as to not just use the same IP address?

Any help here is appreciated, since I have been toying around with different settings for almost 2 weeks now. Thanks.

Edit: I found the original post from user "sploit", who egc was referring to, here: https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1076048#1076048
I am now trying with all the settings sploit suggested (except comp-lzo since that is already set through the GUI).
Blacksheep
DD-WRT Novice


Joined: 14 Nov 2007
Posts: 24

Posted: Tue May 30, 2017 15:55
:( So unfortunately, even when using all the settings from sploit, the connection still disconnects after about 24 hours:

Code:
May 30 16:38:05 Linksys EA8500 daemon.notice openvpn[2202]: [697a2631d36dca8eff022955d655caa6] Inactivity timeout (--ping-restart), restarting
May 30 16:38:05 Linksys EA8500 daemon.notice openvpn[2202]: Restart pause, 5 second(s)
May 30 16:38:10 Linksys EA8500 daemon.warn openvpn[2202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: TCP/UDP: Preserving recently used remote address: [AF_INET]91.108.183.74:1198
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: Socket Buffers: R=[180224->360448] S=[180224->360448]
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: UDPv4 link local: (not bound)
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: UDPv4 link remote: [AF_INET]91.108.183.74:1198
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: TLS: Initial packet from [AF_INET]91.108.183.74:1198, sid=44d7c8dd 50b0c738
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: VERIFY KU OK
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: NOTE: --mute triggered...
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: 5 variation(s) on previous 3 message(s) suppressed by --mute
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: [697a2631d36dca8eff022955d655caa6] Peer Connection Initiated with [AF_INET]91.108.183.74:1198
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: SENT CONTROL [697a2631d36dca8eff022955d655caa6]: 'PUSH_REQUEST' (status=1)
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: AUTH: Received control message: AUTH_FAILED
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: /tmp/openvpncl/route-down.sh tun1 1500 1622 10.41.10.6 10.41.10.5 init
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: Closing TUN/TAP interface
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: /sbin/ifconfig tun1 0.0.0.0
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: SIGTERM[soft,auth-failure] received, process exiting


I am now officially out of ideas. I think I will post a new subject in the "Advanced Networking" subforum, to get more eyes on it.
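Added example, not part of any post in this thread: a small shell filter that separates the two endings visible in the logs above, the `SIGUSR1[soft,ping-restart]` restart inside the same process and the `SIGTERM[soft,auth-failure]` exit, after which no process is left to reconnect. The function names are made up for this example, `awk` is assumed to be available, and the sample lines are copied from the May 29 log above.

```shell
#!/bin/sh
# Added example, not from the thread: triage OpenVPN client syslog lines.
# Function names are hypothetical; awk is assumed to be available.

# Four lines copied from the May 29 log posted above.
SAMPLE_LOG='May 29 16:25:04 Linksys EA8500 daemon.notice openvpn[29744]: SIGUSR1[soft,ping-restart] received, process restarting
May 29 16:25:04 Linksys EA8500 daemon.notice openvpn[29744]: Restart pause, 5 second(s)
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: AUTH: Received control message: AUTH_FAILED
May 29 16:25:11 Linksys EA8500 daemon.notice openvpn[29744]: SIGTERM[soft,auth-failure] received, process exiting'

# Read syslog on stdin and print one line per OpenVPN signal event:
#   <time> <pid> <signal> <reason> <RESTART|EXIT>
openvpn_events() {
    awk '
    /openvpn\[[0-9]+\]: SIG[A-Z0-9]+\[/ {
        # PID between "openvpn[" (8 characters) and the closing "]"
        match($0, /openvpn\[[0-9]+\]/)
        pid = substr($0, RSTART + 8, RLENGTH - 9)
        # Signal token, e.g. SIGTERM[soft,auth-failure]
        match($0, /SIG[A-Z0-9]+\[[a-z,-]+\]/)
        sig = substr($0, RSTART, RLENGTH)
        name = sig;   sub(/\[.*/, "", name)
        reason = sig; sub(/^[^,]*,/, "", reason); sub(/\]$/, "", reason)
        # "process exiting" ends the client; anything else is a restart
        outcome = ($0 ~ /process exiting/) ? "EXIT" : "RESTART"
        print $3, pid, name, reason, outcome
    }'
}

# Print the reason of the last signal event if it was an EXIT.
# Prints nothing when the last event was a restart.
fatal_exit_reason() {
    openvpn_events | awk '
        { last = $5; reason = $4 }
        END { if (last == "EXIT") print reason }'
}

# Show the events of the embedded sample when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | openvpn_events
fi
```

Feed it the router's syslog on stdin; an `auth-failure` result means the client has terminated and something outside OpenVPN has to start it again.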
tmo1138
DD-WRT User


Joined: 24 Mar 2015
Posts: 175
Location: Tacoma, Wa

Posted: Tue May 30, 2017 16:49
Blacksheep wrote:
:( So unfortunately, even when using all the settings from sploit, the connection still disconnects after about 24 hours:

Code:
May 30 16:38:05 Linksys EA8500 daemon.notice openvpn[2202]: [697a2631d36dca8eff022955d655caa6] Inactivity timeout (--ping-restart), restarting
May 30 16:38:05 Linksys EA8500 daemon.notice openvpn[2202]: Restart pause, 5 second(s)
May 30 16:38:10 Linksys EA8500 daemon.warn openvpn[2202]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: TCP/UDP: Preserving recently used remote address: [AF_INET]91.108.183.74:1198
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: Socket Buffers: R=[180224->360448] S=[180224->360448]
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: UDPv4 link local: (not bound)
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: UDPv4 link remote: [AF_INET]91.108.183.74:1198
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: TLS: Initial packet from [AF_INET]91.108.183.74:1198, sid=44d7c8dd 50b0c738
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: VERIFY KU OK
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: NOTE: --mute triggered...
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: 5 variation(s) on previous 3 message(s) suppressed by --mute
May 30 16:38:10 Linksys EA8500 daemon.notice openvpn[2202]: [697a2631d36dca8eff022955d655caa6] Peer Connection Initiated with [AF_INET]91.108.183.74:1198
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: SENT CONTROL [697a2631d36dca8eff022955d655caa6]: 'PUSH_REQUEST' (status=1)
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: AUTH: Received control message: AUTH_FAILED
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: /tmp/openvpncl/route-down.sh tun1 1500 1622 10.41.10.6 10.41.10.5 init
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: Closing TUN/TAP interface
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: /sbin/ifconfig tun1 0.0.0.0
May 30 16:38:12 Linksys EA8500 daemon.notice openvpn[2202]: SIGTERM[soft,auth-failure] received, process exiting


I am now officially out of ideas. I think I will post a new subject in the "Advanced Networking" subforum, to get more eyes on it.


I "solved" the problem by moving to IPVanish.. I've gone for days, connections stayed live and haven't had a problem.

PIA had no solutions that helped the issue at all.

_________________
Routers:
Netgear R8000 - DD-WRT v3.0-r43420 std (06/15/20)
Netgear R9000 - DD-WRT v3.0-r43420 std (06/15/20)


Useful links:

Builds:
ftp://ftp.dd-wrt.com/betas/2020/


dd-wrt supported devices:
http://www.dd-wrt.com/wiki/index.php/Supported_Devices

So long <kong> and thanks for all the fish!
one_rob
DD-WRT Novice


Joined: 21 Aug 2017
Posts: 1

Posted: Mon Aug 21, 2017 1:53
I also had the problem of my R7000 disconnecting from the VPN (Private Internet Access), and not reconnecting. It would happen every 24 hours or so. Reading other forum topics, I did manage to set it up to automatically reconnect, and it has been working for 4 or 5 days now.

Firstly, thanks to Mike42Smith in the following thread for pointing me in the right direction:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1044736

To get the VPN to automatically reconnect, I first had to create a script which stopped and restarted the OpenVPN service. This script needs to be created when the router first starts.
I had to use Telnet to create the script: whenever I tried creating the script through the web interface the script name would have a question mark at the end (even when I logged in from a Linux box). I expect it has something to do with CRLF.

Step 1: Create script

1. Using Telnet (Putty on PC) log on to the router.
2. Run the following command:

Code:
nvram set rc_startup="
mkdir /tmp/openvpn
echo '#!/bin/sh
stopservice openvpn
sleep 30
startservice openvpn
' > /tmp/openvpn/fw-down.sh
chmod u+x /tmp/openvpn/fw-down.sh
chmod go-rwx /tmp/openvpn/fw-down.sh

/tmp/openvpn/fw-down.sh
"


This script creates the OpenVPN directory, puts a script in it, and then runs the script at startup. The script stops the VPN, waits 30 seconds, then starts it again.

After running the command, commit it to the nvram with this command:
Code:
nvram commit


Reboot the router. Ensure that the script shows in the GUI (but don't modify it). Log on to the router through telnet. Check the /tmp/openvpn directory and ensure the script exists.

Step 2: Tell OpenVPN to run the script when the VPN goes down

This just requires you to add the two commands to the additional config section in the OpenVPN:
Code:
script-security 2
down /tmp/openvpn/fw-down.sh


For reference, my complete additional config section is:
Code:
sndbuf 524288
rcvbuf 524288
reneg-sec 0
keepalive 10 120
remote-cert-tls server
disable-occ
script-security 2
down /tmp/openvpn/fw-down.sh


That's all there is to it.
I recognise this isn't the most elegant solution, and think it could be better. For example checking to ensure the Internet is up, not waiting 30 seconds, etc. It also isn't necessary to create the openvpn directory under tmp. But it works for me (plus I'm somewhat new to dd-wrt). I might tweak it in the future if I find it necessary. This topic has some good ideas:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1078188
ramboboujee
DD-WRT Novice


Joined: 02 Apr 2020
Posts: 3

Posted: Thu Apr 02, 2020 18:21
one_rob wrote:
I also had the problem of my R7000 disconnecting from the VPN (Private Internet Access), and not reconnecting. It would happen every 24 hours or so. Reading other forum topics, I did manage to set it up to automatically reconnect, and it has been working for 4 or 5 days now.

Firstly, thanks to Mike42Smith in the following thread for pointing me in the right direction:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1044736

To get the VPN to automatically reconnect, I first had to create a script which stopped and restarted the OpenVPN service. This script needs to be created when the router first starts.
I had to use Telnet to create the script: whenever I tried creating the script through the web interface the script name would have a question mark at the end (even when I logged in from a Linux box). I expect it has something to do with CRLF.

Step 1: Create script

1. Using Telnet (Putty on PC) log on to the router.
2. Run the following command:

Code:
nvram set rc_startup="
mkdir /tmp/openvpn
echo '#!/bin/sh
stopservice openvpn
sleep 30
startservice openvpn
' > /tmp/openvpn/fw-down.sh
chmod u+x /tmp/openvpn/fw-down.sh
chmod go-rwx /tmp/openvpn/fw-down.sh

/tmp/openvpn/fw-down.sh
"


This script creates the OpenVPN directory, puts a script in it, and then runs the script at startup. The script stops the VPN, waits 30 seconds, then starts it again.

After running the command, commit it to the nvram with this command:
Code:
nvram commit


Reboot the router. Ensure that the script shows in the GUI (but don't modify it). Log on to the router through telnet. Check the /tmp/openvpn directory and ensure the script exists.

Step 2: Tell OpenVPN to run the script when the VPN goes down

This just requires you to add the two commands to the additional config section in the OpenVPN:
Code:
script-security 2
down /tmp/openvpn/fw-down.sh


For reference, my complete additional config section is:
Code:
sndbuf 524288
rcvbuf 524288
reneg-sec 0
keepalive 10 120
remote-cert-tls server
disable-occ
script-security 2
down /tmp/openvpn/fw-down.sh


That's all there is to it.
I recognise this isn't the most elegant solution, and think it could be better. For example checking to ensure the Internet is up, not waiting 30 seconds, etc. It also isn't necessary to create the openvpn directory under tmp. But it works for me (plus I'm somewhat new to dd-wrt). I might tweak it in the future if I find it necessary. This topic has some good ideas:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1078188


Wow! This actually worked! Sorry for the old bump but I had to show my appreciation.

Thanks for posting this. :)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12881
Location: Netherlands

Posted: Thu Apr 02, 2020 20:35
This only works if the VPN is going down gracefully. If it just hangs, the script will not execute; in that case you can use a watchdog script.

See the fourth post in this thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
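
A watchdog of the kind described above, as an added example (not the script from the linked thread and not any poster's code): it probes through the tunnel and, after several consecutive failures, restarts the client with the same `stopservice`/`startservice` calls used in the `fw-down.sh` script earlier in this thread. Assumptions: the tunnel is `tun1` as in the logs above, the router's `ping` accepts `-c`, `-W` and `-I`, and `PROBE_IP` is an address you choose that answers only through the VPN; all function and variable names are made up here.

```shell
#!/bin/sh
# Added example: watchdog for a hung OpenVPN client (names are hypothetical).

TUN_IF="${TUN_IF:-tun1}"      # tunnel interface, tun1 in the logs above
PROBE_IP="${PROBE_IP:-}"      # assumption: you supply an address reachable via the VPN
MAX_FAILS="${MAX_FAILS:-3}"   # consecutive failed probes before a restart
INTERVAL="${INTERVAL:-60}"    # seconds between probes
FAILS=0                       # current run of failed probes

# Succeeds only if an echo reply comes back through the tunnel interface.
# It also fails when the interface is missing, i.e. the client has exited.
probe_tunnel() {
    ping -c 1 -W 5 -I "$TUN_IF" "$PROBE_IP" >/dev/null 2>&1
}

# Same stop / wait / start sequence as the fw-down.sh script in this thread.
restart_vpn() {
    stopservice openvpn
    sleep 30
    startservice openvpn
}

# One watchdog pass: reset the counter on success, count a failure otherwise,
# and restart only after MAX_FAILS failures in a row so that a single lost
# packet does not tear down a working tunnel.
watchdog_tick() {
    if probe_tunnel; then
        FAILS=0
        return 0
    fi
    FAILS=$((FAILS + 1))
    [ "$FAILS" -lt "$MAX_FAILS" ] && return 0
    FAILS=0
    restart_vpn
}

# Loop forever only when started with --run, so the functions can be
# sourced or tested without touching the VPN.
if [ "${1:-}" = "--run" ]; then
    [ -n "$PROBE_IP" ] || { echo "PROBE_IP is not set" >&2; exit 1; }
    while :; do
        watchdog_tick
        sleep "$INTERVAL"
    done
fi
```

Run it in the background with `--run` once `PROBE_IP` is set; without that argument it only defines the functions.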

ramboboujee
DD-WRT Novice


Joined: 02 Apr 2020
Posts: 3

Posted: Fri Apr 03, 2020 20:31
egc wrote:
This only works if the VPN is going down gracefully. If it just hangs, the script will not execute; in that case you can use a watchdog script.

See the fourth post in this thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686


Unfortunately, that fix did not work for my R8000.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12881
Location: Netherlands

Posted: Fri Apr 03, 2020 20:37
Are you running an older build?