We are having network connectivity issues with our wifi network when using NordVPN through the OpenVPN client. Connection to the internet is lost across multiple devices / device types connected to the network. These outages do not occur when connected to the internet without the VPN. The OpenVPN client configuration in DD-WRT was performed via the browser webpage control panel according to instructions in the following webpage: https://support.nordvpn.com/Connectivity/Router/1047410342/DD-WRT-setup-with-NordVPN.htm . We have been troubleshooting the issue with the VPN provider ( mostly trying different VPN servers ), but haven't resolved the issue. We are connecting to the VPN server by TCP; UDP connection is available, but hasn't been tried yet.
In an attempt to investigate the source of the issue, the following shell commands were executed on a device while connected to the wifi network during a period when internet connectivity is lost:
Command: ping -v 8.8.8.8
Result: Request timeout for icmp_seq
Command: traceroute 8.8.8.8
Result: 1 wap 2.327 ms 0.925 ms 2.952 ms
2 * * *
3 * * *
The network connection appears to be lost after our router. Syslogd was started in DD-WRT; below are log warnings and errors during a period when internet connectivity is lost:
Dec 31 16:00:35 WAP daemon.warn openvpn[1386]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change
Dec 31 16:00:35 WAP daemon.warn openvpn[1386]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:00:35 WAP daemon.warn openvpn[1386]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Dec 31 16:00:35 WAP daemon.warn openvpn[1393]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:00:38 WAP daemon.warn openvpn[1393]: --mtu-disc is not supported on this OS
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Dec 31 16:00:38 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:00:38 WAP daemon.warn openvpn[1800]: --mtu-disc is not supported on this OS
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: VERIFY ERROR: depth=2, error=certificate is not yet valid: C=PA, O=NordVPN, CN=NordVPN Root CA, serial=1
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: TLS_ERROR: BIO read tls_read_plaintext error
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: Fatal TLS error (check_tls_errors_co), restarting
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: --mtu-disc is not supported on this OS
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 26 08:43:56 WAP daemon.warn openvpn[1800]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 26 09:43:56 WAP daemon.warn openvpn[1800]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
Jul 26 09:43:56 WAP daemon.warn openvpn[1800]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 26 10:04:41 WAP daemon.err openvpn[1800]: read TCP_CLIENT: Operation timed out (code=110)
Jul 26 10:04:41 WAP daemon.err openvpn[1800]: Connection reset, restarting [0]
Jul 26 10:04:46 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 10:04:49 WAP daemon.err openvpn[1800]: TCP: connect to [AF_INET]104.216.216.194:443 failed: Host is unreachable
Jul 26 10:04:54 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 10:04:59 WAP daemon.err openvpn[1800]: RESOLVE: Cannot resolve host address: us2932.nordvpn.com:443 (Try again)
Jul 26 10:05:04 WAP daemon.err openvpn[1800]: RESOLVE: Cannot resolve host address: us2932.nordvpn.com:443 (Try again)
Jul 26 10:05:04 WAP daemon.warn openvpn[1800]: Could not determine IPv4/IPv6 protocol
Jul 26 10:05:09 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
These log warnings and errors are consistent among the various configuration changes we have made while troubleshooting this issue, and seem to indicate that the source may be the OpenVPN configuration, however, we have not been able to fix the issue. Any help with this matter would be greatly appreciated; please let me know if any additional information is required. Thank you for your time.
Last edited by Z112358 on Sun Aug 15, 2021 19:46; edited 1 time in total
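Added example, not part of the original post and not DD-WRT or NordVPN tooling: a small Python triage over openvpn syslog lines copied from the excerpt above, grouping them by failure type so that clock, reachability/DNS, tunnel and local hardening messages can be read separately. "certificate is not yet valid" means the router's clock was earlier than the certificate's start date when the check ran; the category names and the `outage_scope` heuristic are assumptions of this example.

```python
import re

# Lines copied from the syslog excerpt in the post above (subset, same order).
SAMPLE_LOG = """\
Dec 31 16:00:35 WAP daemon.warn openvpn[1386]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: VERIFY ERROR: depth=2, error=certificate is not yet valid: C=PA, O=NordVPN, CN=NordVPN Root CA, serial=1
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 26 10:04:41 WAP daemon.err openvpn[1800]: read TCP_CLIENT: Operation timed out (code=110)
Jul 26 10:04:49 WAP daemon.err openvpn[1800]: TCP: connect to [AF_INET]104.216.216.194:443 failed: Host is unreachable
Jul 26 10:04:59 WAP daemon.err openvpn[1800]: RESOLVE: Cannot resolve host address: us2932.nordvpn.com:443 (Try again)
"""

RULES = [  # category labels are this example's own naming, not OpenVPN terminology
    ("clock_before_cert", re.compile(r"certificate is not yet valid")),
    ("tls_failure", re.compile(r"TLS_ERROR|Fatal TLS error")),
    ("tunnel_timeout", re.compile(r"Operation timed out|Connection reset")),
    ("server_unreachable", re.compile(r"Host is unreachable")),
    ("dns_failure", re.compile(r"RESOLVE: Cannot resolve")),
    ("peer_option_mismatch", re.compile(r"used inconsistently|present in remote config but missing")),
    ("local_hardening", re.compile(r"WITHOUT passwords|group or others accessible|cache passwords")),
]
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ daemon\.\w+ openvpn\[\d+\]: (.*)$")

def triage(log_text):
    """Return {category: {"count", "first", "last"}} in order of first appearance."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an openvpn syslog line
        stamp, msg = m.groups()
        for label, pattern in RULES:
            if pattern.search(msg):
                hit = findings.setdefault(label, {"count": 0, "first": stamp, "last": stamp})
                hit["count"] += 1
                hit["last"] = stamp
                break  # first matching rule wins
    return findings

def outage_scope(findings):
    """Heuristic (assumption of this example): where the failure sits relative to the tunnel."""
    if "dns_failure" in findings or "server_unreachable" in findings:
        return "router-upstream"  # the router itself cannot resolve or reach the server
    if "tunnel_timeout" in findings or "tls_failure" in findings:
        return "tunnel"
    return "none"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), outage_scope(triage(SAMPLE_LOG)))
```

On the router the same text can be fed from the syslog file; the `local_hardening` group collects the management-port and credentials-file warnings, which are worth fixing independently of the outage.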
Looks like the user needs to pick either UDP, or TCP protocol. Looks like Port, and Tunnel Protocol conflicts.
Also additional configuration issues.
It's saying resolve now 🤣
--mtu-disc is not supported on this OS
Cannot resolve host address: us2932.nordvpn.com:443
Could not determine IPv4/IPv6 protocol
For some better instructions see the OpenVPN client setup guide link in my signature.
I will need to read these more thoroughly. I will respond if I notice any discrepancies in our configuration.
If keys/certs/credentials are the same for all servers you can specify more servers for redundancy/fail over as described in the Client setup Guide paragraph: "Adding Servers/Country"
Unfortunately, the keys/certs/credentials are different for each VPN server; the troubleshooting recommendation from the VPN provider was to try different servers, but this doesn't appear to help.
You need to be using the DNS server on the router from your real ISP not from the Nord VPN provider.
I will have to determine what the ISP DNS server is. The original configuration was using the VPN DNS servers ( Static DNS 1: 103.86.96.100, Static DNS 2: 103.86.99.100 ), and this was changed to Cloudflare DNS servers ( Static DNS 1: 1.1.1.1, Static DNS 2: 1.0.0.1 ) while troubleshooting with the VPN provider.
You did NOT say whether these "outages" are permanent or temporary. Meaning, if the VPN to Nord goes down, does it come back up a minute later or not? Or do you have to reboot the router to get it to come back up?
The outages are never permanent, however, they can last several minutes to hours, and rebooting the router doesn't always result in a successful connection.
Looks like the user needs to pick either UDP, or TCP protocol. Looks like Port, and Tunnel Protocol conflicts.
The OpenVPN Client configuration is the following:
Port: 443
Tunnel Device: TUN
Tunnel Protocol: tcp
Please let me know if you require any additional information. Thank you for your time.
If you don't mind sharing what region are you picking NordVPN servers from? Maybe I can see if I can find multiples with same TLS and CA keys.
Have you had the same outcome with just one server selected?
Have you tried UDP protocol? With any improvements?
Selecting Tunnel Protocol: tcp is causing the warning "--mtu-disc is not supported on this OS"; try UDP4 or TCP4.
I notice us2932.nordvpn.com:443 (US region). What city? Mine is Atlanta. In the US region of the same city you shouldn't have any issues finding multiple servers with the same keys.
I will read this and see if I notice any discrepancies.
If you don't mind sharing what region are you picking NordVPN servers from?
United States.
Have you had the same outcome with just one server selected?
I believe the OpenVPN Client configuration permits only one VPN server to be configured at a time, but I may be wrong.
Have you tried UDP protocol? With any improvements?
I have not tried UDP yet, but will try it and respond if there are any improvements.
Selecting Tunnel Protocol: tcp is causing the warning "--mtu-disc is not supported on this OS"; try UDP4 or TCP4.
I will try this, and will respond if there are any improvements.
I notice us2932.nordvpn.com:443 (US region). What city? Mine is Atlanta. In the US region of the same city you shouldn't have any issues finding multiple servers with the same keys.
We are closest to Los Angeles. I've tried using the VPN provider server recommendation webpage ( https://nordvpn.com/servers/tools/ ), but using the resulting VPN servers did not fix the issue.
However, during recent troubleshooting, I disabled the OpenVPN client, and experienced an outage roughly a half hour after the router was rebooted. I did not see any warnings or errors in the logs, and the rest of the logs do not show any dis-/connections that cannot be accounted for. I am not sure if this completely discredits the OpenVPN client as the culprit, and will see if the issue repeats itself. Besides checking the logs and executing commands like ping and traceroute during outages, are there any other diagnostic methods that we should be using to find the source of this issue?
We upgraded the DD-WRT firmware from v3.0-r45891 std (03/04/21) to v3.0-r47090 std (07/26/21); no improvement. We then reflashed the OEM factory firmware, and are no longer experiencing this issue. The issue appears to be due to misconfiguration of the DD-WRT firmware, and not simply an OpenVPN misconfiguration. Since this is outside the scope of the OP, this thread can be closed if need be. Thank you all for your help.
Many users use DDWRT, many use a VPN client and even some use NordVPN and they all got it working so I doubt it is the software which is at fault.
I don't believe it is the software which is at fault; I believe it is a misconfiguration which I am responsible for. This issue has been mentioned on other threads ( see below ):