[SOLVED] OpenVPN client internet connection lost

Z112358
DD-WRT Novice


Joined: 26 Jul 2021
Posts: 10

Posted: Mon Jul 26, 2021 21:03    Post subject: [SOLVED] OpenVPN client internet connection lost
Router Firmware: DD-WRT v3.0-r45891 std (03/04/21)


We are having network connectivity issues with our wifi network when using NordVPN through the OpenVPN client. Connection to the internet is lost across multiple devices / device types connected to the network. These outages do not occur when connected to the internet without the VPN. The OpenVPN client configuration in DD-WRT was performed via the browser webpage control panel according to instructions in the following webpage: https://support.nordvpn.com/Connectivity/Router/1047410342/DD-WRT-setup-with-NordVPN.htm . We have been troubleshooting the issue with the VPN provider ( mostly trying different VPN servers ), but haven't resolved the issue. We are connecting to the VPN server by TCP; UDP connection is available, but hasn't been tried yet.

In an attempt to investigate the source of the issue, the following shell commands were executed on a device while connected to the wifi network during a period when internet connectivity is lost:

Command: ping -v 8.8.8.8
Result: Request timeout for icmp_seq

Command: traceroute 8.8.8.8
Result: 1 wap 2.327 ms 0.925 ms 2.952 ms
2 * * *
3 * * *

The network connection appears to be lost after our router. Syslogd was started in DD-WRT; below are log warnings and errors during a period when internet connectivity is lost:

Dec 31 16:00:35 WAP daemon.warn openvpn[1386]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change
Dec 31 16:00:35 WAP daemon.warn openvpn[1386]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:00:35 WAP daemon.warn openvpn[1386]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Dec 31 16:00:35 WAP daemon.warn openvpn[1393]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:00:38 WAP daemon.warn openvpn[1393]: --mtu-disc is not supported on this OS
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Dec 31 16:00:38 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:00:38 WAP daemon.warn openvpn[1800]: --mtu-disc is not supported on this OS
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: VERIFY ERROR: depth=2, error=certificate is not yet valid: C=PA, O=NordVPN, CN=NordVPN Root CA, serial=1
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: TLS_ERROR: BIO read tls_read_plaintext error
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: Fatal TLS error (check_tls_errors_co), restarting
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: --mtu-disc is not supported on this OS
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 26 08:43:56 WAP daemon.warn openvpn[1800]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 26 09:43:56 WAP daemon.warn openvpn[1800]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
Jul 26 09:43:56 WAP daemon.warn openvpn[1800]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 26 10:04:41 WAP daemon.err openvpn[1800]: read TCP_CLIENT: Operation timed out (code=110)
Jul 26 10:04:41 WAP daemon.err openvpn[1800]: Connection reset, restarting [0]
Jul 26 10:04:46 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 10:04:49 WAP daemon.err openvpn[1800]: TCP: connect to [AF_INET]104.216.216.194:443 failed: Host is unreachable
Jul 26 10:04:54 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 10:04:59 WAP daemon.err openvpn[1800]: RESOLVE: Cannot resolve host address: us2932.nordvpn.com:443 (Try again)
Jul 26 10:05:04 WAP daemon.err openvpn[1800]: RESOLVE: Cannot resolve host address: us2932.nordvpn.com:443 (Try again)
Jul 26 10:05:04 WAP daemon.warn openvpn[1800]: Could not determine IPv4/IPv6 protocol
Jul 26 10:05:09 WAP daemon.warn openvpn[1800]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

These log warnings and errors are consistent among the various configuration changes we have made while troubleshooting this issue, and seem to indicate that the source may be the OpenVPN configuration, however, we have not been able to fix the issue. Any help with this matter would be greatly appreciated; please let me know if any additional information is required. Thank you for your time.


Last edited by Z112358 on Sun Aug 15, 2021 19:46; edited 1 time in total
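
An added example, not part of the thread: a small Python triage of the syslog excerpt in the post above. It groups the OpenVPN messages by likely cause and flags a certificate "not yet valid" error followed by a change of log date under the same PID, which is the pattern an unset router clock produces. The category names and that reading of the date change are this example's assumptions; the log lines are a subset copied from the post.

```python
import re
from collections import Counter

# Subset of the syslog lines from the first post, embedded so this runs offline.
SAMPLE_LOG = """\
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:00:38 WAP daemon.warn openvpn[1798]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Dec 31 16:00:38 WAP daemon.err openvpn[1800]: VERIFY ERROR: depth=2, error=certificate is not yet valid: C=PA, O=NordVPN, CN=NordVPN Root CA, serial=1
Jul 26 08:43:55 WAP daemon.warn openvpn[1800]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Jul 26 10:04:41 WAP daemon.err openvpn[1800]: read TCP_CLIENT: Operation timed out (code=110)
Jul 26 10:04:49 WAP daemon.err openvpn[1800]: TCP: connect to [AF_INET]104.216.216.194:443 failed: Host is unreachable
Jul 26 10:04:59 WAP daemon.err openvpn[1800]: RESOLVE: Cannot resolve host address: us2932.nordvpn.com:443 (Try again)
"""

LINE = re.compile(r"^(\w{3} +\d+) (\d\d:\d\d:\d\d) \S+ daemon\.(\w+) openvpn\[(\d+)\]: (.*)$")

# Category names are this example's own labels, not OpenVPN terminology.
RULES = [
    ("clock", re.compile(r"certificate is not yet valid")),
    ("dns", re.compile(r"RESOLVE: Cannot resolve host address")),
    ("transport", re.compile(r"Operation timed out|Host is unreachable|Connection reset")),
    ("config-mismatch", re.compile(r"used inconsistently|present in remote config but missing")),
    ("hardening", re.compile(r"--management on a TCP port WITHOUT passwords|group or others accessible|auth-nocache")),
]

def triage(log):
    """Return one dict per OpenVPN syslog line, tagged with the first matching category."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an openvpn daemon line
        date, _time, sev, pid, msg = m.groups()
        cat = next((name for name, rx in RULES if rx.search(msg)), "other")
        events.append({"date": date, "sev": sev, "pid": int(pid), "cat": cat, "msg": msg})
    return events

def clock_jumps(events):
    """Report (pid, old_date, new_date) for date changes that follow a 'not yet valid' error."""
    jumps, last_date, saw_clock_err = [], {}, set()
    for e in events:
        pid = e["pid"]
        if pid in last_date and last_date[pid] != e["date"] and pid in saw_clock_err:
            jumps.append((pid, last_date[pid], e["date"]))
        if e["cat"] == "clock":
            saw_clock_err.add(pid)
        last_date[pid] = e["date"]
    return jumps

def summary(events):
    return Counter(e["cat"] for e in events)

if __name__ == "__main__":
    print(dict(summary(triage(SAMPLE_LOG))), clock_jumps(triage(SAMPLE_LOG)))
```

Separating the categories this way keeps the boot-time certificate error and the hardening warnings from being mistaken for the later transport and DNS failures.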
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Mon Jul 26, 2021 21:48
On what router? Also, the documentation you need to read is in this forum in a sticky, most likely. And you should be running a newer build.

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/07-26-2021-r47090/

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Tue Jul 27, 2021 11:58
Let us know what router you are using

Probably upgrade to the latest build 47090 although your current build also should work.

How is the router set up, basic gateway mode connected to the internet?

Most instructions from providers are obsolete (as are these)

For some better instructions see the OpenVPN client setup guide link in my signature.

Your log shows the server is not reachable (among other things indicating wrong settings but those are not show stoppers)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Tue Jul 27, 2021 13:04; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Tue Jul 27, 2021 12:03
Addendum:

If keys/certs/credentials are the same for all servers you can specify more servers for redundancy/fail over as described in the Client setup Guide paragraph: "Adding Servers/Country"

Justanotherbrokenrouter
DD-WRT User


Joined: 27 Apr 2019
Posts: 172

Posted: Tue Jul 27, 2021 16:54
Looks like the user needs to pick either UDP, or TCP protocol. Looks like Port, and Tunnel Protocol conflicts.
Also additional configuration issues.

It's saying resolve now 🤣
--mtu-disc is not supported on this OS
Cannot resolve host address: us2932.nordvpn.com:443
Could not determine IPv4/IPv6 protocol

I agree this guide is outdated but it should have at least got you to establish a successful connection 😉.
https://support.nordvpn.com/Connectivity/Router/1047410342/DD-WRT-setup-with-NordVPN.htm
Z112358
DD-WRT Novice


Joined: 26 Jul 2021
Posts: 10

Posted: Tue Jul 27, 2021 20:54
Thank you for your responses. Please find below answers to your questions.


On what router?

Linksys WRT3200ACM


And you should be running a newer build.

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/07-26-2021-r47090/


I will upgrade the firmware and respond with the results.


How is the router set up, basic gateway mode connected to the internet?

I believe so, but need to verify this. The router was set up according to the Installation webpage ( https://forum.dd-wrt.com/wiki/index.php/Installation ) and the Linksys WRT1900AC webpage ( https://forum.dd-wrt.com/wiki/index.php/Linksys_WRT1900AC ) in the dd-wrt wiki, in addition to the guide from the VPN provider given in the original post.


For some better instructions see the OpenVPN client setup guide link in my signature.

I will need to read these more thoroughly. I will respond if I notice any discrepancies in our configuration.


If keys/certs/credentials are the same for all servers you can specify more servers for redundancy/fail over as described in the Client setup Guide paragraph: "Adding Servers/Country"

Unfortunately, the keys/certs/credentials are different for each VPN server; the troubleshooting recommendation from the VPN provider was to try different servers, but this doesn't appear to help.


You need to be using the DNS server on the router from your real ISP not from the Nord VPN provider.

I will have to determine what the ISP DNS server is. The original configuration was using the VPN DNS servers ( Static DNS 1: 103.86.96.100, Static DNS 2: 103.86.99.100 ), and this was changed to Cloudflare DNS servers ( Static DNS 1: 1.1.1.1, Static DNS 2: 1.0.0.1 ) while troubleshooting with the VPN provider.


You did NOT say whether these "outages" are permanent or temporary. Meaning, if the VPN to Nord goes down, does it come back up a minute later or not? Or do you have to reboot the router to get it to come back up?

The outages are never permanent, however, they can last several minutes to hours, and rebooting the router doesn't always result in a successful connection.


Looks like the user needs to pick either UDP, or TCP protocol. Looks like Port, and Tunnel Protocol conflicts.

The OpenVPN Client configuration is the following:
Port: 443
Tunnel Device: TUN
Tunnel Protocol: tcp


Please let me know if you require any additional information. Thank you for your time.
Justanotherbrokenrouter
DD-WRT User


Joined: 27 Apr 2019
Posts: 172

Posted: Tue Jul 27, 2021 21:20
Maybe this guide will help.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328049

If you don't mind sharing what region are you picking NordVPN servers from? Maybe I can see if I can find multiples with same TLS and CA keys.

Have you had the same outcome with just one server selected?

Have you tried UDP protocol? With any improvements?

Selecting Tunnel Protocol: tcp is causing warning --mtu-disc is not supported on this OS try UDP4, or TCP4.

I notice us2932.nordvpn.com:443 (US region). What city? Mine is Atlanta. In the US region of the same city you shouldn't have any issues finding multiple servers with the same keys.
Z112358
DD-WRT Novice


Joined: 26 Jul 2021
Posts: 10

Posted: Wed Jul 28, 2021 19:59
Please find answers to your questions below.

Maybe this guide will help.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328049


I will read this and see if I notice any discrepancies.


If you don't mind sharing what region are you picking NordVPN servers from?

United States.


Have you had the same outcome with just one server selected?

I believe the OpenVPN Client configuration permits only one VPN server to be configured at a time, but I may be wrong.


Have you tried UDP protocol? With any improvements?

I have not tried UDP yet, but will try it and respond if there are any improvements.


Selecting Tunnel Protocol: tcp is causing warning --mtu-disc is not supported on this OS try UDP4, or TCP4.

I will try this, and will respond if there are any improvements.


I notice us2932.nordvpn.com:443 (US region). What city? Mine is Atlanta. In the US region of the same city you shouldn't have any issues finding multiple servers with the same keys.

We are closest to Los Angeles. I've tried using the VPN provider server recommendation webpage ( https://nordvpn.com/servers/tools/ ), but using the resulting VPN servers did not fix the issue.


However, during recent troubleshooting, I disabled the OpenVPN client, and experienced an outage roughly a half hour after the router was rebooted. I did not see any warnings or errors in the logs, and the rest of the logs do not show any dis-/connections that cannot be accounted for. I am not sure if this completely discredits the OpenVPN client as the culprit, and will see if the issue repeats itself. Besides checking the logs and executing commands like ping and traceroute during outages, are there any other diagnostic methods that we should be using to find the source of this issue?

Thank you for your time.
Z112358
DD-WRT Novice


Joined: 26 Jul 2021
Posts: 10

Posted: Fri Aug 06, 2021 19:15
We upgraded the DD-WRT firmware from v3.0-r45891 std (03/04/21) to v3.0-r47090 std (07/26/21); no improvement. We then reflashed the OEM factory firmware, and are no longer experiencing this issue. The issue appears to be due to misconfiguration of the DD-WRT firmware, and not simply an OpenVPN misconfiguration. Since this is outside the scope of the OP, this thread can be closed if need be. Thank you all for your help.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sat Aug 07, 2021 6:13
Many users use DDWRT, many use a VPN client and even some use NordVPN and they all got it working so I doubt it is the software which is at fault.
Z112358
DD-WRT Novice


Joined: 26 Jul 2021
Posts: 10

Posted: Sun Aug 15, 2021 19:42
egc wrote:
Many users use DDWRT, many use a VPN client and even some use NordVPN and they all got it working so I doubt it is the software which is at fault.


I don't believe it is the software which is at fault; I believe it is a misconfiguration which I am responsible for. This issue has been mentioned on other threads ( see below ):

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329518
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1242589
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1242618
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329358
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329003
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329829

I will need to read more before I understand how to fix it. Again, I don't believe the issue is OpenVPN or the DD-WRT firmware.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sun Aug 15, 2021 20:39
If you are talking about the wireless problems then yes the situation is bad.

The manufacturer has abandoned driver support a long time ago.

Openvpn should work though. :)
