OpenVPN client disconnects following Inactivity Timeout

deedeedoubleyourt
DD-WRT Novice


Joined: 22 Oct 2021
Posts: 14

Posted: Mon Jan 10, 2022 20:14
eibgrad wrote:
Well, I successfully forced a restart w/ inactivity here, and guess what? The PBR rules are now GONE once the VPN gets reconnected!

Going to look into this further.

P.S. And if I hit Apply, the PBR rules come back.


Well I'm glad I'm not going crazy. I've been trying to chase this down for months by changing all kinds of settings, trying different builds.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Mon Jan 10, 2022 20:29
Enable the Killswitch in the GUI and you should be good.

(Also enable the Inbound firewall on Tun if you have not already done so.)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Mon Jan 10, 2022 20:35
There is a bug here, but I can see how this happened to the OP. He was using his own kill switch in the firewall script. Had he used the OpenVPN kill switch, this wouldn't have happened. Then again, we wouldn't know about this problem w/ PBR when the kill switch is disabled either.
_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Mon Jan 10, 2022 20:39
Yes indeed, thanks to all!

Will update the code so that this bug is squashed :)

deedeedoubleyourt
DD-WRT Novice


Joined: 22 Oct 2021
Posts: 14

Posted: Mon Jan 10, 2022 20:53
I have enabled the Inbound Firewall on Tun and also checked the Killswitch in the GUI. I assume this only applies to my PBR so other devices are not impacted during a drop.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Mon Jan 10, 2022 20:58
Certainly, it is in the documentation: https://forum.dd-wrt.com/phpBB2/download.php?id=48550

It is an intelligent killswitch; it should only block the entries in PBR.

You might also have a look at the PBR chapter, especially CIDR notation, and at the Nord specific settings.

Having the Inbound firewall on Tun disabled like you had is a big security risk!

deedeedoubleyourt
DD-WRT Novice


Joined: 22 Oct 2021
Posts: 14

Posted: Mon Jan 10, 2022 21:10
egc wrote:
Certainly, it is in the documentation: https://forum.dd-wrt.com/phpBB2/download.php?id=48550

It is an intelligent killswitch; it should only block the entries in PBR.

You might also have a look at the PBR chapter, especially CIDR notation, and at the Nord specific settings.

Having the Inbound firewall on Tun disabled like you had is a big security risk!


I will take a look into that documentation. I only disabled that Inbound Firewall temporarily yesterday to see if it would make any impact.

Appreciation for all the responses in this thread!
deedeedoubleyourt
DD-WRT Novice


Joined: 22 Oct 2021
Posts: 14

Posted: Fri Jan 14, 2022 13:10
Update: Although enabling the Killswitch did solve the VPN reconnect with PBR, it's still not working as I'd expect. Post Inactivity Timeout and reconnect, my log file is no longer being populated. So after some duration (a day or two) the connection dropped and the killswitch kicked in, but since there are no log updates I can't see what's going on. I did reboot after enabling the killswitch per the setup guide.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Fri Jan 14, 2022 13:24
You can check with:
ip route show
ip route show table 10
ip rule show

If that is as it should be, then you should use a watchdog script to restart the tunnel; unfortunately that is often necessary :(

See third post of this thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686


Edit from the Troubleshooting paragraph:
Quote:
Connection Problems
When the tunnel goes down and does not reconnect because it cannot resolve the URL address of the server and cannot set a route to the new server, this can be because the route-up and down scripts are not being reread (because of the persist-tun parameter).
This will keep the resolv.dnsmasq with pushed DNS servers which are not publicly available and keep the pre-existing routes.
So the tunnel should be restarted; you can force a restart by adding in the additional config:
remap-usr1 SIGHUP

Other things which might help:
keepalive 10 120 #check that the provider does not push ping-exit, that takes precedence and you have to use a watchdog
resolv-retry infinite

You can also try adding the server's domain name as a route directive to force *all* its public IPs to be bound to the WAN, add in the additional config (this can be useful if you have the error: RESOLVE: Cannot resolve host address ….):
route <server url> 255.255.255.255 net_gateway

In the end you might need a tunnel watchdog (see the third post of this thread) or simply use the built-in connection watchdog to reboot the router if a connection is lost.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Fri Jan 14, 2022 18:12
ddwrt-ovpn-watchdog.sh
deedeedoubleyourt
DD-WRT Novice


Joined: 22 Oct 2021
Posts: 14

Posted: Fri Jan 14, 2022 18:56
eibgrad wrote:
ddwrt-ovpn-watchdog.sh


What bugs me about this is what's listed as purpose of the script "(re)start failed/stopped/unresponsive openvpn client". My connection status shows CONNECTED SUCCESSFUL again, IP tables look fine. The client itself appears to be fine but Killswitch kicks in for PBR devices. I'm adding in remap-usr1 SIGHUP to config to see if that helps before looking at the watchdog script.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Fri Jan 14, 2022 19:16
deedeedoubleyourt wrote:
eibgrad wrote:
ddwrt-ovpn-watchdog.sh


What bugs me about this is what's listed as purpose of the script "(re)start failed/stopped/unresponsive openvpn client". My connection status shows CONNECTED SUCCESSFUL again, IP tables look fine. The client itself appears to be fine but Killswitch kicks in for PBR devices. I'm adding in remap-usr1 SIGHUP to config to see if that helps before looking at the watchdog script.


One of the unfortunate aspects of OpenVPN as implemented by *some* providers, esp. the cheaper, less reputable ones, is that they will sometimes force an AUTH FAIL condition to manage their servers. IOW, even though the username/password provided is perfectly valid, they'll restrict access to the server through this method (perhaps for reasons of maintenance, overloading, etc.). The problem from the perspective of the OpenVPN client is that this is considered a FATAL ERROR! It will KILL the OpenVPN client process, trigger the kill switch (if enabled), and produce no further output in the syslog.

IMO, this is the number one reason the watchdog script is necessary. VPN providers are essentially "breaking the rules" for their own reasons. And the only way to combat it is to detect if and when the OpenVPN process gets killed off in this manner and force a restart.

Even if you include multiple servers (in the form of additional remote directives in the Additional Config field), it won't help. It's assumed that any incorrect username/password will fail for ANY and ALL servers you have specified in the config.

Admittedly, I'm guessing here that this is your present problem. Maybe I'm wrong. But regardless, for most ppl, it's prudent to include a watchdog process for the OpenVPN client because of how some VPN providers manage their servers, something the router has no control over. Frankly, I think there's a case to be made for adding a watchdog option directly to the GUI given how much of a problem this can be.

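Added example for this thread (editor's addition; it is not egc's GUI code and not one of eibgrad's scripts): a minimal OpenVPN client watchdog in POSIX/busybox sh that combines the two failure modes discussed above, the openvpn process being killed off (for instance by a provider-forced AUTH FAIL, which leaves nothing in syslog) and the PBR rules vanishing after a reconnect while the GUI still says CONNECTED SUCCESSFUL. Assumed rather than taken from the thread: the PBR routing table number (10, as in egc's "ip route show table 10"), the tunnel interface name tun1, the OVPN_WATCHDOG_RUN switch, and restarting the client with "stopservice openvpn; startservice openvpn". The sample "ip rule show" capture at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN client watchdog for DD-WRT.
# Checks (1) the openvpn process is alive, (2) the tunnel interface is up,
# (3) every PBR client still has its "from SRC lookup TABLE" rule, and
# restarts the client when any check fails.
# Assumptions (not from the thread): table 10, interface tun1, and the
# stopservice/startservice commands used for the restart.

PBR_TABLE="${PBR_TABLE:-10}"        # routing table used by the PBR entries
TUN_IF="${TUN_IF:-tun1}"            # tunnel interface of the OpenVPN client
PBR_CLIENTS="${PBR_CLIENTS:-}"      # e.g. "192.168.1.10 192.168.1.0/28"

# rules_missing EXPECTED_SOURCES RULE_OUTPUT
#   EXPECTED_SOURCES: space-separated sources exactly as "ip rule show"
#   prints them; RULE_OUTPUT: captured text of "ip rule show".
#   Prints the sources that have no "from SRC lookup PBR_TABLE" rule and
#   returns 1 if any is missing, 0 if every expected rule is present.
rules_missing() {
    expected=$1
    rules=$2
    missing=""
    for src in $expected; do
        # escape dots so "192.168.1.10" cannot match "192x168x1x10"
        src_re=$(printf '%s' "$src" | sed 's/[.]/\\./g')
        if ! printf '%s\n' "$rules" |
             grep -qE "from ${src_re} lookup ${PBR_TABLE}([[:space:]]|\$)"; then
            missing="$missing $src"
        fi
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# restart_reason PROC_ALIVE TUN_UP RULES_OK   (each argument 0 or 1)
#   Prints why a restart is needed and returns 0; returns 1 when healthy.
#   Live process, tunnel up, rules missing is exactly the "CONNECTED
#   SUCCESSFUL but kill switch engaged for PBR devices" state.
restart_reason() {
    if [ "$1" != 1 ]; then echo "openvpn process not running"; return 0; fi
    if [ "$2" != 1 ]; then echo "$TUN_IF is down"; return 0; fi
    if [ "$3" != 1 ]; then echo "PBR rules for table $PBR_TABLE missing"; return 0; fi
    return 1
}

# Live probes, only used by the loop below so the file also runs off-router.
proc_alive() { pidof openvpn >/dev/null 2>&1; }
tun_up()     { ip link show "$TUN_IF" 2>/dev/null | grep -q '[<,]UP[,>]'; }

if [ "${OVPN_WATCHDOG_RUN:-0}" = 1 ]; then
    # On the router (e.g. started from a startup script): poll, and restart
    # the client with the reason logged whenever a check fails.
    while :; do
        if proc_alive; then alive=1; else alive=0; fi
        if tun_up; then up=1; else up=0; fi
        if rules_missing "$PBR_CLIENTS" "$(ip rule show)" >/dev/null; then ok=1; else ok=0; fi
        if reason=$(restart_reason "$alive" "$up" "$ok"); then
            logger -t ovpn-watchdog "restarting OpenVPN client: $reason"
            stopservice openvpn
            sleep 5
            startservice openvpn
            sleep 60    # let the tunnel come up before judging it again
        fi
        sleep "${CHECK_INTERVAL:-30}"
    done
else
    # Off-router demonstration on a constructed "ip rule show" capture in
    # which only the first of two PBR clients still has its rule.
    sample='0: from all lookup local
32765: from 192.168.1.10 lookup 10
32766: from all lookup main
32767: from all lookup default'
    if gone=$(rules_missing "192.168.1.10 192.168.1.20" "$sample"); then
        echo "all PBR rules present"
    else
        echo "PBR rules missing for: $gone"
        restart_reason 1 1 0
    fi
fi
```

The process check alone is what eibgrad's AUTH FAIL scenario needs; the rule check is what turns the "tunnel reconnected but PBR devices are blocked" case from this thread into something the router detects on its own instead of waiting for a user to hit Apply. Keep the poll interval well above OpenVPN's reconnect time or the loop will restart a client that was about to come back by itself.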