VPN Dropping Connections

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page 1, 2  Next
Author Message
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Wed Oct 14, 2020 13:31    Post subject: VPN Dropping Connections Reply with quote
Hi

I am new to VPN and DD-WRT. I followed a string on URLs to this final one which to my eye looks to be relevant to me, I just want to confirm that what I am doing is correct - maybe this will help someone in the future.

So I have a VPN which has connection drop outs every few minutes. This could be the Broadband but I never get problems streaming music or TV.

So here is the post I came too: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=311060&postdays=0&postorder=asc&start=15 is this still an accepted standard to do this?

I would really like to know how to firm up my VPN so all answers welcome.

Kind regards


Last edited by youdsmedia on Wed Oct 14, 2020 14:23; edited 1 time in total
Sponsor
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Wed Oct 14, 2020 13:33    Post subject: Reply with quote
P.S. to give a bit of perspective, I'm not even sure if my DD-WRT build is the "right" one to be using:

Firmware: DD-WRT v3.0-r43209 std (05/21/20)

Kind regards
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 2891

PostPosted: Wed Oct 14, 2020 15:04    Post subject: Reply with quote
Which model/version router do you have? Who is your VPN provider? See the stickies and egc's signature.

A new build was released yesterday, but cannot make a blind recommendation.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7749
Location: Netherlands

PostPosted: Wed Oct 14, 2020 15:25    Post subject: Reply with quote
To get the best out of DDWRT and the forum, read and follow the forum guidelines:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

You have to give more useful information.

What router? You are talking about VPN, VPN server or client?
How is it setup?
To a commercial provider, if so which one?
What instructions did you use?
What is the log (VPN status page) reporting?

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Wed Oct 14, 2020 16:49    Post subject: Reply with quote
I use Linksys WRT1900ACS, VPN is fully operational as OpenVPN but the connection drops, a lot. I have it setup with DigitalOcean privately. Log is below.

Code:
Clientlog:
19700101 01:00:37 I TCP/UDP: Preserving recently used remote address: [AF_INET]134.209.190.50:1194
19700101 01:00:37 Socket Buffers: R=[180224->180224] S=[180224->180224]
19700101 01:00:37 I UDPv4 link local: (not bound)
19700101 01:00:37 I UDPv4 link remote: [AF_INET]134.209.190.50:1194
19700101 01:00:37 TLS: Initial packet from [AF_INET]134.209.190.50:1194 sid=b05a41e4 a744564a
19700101 01:00:37 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=vpn.gethosted.online
19700101 01:00:37 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19700101 01:00:37 N TLS_ERROR: BIO read tls_read_plaintext error
19700101 01:00:37 NOTE: --mute triggered...
19700101 01:00:37 2 variation(s) on previous 3 message(s) suppressed by --mute
19700101 01:00:37 I SIGUSR1[soft tls-error] received process restarting
19700101 01:00:37 Restart pause 5 second(s)
20201012 16:51:07 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20201012 16:51:07 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20201012 16:51:07 I TCP/UDP: Preserving recently used remote address: [AF_INET]134.209.190.50:1194
20201012 16:51:07 Socket Buffers: R=[180224->180224] S=[180224->180224]
20201012 16:51:07 I UDPv4 link local: (not bound)
20201012 16:51:07 I UDPv4 link remote: [AF_INET]134.209.190.50:1194
20201012 16:51:07 TLS: Initial packet from [AF_INET]134.209.190.50:1194 sid=47c70992 462f5da3
20201012 16:51:07 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 16:51:07 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 16:51:07 NOTE: --mute triggered...
20201012 16:51:07 1 variation(s) on previous 3 message(s) suppressed by --mute
20201012 16:51:07 I [vpn.gethosted.online] Peer Connection Initiated with [AF_INET]134.209.190.50:1194
20201012 16:51:08 SENT CONTROL [vpn.gethosted.online]: 'PUSH_REQUEST' (status=1)
20201012 16:51:08 PUSH: Received control message: 'PUSH_REPLY route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 ifconfig 10.8.0.4 255.255.255.0 peer-id 1 cipher AES-256-GCM'
20201012 16:51:08 OPTIONS IMPORT: timers and/or timeouts modified
20201012 16:51:08 NOTE: --mute triggered...
20201012 16:51:08 5 variation(s) on previous 3 message(s) suppressed by --mute
20201012 16:51:08 Data Channel: using negotiated cipher 'AES-256-GCM'
20201012 16:51:08 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201012 16:51:08 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201012 16:51:08 I TUN/TAP device tun1 opened
20201012 16:51:08 TUN/TAP TX queue length set to 100
20201012 16:51:08 I /sbin/ifconfig tun1 10.8.0.4 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
20201012 16:51:08 /sbin/route add -net 134.209.190.50 netmask 255.255.255.255 gw 192.168.2.1
20201012 16:51:08 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20201012 16:51:08 I Initialization Sequence Completed
20201012 17:51:06 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 17:51:06 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 17:51:07 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201012 17:51:07 NOTE: --mute triggered...
20201012 20:12:03 13 variation(s) on previous 3 message(s) suppressed by --mute
20201012 20:12:03 N AEAD Decrypt error: bad packet ID (may be a replay): [ #443068 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 20:12:03 N AEAD Decrypt error: bad packet ID (may be a replay): [ #443069 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 20:12:03 N AEAD Decrypt error: bad packet ID (may be a replay): [ #443070 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 20:12:03 NOTE: --mute triggered...
20201012 20:51:06 3 variation(s) on previous 3 message(s) suppressed by --mute
20201012 20:51:06 TLS: tls_process: killed expiring key
20201012 20:51:06 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 20:51:06 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 20:51:07 NOTE: --mute triggered...
20201012 20:58:50 3 variation(s) on previous 3 message(s) suppressed by --mute
20201012 20:58:50 N AEAD Decrypt error: bad packet ID (may be a replay): [ #167006 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 21:51:06 TLS: tls_process: killed expiring key
20201012 21:51:06 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 21:51:06 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 21:51:07 NOTE: --mute triggered...
20201014 15:50:12 238 variation(s) on previous 3 message(s) suppressed by --mute
20201014 15:50:12 N AEAD Decrypt error: bad packet ID (may be a replay): [ #793544 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:50:12 N AEAD Decrypt error: bad packet ID (may be a replay): [ #793545 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:50:12 N AEAD Decrypt error: bad packet ID (may be a replay): [ #793546 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:50:12 NOTE: --mute triggered...
20201014 15:51:42 16 variation(s) on previous 3 message(s) suppressed by --mute
20201014 15:51:42 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201014 15:51:42 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201014 15:51:42 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201014 15:51:42 NOTE: --mute triggered...
20201014 15:52:04 2 variation(s) on previous 3 message(s) suppressed by --mute
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176406 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176407 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176408 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 NOTE: --mute triggered...
20201014 16:51:42 1822 variation(s) on previous 3 message(s) suppressed by --mute
20201014 16:51:42 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201014 16:51:42 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201014 16:51:42 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201014 16:51:42 NOTE: --mute triggered...
20201014 16:57:44 2 variation(s) on previous 3 message(s) suppressed by --mute
20201014 16:57:44 N AEAD Decrypt error: bad packet ID (may be a replay): [ #595735 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 16:57:44 N AEAD Decrypt error: bad packet ID (may be a replay): [ #595736 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 17:51:42 TLS: soft reset sec=0 bytes=3815823151/-1 pkts=4524914/0
20201014 17:51:42 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201014 17:51:42 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201014 17:51:42 NOTE: --mute triggered...
20201014 18:49:27 3 variation(s) on previous 3 message(s) suppressed by --mute
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'state'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'state'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'state'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'status 2'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Thu Oct 15, 2020 11:02    Post subject: Reply with quote
So I now have ddwrt-vpn-pbr-watchdog-05.sh running on my router, via "sh /tmp/root/watchdog.sh &" but connection drops still occurring. Can anybody help?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8719

PostPosted: Thu Oct 15, 2020 11:16    Post subject: Reply with quote
I don't see any evidence in the log of the OpenVPN client being disconnected from the OpenVPN server. Not unless you're referring to the following:

Code:
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'state'
20201014 18:49:27 MANAGEMENT: Client disconnected


Those are NOT the OpenVPN client disconnecting w/ the OpenVPN server.

OpenVPN provides a management UI (currently running as localhost (127.0.0.1), port 16) that you can call when it's running. The router is calling it to get updated statistics from OpenVPN, then updating the OpenVPN status page. Every time you visit that page or refresh it, you'll see these messages as it connects, issues the state command, and disconnects.

_________________
ddwrt-ovpn-split-basic.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-kill-switch.sh (new) * ddwrt-ovpn-watchdog.sh (new) * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Thu Oct 15, 2020 11:19    Post subject: Reply with quote
So where do I start diagnosing? The watchdog script could of worked but when I left computer on overnight it disconnected - so not a good start. Hopefully there is some way to see more logs?
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Thu Oct 15, 2020 15:45    Post subject: Reply with quote
I've not had any troubles with my internet today but I've mostly been on LAN.

I'll update you as to whether or not the script I installed worked.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7749
Location: Netherlands

PostPosted: Thu Oct 15, 2020 16:29    Post subject: Reply with quote
I saw two problems , an occasional AEAD decrypt error which if not too many does not hurt and a problem when renegotiating the session key.

Regarding the AEAD decrypt error (this is from the OpenVPN server troubleshooting guide):
Code:
When you receive this error it has to do with using the new GCM ciphers (AES-128-GCM is the one advised), be sure that both client and server use the new ciphers (only available starting with OpenVPN 2.4). Depending on setup add the following to the Additional Config or configuration file of client:
ncp-disable
If your setup is OK and you still are seeing this error then an occasional warning should not pose a problem, it happens when using UDP and packets are lost/or mangled and resend under way.
Otherwise it could signify an MTU problem so see the MTU size Problems section or other network problem.
It happens only when using UDP so consider using TCP or use the old cipher: AES-256-CBC.


The renegotiating problem is strange but it happens and some providers want you to stop renegotiating (which is a bit of a security problem)
As a test you can add to the additional config:
Code:
reneg-sec 0


The default is 3600 (one hour)

If this is the problem consider setting it to one day and boot the router in off hours (it will renegotiate after 24 hours)

One other thing: consider upgrading to the latest build

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Thu Oct 15, 2020 17:48    Post subject: Reply with quote
To be fair, I've not had any connection drops today so I might be clear of the problem.

For others, I am using the script found here https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1179379#1179379

Kind regards

EDIT: according to https://dd-wrt.com/support/router-database/?model=WRT1900ACS_v2 I am up to date
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7749
Location: Netherlands

PostPosted: Thu Oct 15, 2020 19:13    Post subject: Reply with quote
I already pointed you to the forum guidelines, if you bothered to read it you would have known that you should not use the router database Sad
_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Thu Oct 15, 2020 19:22    Post subject: Reply with quote
Oh. My bad. What should I use?
youdsmedia
DD-WRT User


Joined: 14 May 2020
Posts: 62

PostPosted: Thu Oct 15, 2020 22:06    Post subject: Reply with quote
Been looking around, as you say I'm not up to speed. Found this:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1206818#1206818

It suggests:
Code:
keepalive 10 120


This is the sort of thing that could be the problem. Anyway, in the meantime I need my VPN working after trying to flash the router I have been unable to connect.

I am getting:
Code:
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'state'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'state'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'state'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'status 2'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'log 500'


and so on. This can be the entire log screen if I keep at it.

Any advice appreciated. Thanks for your contribution.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7749
Location: Netherlands

PostPosted: Fri Oct 16, 2020 6:02    Post subject: Reply with quote
That is just you connecting to the GUI Smile

If it further is blank it signifies a major configuration error.

Either a wrong setting in Additional Config or something wrong with keys/cert.

So check this

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum