Posted: Sat Feb 06, 2021 20:51 Post subject: Openvpn does not restart netgear r6700v3
Hi to all, my issue is quite frequent in this period, because my WAN connection is repeatedly falling.
After it came back up, OpenVPN client does not restart-
I have to disable/enable it from panel.
I have only added this string to additional config :
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun Feb 07, 2021 16:17 Post subject:
Also, when OpenVPN has failed, is the process still running? Do ps | grep [o]penvpn in the CLI. If it is running, you get something like this:
xxxx root yyyy S openvpn --daemon --config /tmp/openvpncl/openvpn.conf
If it has exited, you get nothing.
The keepalive thing is great, but the server needs a corresponding setting. Generally they'll decide on and set parameters on their end then "push" the client commands they want your end to use. They may use "ping" and "ping-restart" to specify the two numbers separately or "keepalive" to do it in one command. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
@egc : My version is DD-WRT v3.0-r43320 std, what type of conf you refer? This is aditional conf:
Code:
sndbuf 524288
rcvbuf 524288
log /tmp/var/log/messages
verb 5
keepalive 10 120
@SurprisedItWorks: The strange thing is that when I tried to force the disconnection of the wan from my isp modem and then always reactivate it manually, from the state of openvpn I could see that it was constantly trying to connect and once the Internet connection was re-established it was able to connect to the openvpn server, after about 2 minutes. But when I disconnected the DSL on my own, openvpn didn't work and the status page was blank. I don't know how to explain it, I should wait for a new disconnection on the provider side and re-run the command you gave me
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Mon Feb 08, 2021 16:19 Post subject:
What you could try is to let OpenVPN restart , the usual setup is with persist tun and persist key, so when a disconnection takes place it just tries to make a connection with the same key and tunnel.
This will not always work depending on what has changed in the network.
With the following commands (add to additional config) OpenVPN restarts after disconnection:
Code:
remap-usr1 SIGHUP
resolv-retry infinite
This can have unwanted side effects if the keys are renegotiated (usually every hour) you can have a short period of disconnection, you can add:
Code:
reneg-sec 0
to disable key renegotiating (this does not always help as the provider can also do this).
For the record, rekeying does NOT typically have any effect on the OpenVPN connection. The renegotiation of keys is a normal part of the ongoing conversation held between the client and server on the control channel. That said, there may be *other* reasons the connection has to be renegotiated, thus causing a disconnect/reconnect, but it's NOT typically due to rekeying.
Notice in the following syslog that my own OpenVPN client became established at 8:00, then an hour later (due to the default of 3600 secs) rekeying took place, but without causing any disconnect/reconnect.
Code:
20210209 08:00:02 I Initialization Sequence Completed
20210209 09:00:01 VERIFY KU OK
20210209 09:00:01 Validating certificate extended key usage
20210209 09:00:01 ++ Certificate has EKU (str) TLS Web Server Authentication expects TLS Web Server Authentication
20210209 09:00:01 NOTE: --mute triggered...
20210209 09:00:01 2 variation(s) on previous 3 message(s) suppressed by --mute
20210209 09:00:01 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1605' remote='link-mtu 1606'
20210209 09:00:01 W WARNING: 'comp-lzo' is present in remote config but missing in local config remote='comp-lzo'
20210209 09:00:01 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
20210209 09:00:01 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
20210209 09:00:01 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
20210209 09:00:01 NOTE: --mute triggered...
20210209 09:17:02 2 variation(s) on previous 3 message(s) suppressed by --mute
20210209 09:17:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210209 09:17:02 D MANAGEMENT: CMD 'state'
20210209 09:17:02 MANAGEMENT: Client disconnected
20210209 09:17:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
…
Posted: Sun Feb 21, 2021 17:09 Post subject: Openvpn failed to restart after DSL ko
@egc: I was unable to solve, SIGHUP does not keep openvpn active, with reneg-sec 0 I have continuous disconnections of a few seconds over 2-3 minutes.
I tried to install watchdog on a usb stick but once my DSL connection failed it was not able to restart the vpn autonomously, this is the log:
Code:
Sat Feb 20 13:12:19 2021 us=523694 [XXXXX] Inactivity timeout (--ping-restart), restarting
Sat Feb 20 13:12:19 2021 us=524438 TCP/UDP: Closing socket
Sat Feb 20 13:12:19 2021 us=524620 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 20 13:12:19 2021 us=524706 Restart pause, 5 second(s)
Sat Feb 20 13:12:24 2021 us=569753 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Feb 20 13:12:24 2021 us=569861 Re-using SSL/TLS context
Sat Feb 20 13:12:24 2021 us=570183 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Feb 20 13:12:24 2021 us=570293 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb 20 13:12:24 2021 us=570466 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Feb 20 13:12:24 2021 us=570518 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Feb 20 13:12:24 2021 us=570583 TCP/UDP: Preserving recently used remote address: [AF_INET]141.XXX.YYY.ZZZ:443
Sat Feb 20 13:12:24 2021 us=570718 Socket Buffers: R=[180224->360448] S=[180224->360448]
Sat Feb 20 13:12:24 2021 us=570805 UDPv4 link local: (not bound)
Sat Feb 20 13:12:24 2021 us=570886 UDPv4 link remote: [AF_INET]141.XX.YYY.ZZZ:443
WWWrrrrrrrWrrrrrWrrrrrrrrrSat Feb 20 13:13:24 2021 us=865389 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Feb 20 13:13:24 2021 us=865690 TCP/UDP: Closing socket
Sat Feb 20 13:13:24 2021 us=865817 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 20 13:13:24 2021 us=865900 Restart pause, 5 second(s)
Sat Feb 20 13:13:29 2021 us=903617 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Feb 20 13:13:29 2021 us=903726 Re-using SSL/TLS context
Sat Feb 20 13:13:29 2021 us=904045 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Feb 20 13:13:29 2021 us=904170 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb 20 13:13:29 2021 us=904375 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Feb 20 13:13:29 2021 us=904431 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Feb 20 13:13:29 2021 us=904496 TCP/UDP: Preserving recently used remote address: [AF_INET]141.98.102.178:443
Sat Feb 20 13:13:29 2021 us=904593 Socket Buffers: R=[180224->360448] S=[180224->360448]
Sat Feb 20 13:13:29 2021 us=904650 UDPv4 link local: (not bound)
Sat Feb 20 13:13:29 2021 us=904705 UDPv4 link remote: [AF_INET]141.XXX.YYY.ZZZ:443
WrWrWrrrWrrrWrrrrrrrSat Feb 20 13:14:30 2021 us=37842 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Feb 20 13:14:30 2021 us=38161 TCP/UDP: Closing socket
Sat Feb 20 13:14:30 2021 us=38297 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 20 13:14:30 2021 us=38378 Restart pause, 5 second(s)
Sat Feb 20 13:14:35 2021 us=83989 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Feb 20 13:14:35 2021 us=84101 Re-using SSL/TLS context
Sat Feb 20 13:14:35 2021 us=84432 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Feb 20 13:14:35 2021 us=84560 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb 20 13:14:35 2021 us=84735 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Feb 20 13:14:35 2021 us=84787 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Feb 20 13:14:35 2021 us=84854 TCP/UDP: Preserving recently used remote address: [AF_INET]141.XX.YYY.ZZZ:443
Sat Feb 20 13:14:35 2021 us=84947 Socket Buffers: R=[180224->360448] S=[180224->360448]
Sat Feb 20 13:14:35 2021 us=85000 UDPv4 link local: (not bound)
Sat Feb 20 13:14:35 2021 us=85052 UDPv4 link remote: [AF_INET]141.XX.YYY.ZZZ:443
WrrWrWrWrrrrWrrrrrrSat Feb 20 13:15:35 2021 us=667870 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Feb 20 13:15:35 2021 us=668204 TCP/UDP: Closing socket
Sat Feb 20 13:15:35 2021 us=668335 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 20 13:15:35 2021 us=668420 Restart pause, 5 second(s)
Sat Feb 20 13:15:40 2021 us=714016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Feb 20 13:15:40 2021 us=714126 Re-using SSL/TLS context
Sat Feb 20 13:15:40 2021 us=714448 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Feb 20 13:15:40 2021 us=714578 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb 20 13:15:40 2021 us=714749 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Feb 20 13:15:40 2021 us=714798 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Feb 20 13:15:40 2021 us=714864 TCP/UDP: Preserving recently used remote address: [AF_INET]141.XXX.YYY.ZZZ:443
Sat Feb 20 13:15:40 2021 us=714961 Socket Buffers: R=[180224->360448] S=[180224->360448]
Sat Feb 20 13:15:40 2021 us=715016 UDPv4 link local: (not bound)
Sat Feb 20 13:15:40 2021 us=715069 UDPv4 link remote: [AF_INET]141.XXX.YYY.ZZZ:443
WrrWrWrWrrrrWrrrrrrrSat Feb 20 13:16:41 2021 us=94593 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Feb 20 13:16:41 2021 us=94930 TCP/UDP: Closing socket
Sat Feb 20 13:16:41 2021 us=95070 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 20 13:16:41 2021 us=95176 Restart pause, 5 second(s)
Sat Feb 20 13:16:46 2021 us=140570 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Feb 20 13:16:46 2021 us=140680 Re-using SSL/TLS context
Sat Feb 20 13:16:46 2021 us=141005 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Feb 20 13:16:46 2021 us=141131 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb 20 13:16:46 2021 us=141302 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Feb 20 13:16:46 2021 us=141356 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Feb 20 13:16:46 2021 us=141421 TCP/UDP: Preserving recently used remote address: [AF_INET]141.XXX.YYY.ZZZ:443
Sat Feb 20 13:16:46 2021 us=141521 Socket Buffers: R=[180224->360448] S=[180224->360448]
Sat Feb 20 13:16:46 2021 us=141577 UDPv4 link local: (not bound)
Sat Feb 20 13:16:46 2021 us=141629 UDPv4 link remote: [AF_INET]141.XX.YYY.ZZZ:443
WrWrrWrWrrrrWrrrrrrrSat Feb 20 13:17:46 2021 us=967913 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sat Feb 20 13:17:46 2021 us=968238 TCP/UDP: Closing socket
Sat Feb 20 13:17:46 2021 us=968363 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 20 13:17:46 2021 us=968444 Restart pause, 5 second(s)
Sat Feb 20 13:17:51 2021 us=4817 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Feb 20 13:17:51 2021 us=4920 Re-using SSL/TLS context
Sat Feb 20 13:17:51 2021 us=5235 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sat Feb 20 13:17:51 2021 us=5357 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Feb 20 13:17:51 2021 us=5530 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Feb 20 13:17:51 2021 us=5580 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Feb 20 13:17:51 2021 us=5643 TCP/UDP: Preserving recently used remote address: [AF_INET]141.XXX.YYY.ZZZ:443
Sat Feb 20 13:17:51 2021 us=5736 Socket Buffers: R=[180224->360448] S=[180224->360448]
Sat Feb 20 13:17:51 2021 us=5793 UDPv4 link local: (not bound)
Sat Feb 20 13:17:51 2021 us=5844 UDPv4 link remote: [AF_INET]141.XX.YYY.ZZZ:443
WRSat Feb 20 13:17:51 2021 us=41840 TLS: Initial packet from [AF_INET]141.XX.YYY.ZZZ:443sid=d4b3bfd2 087f75ab
WWRWRSat Feb 20 13:17:51 2021 us=85100 VERIFY OK: depth=1, C=IT, ST=IT, L=XXX, O=xxxx.org, CN=xxxx.org CA, emailAddress=xxxx@yyyy.org
Sat Feb 20 13:17:51 2021 us=89585 VERIFY KU OK
Sat Feb 20 13:17:51 2021 us=89657 NOTE: --mute triggered...
WRWWWRRRWRWSat Feb 20 13:17:51 2021 us=388350 5 variation(s) on previous 3 message(s) suppressed by --mute
Sat Feb 20 13:17:51 2021 us=388418 [XXXXXX] Peer Connection Initiated with [AF_INET]141.XXX.YYY.ZZZ:443
rSat Feb 20 13:17:52 2021 us=929800 SENT CONTROL [XXXXX]: 'PUSH_REQUEST' (status=1)
WRRSat Feb 20 13:17:52 2021 us=964542 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.X.Y.Z.,route-gateway 10.X.Y.Z,topology subnet,ping 10,ping-restart 60,ifconfig 10.X.Y.Z 255.25
.255.0,peer-id 3,cipher AES-256-GCM'
Sat Feb 20 13:17:52 2021 us=964726 Pushed option removed by filter: 'redirect-gateway def1 bypass-dhcp'
Sat Feb 20 13:17:52 2021 us=964995 NOTE: --mute triggered...
Sat Feb 20 13:17:52 2021 us=965055 8 variation(s) on previous 3 message(s) suppressed by --mute
Sat Feb 20 13:17:52 2021 us=965097 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Feb 20 13:17:52 2021 us=965180 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Sat Feb 20 13:17:52 2021 us=965636 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Feb 20 13:17:52 2021 us=965707 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Feb 20 13:17:52 2021 us=965760 Preserving previous TUN/TAP instance: tun1
Sat Feb 20 13:17:52 2021 us=965852 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sat Feb 20 13:17:52 2021 us=965986 /tmp/openvpncl/route-down.sh tun1 1500 1553 10.XX.YY.ZZ 255.255.255.0 init
ip: RTNETLINK answers: No such file or directory
iptables v1.3.7: invalid mask `' specified
Sat Feb 20 13:17:53 2021 us=78127 WARNING: Failed running command (--up/--down): external program exited with error status: 255
Sat Feb 20 13:17:53 2021 us=78211 Exiting due to fatal error
Posted: Sun Feb 21, 2021 18:41 Post subject: Re: Openvpn failed to restart after DSL ko
Code:
/tmp/openvpncl/route-down.sh tun1 1500 1553 10.XX.YY.ZZ 255.255.255.0 init
ip: RTNETLINK answers: No such file or directory
iptables v1.3.7: invalid mask `' specified
Sat Feb 20 13:17:53 2021 us=78127 WARNING: Failed running command (--up/--down): external program exited with error status: 255
Sat Feb 20 13:17:53 2021 us=78211 Exiting due to fatal error
Posted: Mon Feb 22, 2021 1:16 Post subject: Re: Openvpn failed to restart after DSL ko
eibgrad wrote:
Code:
/tmp/openvpncl/route-down.sh tun1 1500 1553 10.XX.YY.ZZ 255.255.255.0 init
ip: RTNETLINK answers: No such file or directory
iptables v1.3.7: invalid mask `' specified
Sat Feb 20 13:17:53 2021 us=78127 WARNING: Failed running command (--up/--down): external program exited with error status: 255
Sat Feb 20 13:17:53 2021 us=78211 Exiting due to fatal error
Now that doesn't look good. Regardless how the connection might be brought down, the event script (route-down) should NOT be existing w/ a 255 return code and "invalid mask" message. It should always come down cleanly. Presumably this is the problem. IOW, when a script fails, OpenVPN is assuming it will *always* fail, and so why bother continuing.
I am sorry, but don't understand what you mean and if possible to correct anything
Because you've edited the syslog, it's hard for me to be sure exactly what's happening. For example, I can't tell if the public IP to which you are connecting is the same or different each time the client attempts a connection. I understand the necessity if this is your own OpenVPN server, but not for a public one (ExpressVPN, PIA, etc.). The reason I care is because I'm trying to determine *why* it keeps trying to reconnect, then suddenly gets connected (makes sense if the client is trying different public IPs, but not if they are the same), but ultimately fails due to the route-down script failing.
At the following point in the syslog, it *finally* appears to be connecting after many failed attempts.
Code:
Sat Feb 20 13:17:51 2021 us=388418 [XXXXXX] Peer Connection Initiated with [AF_INET]141.XXX.YYY.ZZZ:443
rSat Feb 20 13:17:52 2021 us=929800 SENT CONTROL [XXXXX]: 'PUSH_REQUEST' (status=1)
WRRSat Feb 20 13:17:52 2021 us=964542 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.X.Y.Z.,route-gateway 10.X.Y.Z,topology subnet,ping 10,ping-restart 60,ifconfig 10.X.Y.Z 255.25
.255.0,peer-id 3,cipher AES-256-GCM'
…
But given some of the negotiated options have changed (suggesting this is a commercial OpenVPN server), it has to bring the tunnel down and start over.
Code:
Sat Feb 20 13:17:52 2021 us=965760 Preserving previous TUN/TAP instance: tun1
Sat Feb 20 13:17:52 2021 us=965852 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
...
But then the route-down script (which is part of the the shutdown process before the tunnel can be reestablished) fails for some reason, and the OpenVPN client treats it as a fatal error, and just exits.
Code:
Sat Feb 20 13:17:52 2021 us=965986 /tmp/openvpncl/route-down.sh tun1 1500 1553 10.XX.YY.ZZ 255.255.255.0 init
ip: RTNETLINK answers: No such file or directory
iptables v1.3.7: invalid mask `' specified
Sat Feb 20 13:17:53 2021 us=78127 WARNING: Failed running command (--up/--down): external program exited with error status: 255
Sat Feb 20 13:17:53 2021 us=78211 Exiting due to fatal error
The route-up/route-down scripts are created and managed by the OpenVPN client itself. I'm not sure why the route-down script is failing, but that is the reason that despite eventually getting reconnected, it just quits. Other than an outright scripting error, this shouldn't happen. The route-up/route-down scripts should always succeed so this sort of thing doesn't happen.
This build also still has (as did my last builds: 42926, 43904) an OpenVPN firewall error, in that the /tmp/openvpncl/route-up.sh line
iptables -t raw -I PREROUTING ! -i $dev -d $ifconfig_local/$route_netmask_1 -j DROP
(and the corresponding -D route-down.sh line) fails and creates an error in the vpn log because $route_netmask_1 is not defined. The intended firewall rule is not created. Replacing the above (and similarly fixing corresponding -D route-down.sh line) with
iptables -t raw -I PREROUTING ! -i $dev -d $ifconfig_local/$ifconfig_netmask -j DROP
fixes it. It's probably the least-important OpenVPN-client firewall rule, but perfectionist that I am, I use a workaround: create an up.sh that edits the route-*.sh files. I can't create it before openvpn is run, however, so openvpn crashes and must be restarted. Awkward and kind of in the "do not try this at home" category.
I maintain four of these WRT1900ACSv2 routers on this build and found that not all had the problem. I think on the others the "missing" variable actually wasn't missing. I vaguely recall that using the route command in Additional Config may cause the missing variable to appear (emphasis on vaguely).
A certain amount of back and forth with @egc established this was actually a bug, and my understanding was that he queued it up to fix, but I don't know the status of that. (The bugocity (not a real word!) of that is easy to verify: read the definitions of those two variables on the openvpn man page.)
A more reasonable workaround would be using your own route-up.sh and route-down.sh files (@egc's suggestion), if you can handle the details involved. (I've never done it.) _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.