OpenVPN regular time out

Hi everyone,

My OpenVPN connection regularly times out after a couple of hours to a couple of days. I run a WRT1900ACS with OpenWrt 21.02.3 and a NordVPN TCP connection.

logread -e openvpn

Fri May 20 18:57:06 2022 daemon.warn openvpn(ch358nordvpn_tcp)[18673]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May 20 18:57:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[18673]: NOTE: --fast-io is disabled since we are not using UDP
Fri May 20 18:57:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[18673]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 20 18:57:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[18673]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri May 20 18:57:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[18673]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.203.xxx:xxx
Fri May 20 18:57:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[18673]: Socket Buffers: R=[131072->360448] S=[16384->360448]
Fri May 20 18:57:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[18673]: Attempting to establish TCP connection with [AF_INET]217.138.203.xxx:xxx [nonblock]
Fri May 20 18:59:06 2022 daemon.err openvpn(ch358nordvpn_tcp)[18673]: TCP: connect to [AF_INET]217.138.203.xxx:xxx failed: Operation timed out

If I stop and start the VPN instance again, it works again for a while until the next timeout.

Any ideas?

Welcome @bnnii
May I ask why OpenVPN is your go-to VPN solution when NordVPN also supports WireGuard and your router supports this package?

To "shotgun" answer your question, however: you can use a cron job (scheduled task) to run a script pinging your OpenVPN connection for connectivity, and the script will restart the IF (interface) if ping replies fall off. That's the "shotgun" answer. The precise script will be tailored to your interface requirement.

Have a look at the work @pavelgl did for @Surfer2010, with the understanding that we know from your post that 4G LTE is not an alternate WAN interface, and that your request is much simpler. This reading is to give you a primer on what can occur for your solution.

See ya after some due diligent reading of my own.

A change in your wan IP could be the reason for the disconnect.
I suppose there is keepalive enabled in the OpenVPN config.
Also in most cases udp is preferred over tcp in vpn connections.

As far as I have understood, it is an issue with OpenWrt 21.X. When I stop the OpenVPN instance manually, it loses the default route. Manually restarting the network service restores the default route, so I recommend you add a network restart to the up-down scripts.

Thanks for your quick response.
Would it then be something like

#!/bin/sh

IP1=103.86.96.100   # NordVPN DNS address
IF1=tun0            # Logical name of the VPN interface

# Bring the interface up again if none of the three pings is answered
if ! ping -c 3 -W 1 "$IP1" >/dev/null; then
    ifup "$IF1"
else
    exit 0
fi

in a cron ~every 1 minute? hm, smells like the definition of a workaround :wink: nevertheless, I'll give it a try.

I just can say, it used to be very stable on 19.07.??
Just can't tell the exact version, because I messed it up on my last upgrade.
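
Added example (not part of the original posts, and not OpenWrt's or NordVPN's own code): a cron watchdog along the lines discussed above that pings through the tunnel device and restarts OpenVPN only after several consecutive failed probes, so a single lost ping does not tear the tunnel down. The state-file path, the threshold and the PROBE_CMD/RESTART_CMD overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: cron watchdog that restarts OpenVPN
# only after several consecutive failed probes.
# Assumptions: STATE_FILE path, THRESHOLD and the *_CMD overrides are
# hypothetical names chosen for this example.

STATE_FILE="${STATE_FILE:-/tmp/vpn-watchdog.fails}"
THRESHOLD="${THRESHOLD:-3}"
# Bind the probe to the tunnel device so a reply that leaves via the WAN
# does not count as "VPN up".
PROBE_CMD="${PROBE_CMD:-ping -c 3 -W 1 -I tun0 103.86.96.100}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/openvpn restart}"

watchdog_step() {
    # Number of consecutive failed runs so far (0 if no state yet).
    fails=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    case "$fails" in ''|*[!0-9]*) fails=0 ;; esac   # ignore a corrupt counter

    if $PROBE_CMD >/dev/null 2>&1; then
        echo 0 > "$STATE_FILE"
        WATCHDOG_RESULT=ok
        return 0
    fi

    fails=$((fails + 1))
    if [ "$fails" -ge "$THRESHOLD" ]; then
        echo 0 > "$STATE_FILE"        # start counting afresh after a restart
        logger -t vpn-watchdog "probe failed $fails times, restarting" 2>/dev/null || true
        $RESTART_CMD
        WATCHDOG_RESULT=restarted
    else
        echo "$fails" > "$STATE_FILE"
        WATCHDOG_RESULT="degraded:$fails"
    fi
}

# A cron entry would call this script with the argument "run".
if [ "${1:-}" = run ]; then
    watchdog_step
    echo "$WATCHDOG_RESULT"
fi
```

With a one-minute cron interval and the default threshold, a restart happens after roughly three minutes of continuous failure.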

I can now perfectly reproduce the failure.
When I restart the ISP router, and hence the WAN connection, the VPN instance on the WRT1900ACS gets stuck immediately.

Sun May 22 19:20:50 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: /usr/libexec/openvpn-hotplug up ch358nordvpn_tcp tun0 1500 1587 10.7.1.4 255.255.255.0 init
Sun May 22 19:20:50 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: net_route_v4_add: 217.138.203.219/32 via 192.168.0.1 dev [NULL] table 0 metric -1
Sun May 22 19:20:50 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: net_route_v4_add: 0.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 metric -1
Sun May 22 19:20:50 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: net_route_v4_add: 128.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 metric -1
Sun May 22 19:20:50 2022 daemon.warn openvpn(ch358nordvpn_tcp)[22246]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 22 19:20:50 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: Initialization Sequence Completed
Sun May 22 19:29:58 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: [ch358.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Sun May 22 19:29:58 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: SIGUSR1[soft,ping-restart] received, process restarting
Sun May 22 19:29:58 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: Restart pause, 5 second(s)
Sun May 22 19:30:03 2022 daemon.warn openvpn(ch358nordvpn_tcp)[22246]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun May 22 19:30:03 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: NOTE: --fast-io is disabled since we are not using UDP
Sun May 22 19:30:03 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 22 19:30:03 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 22 19:30:03 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.203.219:443
Sun May 22 19:30:03 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: Socket Buffers: R=[131072->360448] S=[16384->360448]
Sun May 22 19:30:03 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: Attempting to establish TCP connection with [AF_INET]217.138.203.219:443 [nonblock]
Sun May 22 19:32:03 2022 daemon.err openvpn(ch358nordvpn_tcp)[22246]: TCP: connect to [AF_INET]217.138.203.219:443 failed: Operation timed out
Sun May 22 19:32:03 2022 daemon.notice openvpn(ch358nordvpn_tcp)[22246]: SIGUSR1[connection failed(soft),init_instance] received, process restarting

At Sun May 22 19:29:58 2022 the ISP router restarts.

Thanks for your reply.
I've tried both UDP and TCP, didn't make a difference.
Should I play with the

ping 15
ping-restart 0
ping-timer-rem

values? any suggestions?

Can you give me further guidance, please? Or should I simply downgrade to 19.07 until this issue is fixed?

EOL~ Fallback

All EOL:
https://downloads.openwrt.org/releases/19.07.10/targets/mvebu/cortexa9/

https://downloads.openwrt.org/releases/19.07.9/targets/mvebu/cortexa9/

https://downloads.openwrt.org/releases/19.07.8/targets/mvebu/cortexa9/

Let's see what you've got for a fallback plan.

ubus call system board; dmesg

You can try if @pavelgl checks off on the edits.

And if it's not too personal a question to answer (since it's off topic to your issue): have you investigated WireGuard w/ NordVPN?

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.4.188",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT1900ACS",
	"board_name": "linksys,wrt1900acs",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.3",
		"revision": "r16554-1d4dea6d4f",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
	}
}

trying a fresh install currently, so no access to dmesg, had the ubus call in a txt file from last time...

ah forgot to answer your WireGuard question: quick research turned up, that it's kind of a hassle to get NordVPN running AND NordVPN how-to also refers to OpenVPN...

ping-restart 0 is not good.

Are there any log events regarding the wan interface when the problem occurs and the reason is not restarting the ISP router?

Post the output of the following commands (after you lose the vpn connection)

pgrep openvpn; ifconfig | grep tun

I do not know; I suppose it is a feature of the new kernel, etc.

Try creating the file /etc/hotplug.d/iface/99-restart-network:

#!/bin/sh
# Hotplug hook: when tun0 goes down, restart the network and then OpenVPN
if [ "$ACTION" = ifdown ] && [ "$INTERFACE" = tun0 ]; then
        sleep 300
        service network restart
        sleep 300
        service openvpn restart
fi

on my way to vacations now for 14 days. need to keep it up and running during that time for the rest of the family.
downgraded to OpenWrt 19.07.10 and guess what, it's working like a charm.

here's the openVPN log, when I restart the ISP router:

Mon May 23 18:02:29 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Mon May 23 18:02:29 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: [ch358.nordvpn.com] Peer Connection Initiated with [AF_INET]217.138.203.219:443
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: SENT CONTROL [ch358.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.3.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: timers and/or timeouts modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: compression parms modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Socket Buffers: R=[327680->327680] S=[327680->327680]
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --ifconfig/up options modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: route options modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: route-related options modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: peer-id set
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: adjusting link_mtu to 1659
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: data channel crypto options modified
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Preserving previous TUN/TAP instance: tun0
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route del -net 217.138.203.219 netmask 255.255.255.255
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Closing TUN/TAP interface
Mon May 23 18:02:30 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/ifconfig tun0 0.0.0.0
Mon May 23 18:02:31 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TUN/TAP device tun0 opened
Mon May 23 18:02:31 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TUN/TAP TX queue length set to 100
Mon May 23 18:02:31 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/ifconfig tun0 10.7.3.2 netmask 255.255.255.0 mtu 1500 broadcast 10.7.3.255
Mon May 23 18:02:31 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route add -net 217.138.203.219 netmask 255.255.255.255 gw 192.168.0.1
Mon May 23 18:02:31 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.3.1
Mon May 23 18:02:31 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.3.1
Mon May 23 18:02:31 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Initialization Sequence Completed
Mon May 23 18:08:01 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: [ch358.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Mon May 23 18:08:01 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: SIGUSR1[soft,ping-restart] received, process restarting
Mon May 23 18:08:01 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Restart pause, 5 second(s)
Mon May 23 18:08:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: NOTE: --fast-io is disabled since we are not using UDP
Mon May 23 18:08:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.203.219:443
Mon May 23 18:08:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Socket Buffers: R=[87380->327680] S=[16384->327680]
Mon May 23 18:08:06 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Attempting to establish TCP connection with [AF_INET]217.138.203.219:443 [nonblock]

restart isp router here

Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TCP connection established with [AF_INET]217.138.203.219:443
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TCP_CLIENT link local: (not bound)
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TCP_CLIENT link remote: [AF_INET]217.138.203.219:443
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TLS: Initial packet from [AF_INET]217.138.203.219:443, sid=d70503f1 db6ef891
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: VERIFY KU OK
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Validating certificate extended key usage
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: VERIFY EKU OK
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: VERIFY OK: depth=0, CN=ch358.nordvpn.com
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Mon May 23 18:09:12 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: [ch358.nordvpn.com] Peer Connection Initiated with [AF_INET]217.138.203.219:443
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: SENT CONTROL [ch358.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.6 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: timers and/or timeouts modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: compression parms modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Socket Buffers: R=[327680->327680] S=[327680->327680]
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --ifconfig/up options modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: route options modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: route-related options modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: peer-id set
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: adjusting link_mtu to 1659
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: OPTIONS IMPORT: data channel crypto options modified
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Preserving previous TUN/TAP instance: tun0
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route del -net 217.138.203.219 netmask 255.255.255.255
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Closing TUN/TAP interface
Mon May 23 18:09:13 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/ifconfig tun0 0.0.0.0
Mon May 23 18:09:14 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TUN/TAP device tun0 opened
Mon May 23 18:09:14 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: TUN/TAP TX queue length set to 100
Mon May 23 18:09:14 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/ifconfig tun0 10.7.2.6 netmask 255.255.255.0 mtu 1500 broadcast 10.7.2.255
Mon May 23 18:09:14 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route add -net 217.138.203.219 netmask 255.255.255.255 gw 192.168.0.1
Mon May 23 18:09:14 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.2.1
Mon May 23 18:09:14 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.2.1
Mon May 23 18:09:14 2022 daemon.notice openvpn(ch358nordvpn_tcp)[5398]: Initialization Sequence Completed

after vacations I'll follow your advice and keep on investigating. I'll report back.
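
Added example (not part of the original thread): a small log filter that makes the difference between the two captures above visible at a glance by classifying each `--ping-restart` episode in `logread -e openvpn` output as recovered or stuck, and reporting the keepalive timers the server pushed. The function names and the two sample logs are constructed for this example; the samples use a documentation IP address.

```shell
#!/bin/sh
# Added example, not from the thread: classify --ping-restart episodes.
# Real use on the router:  logread -e openvpn | analyze_openvpn_log

analyze_openvpn_log() {
    awk '
    /PUSH_REPLY/ {
        # Server-pushed keepalive timers override the local config.
        if (match($0, /,ping [0-9]+/))
            ping = substr($0, RSTART + 6, RLENGTH - 6)
        if (match($0, /,ping-restart [0-9]+/))
            pr = substr($0, RSTART + 14, RLENGTH - 14)
    }
    /Inactivity timeout \(--ping-restart\)/ {
        if (!in_ep) { in_ep = 1; start = $4; fails = 0 }
        next
    }
    in_ep && /failed: Operation timed out/ { fails++; next }
    in_ep && /Initialization Sequence Completed/ {
        printf "%s recovered failed_connects=%d\n", start, fails
        in_ep = 0
    }
    END {
        # An episode still open at the end never got the tunnel back.
        if (in_ep) printf "%s stuck failed_connects=%d\n", start, fails
        if (ping != "") printf "pushed ping=%s ping-restart=%s\n", ping, pr
    }'
}

# Constructed sample: restart that never reconnects.
sample_stuck() { cat <<'EOF'
Sun May 22 19:20:50 2022 daemon.notice openvpn(vpn)[100]: Initialization Sequence Completed
Sun May 22 19:29:58 2022 daemon.notice openvpn(vpn)[100]: [server] Inactivity timeout (--ping-restart), restarting
Sun May 22 19:30:03 2022 daemon.notice openvpn(vpn)[100]: Attempting to establish TCP connection with [AF_INET]192.0.2.10:443 [nonblock]
Sun May 22 19:32:03 2022 daemon.err openvpn(vpn)[100]: TCP: connect to [AF_INET]192.0.2.10:443 failed: Operation timed out
EOF
}

# Constructed sample: restart that reconnects on the first attempt.
sample_recovered() { cat <<'EOF'
Mon May 23 18:02:30 2022 daemon.notice openvpn(vpn)[200]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 60,ping-restart 180,peer-id 0'
Mon May 23 18:02:31 2022 daemon.notice openvpn(vpn)[200]: Initialization Sequence Completed
Mon May 23 18:08:01 2022 daemon.notice openvpn(vpn)[200]: [server] Inactivity timeout (--ping-restart), restarting
Mon May 23 18:09:12 2022 daemon.notice openvpn(vpn)[200]: TCP connection established with [AF_INET]192.0.2.10:443
Mon May 23 18:09:14 2022 daemon.notice openvpn(vpn)[200]: Initialization Sequence Completed
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_stuck | analyze_openvpn_log
    sample_recovered | analyze_openvpn_log
fi
```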