OpenWrt Forum Archive

Topic: OPENVPN keeps losing connection.

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

So I followed this guide for setting up OpenVPN on my Omnia router. hxxps://support.nordvpn.com/hc/en-us/articles/115000254305-OpenWRT-router-tutorial

The issue is it drops connection within 5-10 minutes and gets a new vpn ip address over and over.

Looking at the logs in /var/log/messages, I have a hard time understanding the log and what needs to be fixed. I was hoping someone could look at this log and tell me what is most likely the cause? If there is another detailed log file to look at, let me know. Here is a portion of my log with some errors. Appreciate any advice or insight. Thank you.

2017-02-18T22:13:01-08:00 info /usr/sbin/cron[28937]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2017-02-18T22:13:44-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T22:14:01-08:00 info /usr/sbin/cron[28976]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2017-02-18T22:14:01-08:00 info /usr/sbin/cron[28975]: (root) CMD (nethist_stats.lua)
2017-02-18T22:14:21-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T22:14:39-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T14:14:44-08:00 info dnsmasq-dhcp[2293]: DHCPINFORM(br-lan) 192.168.xxx.246 
2017-02-18T14:14:44-08:00 info dnsmasq-dhcp[2293]: DHCPACK(br-lan) 192.168.xxx.246 
2017-02-18T22:14:48-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T14:14:54-08:00 notice netifd[]: Last message 'wan (2132): udhcpc: ' repeated 1 times, supressed by syslog-ng on turris
2017-02-18T22:14:54-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T14:14:55-08:00 notice netifd[]: Last message 'wan (2132): udhcpc: ' repeated 1 times, supressed by syslog-ng on turris
2017-02-18T22:14:55-08:00 notice netifd[]: wan (2132): udhcpc: lease lost, entering init state
2017-02-18T22:14:55-08:00 notice netifd[]: Interface 'wan' has lost the connection
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/route del -net 209.148.113.36 netmask 255.255.255.255
2017-02-18T22:15:45-08:00 warning openvpn(sonicvpn)[2600]: ERROR: Linux route delete command failed: external program exited with error status: 1
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: Closing TUN/TAP interface
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/ifconfig tun0 0.0.0.0
2017-02-18T22:15:45-08:00 notice netifd[]: Network device 'tun0' link is down
2017-02-18T22:14:55-08:00 notice netifd[]: Network alias 'eth1' link is up
2017-02-18T22:14:55-08:00 notice netifd[]: Interface 'wan6' has link connectivity
2017-02-18T22:14:55-08:00 notice netifd[]: Interface 'wan6' is setting up now
2017-02-18T22:14:55-08:00 notice netifd[]: Interface 'wan' is now up
2017-02-18T22:14:55-08:00 notice firewall[]: Reloading firewall due to ifup of wan (eth1)
2017-02-18T22:14:55-08:00 err openvpn(sonicvpn)[2600]: write UDPv4: Operation not permitted (code=1)
2017-02-18T14:14:55-08:00 err openvpn(sonicvpn)[]: Last message 'write UDPv4: Operati' repeated 12 times, supressed by syslog-ng on turris
2017-02-18T22:14:55-08:00 notice netifd[]: Interface 'wan6' is now up
2017-02-18T22:14:56-08:00 notice firewall[]: Reloading firewall due to ifup of wan6 (eth1)
2017-02-18T22:14:56-08:00 err openvpn(sonicvpn)[2600]: write UDPv4: Operation not permitted (code=1)
2017-02-18T14:14:56-08:00 err openvpn(sonicvpn)[]: Last message 'write UDPv4: Operati' repeated 57 times, supressed by syslog-ng on turris
2017-02-18T22:14:56-08:00 warning odhcpd[1703]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!
2017-02-18T22:15:01-08:00 info /usr/sbin/cron[29415]: (root) CMD (/usr/bin/watchdog.sh)
2017-02-18T22:15:01-08:00 info /usr/sbin/cron[29414]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2017-02-18T22:15:01-08:00 info /usr/sbin/cron[29418]: (root) CMD (   /usr/bin/notifier)
2017-02-18T22:15:12-08:00 warning watchdog[]: Restarted nethist
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/route del -net 209.148.113.36 netmask 255.255.255.255
2017-02-18T22:15:45-08:00 warning openvpn(sonicvpn)[2600]: ERROR: Linux route delete command failed: external program exited with error status: 1
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: Closing TUN/TAP interface
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: /sbin/ifconfig tun0 0.0.0.0
2017-02-18T22:15:45-08:00 notice netifd[]: Network device 'tun0' link is down
2017-02-18T22:15:45-08:00 notice netifd[]: Interface 'sonicvpntun' has link connectivity loss
2017-02-18T22:15:45-08:00 notice netifd[]: Interface 'sonicvpntun' is now down
2017-02-18T22:15:45-08:00 notice netifd[]: Interface 'sonicvpntun' is disabled
2017-02-18T22:15:45-08:00 warning odhcpd[1703]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: SIGUSR1[soft,ping-restart] received, process restarting
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: Restart pause, 2 second(s)
2017-02-18T22:15:46-08:00 warning odhcpd[1703]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!
2017-02-18T22:15:47-08:00 notice openvpn(sonicvpn)[2600]: Control Channel Authentication: tls-auth using INLINE static key file
2017-02-18T22:15:47-08:00 notice openvpn(sonicvpn)[2600]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-02-18T22:15:47-08:00 notice openvpn(sonicvpn)[2600]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-02-18T22:15:47-08:00 notice openvpn(sonicvpn)[2600]: Socket Buffers: R=[163840->200000] S=[163840->200000]
2017-02-18T22:15:47-08:00 notice openvpn(sonicvpn)[2600]: UDPv4 link local: [undef]

Thank you kindly for using my manual.

Your issue, to my mind, is in your WAN connection; we see this string just before OpenVPN losing connection:

2017-02-18T22:14:55-08:00 notice netifd[]: Interface 'wan' has lost the connection

I don't know why it took place.

Thank you for putting that together. I was so happy to get port forwarding working etc. via VPN once it was all set up on my router. Even though I am losing connection every 5 minutes, I am sure I will figure out the cause eventually. Just need to dissect these logs better.

I also had this error in the log, so I was looking into that and found this page interesting.
Error: Inactivity timeout (--ping-restart)
ww w.sparklabs.com/support/kb/article/error-inactivity-timeout-ping-restart/

That said, my WAN has been 100% stable for months before I put this on my router, and I was using the standard OpenVPN client on my Windows computer. So I know it has to be some setting I got wrong.

So I found a post that seems to fit my issue. He says that his WAN is dropping connection when requesting lease renewal, because it expects a reply from a different DHCP server.

I am not familiar with iptables or uci commands. Should I try applying this post's solution? Would anyone have a recommendation on the best way to correct this in OpenWrt?

Thanks.

Solved by Oleg (thanks Oleg!)

Turns out my ISP has a funny way of doing DHCP.

When I boot my asus, it gets a DHCP lease from 82.161.88.1. So far so good. About halfway through the lease time (normal behavior) it starts requesting renewal of the lease. So my asus gets a reply to its request from 82.161.247.54. My asus expects a reply from the original DHCP server and drops the reply from 82.161.247.54. It then keeps on requesting renewal until the lease runs out and the lease expires.

Then my asus starts the reinit process, gets a lease from 82.161.88.1 and the whole thing starts all over again. Wouldn't be too bad if the lease time wasn't 3600 (an hour).

My asus only accepts a reply from the originating DHCP server as it does stateful firewalling.

I've sent them an email with a little piece of MY log as they weren't keen on sending theirs, and I asked them why they have it set up this way, but haven't got the answer yet. Don't think I will get a satisfying answer to this question but one can hope.

Solution:

put this in post-firewall
iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT

(Last edited by randomhuman on 19 Feb 2017, 07:47)
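
Added example, not part of the original thread: a POSIX shell/awk function that ties together the two symptoms discussed above, counting unanswered `udhcpc` renews before each `lease lost` and reporting an OpenVPN `--ping-restart` that follows within a time window. The function names, the 120-second window and the `lease of ... obtained` success message (not shown in the posted log) are assumptions; the sample lines are copied from the log in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): flag WAN DHCP lease losses that are
# followed by an OpenVPN --ping-restart within a time window.

# correlate_drops [window_seconds]  -- reads syslog lines on stdin.
correlate_drops() {
    awk -v window="${1:-120}" '
    # Seconds since midnight, taken from the ISO-8601 timestamp in field 1.
    function secs(ts,    t) {
        split(substr(ts, 12, 8), t, ":")
        return t[1] * 3600 + t[2] * 60 + t[3]
    }
    /udhcpc: sending renew/  { renews++ }      # renew request sent
    /udhcpc: [Ll]ease of/    { renews = 0 }    # assumed success line: renew accepted
    /udhcpc: lease lost/     {                 # lease expired with renews unanswered
        lost = secs($1); lost_ts = $1
        unanswered = renews; renews = 0; pending = 1
    }
    pending && index($0, "Inactivity timeout (--ping-restart)") {
        d = secs($1) - lost
        if (d < 0) d += 86400                  # log crossed midnight
        if (d <= window)
            printf "%s lease lost after %d unanswered renews; OpenVPN restart %ds later\n", lost_ts, unanswered, d
        pending = 0
    }'
}

# Sample input: lines copied from the log in the first post, in time order.
sample_log() {
    cat <<'EOF'
2017-02-18T22:13:44-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T22:14:21-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T22:14:39-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T22:14:48-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T22:14:54-08:00 notice netifd[]: wan (2132): udhcpc: sending renew
2017-02-18T22:14:55-08:00 notice netifd[]: wan (2132): udhcpc: lease lost, entering init state
2017-02-18T22:14:55-08:00 notice netifd[]: Interface 'wan' has lost the connection
2017-02-18T22:15:45-08:00 notice openvpn(sonicvpn)[2600]: [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
EOF
}

sample_log | correlate_drops 120
```

On the router the same function can be fed the real log with `correlate_drops 120 < /var/log/messages`; a run of unanswered renews before every tunnel restart points at the WAN lease rather than at the OpenVPN configuration.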

In your quote there is an explanation that the DHCP server migrates in the network, changing its own IP. You can try to do it, of course, but you should insert the rule in the correct chain; see the output of

iptables -nvL

and

fw3 print

It would be better for you to set WAN not as a DHCP client, but just with a static IP. Is that possible with your ISP?

(Last edited by ulmwind on 19 Feb 2017, 11:45)

Good suggestion on static. After lots of frustration and forcing myself to learn a lot more about firewall rules and googling many more similar situations.

Bottom line, this DHCP lease is an att u-verse issue. So I call my ISP, which is not att u-verse exactly, and inquire about a static IP address. They unfortunately cannot offer a static IP address.

However, after searching some more, I found that even though att uverse is DHCP, I can still static assign that IP to my router from the att uverse router.

This is not ideal, since if my IP changes I would have to update my router. However, everyone seems to be saying it's rare it changes on you. People are reporting they have been getting the same IP for months.

So after assigning a static IP to my OpenWrt router, my VPN is stable on the router now. No more disconnects every 5 minutes.

Thanks for the suggestion, it worked. Great work putting that helpful VPN guide together as well. I needed that last year but at the time did not find such an article.

(Last edited by randomhuman on 19 Feb 2017, 23:26)

The discussion might have continued from here.