OpenVPN server issue

Hi,

I’ve just set up an OpenVPN server on my RUTX08 but am having some trouble getting it stable.

Issue
I can successfully connect and access the router, but after 1-2 minutes I get timeouts, then everything is working again for 1-2 minutes.

Specification
RUTX08 side: 100/100 Mbit
Client side: 100/100 Mbit
OpenVPN client version: 2.5.9 (have tried the latest as well)

Server settings
Enable: On
TUN/TAP: TUN
Protocol: UDP
Port: 1194
LZO: None
Authentication: TLS
Encryption: AES-256-GCM 256
TLS Cipher: All
Client to client: On
Keep alive: 10 120
Virtual network IP address: 192.168.15.0
Virtual network netmask: 255.255.255.0
Push option: route 192.168.1.0 255.255.255.0
Allow duplicate certificates: Off
Authentication algorithm: SHA1
Additional HMAC authentication: None
Use PKCS #12 format: Off

Certificate authority, Server certificate, Server key, Diffie Hellman parameters are all set.

Client settings
client
dev tun_c_ovpn
proto udp
remote my.domain.com 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca ca.crt
cert Client1.crt
key Client1.key

Log from client

2023-07-06 14:07:34 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-07-06 14:07:34 OpenVPN 2.5.9 [git:v2.5.9/ea4ce681d9008f27] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 15 2023
2023-07-06 14:07:34 Windows version 10.0 (Windows 10 or greater) 64bit
2023-07-06 14:07:34 library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
2023-07-06 14:07:34 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25346
2023-07-06 14:07:34 Need hold release from management interface, waiting...
2023-07-06 14:07:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25346
2023-07-06 14:07:35 MANAGEMENT: CMD 'state on'
2023-07-06 14:07:35 MANAGEMENT: CMD 'log on all'
2023-07-06 14:07:35 MANAGEMENT: CMD 'echo on all'
2023-07-06 14:07:35 MANAGEMENT: CMD 'bytecount 5'
2023-07-06 14:07:35 MANAGEMENT: CMD 'state'
2023-07-06 14:07:35 MANAGEMENT: CMD 'hold off'
2023-07-06 14:07:35 MANAGEMENT: CMD 'hold release'
2023-07-06 14:07:35 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-07-06 14:07:35 MANAGEMENT: >STATE:1688645255,RESOLVE,,,,,,
2023-07-06 14:07:35 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-07-06 14:07:35 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-07-06 14:07:35 UDP link local: (not bound)
2023-07-06 14:07:35 UDP link remote: [AF_INET]111.222.333.444:1194
2023-07-06 14:07:35 MANAGEMENT: >STATE:1688645255,WAIT,,,,,,
2023-07-06 14:07:35 MANAGEMENT: >STATE:1688645255,AUTH,,,,,,
2023-07-06 14:07:35 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=66e6823e 26cd96c6
2023-07-06 14:07:35 VERIFY OK: depth=1, CN=SomeName
2023-07-06 14:07:35 VERIFY OK: depth=0, CN=server
2023-07-06 14:07:35 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
2023-07-06 14:07:35 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-07-06 14:07:35 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-07-06 14:07:35 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-07-06 14:07:35 [server] Peer Connection Initiated with [AF_INET]111.222.333.444:1194
2023-07-06 14:07:35 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.15.0 255.255.255.0,topology net30,ping 5,ping-restart 10,ifconfig 192.168.15.6 192.168.15.5,peer-id 0,cipher AES-256-GCM'
2023-07-06 14:07:35 OPTIONS IMPORT: timers and/or timeouts modified
2023-07-06 14:07:35 OPTIONS IMPORT: --ifconfig/up options modified
2023-07-06 14:07:35 OPTIONS IMPORT: route options modified
2023-07-06 14:07:35 OPTIONS IMPORT: peer-id set
2023-07-06 14:07:35 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-07-06 14:07:35 OPTIONS IMPORT: data channel crypto options modified
2023-07-06 14:07:35 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-07-06 14:07:35 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-06 14:07:35 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-06 14:07:35 interactive service msg_channel=632
2023-07-06 14:07:35 open_tun
2023-07-06 14:07:35 tap-windows6 device [OpenVPN TAP-Windows6] opened
2023-07-06 14:07:35 TAP-Windows Driver Version 9.24 
2023-07-06 14:07:35 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.15.6/255.255.255.252 on interface {449F2E70-6B46-4F46-9819-68A5D4C6BC7F} [DHCP-serv: 192.168.15.5, lease-time: 31536000]
2023-07-06 14:07:35 Successful ARP Flush on interface [11] {449F2E70-6B46-4F46-9819-68A5D4C6BC7F}
2023-07-06 14:07:35 MANAGEMENT: >STATE:1688645255,ASSIGN_IP,,192.168.15.6,,,,
2023-07-06 14:07:35 IPv4 MTU set to 1500 on interface 11 using service
2023-07-06 14:07:40 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
2023-07-06 14:07:40 MANAGEMENT: >STATE:1688645260,ADD_ROUTES,,,,,,
2023-07-06 14:07:40 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.15.5
2023-07-06 14:07:40 Route addition via service succeeded
2023-07-06 14:07:40 C:\Windows\system32\route.exe ADD 192.168.15.0 MASK 255.255.255.0 192.168.15.5
2023-07-06 14:07:40 Route addition via service succeeded
2023-07-06 14:07:40 Initialization Sequence Completed
2023-07-06 14:07:40 MANAGEMENT: >STATE:1688645260,CONNECTED,SUCCESS,192.168.15.6,111.222.333.444,1194,,
2023-07-06 14:07:57 [server] Inactivity timeout (--ping-restart), restarting
2023-07-06 14:07:57 SIGUSR1[soft,ping-restart] received, process restarting
2023-07-06 14:07:57 MANAGEMENT: >STATE:1688645277,RECONNECTING,ping-restart,,,,,
2023-07-06 14:07:57 Restart pause, 5 second(s)
2023-07-06 14:08:02 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-07-06 14:08:02 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-07-06 14:08:02 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-07-06 14:08:02 UDP link local: (not bound)
2023-07-06 14:08:02 UDP link remote: [AF_INET]111.222.333.444:1194
2023-07-06 14:08:02 MANAGEMENT: >STATE:1688645282,WAIT,,,,,,
2023-07-06 14:08:02 MANAGEMENT: >STATE:1688645282,AUTH,,,,,,
2023-07-06 14:08:02 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=55070a18 6ee0291f
2023-07-06 14:08:02 VERIFY OK: depth=1, CN=SomeName
2023-07-06 14:08:02 VERIFY OK: depth=0, CN=server
2023-07-06 14:08:02 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
2023-07-06 14:08:02 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-07-06 14:08:02 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-07-06 14:08:02 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-07-06 14:08:02 [server] Peer Connection Initiated with [AF_INET]111.222.333.444:1194
2023-07-06 14:08:02 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.15.0 255.255.255.0,topology net30,ping 5,ping-restart 10,ifconfig 192.168.15.6 192.168.15.5,peer-id 0,cipher AES-256-GCM'
2023-07-06 14:08:02 OPTIONS IMPORT: timers and/or timeouts modified
2023-07-06 14:08:02 OPTIONS IMPORT: --ifconfig/up options modified
2023-07-06 14:08:02 OPTIONS IMPORT: route options modified
2023-07-06 14:08:02 OPTIONS IMPORT: peer-id set
2023-07-06 14:08:02 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-07-06 14:08:02 OPTIONS IMPORT: data channel crypto options modified
2023-07-06 14:08:02 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-07-06 14:08:02 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-06 14:08:02 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-06 14:08:02 Preserving previous TUN/TAP instance: OpenVPN TAP-Windows6
2023-07-06 14:08:02 Initialization Sequence Completed
2023-07-06 14:08:02 MANAGEMENT: >STATE:1688645282,CONNECTED,SUCCESS,192.168.15.6,111.222.333.444,1194,,
2023-07-06 14:08:21 [server] Inactivity timeout (--ping-restart), restarting
2023-07-06 14:08:21 SIGUSR1[soft,ping-restart] received, process restarting
2023-07-06 14:08:21 MANAGEMENT: >STATE:1688645301,RECONNECTING,ping-restart,,,,,
2023-07-06 14:08:21 Restart pause, 5 second(s)
2023-07-06 14:08:26 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-07-06 14:08:26 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-07-06 14:08:26 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-07-06 14:08:26 UDP link local: (not bound)
2023-07-06 14:08:26 UDP link remote: [AF_INET]111.222.333.444:1194
2023-07-06 14:08:26 MANAGEMENT: >STATE:1688645306,WAIT,,,,,,
2023-07-06 14:08:26 MANAGEMENT: >STATE:1688645306,AUTH,,,,,,
2023-07-06 14:08:26 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=d1e587d2 b7007ea5
2023-07-06 14:08:26 VERIFY OK: depth=1, CN=SomeName
2023-07-06 14:08:26 VERIFY OK: depth=0, CN=server
2023-07-06 14:08:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
2023-07-06 14:08:26 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-07-06 14:08:26 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-07-06 14:08:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-07-06 14:08:26 [server] Peer Connection Initiated with [AF_INET]111.222.333.444:1194
2023-07-06 14:08:26 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.15.0 255.255.255.0,topology net30,ping 5,ping-restart 10,ifconfig 192.168.15.6 192.168.15.5,peer-id 0,cipher AES-256-GCM'
2023-07-06 14:08:26 OPTIONS IMPORT: timers and/or timeouts modified
2023-07-06 14:08:26 OPTIONS IMPORT: --ifconfig/up options modified
2023-07-06 14:08:26 OPTIONS IMPORT: route options modified
2023-07-06 14:08:26 OPTIONS IMPORT: peer-id set
2023-07-06 14:08:26 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-07-06 14:08:26 OPTIONS IMPORT: data channel crypto options modified
2023-07-06 14:08:26 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-07-06 14:08:26 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-06 14:08:26 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-06 14:08:26 Preserving previous TUN/TAP instance: OpenVPN TAP-Windows6
2023-07-06 14:08:26 Initialization Sequence Completed
2023-07-06 14:08:26 MANAGEMENT: >STATE:1688645306,CONNECTED,SUCCESS,192.168.15.6,111.222.333.444,1194,,
2023-07-06 14:08:30 C:\Windows\system32\route.exe DELETE 192.168.1.0 MASK 255.255.255.0 192.168.15.5
2023-07-06 14:08:30 Route deletion via service succeeded
2023-07-06 14:08:30 C:\Windows\system32\route.exe DELETE 192.168.15.0 MASK 255.255.255.0 192.168.15.5
2023-07-06 14:08:30 Route deletion via service succeeded
2023-07-06 14:08:30 Closing TUN/TAP interface
2023-07-06 14:08:30 TAP: DHCP address released
2023-07-06 14:08:30 SIGTERM[hard,] received, process exiting
2023-07-06 14:08:30 MANAGEMENT: >STATE:1688645310,EXITING,SIGTERM,,,,,

Hello,

Do you have the latest firmware version installed on your RUTX08?

From the logs, it seems that the connection restarts soon after the VPN establishes a tunnel. Specifically, the logs show that there were no pings and a ping-restart was triggered.

There were some issues where the OpenVPN keep-alive option, which is used to maintain the VPN connection by sending periodic pings, was not working properly in some of the older firmware versions when the OpenVPN server is configured, but this was quickly resolved in the newer firmware. Thus, if you are not running the latest firmware version, I suggest making a backup of your current configuration, then updating with ‘keep settings’ disabled to avoid any potential migration issues, and then configuring OpenVPN again.

You can also try increasing the keep-alive option. This would increase the interval at which the pings are sent, which can help if the network is congested or the device is under heavy load and causing pings to be lost.

Let me know if this helps. If you are indeed not using the latest firmware version and update the device, but the issue persists, it would be great if you could provide new logs.

Kind Regards,
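
Added example (not part of either post, and not Teltonika or OpenVPN code): a Python check run over lines copied from the client log above. It measures how long each tunnel stayed up before the ping-restart, compares the pushed ping timers with the server's "Keep alive: 10 120" setting, and records the certificate-verification and option-mismatch warnings. The function name and the expectation that the pushed timers equal the configured keep-alive pair are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the client log in the post above (two reconnect cycles).
SAMPLE_LOG = """\
2023-07-06 14:07:35 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-07-06 14:07:35 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
2023-07-06 14:07:35 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.15.0 255.255.255.0,topology net30,ping 5,ping-restart 10,ifconfig 192.168.15.6 192.168.15.5,peer-id 0,cipher AES-256-GCM'
2023-07-06 14:07:40 MANAGEMENT: >STATE:1688645260,CONNECTED,SUCCESS,192.168.15.6,111.222.333.444,1194,,
2023-07-06 14:07:57 [server] Inactivity timeout (--ping-restart), restarting
2023-07-06 14:08:02 MANAGEMENT: >STATE:1688645282,CONNECTED,SUCCESS,192.168.15.6,111.222.333.444,1194,,
2023-07-06 14:08:21 [server] Inactivity timeout (--ping-restart), restarting
"""

STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
TIMER = re.compile(r"\b(ping-restart|ping) (\d+)")
MISMATCH = re.compile(r"'([\w-]+)' is used inconsistently")


def analyze(log_text, configured_keepalive=(10, 120)):
    """Summarise tunnel uptime, pushed timers and warnings in a client log."""
    pushed, uptimes, mismatched = {}, [], set()
    no_cert_check, connected_at = False, None
    for raw in log_text.splitlines():
        m = STAMP.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if "PUSH_REPLY" in msg:
            pushed = {k: int(v) for k, v in TIMER.findall(msg)}
        elif ",CONNECTED,SUCCESS," in msg:
            connected_at = ts
        elif "Inactivity timeout (--ping-restart)" in msg and connected_at:
            uptimes.append(int((ts - connected_at).total_seconds()))
            connected_at = None
        elif "No server certificate verification method" in msg:
            no_cert_check = True
        elif MISMATCH.search(msg):
            mismatched.add(MISMATCH.search(msg).group(1))
    # Assumption: the client should receive the server's keep-alive pair
    # unchanged as "ping" and "ping-restart".
    expected = dict(zip(("ping", "ping-restart"), configured_keepalive))
    return {"pushed": pushed, "keepalive_mismatch": pushed != expected,
            "uptimes_s": uptimes, "no_server_cert_check": no_cert_check,
            "inconsistent_options": sorted(mismatched)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The certificate warning it flags is separate from the stability problem; adding `remote-cert-tls server` to the client config enables the server certificate check the warning asks for.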