I have a setup with 6 RUT956 devices. One of them is running an OpenVPN server, others are clients connected to it. The server has a stable wired internet connection. Clients are on LTE.
These are the clients connected to the vpn:
Clients ZRR1,ZRR51,ZRR52,ZRR6,ZRR8 are the RUT956 clients, the other two are laptops.
Clients are on firmware RUT9M_R_00.07.05.4, while the server is on RUT9M_R_00.07.06.3
Here is the server’s OpenVPN configuration:
TAP
UDP,
port 1194 (forwarded from a different outside port)
LZO none
Authentication: TLS
Encryption AES-256-GCM 256
TLS cipher: All
Client to client traffic allowed
Keep alive: 10 120
Duplicate certificates not allowed
Authentication algorithm SHA256
HMAC: Authentication only
HMAC key direction 0
PKCS #12 format off
The problem is that some of the clients occasionally lose their vpn connection for multiple days at a time. While this is happening, the server’s vpn logs make it seem like these clients are trying to reconnect every 2 minutes. Currently, client ZRR1 is inaccessible on the network but does appear in the list of active clients. Here is what it looks like on the server:
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: MULTI: multi_create_instance called
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Re-using SSL/TLS context
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Control Channel MTU parms [ L:1653 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Mon Nov 18 10:12:54 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:3347, sid=c612814a be1fca99
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 VERIFY OK: depth=1, CN=ovpn_Hranov_CA
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 VERIFY OK: depth=0, CN=ovpn-Hranov-ZRR1
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_VER=2.5.3
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_PLAT=linux
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_PROTO=6
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_CIPHERS=AES-256-CBC:AES-256-GCM
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_LZ4=1
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_LZ4v2=1
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_LZO=1
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_COMP_STUB=1
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_COMP_STUBv2=1
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 peer info: IV_TCPNL=1
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3347 [ovpn-Hranov-ZRR1] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:3347
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: MULTI: new connection by client 'ovpn-Hranov-ZRR1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Mon Nov 18 10:12:55 2024 daemon.err openvpn(Hranov)[4133]: MULTI: no dynamic or static remote--ifconfig address is available for ovpn-Hranov-ZRR1/XX.XX.XX.XX:3347
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: Data Channel: using negotiated cipher 'AES-256-CBC'
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: Data Channel MTU parms [ L:1601 D:1450 EF:69 EB:411 ET:32 EL:3 ]
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:12:55 2024 daemon.notice openvpn(Hranov)[4133]: SENT CONTROL [ovpn-Hranov-ZRR1]: 'PUSH_REPLY,ping 10,ping-restart 120,peer-id 6,cipher AES-256-CBC' (status=1)
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: MULTI: multi_create_instance called
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Re-using SSL/TLS context
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Control Channel MTU parms [ L:1653 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Mon Nov 18 10:15:00 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:3356, sid=a47734b9 65eb282d
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 VERIFY OK: depth=1, CN=ovpn_Hranov_CA
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 VERIFY OK: depth=0, CN=ovpn-Hranov-ZRR1
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_VER=2.5.3
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_PLAT=linux
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_PROTO=6
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_CIPHERS=AES-256-CBC:AES-256-GCM
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_LZ4=1
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_LZ4v2=1
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_LZO=1
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_COMP_STUB=1
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_COMP_STUBv2=1
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 peer info: IV_TCPNL=1
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3356 [ovpn-Hranov-ZRR1] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:3356
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: MULTI: new connection by client 'ovpn-Hranov-ZRR1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Mon Nov 18 10:15:01 2024 daemon.err openvpn(Hranov)[4133]: MULTI: no dynamic or static remote--ifconfig address is available for ovpn-Hranov-ZRR1/XX.XX.XX.XX:3356
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: Data Channel: using negotiated cipher 'AES-256-CBC'
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: Data Channel MTU parms [ L:1601 D:1450 EF:69 EB:411 ET:32 EL:3 ]
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:15:01 2024 daemon.notice openvpn(Hranov)[4133]: SENT CONTROL [ovpn-Hranov-ZRR1]: 'PUSH_REPLY,ping 10,ping-restart 120,peer-id 3,cipher AES-256-CBC' (status=1)
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: MULTI: multi_create_instance called
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Re-using SSL/TLS context
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Control Channel MTU parms [ L:1653 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:3408, sid=140f2b35 5a020d93
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 VERIFY OK: depth=1, CN=ovpn_Hranov_CA
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 VERIFY OK: depth=0, CN=ovpn-Hranov-ZRR1
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_VER=2.5.3
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_PLAT=linux
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_PROTO=6
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_CIPHERS=AES-256-CBC:AES-256-GCM
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_LZ4=1
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_LZ4v2=1
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_LZO=1
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_COMP_STUB=1
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_COMP_STUBv2=1
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 peer info: IV_TCPNL=1
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: XX.XX.XX.XX:3408 [ovpn-Hranov-ZRR1] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:3408
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: MULTI: new connection by client 'ovpn-Hranov-ZRR1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Mon Nov 18 10:17:07 2024 daemon.err openvpn(Hranov)[4133]: MULTI: no dynamic or static remote--ifconfig address is available for ovpn-Hranov-ZRR1/XX.XX.XX.XX:3408
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: Data Channel: using negotiated cipher 'AES-256-CBC'
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: Data Channel MTU parms [ L:1601 D:1450 EF:69 EB:411 ET:32 EL:3 ]
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 18 10:17:07 2024 daemon.notice openvpn(Hranov)[4133]: SENT CONTROL [ovpn-Hranov-ZRR1]: 'PUSH_REPLY,ping 10,ping-restart 120,peer-id 6,cipher AES-256-CBC' (status=1)
Between November 5th and 15th, client ZRR52 was inaccessible. After finally reconnecting, I found this information in its system logs:
135 2024-11-15 10:24:23 IP Block ip_blockd service is enabled, initialized firewall rules
134 2024-11-15 10:24:20 Switch Events Port speed for port CPU/WiFi changed to 1000 baseT
133 2024-11-15 10:24:20 Switch Events Port link state of port CPU/WiFi changed to UP
132 2024-11-15 10:24:20 Switch Events Port speed for port LAN1 changed to 100 baseT
131 2024-11-15 10:24:20 Switch Events Port link state of port LAN1 changed to UP
130 2024-11-15 10:23:02 Startup Device startup completed
129 2024-11-15 10:22:57 Network Operator Connected to Telekom SK Telekom SK operator (internal modem)
128 2024-11-15 10:22:57 Network Type Joined LTE network (internal modem)
127 2024-11-15 10:22:57 Mobile Data Mobile data connected (internal modem)
126 2024-11-06 12:29:50 SMS SMS received from: +Telekom.sk (internal modem)
125 2024-11-05 01:15:57 Network Operator Connected to Telekom SK Telekom SK operator (internal modem)
124 2024-11-05 01:15:57 Network Type Joined LTE network (internal modem)
123 2024-11-05 01:15:57 Mobile Data Mobile data connected (internal modem)
122 2024-11-05 01:15:42 Mobile Data Mobile data disconnected (internal modem)
It seems like there is some kind of an issue pertaining to brief losses of LTE connectivity but I’m not sure. There are other entries similar to this when the connection wasn’t lost.
LAN interfaces of all devices are set to 10.22.91.xx/24. When I say that client is inaccessible, what I mean is that I cannot connect to the web interface from within the vpn network on its local address and pinging the device also doesn’t work.
Can anyone help me figure out what is going on?