OpenVPN disconnects when session expires

[freeshka]

I have OpenVPN client configured on my router RT-AC68U with 380.65 Firmware.
From time to time when I go to VPN page in router config, I see error "Authentification failed" and the following lines in log:

Feb 16 00:34:47 openvpn[5177]: VERIFY OK: depth=1, CN=OpenVPN CA
Feb 16 00:34:47 openvpn[5177]: VERIFY OK: nsCertType=SERVER
Feb 16 00:34:47 openvpn[5177]: VERIFY OK: depth=0, CN=OpenVPN Server
Feb 16 00:34:48 openvpn[5177]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 16 00:34:48 openvpn[5177]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 16 00:34:48 openvpn[5177]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 16 00:34:48 openvpn[5177]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 16 00:34:48 openvpn[5177]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 16 00:34:48 openvpn[5177]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 16 00:34:48 openvpn[5177]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Feb 16 00:34:48 openvpn[5177]: AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate
Feb 16 00:34:48 openvpn[5177]: SIGTERM received, sending exit notification to peer
Feb 16 00:34:49 openvpn[5177]: vpnrouting.sh tun11 1500 1542 XXX.XX.X.X 255.255.255.240 init
Feb 16 00:34:49 openvpn-routing: Configuring policy rules for client 1
Feb 16 00:34:49 openvpn-routing: Flushing client routing table
Feb 16 00:34:49 openvpn-routing: Completed routing policy configuration for client 1
Feb 16 00:34:49 openvpn[5177]: /usr/sbin/ip route del XXX.XXX.X.X/24 metric 101
Feb 16 00:34:49 openvpn[5177]: /usr/sbin/ip route del XX.XXX.XXX.XX/32
Feb 16 00:34:49 openvpn[5177]: Closing TUN/TAP interface
Feb 16 00:34:49 openvpn[5177]: /usr/sbin/ip addr del dev tun11 XXX.XX.X.X/28
Feb 16 00:34:49 openvpn[5177]: SIGTERM[soft,exit-with-notification] received, process exiting

How can I fix it to make my VPN connection permanent?

 

[freeshka]

Please, could anyone here provide a solution for this issue?

 

[RMerlin]

Please post your config so people can review it. This is most likely a configuration problem since it works fine for others.

 

[octopus]

It''s impossible to read it.
Post output of:

cat /etc/openvpn/client1/config.ovpn

 

[freeshka]

It''s impossible to read it.
Post output of:

cat /etc/openvpn/client1/config.ovpn

# Automatically generated configuration
daemon
client
dev tun11
proto udp
remote xxx.xxx.xxx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
compress
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
tls-auth static.key 1
ca ca.crt
cert client.crt
key client.key
auth-user-pass up
status-version 2
status status 10

# Custom Configuration
setenv FORWARD_COMPATIBLE 1
port xxxx
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
setenv PUSH_PEER_INFO
inactive 0

 

[freeshka]

In general it works fine, but after some period of time VPN disconnects and unable to reconnect, so I need to turn it on manually

 

[octopus]

At first glance, I can see you don't specified any AUTH.
Set auth SHA1 if you use it.
Then I would remove most of the stuff in custom configuration.

 

[freeshka]

# Automatically generated configuration
daemon
client
dev tun11
proto udp
remote xxx.xxxx.xx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
compress
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
auth SHA1
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
tls-auth static.key 1
ca ca.crt
cert client.crt
key client.key
auth-user-pass up
status-version 2
status status 10

# Custom Configuration

At first glance, I can see you don't specified any AUTH.
Set auth SHA1 if you use it.
Then I would remove most of the stuff in custom configuration.

It is able to connect, but to verify that it can reconnect I need some time, from day to two.

 

[octopus]

You probably need this in custom config:

port xxxx (use it here only if you not have port in gui)
ns-cert-type server
reneg-sec 604800

And you missing:

cipher AES-256-CBC

Adjust to match what you use

 

[freeshka]

You probably need this in custom config:

port xxxx (use it here only if you not have port in gui)
ns-cert-type server
reneg-sec 604800

I've put the last 2 lines to custom config, port is configured on GUI

 

[freeshka]

After more that 24 hours up, VPN connection broke, the following is in system log:

Mar  3 23:57:21 openvpn[11254]: TLS: soft reset sec=602790 bytes=67127393/67108864 pkts=117805/0
Mar  3 23:57:21 openvpn[11254]: VERIFY OK: depth=1, CN=OpenVPN CA
Mar  3 23:57:21 openvpn[11254]: VERIFY OK: nsCertType=SERVER
Mar  3 23:57:21 openvpn[11254]: VERIFY OK: depth=0, CN=OpenVPN Server
Mar  3 23:57:21 openvpn[11254]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar  3 23:57:21 openvpn[11254]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mar  3 23:57:21 openvpn[11254]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar  3 23:57:21 openvpn[11254]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar  3 23:57:21 openvpn[11254]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mar  3 23:57:21 openvpn[11254]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar  3 23:57:21 openvpn[11254]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar  3 23:57:21 openvpn[11254]: AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate
Mar  3 23:57:21 openvpn[11254]: SIGTERM received, sending exit notification to peer
Mar  3 23:57:22 openvpn[11254]: vpnrouting.sh tun11 1500 1542 XXX.XX.X.XX 255.255.255.240 init
Mar  3 23:57:22 openvpn-routing: Configuring policy rules for client 1
Mar  3 23:57:22 openvpn-routing: Flushing client routing table
Mar  3 23:57:22 openvpn-routing: Completed routing policy configuration for client 1
Mar  3 23:57:22 openvpn[11254]: /usr/sbin/ip route del XXX.XXX.X.X/24 metric 101
Mar  3 23:57:23 openvpn[11254]: /usr/sbin/ip route del XX.XXX.XXX.XX/32
Mar  3 23:57:23 openvpn[11254]: Closing TUN/TAP interface
Mar  3 23:57:23 openvpn[11254]: /usr/sbin/ip addr del dev tun11 XXX.XX.X.XX/28
Mar  3 23:57:23 openvpn[11254]: SIGTERM[soft,exit-with-notification] received, process exiting

 

[freeshka]

Any ideas? Could anyone help me, please?

 

[Martineau]

Any ideas? Could anyone help me, please?

If my understanding is correct, you have no control over when the following message

AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate

is generated by the VPN provider, i.e. the VPN connection has been forcibly terminated by the server.

So presumably you simply need to restart the VPN Client on receipt of the message? - if so then you should set up a VPN message monitoring script to restart the VPN Client.

 

[freeshka]

If my understanding is correct, you have no control over when the following message

AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate

is generated by the VPN provider, i.e. the VPN connection has been forcibly terminated by the server.

So presumably you simply need to restart the VPN Client on receipt of the message? - if so then you should set up a VPN message monitoring script to restart the VPN Client.

I think, yes - your solution is what I need.

Could you please help me with the script?

 

[Martineau]

I think, yes - your solution is what I need.

Could you please help me with the script?

Probably, but there is more than one script required.

I'm assuming you are familiar with scripts in general (if not see the Wiki https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts) and how to use/create openvpn-events.

So create the two openvpn-event scripts:

e.g. for VPN Client 1

/jffs/scripts/vpnclient1-up

#!/bin/sh

logger -st "($(basename $0))" $$ "User Processing '"$script_type"' ("$dev") via" $ifconfig_local "args = ["$@"]"

VPN_ID=${dev:4:1}

MYROUTER=$(nvram get computer_name)
if [ -d "/tmp/mnt/"$MYROUTER ];then
   MOUNT="/tmp/mnt/"$MYROUTER
else
   MOUNT="/tmp"
fi
TRACKFILE="${MOUNT}/vpnclient$VPN_ID"
KILLFILE=$TRACKFILE"-kill"

logger -st "($(basename $0))" $$ "VPN Syslog Event Monitor Requested....."
# Ensure VPN monitor process can start!
rm $KILLFILE
/jffs/scripts/VPN_SyslogMonitor.sh $VPN_ID &

logger -st "($(basename $0))" $$ "User Processing Complete."

exit 0

/jffs/scripts/vpnclient1-route-pre-down

#!/bin/sh

# Kill the VPN Syslog Event Monitor

VPN_ID=${dev:4:1}

MYROUTER=$(nvram get computer_name)
if [ -d "/tmp/mnt/"$MYROUTER ];then
   MOUNT="/tmp/mnt/"$MYROUTER
else
   MOUNT="/tmp"
fi
TRACKFILE="${MOUNT}/vpnclient$VPN_ID"
KILLFILE=$TRACKFILE"-kill"

#logger -st "($(basename $0))" $$ "***DEBUG VPN Syslog Event Monitor:" "$(ps | grep -i "VPN_SyslogMonitor" | grep -v "grep")"
#for ITEM in $(ps | grep -i "VPN_SyslogMonitor" | grep -v "grep" | awk '{ print $1 }')
# do
#  kill -9 $ITEM
#  logger -st "($(basename $0))" $$ "***DEBUG VPN Syslog Event Monitor terminating PID="$ITEM "rc="$?
# done

# Since the code above never seems to work?...
touch $KILLFILE

logger -st "($(basename $0))" $$ "VPN Syslog Event Monitor self-destruct requested."

Now define the messages to be monitored in the monitoring script.
In my case, I monitor for two messages $VPN0001 and $VPN0002

For the first message, effectively I have a cron job that sends a request down the tun1x interface to extract the end-point ISP address that is written to Syslog. If the I/P returned is '???' on two consecutive attempts then I restart the appropriate VPN Client.
The second message is simply logged to a file.

/jffs/scripts/VPN_SyslogMonitor.sh

#!/bin/sh

# Simple VPN Syslog event monitor

Say(){
   /usr/bin/logger -st "($(basename $0))" $$ $@
}

Say "VPN Syslog Event Monitor starting....."

VPN_ID=$1

MYROUTER=$(nvram get computer_name)
if [ -d "/tmp/mnt/"$MYROUTER ];then
   MOUNT="/tmp/mnt/"$MYROUTER
else
   MOUNT="/tmp"
fi
TRACKFILE="${MOUNT}/vpnclient$VPN_ID"
KILLFILE=$TRACKFILE"-kill"

# Feb 17 23:00:06 RT-AC68U user.warn (VPN_Client_Switch.sh): 12924 Client 1 connected via 10.200.195.10 (VPN WAN I/P ???) (NewYork)
VPN0001="(VPN WAN I/P"
VPN0001_CNT=0
VPN0002="TLS: tls_process: killed expiring key"
VPN0002_CNT=0

# Track the event
tail -F /tmp/syslog.log | while read SYSLOG
 do

  case "$SYSLOG" in
   *$VPN0001*)  # Feb 17 23:00:06 RT-AC68U user.warn (VPN_Client_Switch.sh): 12924 Client 1 connected via 10.200.195.10 (VPN WAN I/P ???) (NewYork)
    echo $$"-"`date` "VPN0001" $SYSLOG >> $TRACKFILE
    # If we have two consecutive matches then restart the appropriate VPN Client
    if [ -z "$(echo $SYSLOG | grep "???")" ];then
       VPN0001_CNT=0
    else
       VPN0001_CNT=$((1+$VPN0001_CNT))
     if [ $VPN0001_CNT -eq 2 ];then
      VPN_ID=$(echo $SYSLOG |  grep -oE "Client\s[1-5]\sconnected" | cut -d" " -f2)
      Say "VPN Client" $VPN_ID "recovery initiated....."
      if [ -f "jffs/scripts/VPN_ClientSwitch.sh" ];then
         /jffs/scripts/VPN_ClientSwitch.sh $VPN_ID "restart"
      else
         service restart_vpnclient$VPN_ID
      fi
      echo $$"-"`date` "VPN0001 VPN Client" $VPN_ID "recovery initiated....." >> $TRACKFILE
      Say "VPN Syslog Event Monitor exiting....."
      exit         # openvpn-event Client 'DOWN' should kill this script? -but doesn't?
                   # openvpn-event Client 'UP'   will restart this
     fi
    fi
    ;;
   *$VPN0002*)
    echo $$"-"`date` "VPN0002" $SYSLOG >> $TRACKFILE
    ;;
   *)
    #echo $SYSLOG        # Debug
    # Check for external kill switch
    if [ -f $KILLFILE ];then
     Say "VPN Syslog Event Monitor external termination trigger....."
     rm $KILLFILE        # openvpn-event Client 'UP'   will also ensure this is done!
     exit
    fi
    ;;
  esac
 done

exit

In your case, when you see the 'Your session has expired, please reauthenticate' message then I'd wait 3 secs then issue the 'service restart_vpnclientX' command.

Think you can manage to modify the VPN_SyslogMonitor.sh script by yourself?