OpenVPN does not start after router restart

[przemekwawa]

Hi,
For many releases I have problem with OpenVPN server that does not start properly after router restart. If I set it to disabled-> save settings-> enabled-> save settings, everything is fine in just a moment
After restart it is in state "starting" with information like in screenshot. It stays so without end (week for sure

After last upgrade, I made hard reset, everything was reconfigured manually and still same problem. I have same situation on 3 routers - all RT-AC68U.

In logs I found only this:
"
Jun 17 20:11:14 ovpn-server1[12679]: event_wait : Interrupted system call (code=4)
Jun 17 20:11:15 ovpn-server1[12679]: Closing TUN/TAP interface
Jun 17 20:11:15 ovpn-server1[12679]: /sbin/ifconfig tun21 0.0.0.0
Jun 17 20:11:15 lldpd[313]: removal request for address of 10.8.0.1%12, but no knowledge of it
Jun 17 20:11:15 ovpn-server1[12679]: updown.sh tun21 1500 1621 10.8.0.1 255.255.255.0 init
Jun 17 20:11:20 ovpn-server1[12679]: SIGTERM[hard,] received, process exiting
"


And after manual restart of open vpn (disable/enable/save)
"
Jun 17 20:22:39 ovpn-server1[7305]: OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 25 2020
Jun 17 20:22:39 ovpn-server1[7305]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.08
Jun 17 20:22:39 ovpn-server1[7306]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Jun 17 20:22:39 ovpn-server1[7306]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 17 20:22:42 ovpn-server1[7306]: Diffie-Hellman initialized with 2048 bit key
Jun 17 20:22:42 ovpn-server1[7306]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 17 20:22:42 ovpn-server1[7306]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 17 20:22:42 ovpn-server1[7306]: TUN/TAP device tun21 opened
Jun 17 20:22:42 ovpn-server1[7306]: TUN/TAP TX queue length set to 1000
Jun 17 20:22:42 ovpn-server1[7306]: /sbin/ifconfig tun21 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Jun 17 20:22:42 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Jun 17 20:22:42 lldpd[313]: removal request for address of 10.8.0.1%12, but no knowledge of it
Jun 17 20:22:42 ovpn-server1[7306]: updown.sh tun21 1500 1621 10.8.0.1 255.255.255.0 init
Jun 17 20:22:42 ovpn-server1[7306]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Jun 17 20:22:42 ovpn-server1[7306]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jun 17 20:22:42 ovpn-server1[7306]: setsockopt(IPV6_V6ONLY=0)
Jun 17 20:22:42 ovpn-server1[7306]: UDPv6 link local (bound): [AF_INET6][undef]:80
Jun 17 20:22:42 ovpn-server1[7306]: UDPv6 link remote: [AF_UNSPEC]
Jun 17 20:22:42 lldpd[313]: removal request for address of 10.8.0.1%12, but no knowledge of it
Jun 17 20:22:42 ovpn-server1[7306]: MULTI: multi_init called, r=256 v=256
Jun 17 20:22:42 ovpn-server1[7306]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Jun 17 20:22:42 ovpn-server1[7306]: Initialization Sequence Completed
"
Any ideas?

 

[jc_ratchet]

Hello, I have a similar problem, i think... with RT-AC86U instead. Each time the router gets rebooted, the vpn is unreachable, forcing that I export the ovpn conf file onto my client devices again and again.. is that way it should work?
I have the 386.1_2 version

 

[jc_ratchet]

Hello, I have a similar problem, i think... with RT-AC86U instead. Each time the router gets rebooted, the vpn is unreachable, forcing that I export the ovpn conf file onto my client devices again and again.. is that way it should work?
I have the 386.1_2 version

After closer check it seems my client actually just requires me to input the password again with each router reboot... but still, is that the way it should work?

 

[eibgrad]

After closer check it seems my client actually just requires me to input the password again with each router reboot... but still, is that the way it should work?

Actually this is normal. When you configure the OpenVPN server for use w/ username/password, it adds the following to the generated OpenVPN client config file.

auth-user-pass

This is what tells the OpenVPN client to prompt you for the password. If you would prefer to NOT be prompted, you could instead store the username/password in a file (username and password on separate lines) and modify the above directive to point to that file.

auth-user-pass /<path-to-file>/filename

Of course, this raises security concerns, and why the OpenVPN server does NOT offer this option by default.

Even if it didn't raise security concerns, the router wouldn't have a clue where you intended or wanted to store the username/password on the OpenVPN client anyway (OpenVPN doesn't allow it to be stored directly in the config file!). So YOU have to tell it.

 

[jc_ratchet]

Hello, back with an update.. yesterday i “was able” to replicate the same error as op .. the ”please wait a few minutes to let the server to setup completed before vpn clients establish the connection”
- aside from the spelling, the server isn t working until next restart of the router or of the openvpn server..

Any suggestions?

 

[eibgrad]

Yeah, the spelling and grammar errors are kind of funny, but why the server gets stuck like this, I don't know.

One thing about the OP's config that concerns me is that the OpenVPN servers seems to be defaulting to IPv6, and I don't know if that could be causing an issue.

Jun 17 20:22:42 ovpn-server1[7306]: Could not determine IPv4/IPv6 protocol. Using AF_INET6

AFAIK, the OpenVPN server w/ Merlin only supports IPv4. It might be worth adding the following to the custom config field to see if it makes a difference.

proto udp4

or

proto tcp4

… as applicable.

 

[RMerlin]

Hello, back with an update.. yesterday i “was able” to replicate the same error as op .. the ”please wait a few minutes to let the server to setup completed before vpn clients establish the connection”

I spent a lot of time trying to reproduce it, on different routers, and never succeeded in doing so.

What's in your system log regarding OpenVPN? How much space is left in your JFFS partition (check on the Tools -> System Info page)?

Also, post the result of these two commands:

nvram get vpn_server1_state
nvram get vpn_server1_errno

 

[RMerlin]

One thing about the OP's config that concerns me is that the OpenVPN servers seems to be defaulting to IPv6, and I don't know if that could be causing an issue.

It's just the socket type. Since 2.4.0, OpenVPN uses a socket type that can handle both IPv4 and IPv6.

 

[eibgrad]

It's just the socket type. Since 2.4.0, OpenVPN uses a socket type that can handle both IPv4 and IPv6.

Understood, but the way the message is written, it certainly leads you to believe it's only going to listen on IPv6. Otherwise, I don't understand why it even bothers to mention it. Seems pointless.

 

[CaptainSTX]

ASUSWRT-Merlin RT-AC86U 386.1_2 Fri Feb 12 22:48:22 UTC 2021
TheMan@RT-AC1900P-C3F0:/tmp/home/root# nvram get vpn_server1_state
-1
TheMan@RT-AC1900P-C3F0:/tmp/home/root# nvram get vpn_server1_errno
8

Using an AC86 router running 386.1.2. Memory statistics shown below.

If I open VPN server 1 I normally see the spinning wheel but if I check by connecting from outside the Server is functioning. I can stop the spinning wheel by clicking apply.

Since everything works I consider it a minor irritation.

 

[RMerlin]

State -1 = error
Error 8 = Connection error. Which is odd because AFAIK, this error should only occur when a client tries to connect, not when a server is starting.

Do you also use a VPN Client on the router?

 

[CaptainSTX]

Do you also use a VPN Client on the router?

Yes I have open VPN clients running on 1 & 3. Both clients are correctly functioning. Settings in place on other VPN clients but not active or enabled.

 

[RMerlin]

Yes I have open VPN clients running on 1 & 3. Both clients are correctly functioning. Settings in place on other VPN clients but not active or enabled.

Try disabling the VPN Clients so they don't start at WAN time, then rebooting, and see if the server still reports any error.

 

[CaptainSTX]

Try disabling the VPN Clients so they don't start at WAN time, then rebooting, and see if the server still reports any error.

OK. I will give that a try on Friday and see if it makes any difference.

 

[CaptainSTX]

Try disabling the VPN Clients so they don't start at WAN time, then rebooting, and see if the server still reports any error.

I tested and can't determine what causes the spinning wheel to appear. Restarting or or logging in or out of the router doesn't seem to be a factor. Also turning VPN clients on or off didn't seem to cause the wheel to spin.

Installed 386.2 beta yesterday afternoon and after rebooting the router VPN server 1 was running no spinning wheel. This morning when I logged into the router the spinning wheel was there.

As I said previously the server functions even while the wheel is spinning and clicking apply at the bottom of the page stops the spinning wheel.

 

[RMerlin]

Something is causing the nvram that report the server state to contain values that are generally associated with a client. I have no idea what that could be, I can't find anything wrong in the code itself.