OpenVPN Inactivity timeout (--ping-restart), restarting

[madfusker]

version 380.65_4

OpenVPN looks to be restarting over and over every 5 minutes or so and I cannot seem to fix it. I have found many thread with many attempts to fix it, but no solutions. I do have Policy Rules enabled. I run PIA with AES-256CBC however somewhere along the way it starting doing this and falling back to 64bit. Does anyone have any solutions to this problem?

Apr 25 20:40:05 openvpn[1046]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Apr 25 20:40:05 openvpn[1046]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Apr 25 20:43:07 openvpn[1024]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 25 20:43:07 openvpn[1024]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 25 20:43:07 openvpn[1024]: TUN/TAP device tun21 opened
Apr 25 20:43:07 openvpn[1024]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 25 20:43:07 openvpn[1024]: /usr/sbin/ip link set dev tun21 up mtu 1500
Apr 25 20:43:07 openvpn[1024]: /usr/sbin/ip addr add dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 25 20:43:07 openvpn[1024]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 25 20:43:07 openvpn[1024]: setsockopt(IPV6_V6ONLY=0)
Apr 25 20:43:07 openvpn[1024]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Apr 25 20:43:07 openvpn[1024]: UDPv6 link remote: [AF_UNSPEC]
Apr 25 20:44:07 openvpn[1024]: Inactivity timeout (--ping-restart), restarting
Apr 25 20:44:07 openvpn[1024]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 25 20:44:07 openvpn[1024]: SIGUSR1[soft,ping-restart] received, process restarting

TUN
UDP
us-chicago.privateinternetaccess.com port 1198
TLS Disabled
Auth digest Default
Accept DNS Strict
LZO Adaptive

persist-key
persist-tun
tls-client
remote-cert-tls server
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218

 

[Ugabuga]

This seemed to resolve a similar issue with me

in vpn settings, dropdown menu,
TLS Renegotiation Time 0

and in custom configuration

keepalive 10 120
reneg-sec 0

changes tls from requesting handshake from default every hour
hope this helps

 

[madfusker]

I put those settings in and still get this every 3-5 minutes. Set for AES-256-CBC, but no matter what I also get the cipher warning:

Apr 28 23:18:17 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 28 23:18:17 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 28 23:18:17 openvpn[1031]: TUN/TAP device tun21 opened
Apr 28 23:18:17 openvpn[1031]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 28 23:18:17 openvpn[1031]: /usr/sbin/ip link set dev tun21 up mtu 1500
Apr 28 23:18:17 openvpn[1031]: /usr/sbin/ip addr add dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 28 23:18:17 openvpn[1031]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 28 23:18:17 openvpn[1031]: setsockopt(IPV6_V6ONLY=0)
Apr 28 23:18:17 openvpn[1031]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Apr 28 23:18:17 openvpn[1031]: UDPv6 link remote: [AF_UNSPEC]
Apr 28 23:19:17 openvpn[1031]: Inactivity timeout (--ping-restart), restarting
Apr 28 23:19:17 openvpn[1031]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 28 23:19:17 openvpn[1031]: SIGUSR1[soft,ping-restart] received, process restarting
Apr 28 23:24:17 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 28 23:24:17 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 28 23:24:17 openvpn[1031]: TUN/TAP device tun21 opened
Apr 28 23:24:17 openvpn[1031]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 28 23:24:17 openvpn[1031]: /usr/sbin/ip link set dev tun21 up mtu 1500
Apr 28 23:24:17 openvpn[1031]: /usr/sbin/ip addr add dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 28 23:24:17 openvpn[1031]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 28 23:24:17 openvpn[1031]: setsockopt(IPV6_V6ONLY=0)
Apr 28 23:24:17 openvpn[1031]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Apr 28 23:24:17 openvpn[1031]: UDPv6 link remote: [AF_UNSPEC]
Apr 28 23:25:17 openvpn[1031]: Inactivity timeout (--ping-restart), restarting
Apr 28 23:25:17 openvpn[1031]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 28 23:25:17 openvpn[1031]: SIGUSR1[soft,ping-restart] received, process restarting

 

[madfusker]

I've searched around and it seems unique to Merlin firmware. Looks like a bug.

 

[john9527]

With PIA, the cipher is determined by a combination of the port and cert. Make sure the port is really set to 1198 and you have the correct cert loaded for AES-256-CBC support.

Also, make sure that Cipher Negotiation is set to Disabled in the gui.

 

[madfusker]

Port is actually 1197 for AES-256-CBC according to the link below, and I do have the 4096 cert.

https://helpdesk.privateinternetacc...ings-should-I-use-for-ports-on-your-gateways-

Still no luck though, even after changing the Cipher Negotiation to Disabled.

Apr 29 15:30:50 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 29 15:30:50 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 29 15:30:50 openvpn[1031]: TUN/TAP device tun21 opened
Apr 29 15:30:50 openvpn[1031]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 29 15:30:50 openvpn[1031]: /usr/sbin/ip link set dev tun21 up mtu 1500
Apr 29 15:30:50 openvpn[1031]: /usr/sbin/ip addr add dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 29 15:30:50 openvpn[1031]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 29 15:30:50 openvpn[1031]: setsockopt(IPV6_V6ONLY=0)
Apr 29 15:30:50 openvpn[1031]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Apr 29 15:30:50 openvpn[1031]: UDPv6 link remote: [AF_UNSPEC]
Apr 29 15:31:50 openvpn[1031]: Inactivity timeout (--ping-restart), restarting
Apr 29 15:31:50 openvpn[1031]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
Apr 29 15:31:50 openvpn[1031]: SIGUSR1[soft,ping-restart] received, process restarting

See screenshot settings in attached files.

 

[RMerlin]

Add this to your custom settings:

ncp-disable

 

[madfusker]

Still get the constant restarting, even with ncp-disable.

 

[RMerlin]

Still get the constant restarting, even with ncp-disable.

Something is wrong with your configuration then, the log indicates you are trying to use BF-CBC instead of AES-256-CBC.

 

[madfusker]

I'm not really sure what else to try. I posted screen shots up above of the exact configuration that is in the GUI section of the OpenVPN.

Is there a way to manually dump the config to a terminal and check it there against the GUI?

 

[Jack Yaz]

Try changing TLS control security to Bi_directional

Try adding this into the custom config:

tls-client
remote-cert-tls server
persist-key
persist-tun
disable-occ
reneg-sec 0

 

[madfusker]

Alright, I tried those settings, each one individually, and both together, still same results. My configuration is still the same as the GUI screenshots posted above.

It would be nice to know if anyone running PIA can produce the same errors as well? The internet is still usable with these restarts happening, but just seems funky it does this and fills the logs.

May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.10 to 0.0.0.0 through WAN
May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.101 to 0.0.0.0 through WAN
May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.102 to 0.0.0.0 through WAN
May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.106 to 0.0.0.0 through WAN
May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.104 to 0.0.0.0 through WAN
May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.105 to 0.0.0.0 through WAN
May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.183 to 0.0.0.0 through WAN
May 1 19:45:27 openvpn-routing: Adding route for 192.168.1.0/24 to 0.0.0.0 through VPN client 1
May 1 19:45:28 openvpn-routing: Adding route for 192.168.1.1 to 0.0.0.0 through WAN
May 1 19:45:28 openvpn-routing: Tunnel re-established, restoring WAN access to clients
May 1 19:45:28 openvpn-routing: Completed routing policy configuration for client 1
May 1 19:45:28 openvpn[11322]: Initialization Sequence Completed
May 1 19:46:09 openvpn[1031]: Inactivity timeout (--ping-restart), restarting
May 1 19:46:09 openvpn[1031]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
May 1 19:46:09 openvpn[1031]: SIGUSR1[soft,ping-restart] received, process restarting
May 1 19:51:09 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
May 1 19:51:09 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
May 1 19:51:09 openvpn[1031]: TUN/TAP device tun21 opened
May 1 19:51:09 openvpn[1031]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 1 19:51:09 openvpn[1031]: /usr/sbin/ip link set dev tun21 up mtu 1500
May 1 19:51:09 openvpn[1031]: /usr/sbin/ip addr add dev tun21 local 10.8.0.1 peer 10.8.0.2
May 1 19:51:09 openvpn[1031]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
May 1 19:51:09 openvpn[1031]: setsockopt(IPV6_V6ONLY=0)
May 1 19:51:09 openvpn[1031]: UDPv6 link local (bound): [AF_INET6][undef]:1194
May 1 19:51:09 openvpn[1031]: UDPv6 link remote: [AF_UNSPEC]
May 1 19:52:09 openvpn[1031]: Inactivity timeout (--ping-restart), restarting
May 1 19:52:09 openvpn[1031]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
May 1 19:52:09 openvpn[1031]: SIGUSR1[soft,ping-restart] received, process restarting
May 1 19:57:09 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
May 1 19:57:09 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
May 1 19:57:09 openvpn[1031]: TUN/TAP device tun21 opened
May 1 19:57:09 openvpn[1031]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 1 19:57:09 openvpn[1031]: /usr/sbin/ip link set dev tun21 up mtu 1500
May 1 19:57:09 openvpn[1031]: /usr/sbin/ip addr add dev tun21 local 10.8.0.1 peer 10.8.0.2
May 1 19:57:09 openvpn[1031]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
May 1 19:57:09 openvpn[1031]: setsockopt(IPV6_V6ONLY=0)
May 1 19:57:09 openvpn[1031]: UDPv6 link local (bound): [AF_INET6][undef]:1194
May 1 19:57:09 openvpn[1031]: UDPv6 link remote: [AF_UNSPEC]
May 1 19:58:10 openvpn[1031]: Inactivity timeout (--ping-restart), restarting
May 1 19:58:10 openvpn[1031]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
May 1 19:58:10 openvpn[1031]: SIGUSR1[soft,ping-restart] received, process restarting
May 1 20:03:10 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
May 1 20:03:10 openvpn[1031]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
May 1 20:03:10 openvpn[1031]: TUN/TAP device tun21 opened
May 1 20:03:10 openvpn[1031]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 1 20:03:10 openvpn[1031]: /usr/sbin/ip link set dev tun21 up mtu 1500
May 1 20:03:10 openvpn[1031]: /usr/sbin/ip addr add dev tun21 local 10.8.0.1 peer 10.8.0.2
May 1 20:03:10 openvpn[1031]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
May 1 20:03:10 openvpn[1031]: setsockopt(IPV6_V6ONLY=0)
May 1 20:03:10 openvpn[1031]: UDPv6 link local (bound): [AF_INET6][undef]:1194
May 1 20:03:10 openvpn[1031]: UDPv6 link remote: [AF_UNSPEC]
May 1 20:04:10 openvpn[1031]: Inactivity timeout (--ping-restart), restarting
May 1 20:04:10 openvpn[1031]: /usr/sbin/ip addr del dev tun21 local 10.8.0.1 peer 10.8.0.2
May 1 20:04:10 openvpn[1031]: SIGUSR1[soft,ping-restart] received, process restarting​

When I use log level 4, I can see it seems to connect AES-256, so I am not sure why it gives those warning messages.

Apr 30 14:49:29 openvpn[22128]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Apr 30 14:49:29 openvpn[22128]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=7e798188a5d369504860df2dc0a25e9b, name=7e798188a5d369504860df2dc0a25e9b
Apr 30 14:49:31 openvpn[22128]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Apr 30 14:49:31 openvpn[22128]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Apr 30 14:49:31 openvpn[22128]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Apr 30 14:49:31 openvpn[22128]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 30 14:49:31 openvpn[22128]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Apr 30 14:49:31 openvpn[22128]: [7e798188a5d369504860df2dc0a25e9b] Peer Connection Initiated with [AF_INET]108.61.228.90:1197
Apr 30 14:49:32 openvpn[22128]: SENT CONTROL [7e798188a5d369504860df2dc0a25e9b]: 'PUSH_REQUEST' (status=1)
Apr 30 14:49:32 openvpn[22128]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.55.10.1,topology net30,ifconfig 10.55.10.6 10.55.10.5,peer-id 0,auth-token'
Apr 30 14:49:32 openvpn[22128]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 30 14:49:32 openvpn[22128]: OPTIONS IMPORT: compression parms modified
Apr 30 14:49:32 openvpn[22128]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 30 14:49:32 openvpn[22128]: OPTIONS IMPORT: route options modified
Apr 30 14:49:32 openvpn[22128]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 30 14:49:32 openvpn[22128]: OPTIONS IMPORT: peer-id set
Apr 30 14:49:32 openvpn[22128]: OPTIONS IMPORT: adjusting link_mtu to 1625
Apr 30 14:49:32 openvpn[22128]: Data Channel MTU parms [ L:1573 D:1450 EF:73 EB:406 ET:0 EL:3 ]
Apr 30 14:49:32 openvpn[22128]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 14:49:32 openvpn[22128]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 14:49:32 openvpn[22128]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 30 14:49:32 openvpn[22128]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 30 14:49:32 openvpn[22128]: TUN/TAP device tun11 opened​

 

[RMerlin]

Apr 30 14:49:31 openvpn[22128]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

Make sure you connect to the right port, and that you did add the option to fully disable NCP like I mentionned. This indicates that the remote end is the one trying to push BF-CBC on you.

 

[Jack Yaz]

I use PIA to London with the settings I provided and works flawlessly. Try London and see if that's more stable? Also, did you get their 4096 cert and input that?

 

[GPMAZ]

You might try adding the following to your configuration:

dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218

Also, you could ask your question in this thread:

https://www.snbforums.com/threads/h...r-pia-and-other-vpn-providers-380-65_4.30851/

Lots of good info there. The dhcp-option entries solved my timeout problems. It seems the problem was related to the use of Policy Rules. To see if that's your problem you might try disabling the Policy Rules for awhile and see if the problem persists.

 

[roger]

I have a similar issue, however mine is after my modem (bridged ISP supplied modem) disconnects (can be once every few hours, to once every few weeks, usually for just a minute or so), when that happens I get the --ping-restart, followed by an AUTH_FAILED, I presume as the connection is not yet active again.

Here's the log for when it happened a little while ago.

May 3 10:29:37 openvpn[31210]: [5eb47bee7277a7d5cf2c964d2e261471] Inactivity timeout (--ping-restart), restarting
May 3 10:29:37 openvpn[31210]: SIGUSR1[soft,ping-restart] received, process restarting
May 3 10:29:42 openvpn[31210]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 10:29:42 openvpn[31210]: TCP/UDP: Preserving recently used remote address: [AF_INET]168.1.112.XXX:1198
May 3 10:29:42 openvpn[31210]: UDP link local: (not bound)
May 3 10:29:42 openvpn[31210]: UDP link remote: [AF_INET]168.1.112.XXX:1198
May 3 10:30:13 openvpn[31210]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
May 3 10:30:13 openvpn[31210]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
May 3 10:30:13 openvpn[31210]: [5eb47bee7277a7d5cf2c964d2e261471] Peer Connection Initiated with [AF_INET]168.1.112.XXX:1198
May 3 10:30:19 openvpn[31210]: AUTH: Received control message: AUTH_FAILED
May 3 10:30:19 openvpn[31210]: vpnrouting.sh tun11 1500 1622 10.43.10.6 10.43.10.5 init
May 3 10:30:19 openvpn-routing: Configuring policy rules for client 1
May 3 10:30:19 openvpn-routing: Removing rule 10101 from routing policy
May 3 10:30:19 openvpn-routing: Tunnel down - VPN client access blocked
May 3 10:30:19 openvpn-routing: Adding route for 192.168.1.6 to 0.0.0.0 through VPN client 1
May 3 10:30:19 openvpn-routing: Completed routing policy configuration for client 1
May 3 10:30:19 openvpn[31210]: ERROR: Linux route delete command failed: external program exited with error status: 2
May 3 10:30:19 openvpn[31210]: ERROR: Linux route delete command failed: external program exited with error status: 2
May 3 10:30:19 openvpn[31210]: ERROR: Linux route delete command failed: external program exited with error status: 2
May 3 10:30:19 openvpn[31210]: /usr/sbin/ip addr del dev tun11 local 10.43.10.6 peer 10.43.10.5
May 3 10:30:19 openvpn[31210]: updown.sh tun11 1500 1622 10.43.10.6 10.43.10.5 init
May 3 10:30:20 rc_service: service 24095:notify_rc updateresolv
May 3 10:30:20 openvpn[31210]: SIGTERM[soft,auth-failure] received, process exiting

I have to manually restart the VPN Client then all is good again. I don;t recall this happening on the previous Merlin FW. I have now upgraded to the latest beta and am still having the issue.

My config is as shown below in the screen shots.

Can anyone offer any advice?

 

[roger]

Well after searching around I added the following to my config "keepalive 10 300 ", and it seems to have worked when I tested disconnecting the modem and reconnecting it, which simulates the short outages that I typically experience.

Hopefully that helps anyone else who has the same problem.

 

[madfusker]

You might try adding the following to your configuration:

dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218

Also, you could ask your question in this thread:

https://www.snbforums.com/threads/h...r-pia-and-other-vpn-providers-380-65_4.30851/

Lots of good info there. The dhcp-option entries solved my timeout problems. It seems the problem was related to the use of Policy Rules. To see if that's your problem you might try disabling the Policy Rules for awhile and see if the problem persists.

REALLY great info, and I had never seen that link above, thanks!!

PIA made some changes in the last week or two and those error messages have all gone away now. I suspect it was server side as I have no other way to explain it. My settings are the same.

Thanks for everyone's input.

 

[Den]

I had the same issue and looked solution for it. I just add keepalive 10 60 to the client config and don't touch other devices with the same config. keep stability connection