
OpenVPN keeps on turning itself off


Ralph Sieber

Hi,

I have added NordVPN to my RT-AC68U (386.12_6) OpenVPN with this tutorial:


I am using VPN director for selective tunneling. It is working, but it turns itself off for some reason after a while (under the tab VPN Client>Service state) and it doesn't start after reboot.
NordVPN support has no idea.
Anyone else experiencing this and knows a fix?
 
Set "Automatic start at boot time" to Yes.

When the problem occurs again look at System Log - General Log for messages indicating the reason.

EDIT: You can also set "Connection Retry attempts" to 0 if your ISP connection is unreliable.
 
I found (at some point) that the vpn watchdog included with Asus/Merlin wasn't particularly effective. Somewhere I found a simpler one that works better for me (below). I have a command in several of the scripts to kill the in-built one if it reactivates.

Code:
#!/bin/sh
# logger -t OVPN Running PID $(pidof vpnserver1)
if [ -z "$(pidof vpnserver1)" ]
then
   service start_vpnserver1
   logger -t OVPN openvpn server restarted @ $(date)
fi
 
This script is the same as the one built into the firmware which runs every two minutes. So I don't know what it is you're killing. :confused:
Code:
# cru l | grep vpn-watchdog
*/2 * * * * /etc/openvpn/server1/vpn-watchdog1.sh #CheckVPNServer1#

# cat /etc/openvpn/server1/vpn-watchdog1.sh
#!/bin/sh
if [ -z "$(pidof vpnserver1)" ]
then
   service restart_vpnserver1
fi
 

Interesting. I have a different version that launches with OVPN. Good to know; maybe something left from some previous scripting.
 
I found (at some point) that the vpn watchdog included with Asus/Merlin wasn't particularly effective. Somewhere I found a simpler one that works better for me (below). I have a command in several of the scripts to kill the in-built one if it reactivates.

Code:
#!/bin/sh
# logger -t OVPN Running PID $(pidof vpnserver1)
if [ -z "$(pidof vpnserver1)" ]
then
   service start_vpnserver1
   logger -t OVPN openvpn server restarted @ $(date)
fi
This is a watchdog for the OpenVPN Server. You're using the OpenVPN Client to connect to NordVPN. So you need to add a watchdog for every OpenVPN Client you want to restart automatically.

I'm using the OpenVPN Server watchdog template already implemented on the router to check the OpenVPN Client 1:
  • the /jffs/scripts/ovpnclient1_watchdog script file to check the status of the OpenVPN Client 1 and restart it if it's stopped:
Bash:
#!/bin/sh

if [ -z "$(pidof vpnclient1)" ]
then
   service restart_vpnclient1
fi
  • the /jffs/scripts/services-start script file to add a cron entry that runs the above script file every minute:
Bash:
#!/bin/sh

LOG_TAG="Services start script"

#Add cron entry for vpnclient1 watchdog
if [ -z "$(cru l | grep CheckOpenVPNClient1)" ]
then
   cru a CheckOpenVPNClient1 "* * * * * /jffs/scripts/ovpnclient1_watchdog"
   logger -t "$LOG_TAG" -p 2 "Added OpenVPN Client 1 watchdog to cron utility."
fi
 
You're running the Merlin firmware so you could just install and set up VPNMON-R3
 
This is a watchdog for the OpenVPN Server. You're using the OpenVPN Client to connect to NordVPN. So you need to add a watchdog for every OpenVPN Client you want to restart automatically.

  • the /jffs/scripts/services-start script file to add a cron entry that runs the above script file every minute:
I had tried this method early on, but this also sets you up for failure... the fact that only 1 IP address/hostname is configured in your VPN slot creates a single point of failure. When I had used this method, my VPN connection would at times have trouble starting, creating this endless loop of the VPN client trying to restart... this was due to certain issues, like:
  1. The VPN provider would bring their server down for maintenance, or just shut it off completely
  2. The VPN client may have had a connection to the server, but no traffic was able to flow over it, causing an internet outage
  3. The latency on the connection would at times be so high that I'd get kicked off, and things would either not reconnect or be dog slow.
You're running the Merlin firmware so you could just install and set up VPNMON-R3
That's one of the reasons I built VPNMON-R3... it gives you the ability to pick from multiple VPN server endpoints, or automatedly have it create this list for you on the fly based on country/city location. It also performs multiple checks every 60 seconds to determine if the connection is viable, and if not, it drops the connection and makes another attempt with a different server. This script has provided me with near 100% VPN connection uptime (primarily with Nord, but also AirVPN as of late), over these last 2+ years. Give it a shot, and let me know if I can be of any help... ;)
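
A watchdog sketch for two of the failure modes listed in this post (client process alive but no traffic flowing, and an endless restart loop), added here as an example; it is not VPNMON-R3 code or firmware code. The interface name `tun11`, the probe address, the state file and the restart cap are assumptions to adjust.

```shell
#!/bin/sh
# Added example: watchdog for OpenVPN client 1 that probes the tunnel and
# caps consecutive restarts, so a dead provider endpoint cannot cause an
# endless restart loop. Values below are assumptions, not firmware defaults.
TUN_IF="${TUN_IF:-tun11}"             # assumed interface of OpenVPN client 1
PROBE_IP="${PROBE_IP:-192.0.2.1}"     # placeholder: a host you expect to reach via the VPN
STATE="${STATE:-/tmp/ovpnclient1_watchdog.count}"   # hypothetical state file
MAX_RESTARTS="${MAX_RESTARTS:-5}"     # hypothetical cap on consecutive restarts

# Thin wrappers around router commands so the decision logic can be tested.
client_running()        { [ -n "$(pidof vpnclient1)" ]; }
tunnel_passes_traffic() { ping -I "$TUN_IF" -c 2 -W 3 "$PROBE_IP" >/dev/null 2>&1; }
restart_client()        { service restart_vpnclient1; }
log()                   { logger -t ovpnclient1_watchdog "$1"; }

watchdog() {
    count=$(cat "$STATE" 2>/dev/null || echo 0)
    count=${count:-0}
    # Healthy only if the process exists AND packets cross the tunnel.
    if client_running && tunnel_passes_traffic; then
        echo 0 > "$STATE"
        echo healthy
        return 0
    fi
    # Stop hammering the provider once the cap is reached; leave a log trail.
    if [ "$count" -ge "$MAX_RESTARTS" ]; then
        log "still down after $count restarts, not restarting again"
        echo gave-up
        return 1
    fi
    echo $((count + 1)) > "$STATE"
    log "client down or tunnel dead, restart $((count + 1))/$MAX_RESTARTS"
    restart_client >/dev/null 2>&1 || log "restart command failed"
    echo restarted
}

# Does nothing unless called with "run", e.g. from the cron entry:
#   cru a CheckOpenVPNClient1 "* * * * * /jffs/scripts/ovpnclient1_watchdog run"
if [ "${1:-}" = "run" ]; then watchdog; fi
```

Once the cap is hit the script keeps logging and stops restarting until a check passes again, which resets the counter.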
 
Thank you! I think that is what I am looking for. Odd that keeping the VPN alive doesn't come with Merlin.
I used Astrill before and their applet, I believe it did that.
Gonna give it a try after I find a drive to install the dependencies.
 
Odd that keeping the VPN alive doesn't come with Merlin.
It does. That's what the "Connection Retry attempts" option does. Additionally the "Custom Configuration" box contains options imported from the NordVPN profile like ping and ping-restart.
 
Neither "Automatic start at boot time" nor "Connection Retry attempts = 0" seems to be working for me.
The custom config is taken from the tutorial in the OP.
On the smartphone app it also gets stuck at connecting and won't reset and retry. You can't choose to tunnel all connections except your home WiFi there either.
Not sure if I should cancel my NordVPN subscription because of the lack of no-brainer functions.
Astrill was just working without hassles.
 
As I said in my first post, look in the router's system log. It will tell you the reason for the problem.

The Merlin instructions on NordVPN's website are for an ancient version of the firmware. In step 10 do not change the WAN DNS settings. Leave them as your ISP's servers.

I don't know what smartphone app you're talking about. But if you mean the NordVPN app and you are having problems with it connecting over a 4G/5G network then that suggests the problem is with NordVPN and nothing to do with your router.
 
The custom config is taken from the tutorial in the OP.
Don't use those settings. Leave the settings that are automatically populated in that box when you initially import the NordVPN profile. e.g.
Code:
resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
verify-x509-name CN=fr759.nordvpn.com
remote-cert-tls server
pull
fast-io
cipher AES-256-CBC
 
This is the custom config I use for NordVPN:

Code:
remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
 
As I said in my first post, look in the router's system log. It will tell you the reason for the problem.

The Merlin instructions on NordVPN's website are for an ancient version of the firmware. In step 10 do not change the WAN DNS settings. Leave them as your ISP's servers.

I don't know what smartphone app you're talking about. But if you mean the NordVPN app and you are having problems with it connecting over a 4G/5G network then that suggests the problem is with NordVPN and nothing to do with your router.

This seems to be it. Unfortunately it doesn't help me.

Code:
Apr  1 10:48:23 rc_service: httpd 280:notify_rc restart_vpnclient1
Apr  1 10:48:23 ovpn-client1[14426]: event_wait : Interrupted system call (fd=-1,code=4)
Apr  1 10:48:23 ovpn-client1[14426]: SIGTERM received, sending exit notification to peer
Apr  1 10:48:24 ovpn-client1[14426]: ovpn-route-pre-down tun11 1500 0 10.8.2.10 255.255.255.0 init
Apr  1 10:48:24 ovpn-client1[14426]: Closing TUN/TAP interface
Apr  1 10:48:24 ovpn-client1[14426]: /usr/sbin/ip addr del dev tun11 10.8.2.10/24
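
One way to read an excerpt like this, as an added example that is not part of the original post: pair each client SIGTERM with the `rc_service` request logged before it, which separates a commanded stop from an unexplained one. In the lines above the request came from `httpd`, the router's web administration daemon. The last sample line (client 2) is constructed for contrast; the others are from the excerpt.

```shell
#!/bin/sh
# Added example: attribute each OpenVPN client SIGTERM in an Asuswrt-Merlin
# syslog to the rc_service request that preceded it. Line layout is taken
# from the excerpt above:
#   "<date> rc_service: <caller> <pid>:notify_rc <action>_vpnclient<N>"

attribute_stops() {
    awk '
    # Remember the latest stop/restart request per client number.
    $4 == "rc_service:" && $7 ~ /^(stop|restart)_vpnclient[0-9]+$/ {
        n = $7;   sub(/^.*vpnclient/, "", n)
        pid = $6; sub(/:.*/, "", pid)
        req[n] = $7 " requested by " $5 " (pid " pid ")"
        next
    }
    # On SIGTERM, report the pending request for that client, if any.
    $4 ~ /^ovpn-client[0-9]+\[/ && /SIGTERM received/ {
        n = $4; sub(/^ovpn-client/, "", n); sub(/\[.*/, "", n)
        if (n in req) { why = req[n]; delete req[n] }
        else          { why = "no rc_service request logged" }
        print $3 " client" n ": " why
    }'
}

# Sample input: first four lines from the thread, last line constructed.
sample_log() {
    cat <<'EOF'
Apr  1 10:48:23 rc_service: httpd 280:notify_rc restart_vpnclient1
Apr  1 10:48:23 ovpn-client1[14426]: event_wait : Interrupted system call (fd=-1,code=4)
Apr  1 10:48:23 ovpn-client1[14426]: SIGTERM received, sending exit notification to peer
Apr  1 10:48:24 ovpn-client1[14426]: Closing TUN/TAP interface
Apr  1 11:02:10 ovpn-client2[15001]: SIGTERM received, sending exit notification to peer
EOF
}

sample_log | attribute_stops
```

On the router, the same function can be fed the live log instead of the sample, for example `attribute_stops < /tmp/syslog.log` if that is where your firmware keeps it (an assumption).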
 
There should be more ovpn messages following those. I suggest you post a screenshot of all of your OpenVPN Client Settings page.
 
Here it is 🙏


vpn.png
 
