OVPN connection loss after TLS re-key

[Andaman]

Hi, new user here. I wanted to ask if anyone can give me some guidance on a problem:

I set up an ASUS AC-68U with Merlin software for full-time VPN connection, using NordVPN. It basically works, but the problem is an intermittent loss of connectivity, always coincident with one of the cipher renegotiations that occurs every 60 minutes. It happens maybe once every day or two.

Log file below. At 09:45 I lose connection. I was streaming TV and noted loss of connection at that time. At 09:55 the inactivity timeout kicks in and restores the connection. I'll also attach screen shots of my OVPN client config. Appreciate any tips. Thanks!

 Jul 10 09:45:25 openvpn[14026]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
 Jul 10 09:45:25 openvpn[14026]: VERIFY KU OK
 Jul 10 09:45:25 openvpn[14026]: Validating certificate extended key usage
 Jul 10 09:45:25 openvpn[14026]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
 Jul 10 09:45:25 openvpn[14026]: VERIFY EKU OK
 Jul 10 09:45:25 openvpn[14026]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
 Jul 10 09:45:28 openvpn[14026]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
 Jul 10 09:45:28 openvpn[14026]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
 Jul 10 09:45:28 openvpn[14026]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
 Jul 10 09:55:18 openvpn[14026]: [us415.nordvpn.com] Inactivity timeout (--ping-restart), restarting
 Jul 10 09:55:18 openvpn[14026]: SIGUSR1[soft,ping-restart] received, process restarting
 Jul 10 09:55:18 openvpn[14026]: Restart pause, 5 second(s)
 Jul 10 09:55:23 openvpn[14026]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Jul 10 09:55:23 openvpn[14026]: TCP/UDP: Preserving recently used remote address: [AF_INET]23.108.32.9:1194
 Jul 10 09:55:23 openvpn[14026]: Socket Buffers: R=[122880->245760] S=[122880->245760]
 Jul 10 09:55:23 openvpn[14026]: UDP link local: (not bound)
 Jul 10 09:55:23 openvpn[14026]: UDP link remote: [AF_INET]23.108.32.9:1194
 Jul 10 09:55:24 openvpn[14026]: TLS: Initial packet from [AF_INET]23.108.32.9:1194, sid=42a75906 c7db0840
 Jul 10 09:55:24 openvpn[14026]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
 Jul 10 09:55:24 openvpn[14026]: VERIFY KU OK
 Jul 10 09:55:24 openvpn[14026]: Validating certificate extended key usage
 Jul 10 09:55:24 openvpn[14026]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
 Jul 10 09:55:24 openvpn[14026]: VERIFY EKU OK
 Jul 10 09:55:24 openvpn[14026]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us415.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
 Jul 10 09:55:25 openvpn[14026]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
 Jul 10 09:55:25 openvpn[14026]: [us415.nordvpn.com] Peer Connection Initiated with [AF_INET]23.108.32.9:1194
 Jul 10 09:55:26 openvpn[14026]: SENT CONTROL [us415.nordvpn.com]: 'PUSH_REQUEST' (status=1)
 Jul 10 09:55:26 openvpn[14026]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.11 255.255.255.0,peer-id 3,cipher AES-256-GCM'
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: timers and/or timeouts modified
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
 Jul 10 09:55:26 openvpn[14026]: Socket Buffers: R=[245760->245760] S=[245760->245760]
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: --ifconfig/up options modified
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: route options modified
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: route-related options modified
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: peer-id set
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: adjusting link_mtu to 1657
 Jul 10 09:55:26 openvpn[14026]: OPTIONS IMPORT: data channel crypto options modified
 Jul 10 09:55:26 openvpn[14026]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
 Jul 10 09:55:26 openvpn[14026]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
 Jul 10 09:55:26 openvpn[14026]: Preserving previous TUN/TAP instance: tun15
 Jul 10 09:55:26 openvpn[14026]: Initialization Sequence Completed

also attaching images of the client config

 

[john9527]

I set up an ASUS AC-68U with Merlin software for full-time VPN connection, using NordVPN. It basically works, but the problem is an intermittent loss of connectivity, always coincident with one of the cipher renegotiations that occurs every 60 minutes. It happens maybe once every day or two.

I've been working offline with one of my fork users ( @cowst ) that is experiencing the same problem, at about the same frequency. I've been running on a NordVPN account trying to recreate it, but haven't been able to hit it during the periods I was able test.

I did spend some time looking at the NordVPN .ovpn file config, and in addition to being one of the only providers whose servers are OpenVPN 2.4.x, they are also using an usual setup on the renegotiation. They are disabling the client initiated renegotiation, relying strictly on the server. They also set a relatively long ping interval at 60 sec.

There are a couple of things I think you can try....

Change the 'TLS renegotiation time' from 0 to 3540 (this will make the client do the renegotiation 1 minute before the the server side default). You could even try a bit shorter time as a test.

Add the following to the custom config section to increase the ping frequency
pull-filter ignore "ping 60"
push "ping 15"

 

[anthill]

I am having what sounds like the same problem. After an authentication failure, the router won't try to reconnect, ever (it seems). I would post the log entry but CloudFlare won't let me.

 

[Andaman]

I've been working offline with one of my fork users ( @cowst ) that is experiencing the same problem, at about the same frequency. I've been running on a NordVPN account trying to recreate it, but haven't been able to hit it during the periods I was able test.

I did spend some time looking at the NordVPN .ovpn file config, and in addition to being one of the only providers whose servers are OpenVPN 2.4.x, they are also using an usual setup on the renegotiation. They are disabling the client initiated renegotiation, relying strictly on the server. They also set a relatively long ping interval at 60 sec.

There are a couple of things I think you can try....

Change the 'TLS renegotiation time' from 0 to 3540 (this will make the client do the renegotiation 1 minute before the the server side default). You could even try a bit shorter time as a test.

Add the following to the custom config section to increase the ping frequency
pull-filter ignore "ping 60"
push "ping 15"

Thanks... really good info! I will try the trick you suggested to have the client preempt the server-initiated reneg, and see if this has an effect.

 

[anthill]

Suggestions haven't worked for me. After making the changes yesterday I came home to no service on VPNed clients, and the status page showing the VPN is connected with

Statistics
TUN/TAP read bytes    17,640    TUN/TAP write bytes    0
TCP/UDP read bytes    0    TCP/UDP write bytes    210
Auth read bytes    0    pre-compress bytes    0
post-compress bytes    0    pre-decompress bytes    0

Log shows 3 hours VPN uptime, 4 hours downtime (constant TLS failures), 12 hours uptime, then 4 hours downtime (until I manually toggled the VPN off then on). Most recent log entries:

Jul 11 18:05:37 openvpn[8259]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 11 18:05:37 openvpn[8259]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.212.77:1194
Jul 11 18:05:37 openvpn[8259]: UDP link local: (not bound)
Jul 11 18:05:37 openvpn[8259]: UDP link remote: [AF_INET]184.75.212.77:1194
Jul 11 18:06:38 openvpn[8259]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 11 18:06:38 openvpn[8259]: TLS Error: TLS handshake failed
Jul 11 18:06:38 openvpn[8259]: SIGUSR1[soft,tls-error] received, process restarting
Jul 11 18:11:38 openvpn[8259]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 11 18:11:38 openvpn[8259]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.212.77:1194
Jul 11 18:11:38 openvpn[8259]: UDP link local: (not bound)
Jul 11 18:11:38 openvpn[8259]: UDP link remote: [AF_INET]184.75.212.77:1194
Jul 11 18:12:38 openvpn[8259]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 11 18:12:38 openvpn[8259]: TLS Error: TLS handshake failed
Jul 11 18:12:38 openvpn[8259]: SIGUSR1[soft,tls-error] received, process restarting
Jul 11 18:17:38 openvpn[8259]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 11 18:17:39 openvpn[8259]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.212.77:1194
Jul 11 18:17:39 openvpn[8259]: UDP link local: (not bound)
Jul 11 18:17:39 openvpn[8259]: UDP link remote: [AF_INET]184.75.212.77:1194
Jul 11 18:18:39 openvpn[8259]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 11 18:18:39 openvpn[8259]: TLS Error: TLS handshake failed
Jul 11 18:18:39 openvpn[8259]: SIGUSR1[soft,tls-error] received, process restarting

 

[john9527]

Suggestions haven't worked for me. After making the changes yesterday I came home to no service on VPNed clients, and the status page showing the VPN is connected with

You have a completely different problem and symptom....suggest opening a separate thread to see if anyone has ideas.

 

[Brenneke]

I am also on Nord and am quite sure I was having same issue - Nord looked at my logs and instructed me to add a few lines on the custom config for the OVPN client settings - has been good ever since. Please forgive me if I have misunderstood and if this is not relevant....have limited knowledge with this!

Here is how my custom config looks now:

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
auth-retry nointeract

 

[Andaman]

I've been working offline with one of my fork users ( @cowst ) that is experiencing the same problem, at about the same frequency. I've been running on a NordVPN account trying to recreate it, but haven't been able to hit it during the periods I was able test.

I did spend some time looking at the NordVPN .ovpn file config, and in addition to being one of the only providers whose servers are OpenVPN 2.4.x, they are also using an usual setup on the renegotiation. They are disabling the client initiated renegotiation, relying strictly on the server. They also set a relatively long ping interval at 60 sec.

There are a couple of things I think you can try....

Change the 'TLS renegotiation time' from 0 to 3540 (this will make the client do the renegotiation 1 minute before the the server side default). You could even try a bit shorter time as a test.

Add the following to the custom config section to increase the ping frequency
pull-filter ignore "ping 60"
push "ping 15"

John, I tried the reduced renegotiation time on client side. Good news is this does preempt the server-initiated re-key and I ran about 24 hours with the client initiating re-keys - every 50 minutes. But just when I was starting to feel optimistic, the problem occurred again. With one of the re-keys, I lost connectivity and had an inactivity time-out.

Appreciate your help. If you have any other ideas on ways I might be able to suppress the re-key process entirely or anything else I might try, let me know. If I come up with any solution I'll post it.

 

[Andaman]

I am also on Nord and am quite sure I was having same issue - Nord looked at my logs and instructed me to add a few lines on the custom config for the OVPN client settings - has been good ever since. Please forgive me if I have misunderstood and if this is not relevant....have limited knowledge with this!

Here is how my custom config looks now:

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
auth-retry nointeract

Thanks. I have the same config except for the auth-retry nointeract directive. I'm not sure this would affect the problem I'm having, but I'll try adding it and see!

 

[john9527]

Thanks. I have the same config except for the auth-retry nointeract directive. I'm not sure this would affect the problem I'm having, but I'll try adding it and see!

The 'auth-rety nointeract' is a good thing to try that I hadn't thought of......

But, from your last posted data, I tried to ping and tracert to the ip address of the vpn server you were trying to connect to and got no response. I can ping the NordVPN server I am using to test. So it looks like that server may have just gone down (or had a routing problem) and since NordVPN uses ip addresses instead of fqdn in their setup, it that happens you are in trouble. I'd also try a different server.

 

[Andaman]

The 'auth-rety nointeract' is a good thing to try that I hadn't thought of......

But, from your last posted data, I tried to ping and tracert to the ip address of the vpn server you were trying to connect to and got no response. I can ping the NordVPN server I am using to test. So it looks like that server may have just gone down (or had a routing problem) and since NordVPN uses ip addresses instead of fqdn in their setup, it that happens you are in trouble. I'd also try a different server.

I am actually trying a different NordVPN server now. Also, I am experimenting to see if this problem occurs when using TCP. Will post results.

 

[Andaman]

Using TCP did not help. I got another loss of connection and inactivity timeout on a cipher renegotiation, just after a couple of hours. I'm kind of at a loss regarding what to try next.

 

[Brenneke]

Have you tried contacting Nord via chat? They have router specialists (not always there) that may be able to help.
https://v2.zopim.com/widget/popout.html?key=oxKZnmXv4KZ1uFO78i56rMEovdYXH2jm

 

[Andaman]

Have you tried contacting Nord via chat? They have router specialists (not always there) that may be able to help.
https://v2.zopim.com/widget/popout.html?key=oxKZnmXv4KZ1uFO78i56rMEovdYXH2jm

I have not yet contacted Nord but I will give that a try. Will post if I get a solution. Thanks.

 

[cowst]

If it helps, and if I remember correctly, this issue started when @john9527 (and perhaps merlin) updated openvpn client to 2.4.
Release 23 was working fine I think.

 

[cowst]

Asked nordvpn.

"Thank you for your letter.

We currently do not have any additional information regarding this issue, although our system administrators have told they're going to look into this as soon as possible.

Let us know if there's anything else we can assist you with."

Meh.

If it helps, and if I remember correctly, this issue started when @john9527 (and perhaps merlin) updated openvpn client to 2.4.
Release 23 was working fine I think.

 

[Andaman]

I got a reply from NordVPN which was a little more encouraging. They said they were going to investigate the problem with a Merlin router they have in their lab. It has been 3 days and I haven't heard anything further from them. Will post if I learn anything.

 

[cowst]

Oh yes please!

I got a reply from NordVPN which was a little more encouraging. They said they were going to investigate the problem with a Merlin router they have in their lab. It has been 3 days and I haven't heard anything further from them. Will post if I learn anything.

 

[Brenneke]

Letter? What is a letter? Did you chat with one of their router specialists online on the interweb?

 

[Andaman]

Been a couple of weeks and I have not heard anything back from NordVPN.