Reconnect openvpn every hour AC68U

[yased]

Hi.

Openvpn reconnect every hour on router. Why it happens?

 

[octopus]

Hi.
Openvpn reconnect every hour on router. Why it happens?

It is impossible to say with so little information

 

[yased]

I can't insert the log. Forum is blocked me, when I insert log in message.

 

[octopus]

I can't insert the log. Forum is blocked me, when I insert log in message.

You can use pastebin to post logs and put link here.

 

[yased]

Router - AC68U, firmware - 380.65

 

[octopus]

Router - AC68U, firmware - 380.65

I can't see anything strange there. Post your server configs.

 

[yased]

Router restart openvpn every hour. Client can't work near 2 minutes, while server down and up. It's normal?

Spoiler: Server cfg

daemon
topology subnet
server 192.168.0.0 255.255.255.0
proto udp
port *
dev tun21
cipher BF-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10

Doh. it's "keepalive 15 60" do this?

 

[octopus]

Are you config by comandline? new 380.65 use openvpn 2.40 that introduce alot new configurations and functions.
If this is configs from earlier bulds try to config by GUI. I can see alot of new configs options missing.
https://www.snbforums.com/threads/release-asuswrt-merlin-380-65-is-now-available.37295/

 

[yased]

Yes, it's commandline config.

 

[octopus]

You missing:
Auth Digest
I would change VPN subnet/mask to default.
Chirper Negotiation missing
I would use aes-128-cbc ist optimized to that.

Make sure your time is working. (NTP)

 

[yased]

I changed the openvpn settings with your recommendations. Server still rebooted each hour.

ps which auth digest are you recommend?

 

[octopus]

I changed the openvpn settings with your recommendations. Server still rebooted each hour.
ps which auth digest are you recommend?

I'm using ecdca-with-SHA1 but SHA1 will sute your needs. If router reboot every hour there must be any other problems.
What you show in log I can't se any prblem relaying to that.

 

[yased]

It's full morning log. Every hour router stop and start openvpn.
http://pastebin.com/DCsN1XV8

 

[octopus]

It's full morning log. Every hour router stop and start openvpn.
http://pastebin.com/DCsN1XV8

Sorry I can't see anything in log cusing reboot.
Maby someone else have any suggestion.

EDIT: If you have IPV6 on try to turn it off and test

 

[cybrnook]

It's normal, here is mine for example:

https://openvpn.net/archive/openvpn-users/2007-07/msg00104.html

 

[RMerlin]

Key rotation defaults to every hour. It's a security measure, it's normal in the default configuration. Your wifi does the same thing in WPA2, renegotiating the key every hour.

 

[cybrnook]

Yep, that's what I was showing above. Rotating the key every hour cuts down on someones ability to "crack" your key. By the time they do, you are already issued a new key and the compromised one would be invalid at the point. (Guess I should have explained more than just the link)

 

[john9527]

Sorry, but key rotation is not what he is seeing. udhcpc is restarting both the firewall and the vpnserver, so something on the WAN side is changing. Does your ISP have a short lease interval?