RT-AC68U 386.2_6 packet loss on OpenVPN failed connection

[automaton]

I have an RT-AC68U with a wired Windows box running PingPlotter (although I've confirmed this with a wired Linux box running ping directly as well).

Basically at random times nefarious connections are attempted to my OpenVPN server running on the RT-AC68U. The log looks like this:

Jul 23 09:51:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS: Initial packet from [AF_INET6]::ffff:167.248.133.23:14872, sid=4d658221 07fcfd52
Jul 23 09:52:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS: Initial packet from [AF_INET6]::ffff:167.248.133.39:38677, sid=dd4262e7 c698de87
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 TLS Error: TLS handshake failed
Jul 23 09:52:53 ovpn-server1[2559]: 167.248.133.23:14872 SIGUSR1[soft,tls-error] received, client-instance restarting
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 TLS Error: TLS handshake failed
Jul 23 09:53:08 ovpn-server1[2559]: 167.248.133.39:38677 SIGUSR1[soft,tls-error] received, client-instance restarting

When that happens I get 100% packet loss for ~20 seconds across the board (google.com, akamai.com, twitter.com, pingplotter.com, pingman.com etc.).
This also causes unwanted behaviour in video conferencing and anything else that is not buffered.

Is there any solution to this problem other than off-loading the OpenVPN server to a box behind the router?

Thank you for your time.

 

[ColinTaylor]

I can't think why restarting the VPN server would have an impact on your LAN clients. Maybe it makes changes with the routing tables when it restarts.

If you change your VPN server to use a non-standard port you will stop most, if not all of the bogus connection attempts.

 

[automaton]

I can't think why restarting the VPN server would have an impact on your LAN clients. Maybe it makes changes with the routing tables when it restarts.

If you change your VPN server to use a non-standard port you will stop most, if not all of the bogus connection attempts.

That is one option, I can consider it. I've left it on the standard port so far to avoid issues while travelling. Usually 'weird' ports are blocked, but the common ones for VPN are left open for people to do work.

I'd also like to note that when I connect with my own clients to the VPN this issue doesn't occur. It only occurs when the nefarious ones attempt, and fail, to connect.