VPN Unable to Reconnect

[Zim]

On stock firmware I had NordVPN configured and working "perfectly" on the router. The connection was stable, no random disconnects etc.

I decided to experiment with the Merlin 386.3 firmware so I could have router level AdBlock etc. While I'm liking it, I need help sorting out a VPN issue.

On Merlin, I am using the same VPN servers, same connection files and settings as I was using on the stock firmware, but on Merlin I can not keep a consistent connection to the VPN servers. All 5 connections drop randomly and then fail to reconnect automatically giving me this error: "Error connecting - Authentication failed." Oddly enough, if I wait a few minutes and retry them manually they all connect (eventually).

I checked out this thread with similar issue: Error Connecting, but I know my ISP is not the problem, since all things being the same, the issue did not happen on the stock firmware. In that thread, Merlin mentioned, "Just disable auth tokens, not caching". If this is the solution how and where do I do this?

Please help!

Below is an output of the sys log:
Aug 3 11:30:00 ovpn-client4[9339]: [xxxxxx.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Aug 3 11:30:00 ovpn-client4[9339]: SIGUSR1[soft,ping-restart] received, process restarting
Aug 3 11:30:00 ovpn-client4[9339]: Restart pause, 5 second(s)
Aug 3 11:30:05 ovpn-client4[9339]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 3 11:30:05 ovpn-client4[9339]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 3 11:30:05 ovpn-client4[9339]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 3 11:30:05 ovpn-client4[9339]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xxx.xx:1194
Aug 3 11:30:05 ovpn-client4[9339]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Aug 3 11:30:05 ovpn-client4[9339]: UDP link local: (not bound)
Aug 3 11:30:05 ovpn-client4[9339]: UDP link remote: [AF_INET]xx.xx.xxx.xx:1194
Aug 3 11:30:05 ovpn-client4[9339]: TLS: Initial packet from [AF_INET]xx.xx.xxx.xx:1194, sid=661f72ec 4c69e2b9
Aug 3 11:30:05 ovpn-client4[9339]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root
Aug 3 11:30:05 ovpn-client4[9339]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN
Aug 3 11:30:05 ovpn-client4[9339]: VERIFY KU OK
Aug 3 11:30:05 ovpn-client4[9339]: Validating certificate extended key usage
Aug 3 11:30:05 ovpn-client4[9339]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 3 11:30:05 ovpn-client4[9339]: VERIFY EKU OK
Aug 3 11:30:05 ovpn-client4[9339]: VERIFY OK: depth=0, CN=xxxxxx.nordvpn.com
Aug 3 11:30:07 ovpn-client4[9339]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1618', remote='link-mtu 1634'
Aug 3 11:30:07 ovpn-client4[9339]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Aug 3 11:30:07 ovpn-client4[9339]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Aug 3 11:30:07 ovpn-client4[9339]: [xxxxxx.nordvpn.com] Peer Connection Initiated with [AF_INET]xx.xx.xxx.xx:1194
Aug 3 11:30:08 ovpn-client4[9339]: SENT CONTROL [xxxxxx.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Aug 3 11:30:08 ovpn-client4[9339]: AUTH: Received control message: AUTH_FAILED
Aug 3 11:30:08 ovpn-client4[9339]: ovpn-route-pre-down tun14 1500 1654 10.8.1.5 255.255.255.0 init
Aug 3 11:30:08 custom_script: Running openvpn-event
Aug 3 11:30:08 ovpn-client4[9339]: Closing TUN/TAP interface
Aug 3 11:30:08 ovpn-client4[9339]: /usr/sbin/ip addr del dev tun14 10.8.1.5/24
Aug 3 11:30:08 ovpn-client4[9339]: ovpn-down 4 client tun14 1500 1654 10.8.1.5 255.255.255.0 init
Aug 3 11:30:08 ovpn-client4[9339]: SIGTERM[soft,auth-failure] received, process exiting


Here is what I have in the custom configuration:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log

 

[RMerlin]

Aug 3 11:30:08 ovpn-client4[9339]: AUTH: Received control message: AUTH_FAILED

Check your username and password.

I use NordVPN for my development testing, have no issue with it.

 

[Zim]

Check your username and password.

I use NordVPN for my development testing, have no issue with it.

Thanks for the suggestion, Merlin.

I copy pasted the username and password initially so I was ruling that out, also becuase the VPN connects, it just fails to reconnect when it disconnects. I have, however, copy-pasted the credentials again to be sure.

Will report back with the findings. (fingers crossed)

 

[Zim]

Alright, no luck. VPN still randomly disconnects. It doesn't appear to be username and password.

I found this reading another thread. I have two VPN tunnels sharing the same local IP. Could this be causing the disconnects?

How do I make sure that each VPN tunnel has a unique local IP Address?

 

[RMerlin]

How do I make sure that each VPN tunnel has a unique local IP Address?

Nothing you can do about this, the IP range is determined by the server. If they offer different types of servers (like UDP, TCP, etc...) you could try them to see if they use a different IP range, but otherwise, you simply can't connect both at the same time.

 

[RMerlin]

If the failure isn't about connecting but about RE-connecting, then one thing to make sure you don't establish multiple connections to the same server (NordVPN allows only one per server). Also, import the ovpn file downloaded from their site, this is how I have my own test router configured, and it can maintain its connection for multiple days.

 

[Zim]

If the failure isn't about connecting but about RE-connecting, then one thing to make sure you don't establish multiple connections to the same server (NordVPN allows only one per server). Also, import the ovpn file downloaded from their site, this is how I have my own test router configured, and it can maintain its connection for multiple days.

Really appreciate you taking the time to help with this.

The issue is actually two folds:

- when I reboot the router not all connections connect on startup, despite "Automatic start at boot time" being set to "Yes". I've found that the first connection (VPN1) almost ALWAYS connects and the other 4 fail with message: "Error connecting - Authentication failed."​

​

- once I manually start all the connections, ALL 5 connections work, but within 24 hours at least one (random) connection will drop and I get the "Error connecting - Authentication failed." message. After a few retries, the connection works again....but the cycle continues.​

​

I am establishing one connection to one server, so 5 connections = 5 different servers.
The ovpn file is downloaded from NordVPN site.

As I mentioned earlier, on the stock firmware when I use the same ovpn files and connect to the same servers the connection does not drop. I've had 4 simultaneous connections for nearly a week.

NordVPN has 6 simultaneous connection limit, so running 5 connections should not be an issue. Is there a limit to how many simultaneous connections the router can handle? I'm currently using AX11000 and on the stock firmware, I noticed there is a limit of 4 simultaneous connections.

 

[RMerlin]

NordVPN has 6 simultaneous connection limit, so running 5 connections should not be an issue. Is there a limit to how many simultaneous connections the router can handle? I'm currently using AX11000 and on the stock firmware, I noticed there is a limit of 4 simultaneous connections.

They allow up to 6 connections, but only one per server. Also, there's a good chance you might have conflicting routes there as I doubt that each of them use a different subnet.

 

[Jack Yaz]

They allow up to 6 connections, but only one per server. Also, there's a good chance you might have conflicting routes there as I doubt that each of them use a different subnet.

i seem to get by with 2 connections to the same server, albeit 1 TCP and 1UDP.
i did see some auth failures just now after updating to 386.3, but a service restart cleared it up. I've seen this before as well, and in those cases changing to a different server helps.

 

[RMerlin]

i seem to get by with 2 connections to the same server, albeit 1 TCP and 1UDP.

Maybe the protocol makes a difference, or they allow a slight overlap in case your previous connection hadn`t fully timed out yet. I remember looking into it last year as one of my customers (a women shelter who needed to be able to anonymize Internet traffic for their protection) needed a VPN solution. NordVPN`s documentation said that only one connection per server was allowed, so I had to configure different servers on all the PCs that I secured for them.

 

[AndreiV]

Before you pull your hair out, your issue may be Nord themselves.

I use Nord on a Windows 10 desktop , yesterday I was suddenly logged out and was required to log in again.

This failed constantly with the same error message you have. I also noticed that rather than the usual login via the Nord App , I was taken to a webpage that was having issues loading and ran through CloudFlare. It took me over an hour to finaly get the page to accept my details.


Edit to add : I have also been inundated with spammy popup messages from Nord within the app with various horror messages about securing Messaging and referring friends amongst other things.

If they continue this spam on a paid app my contract will not be renewed.

 

[kernol]

NordVPN working without ever disconnecting for me - two VPNClients each directed to a different region - unique local IP addresses and unique public IP addresses for each tunnel. Also have Win10 NordVPN App connecting to same region as one of the router VPNClients - but also has unique local and unique public IP's.

My ISP fibre connection is rock solid - and so far not ever had any random disconnects.
If I did - that would certainly impact VPN connections. Could that be OP's problem?

 

[Zim]

Thank you all for your input.

I've had my router running for the past 37 hours and monitoring the logs and VPN connections - happy to report that there hasn't been a single disconnect in any of the 5 VPN connections. Despite two connections with the same local IP, the VPN connectivity seems solid.

I just rebooted the router and all 5 connections restarted (by themself) without any hiccup. There are still two connections with the same local IP, but all seems to be working well.

For anyone else running into this issue or trying to troubleshoot this, I honestly didn't change any particular settings. The only thing different is that the devices routed through VPN now have their static IP defined under the LAN > DHCP Server tab.