AR300M Bug?

Hi.
I have an AR300M and have testing 3.104 firmware loaded, using USB tethering.
I have VPN, DNS (over TLS), Kill-Switch all enabled.

The VPN often fails to connect at first boot (or reboot) but works fine if I then login to the Web Interface and click “abort” then “connect”.

Any thoughts or ideas on what the problem is?
Thanks!

Log:

Wed May 27 08:20:10 2020 daemon.notice procd: /etc/rc.d/S99startvpn: well
Wed May 27 08:20:10 2020 daemon.notice procd: /etc/rc.d/S99startvpn: Warning: Section @zone[1] (wan) cannot resolve device of network ‘wan6’
Wed May 27 08:20:10 2020 daemon.notice procd: /etc/rc.d/S99startvpn: Warning: Section @zone[1] (wan) cannot resolve device of network ‘modem_1_1’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Clearing IPv4 filter table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Clearing IPv4 nat table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Clearing IPv4 mangle table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Populating IPv4 filter table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-DHCP-Renew’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-Ping’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-IGMP’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-IPSec-ESP’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-ISAKMP’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘guestzone_DHCP’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘guestzone_DNS’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘safe_mode_lan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘safe_mode_guest’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Forward ‘lan’ -> ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Forward ‘guestzone’ -> ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘lan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘wan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘guestzone’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Populating IPv4 nat table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘lan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘wan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘guestzone’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Populating IPv4 mangle table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘lan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘wan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘guestzone’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Clearing IPv6 filter table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Clearing IPv6 mangle table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Populating IPv6 filter table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-DHCPv6’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-MLD’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-ICMPv6-Input’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-ICMPv6-Forward’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-IPSec-ESP’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘Allow-ISAKMP’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘guestzone_DHCP’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘guestzone_DNS’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘safe_mode_lan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Rule ‘safe_mode_guest’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Forward ‘lan’ -> ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Forward ‘guestzone’ -> ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘lan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘wan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘guestzone’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Populating IPv6 mangle table
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘lan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘wan’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘guestzone’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Zone ‘ovpn’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Set tcp_ecn to off
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Set tcp_syncookies to on
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Set tcp_window_scaling to on
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Running script ‘/etc/firewall.user’
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: iptables: No chain/target/match by that name.
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: iptables: No chain/target/match by that name.
Wed May 27 08:20:12 2020 daemon.notice procd: /etc/rc.d/S99startvpn: ipset v6.34: The set with the given name does not exist
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: Perhaps iptables or your kernel needs to be upgraded.
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: Perhaps iptables or your kernel needs to be upgraded.
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: ! Failed with exit code 3
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Running script ‘/usr/bin/glfw.sh’
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Running script ‘/var/etc/gls2s.include’
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: ! Skipping due to path error: No such file or directory
Wed May 27 08:20:13 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Running script ‘/usr/sbin/glqos.sh’
Wed May 27 08:20:14 2020 daemon.notice procd: /etc/rc.d/S99startvpn: * Running script ‘/var/etc/mwan3.include’
Wed May 27 08:20:15 2020 daemon.notice openvpn[3970]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May 27 08:20:15 2020 daemon.notice openvpn[3970]: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Wed May 27 08:20:15 2020 daemon.warn openvpn[4007]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed May 27 08:20:15 2020 daemon.warn openvpn[4007]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May 27 08:20:15 2020 daemon.notice openvpn[4007]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Wed May 27 08:20:15 2020 daemon.notice openvpn[4007]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed May 27 08:20:15 2020 daemon.notice openvpn[4007]: UDP link local: (not bound)
Wed May 27 08:20:15 2020 daemon.notice openvpn[4007]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Wed May 27 08:20:15 2020 daemon.notice openvpn[4007]: TLS: Initial packet from [AF_INET]xx.xxx.xxx.xx:1194, sid=xxxxxxx xxxxxxx
Wed May 27 08:20:15 2020 daemon.warn openvpn[4007]: WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Wed May 27 08:20:15 2020 daemon.info procd: - init complete -
Wed May 27 08:20:15 2020 daemon.notice openvpn[4007]: VERIFY OK:
Wed May 27 08:20:15 2020 daemon.notice openvpn[4007]: VERIFY OK:
Wed May 27 08:20:16 2020 daemon.notice openvpn[4007]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed May 27 08:20:16 2020 daemon.notice openvpn[4007]: [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Wed May 27 08:20:17 2020 daemon.notice openvpn[4007]: SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
Wed May 27 08:20:22 2020 daemon.notice openvpn[4007]: SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
Wed May 27 08:20:23 2020 kern.notice kernel: [ 85.933928] random: crng init done
Wed May 27 08:20:23 2020 kern.notice kernel: [ 85.937462] random: 6 urandom warning(s) missed due to ratelimiting
Wed May 27 08:20:25 2020 daemon.notice openvpn[4007]: AUTH: Received control message: AUTH_FAILED
Wed May 27 08:20:25 2020 daemon.notice openvpn[4007]: SIGTERM[soft,auth-failure] received, process exiting

In VPN section of Web UI: “VPN client failed to connect. This may be because of wrong configuration, unsupported parameters or terminated by the server. Please choose another VPN profile or abort the connection.”

Auth failed generally means your username or password is wrong.

Are you saying that when you reconnect with the same username and password it is OK?

Yes - it works fine if I abort then connect.

OK. I saw the problem here. Seems that it is a start script racing problem.

Great!
Am I correct in assuming this has been added to the “to do” list of fixes?

There is no iptables raw table in the router. Does your VPN configuration need to add special rules to the raw table?

I confess to not really understanding your question but am pretty sure the answer is “no”. This is a bog-standard commercial server and the files look standard to me.

Doing further investigation myself, necessitating around 20 reboots, I think I have found the problem -
It seems that the connection fails if I have encrypted DNS enabled (either Cloudflare over TLS or DNSCrypt). It also seemed to be related to your scripts adding these lines to the OVPN file:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I am doing further testing but it appears that some servers ALWAYS fail to connect at boot, others are a bit hit and miss.
For your info., the servers I am trying are all UDP.

So, seeing I appear to be the only one with this problem, I decided to do a clean (re)install of V3.104 and thankfully, this seems to have cured the problem (for now).

From memory, I don’t think this is the first time this has happened to me, so somehow the firmware is corrupting after a period of time (or if, like me, you fiddle with the settings a lot).

2 Likes

Glad it is working. Pls report back if you have further problems.

I have done further testing - if I disable either DNS over TLS or DNSCrypt, then the VPN will not reconnect on reboot (even if I “abort” and “connect” again).

I believe I have found the problem - “use DNS advertised by peers” under the tethering interface in LuCI (Network > Interface > Tethering > advanced) is unchecked. Checking this option and rebooting seems to solve the problem. YES, it was me that unchecked this option in the first place, as I believe the Stubby instructions advise this, at least it does on the WAN interface (uci set network.wan.peerdns='0').

Seems fixing a DNS server will solve the problem.

1 Like
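
A log triage helper for the boot-time failure discussed in this thread, added here as an example (it is not from any poster or from the firmware). It reads syslog lines like those in the first post and reports whether `AUTH_FAILED` hit an OpenVPN session that started before `init complete`, along with the security warnings visible in the same log. The function names, finding labels and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an OpenWrt syslog for the boot-time OpenVPN failure
# discussed in this thread. Reads log lines on stdin, prints one finding per line.
triage_vpn_log() {
    awk '
    /procd: - init complete -/ { init_done = 1 }
    /openvpn\[[0-9]+\]/ {
        # Session started before procd finished booting: start-up race candidate.
        if (!seen++ && !init_done) boot_start = 1
        if (/No server certificate verification method/) nocert = 1
        if (/may cache passwords in memory/)             cache = 1
        if (/Control Channel:.*1024 bit RSA/)            rsa1024 = 1
        if (/PUSH_REQUEST/)                              push++
        if (/AUTH_FAILED/)                               failed = 1
        if (/Initialization Sequence Completed/)         up = 1
    }
    END {
        if (failed) printf "%s push_requests=%d\n", (boot_start ? "AUTH_FAILED_DURING_BOOT" : "AUTH_FAILED"), push
        else if (up) print "VPN_UP"
        if (nocert)  print "NO_SERVER_CERT_VERIFY"
        if (cache)   print "PASSWORD_CACHED_IN_MEMORY"
        if (rsa1024) print "WEAK_RSA_1024"
    }'
}

# Constructed sample, abridged from the shape of the log in the first post.
sample_log() {
    cat <<'EOF'
Wed May 27 08:20:15 2020 daemon.warn openvpn[4007]: WARNING: No server certificate verification method has been enabled.
Wed May 27 08:20:15 2020 daemon.warn openvpn[4007]: WARNING: this configuration may cache passwords in memory
Wed May 27 08:20:15 2020 daemon.info procd: - init complete -
Wed May 27 08:20:16 2020 daemon.notice openvpn[4007]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed May 27 08:20:17 2020 daemon.notice openvpn[4007]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed May 27 08:20:22 2020 daemon.notice openvpn[4007]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed May 27 08:20:25 2020 daemon.notice openvpn[4007]: AUTH: Received control message: AUTH_FAILED
EOF
}

sample_log | triage_vpn_log
```

On the router, the same function can be fed from `logread` instead of the constructed sample.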