OpenVPN client's tunnel freezes due to inactivity

Dear Sirs,
with using actual (3.215) and previous (3.212) versions of firmware (clear upgrade with no extra packages) for the device GL-AR750S-EXT Slate I’ve faced with next issue:

if no traffic goes into the OpenVPN tunnel (AR750S as client) for some time, the tunnel freezes (no traffic flow, but indicates as active in the web interface; in the same time tunnel hourly tunnel renew process successfully processing by openvpn daemon) and became not usable before the following Disconnect/Connect. The issue does not happen if any amount of data (e.q. ICMP ping) continuously passes the tunnel.

No errors in System Log
Mon Dec 19 06:00:05 2022 daemon.err gl_monitor[4109]: sh: 30000: unknown operand
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=179017/-1 pkts=2423/0
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=183785/-1 pkts=2435/0
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=216516/-1 pkts=2514/0
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=181889/-1 pkts=2425/0
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256

As far as I remember, there was no such issue in 3.203 & 3.211 versions of the firmware.

Could you, please, let me know,

  1. how can I fix it,
  2. will this issue be fixed in the next version of the firmware update,
  3. if I need to provide some extra data for investigation.

Thank you in advance!

This should not be a common issue in 3.215.

Does your ovpn has keepalive?

It should has line like these

ping
ping-restart 
keepalive

You can post the content of your ovpn?

@alzhao I’m using public ovpn servers as a client.
Do I need to provide a config file from GL router (which one?) or any exapmle of .ovpn client’s file?

How did you configure the ovpn client?
Not uploading a ovpn file to the router?