OpenVPN client's tunnel freezes due to inactivity

Dear Sirs,
Using the current (3.215) and previous (3.212) firmware versions (clean upgrade with no extra packages) on the GL-AR750S-EXT Slate, I’ve faced the following issue:

If no traffic goes into the OpenVPN tunnel (AR750S as client) for some time, the tunnel freezes (no traffic flows, but it is shown as active in the web interface; at the same time the hourly tunnel renewal is still processed successfully by the openvpn daemon) and becomes unusable until the next Disconnect/Connect. The issue does not happen if any amount of data (e.g. ICMP ping) continuously passes through the tunnel.

No errors in System Log
Mon Dec 19 06:00:05 2022 daemon.err gl_monitor[4109]: sh: 30000: unknown operand
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=179017/-1 pkts=2423/0
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 06:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=183785/-1 pkts=2435/0
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 07:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=216516/-1 pkts=2514/0
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 08:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: TLS: soft reset sec=3600/3600 bytes=181889/-1 pkts=2425/0
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=2, C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: VERIFY OK: depth=0, CN=*.opengw.net
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 19 09:43:34 2022 daemon.notice openvpn[4934]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256

As far as I remember, there was no such issue in 3.203 & 3.211 versions of the firmware.

Could you, please, let me know,

  1. how can I fix it,
  2. will this issue be fixed in the next version of the firmware update,
  3. if I need to provide some extra data for investigation.

Thank you in advance!

This should not be a common issue in 3.215.

Does your ovpn have keepalive?

It should have lines like these:

ping
ping-restart 
keepalive

Can you post the content of your ovpn?

@alzhao I’m using public ovpn servers as a client.
Do I need to provide a config file from the GL router (which one?) or any example of a client’s .ovpn file?

How did you configure the ovpn client?
Not uploading an ovpn file to the router?

I’m just uploading publicly shared .ovpn files. For example,

vpngate

dev tun
proto tcp
remote 61.82.154.36 1495
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
(ca)
-----BEGIN CERTIFICATE-----
… random $h1t…
-----END CERTIFICATE-----

(/ca)
(cert)
-----BEGIN CERTIFICATE-----
… random $h1t…
-----END CERTIFICATE-----

(/cert)
(key)
-----BEGIN RSA PRIVATE KEY-----
… random $h1t…
-----END RSA PRIVATE KEY-----

(/key)
daemon

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
script-security 2

Inserting ping/ping-restart/keepalive lines into the .ovpn file resulted in a failed connection with the following error:

Options error: Unrecognized option or missing or extra parameter(s)

How did you insert them?

It should be like

keepalive 10 50
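
Added example (not part of any post in this thread, and not GL.iNet or OpenVPN code): a shell check for the keepalive directives discussed above, which flags the argument-less forms that produce the "Options error". It relies on OpenVPN's syntax `keepalive <interval> <timeout>`, `ping <n>` and `ping-restart <n>`; the function name `check_keepalive` and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Lint the keepalive-related directives of an .ovpn client profile.
# check_keepalive FILE prints one line per finding. Exit status:
#   0 = usable keepalive settings present
#   1 = no keepalive settings in the file
#   2 = a keepalive-related directive is malformed (OpenVPN would reject it)
check_keepalive() {
    awk '
    function isnum(s) { return s ~ /^[0-9]+$/ }
    /^[ \t]*<\/[a-z-]+>/ { inblock = 0; next }   # end of inline <ca>/<cert>/<key> block
    /^[ \t]*<[a-z-]+>/   { inblock = 1; next }   # start of inline block
    inblock              { next }                # never parse certificate/key material
    { sub(/[#;].*$/, "") }                       # strip comments
    NF == 0              { next }
    $1 == "keepalive" {
        if (NF == 3 && isnum($2) && isnum($3)) ka = 1
        else { bad = 1; printf "line %d: keepalive needs <interval> <timeout>\n", NR }
    }
    $1 == "ping" || $1 == "ping-restart" {
        if (NF == 2 && isnum($2)) seen[$1] = 1
        else { bad = 1; printf "line %d: %s needs one numeric argument\n", NR, $1 }
    }
    END {
        if (bad) exit 2
        if (ka || (seen["ping"] && seen["ping-restart"])) {
            print "ok: keepalive configured"
            exit 0
        }
        print "missing: no keepalive, and no ping + ping-restart pair"
        exit 1
    }' "$1"
}

# Constructed sample: bare directive names with no arguments, which OpenVPN rejects.
sample=$(mktemp)
printf '%s\n' 'client' 'dev tun' 'proto tcp' 'ping' 'ping-restart' 'keepalive' > "$sample"
check_keepalive "$sample" || echo "exit status: $?"
rm -f "$sample"
```

The check only reads the local profile; a server can also push `ping` and `ping-restart` to the client, which this does not see.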