I can confirm the same problem with NordVPN, too: connection loss after a while (yellow warning sign in Windows). Router fw is v2.261.
The error message (router GUI) says:
/usr/sbin/ip route del 0.0.0.0/1
/usr/sbin/ip route del 128.0.0.0/1
Closing TUN/TAP interface
/usr/sbin/ip addr del dev tun0 10.7.7.114/24
SIGTERM[soft,auth-failure] received, process exiting
It helps to toggle the hardware switch on the router twice (if it was set to VPN beforehand, of course). But it would be a charm if the VPN connection could be restored automatically in case of loss.
And yes, all NordVPN config files already have the reneg-sec =0 setting by default.
I have done a lot of testing on this and have made various changes to the ovpn file. So far I only had one disconnect in 48 hours (but all the VPN servers went down then, so I assume it is safe to ignore that instance).
I am not sure whether this works or if it does, which line does the job - feel free to test yourselves and report back!
keepalive 10 60 # different way of doing the two lines below
#ping 15
#ping-restart 0
pull-filter ignore "auth-token" # supposed to stop disconnecting after 8 hours (PIA problem)
auth-retry interact # client will requery for an --auth-user-pass before attempting a reconnection.
auth-nocache # previously caused problems. Don't cache --auth-user-pass username/passwords in virtual memory.
Hope this helps - you are welcome to try and test and report back.
Glitch
I re-added this line for security purposes, as before (with the old OpenVPN?) it caused problems (mainly with PIA, IIRC). However, I don’t believe this has any effect on the current problem being discussed in this thread.
Also, I just read from another forum member that the NordVPN team advise to try: auth-retry nointeract (so worth trying this and what I am currently testing: auth-retry interact).
What is your feedback now regarding NordVPN? Can you manage to get a stable connection for more than a day without going back to the router GUI and finding the VPN in the “not started” state?
I’m not using NordVPN (Getflix) but using the settings offered by Glitch I now get an extended period of connection. Not a full 24 hours but most of the day it will stay up. So there may be some more setting changes needed but it’s a step in the right direction…thanks to Glitch!
Hi @caste381 I had over a day without having to manually reconnect, but the connection still dropped a few times with the difference being that it connected again without me having to manually do it.
Agree @skycatcher it’s a big improvement with Glitch’s changes. Are you NordVPN or Getflix? I’ve used both services but I’m currently using Nord.
An issue I’m having, and I’m not sure if it’s just my office, but when I connect to a server that is not too near, e.g. France when I’m in the UK, it disconnects after just a few minutes and reconnects again then drops connection again.
Not sure which line is causing the issue. I’m going to play around to see.
Zimo - I’m with Getflix but am experiencing the same as yourself…the further away the VPN server the more volatile the connection. Using a UK server gives the longest connection but like you it is doing the reconnection for you now where before it was just failing!
Does anyone know where I can access the ovpn log? (I know the logread command but think that may just be generally for the router rather than specifically for VPN).
Hi guys, could someone please repost the “definitive” settings that people are using? It’s hard to follow the thread. I’m also using NordVPN.
In the meantime, I came up with a restart script that has kept me up for days now, based on scraps of bash recovered from startup scripts. I know other people have posted scripts before but this might help someone. I have tested it a fair bit and have verified it a) keeps the connection up (restarts it) and b) at no point allows non-VPN traffic through IF that’s how you’ve set things up.
I run the following every 5 mins as a cronjob:
#!/bin/sh
# Should openvpn already be in operation? If not, nothing to do, exit.
enabled=$(uci get glconfig.openvpn.enable)
vpn_client=$(uci get network.VPN_client) # removed when startvpn stopped explicitly
if [ "$enabled" != "1" ] || [ "$vpn_client" != "interface" ]; then
    exit 0
fi
# First hop should be to the internal VPN gateway (10.8.8.1) if VPN up.
# If we're going through VPN then all is well, do nothing.
first_hop=$(traceroute 8.8.8.8 2>&1 | head -2 | tail -1 | awk '{print $2}')
if [ "$first_hop" = "10.8.8.1" ]; then
    logger -t VPN_restart "VPN is fine."
    exit 0
fi
# VPN is down: restart openvpn with the configured profile, then reload the network.
killall openvpn 2>/dev/null
ovpn=$(uci get glconfig.openvpn.ovpn)
/usr/sbin/openvpn "$ovpn" &
(sleep 1; /etc/init.d/network reload) &
logger -t VPN_restart "VPN was down and had to be restarted."
I’m happy to give more detail, but I get the impression that a proper fix has been found for the ovpn file.
Reporting back - seems the changes I suggested improve things a lot. I still get “outages” (yellow triangle in Windows) but it now (eventually) reconnects itself (however, not after 60 seconds which “keepalive 10 60” seems to suggest it should).
@merlot: I tried my own reconnect script without much success but your efforts gave me renewed impetus (script further down).
I tried to dissect your script. I have very limited ability, so please bear with me if I am talking nonsense. I struggled with the first part because of too many negatives ("!" and "||"). How about just doing this and letting the script run through?:
if [ "$enabled" = "1" ] && [ "$vpn_client" = "interface" ]; then
Regarding the traceroute part: Am I right thinking the “head” and “tail” part cut the first and last part of the IP address to two digits and one digit respectively?
Also, I don’t think this would work with other providers, as the NAT address (?) 10.8.8.1xx seems particular to Nord.
The last three lines seem to do the same as:
/etc/init.d/startvpn start
Finally, my script, which seems to work and can be run every two minutes (or five, if you prefer). I would welcome your comments:
if ! ping -I tun0 -c5 -w5 8.8.8.8; then
    killall openvpn # 2>/dev/null (took this out because I don't understand it)
    ovpn=$(uci get glconfig.openvpn.ovpn)
    /usr/sbin/openvpn "$ovpn" &
    (sleep 1; /etc/init.d/network reload)
fi
Glitch
PS. I give up trying to format my posts as the forum software has a mind of its own and is hopeless! Twenty attempts and I still can’t get a new paragraph (<p>) or two line breaks (<br><br>)!!!
if [ "$enabled" = "1" ] && [ "$vpn_client" = "interface" ]; then
is to basically detect if startvpn was supposed to be run and in fact was run. If not exit. I don’t want to try to fix a broken service/VPN connection that was actually never started. It’s a defensive approach. I’m getting these “uci” settings from the startup scripts.
is to capture the first IP address on the route out to “8.8.8.8”, which will be on the second line of the output. Unless I get the expected IP, something is wrong. (head takes top two lines of output, tail takes the bottom line of those two. awk plucks out the IP.)
Your point about 10.8.8.1xx emails belonging to NordVPN sounds like a good point. Must have lulled myself into the notion that it was some kind of internal address. If this is the case, you would need to change it and this is a flaw in the script.
One of the reasons I used traceroute instead of your ping line was because I wanted to avoid a reference to tun0 (in case it came up tun1 or something) but this is not nearly as bad as hardcoding an external IP! So yours might be better.
Of course (potential change of IP aside) mine at least has the benefit of working well. No downtime now since the change. As in, my connection can be seen in the logs to drop, but it’s always restored correctly.
One weird thing though: even though the script runs in 1/2 seconds from a command line, it can take 2.5mins through cron, which is very odd. (The traceroute is running all the time.) I also need to adopt the correct VPN settings so that daily restarts are not needed either.
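An added example, not part of any post in this thread: a variant of the watchdog scripts above that avoids both hardcoded values discussed (the 10.8.8.1 gateway and the tun0 name) by asking the routing table which device carries traffic to the probe address. It assumes `ip route get` is available on the router; the function names and the sample route lines are constructed for illustration.

```shell
#!/bin/sh
PROBE=8.8.8.8   # probe address used by both scripts in the thread

# Print the interface that follows "dev" in `ip route get` output (stdin).
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Decide from the two uci flags and the egress device.
# Prints: skip (VPN was never meant to be up), ok, or restart.
decide() {  # $1=enabled  $2=vpn_client  $3=egress device (may be empty)
    if [ "$1" != "1" ] || [ "$2" != "interface" ]; then
        echo skip; return
    fi
    case "$3" in
        tun[0-9]*) echo ok ;;        # tun0, tun1, ... all count as the tunnel
        *)         echo restart ;;   # WAN device or no route at all
    esac
}

watchdog_main() {
    enabled=$(uci get glconfig.openvpn.enable 2>/dev/null)
    vpn_client=$(uci get network.VPN_client 2>/dev/null)
    dev=$(ip route get "$PROBE" 2>/dev/null | route_dev)
    action=$(decide "$enabled" "$vpn_client" "$dev")
    if [ "$action" = "ok" ]; then
        # Route points at the tunnel; confirm traffic actually passes.
        ping -I "$dev" -c 3 -w 5 "$PROBE" >/dev/null 2>&1 || action=restart
    fi
    [ "$action" = "restart" ] || return 0
    logger -t VPN_restart "egress dev '${dev:-none}', restarting openvpn"
    killall openvpn 2>/dev/null
    ovpn=$(uci get glconfig.openvpn.ovpn)
    /usr/sbin/openvpn "$ovpn" &
    (sleep 1; /etc/init.d/network reload) &
}

# Constructed samples of `ip route get 8.8.8.8` output: VPN up, VPN down.
SAMPLE_UP='8.8.8.8 via 10.8.8.1 dev tun0 src 10.8.8.114'
SAMPLE_DOWN='8.8.8.8 via 192.168.1.1 dev eth0.2 src 192.168.1.50'

# Only touch the router when invoked as: vpn_watchdog.sh run
if [ "${1:-}" = "run" ]; then watchdog_main; fi
```

Because the check reads the route rather than a traceroute hop, it returns in well under a second when the tunnel route is missing, and the ping only runs when the route already points at a tun device.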
>>>> It can take 2.5mins through cron, which is very odd
I think this is the same problem as the Keepalive 10 60 delay. My theory is that the remote server goes down and takes this time to come back up - with my new ovpn settings, it once took over 5 minutes to reconnect.
Well after eventually getting something that was workable with thanks to you guys my router died last night! So that’s away back to Amazon! Trying to decide what to do next wrt my VPN solution.