chbni 3 Posted ...

Hello all, just registered here and bought a full year VPN-package. Unfortunately I ran into severe problems using AirVPN with my router, an ASUS RT-AC68 U (with the latest firmware: 3.0.0.4.378_4585):

I can (usually) connect without any problem using one of the generated files for a router. I write "usually" because every fourth time or so, I get an error message indicating a routing/IP error. But even if I do not and connection works flawlessly, some time between an hour or two days later, I can no longer connect to the Internet.

Just some minutes ago, the connection dropped and I plugged the following off the router's logfiles:

Jun 10 19:11:02 openvpn[1880]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jun 10 19:11:02 openvpn[1880]: UDPv4 link local: [undef]
Jun 10 19:11:02 openvpn[1880]: UDPv4 link remote: [AF_INET]104.254.90.250:443
Jun 10 19:12:02 openvpn[1880]: [uNDEF] Inactivity timeout (--ping-restart), restarting
Jun 10 19:12:02 openvpn[1880]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 10 19:12:02 openvpn[1880]: Restart pause, 2 second(s)
Jun 10 19:12:04 openvpn[1880]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jun 10 19:12:04 openvpn[1880]: UDPv4 link local: [undef]
Jun 10 19:12:04 openvpn[1880]: UDPv4 link remote: [AF_INET]104.254.90.250:443
Jun 10 19:13:04 openvpn[1880]: [uNDEF] Inactivity timeout (--ping-restart), restarting
Jun 10 19:13:04 openvpn[1880]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 10 19:13:04 openvpn[1880]: Restart pause, 2 second(s)
Jun 10 19:13:06 openvpn[1880]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jun 10 19:13:06 openvpn[1880]: UDPv4 link local: [undef]
Jun 10 19:13:06 openvpn[1880]: UDPv4 link remote: [AF_INET]104.254.90.250:443

This goes on and on forever, until I manually kill the connection and reset it. Then everything works fine ... for a couple of hours or up to two days.

Here is another one, from a connection established yesterday:

Jun 10 17:49:21 openvpn[3670]: TLS: tls_process: killed expiring key
Jun 10 17:49:28 openvpn[3670]: TLS: soft reset sec=0 bytes=48147/0 pkts=701/0
Jun 10 17:49:29 openvpn[3670]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Jun 10 17:49:29 openvpn[3670]: Validating certificate key usage
Jun 10 17:49:29 openvpn[3670]: ++ Certificate has key usage 00a0, expects 00a0
Jun 10 17:49:29 openvpn[3670]: VERIFY KU OK
Jun 10 17:49:29 openvpn[3670]: Validating certificate extended key usage
Jun 10 17:49:29 openvpn[3670]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 10 17:49:29 openvpn[3670]: VERIFY EKU OK
Jun 10 17:49:29 openvpn[3670]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Jun 10 17:49:34 openvpn[3670]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 10 17:49:34 openvpn[3670]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 10 17:49:34 openvpn[3670]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 10 17:49:34 openvpn[3670]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 10 17:49:34 openvpn[3670]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Jun 10 17:59:59 ntp: start NTP update
Jun 10 18:46:13 openvpn[3670]: [server] Inactivity timeout (--ping-restart), restarting
Jun 10 18:46:13 openvpn[3670]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 10 18:46:13 openvpn[3670]: Restart pause, 2 second(s)
Jun 10 18:46:15 openvpn[3670]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jun 10 18:46:15 openvpn[3670]: UDPv4 link local: [undef]
Jun 10 18:46:15 openvpn[3670]: UDPv4 link remote: [AF_INET]104.254.90.194:443
Jun 10 18:47:15 openvpn[3670]: [uNDEF] Inactivity timeout (--ping-restart), restarting
Jun 10 18:47:15 openvpn[3670]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 10 18:47:15 openvpn[3670]: Restart pause, 2 second(s)
Jun 10 18:47:17 openvpn[3670]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jun 10 18:47:17 openvpn[3670]: UDPv4 link local: [undef]
Jun 10 18:47:17 openvpn[3670]: UDPv4 link remote: [AF_INET]104.254.90.194:443

I have no clue what is going on here and appreciate any help. Thank you very much.

go558a83nk 364 Posted ...

looks like your internet connection is dying at those times. do you really mean "I can no longer connect to the internet" or do you mean you can no longer connect to AirVPN? when you're getting the problems with openvpn does internet work fine outside the VPN?

flat4 79 Posted ...

is your asus open-wrt, tomato, or merlin?

pFsense it works

chbni 3 Posted ...

Hello and thank you for your replies.

> looks like your internet connection is dying at those times. do you really mean "I can no longer connect to the internet" or do you mean you can no longer connect to AirVPN? when you're getting the problems with openvpn does internet work fine outside the VPN?

Sorry, silly me. Of course I can still connect, only not via the VPN connection my router shows me as still active. What I meant was that I can no longer connect through the VPN connection. As soon as I manually close the connection to AirVPN, I can access the Internet immediately. I do not get why the connection is not reset or restarted after it has died due to inactivity. Instead it just sits there and blocks all connections.

> is your asus open-wrt, tomato, ore merlin?

It is neither. I am still using the ASUS router "OS". All I did was install the latest ASUS updates shortly after they became available.

go558a83nk 364 Posted ...

I would encourage you to switch to the latest Merlin firmware. However, when you do it you MUST do a factory reset of the router coming from the stock firmware.

http://www.snbforums.com/forums/asuswrt-merlin.42/

latest is 378.54_2

flat4 79 Posted ...

> I would encourage you to switch to the latest Merlin firmware. However, when you do it you MUST do a factory reset of the router coming from the stock firmware. http://www.snbforums.com/forums/asuswrt-merlin.42/ latest is 378.54_2

I agree, I think you would get better results.

chbni 3 Posted ...

May I ask you why Merlin and not open-wrt or tomato? I only had a brief look at open-wrt one and it seemed to have quite advanced features. As you know, I did not install it, so I am absolutely open to any firmware. Just curious on why you would choose Merlin over the other alternatives. Thank you again.

flat4 79 Posted ...

Merlin is Asus open firmware so no issues in bricking your router. You can use DD-WRT if you like, I have it on my N66U but I chose to use a pfSense firewall and so now it's only an AP and it does well. It's really your choice.

dj77 6 Posted ...

I use ddwrt on my ac68u no Problem and stable

go558a83nk 364 Posted ...

Merlin firmware modifies the stock asus firmware. So, benefit to that is that you're getting a firmware that's made specifically for your hardware. I'm not sure but I think the NAT acceleration capability is only available with asus or merlin asus firmware. You'll also get other asus firmware things like the trendmicro protections.

The late versions of merlin firmware have policy routing mode for the openvpn client so you can control which LAN clients go through the VPN tunnel.

chbni 3 Posted ...

Hello all,

Installed Merlin after doing a factory reset and till now it runs smoothly. Obviously I now have a lot more options to tweak the VPN connection. I like that. It's like the candy store of router options... Anything special I should turn on to increase security?

I also tried to use policy routing for VPN but that did not work. I wanted to route everything through VPN except a couple of connections to some websites. So I first added

192.168.0.0/24 0.0.0.0/0 VPN

to redirect everything through VPN but after that airvpn shows me as not connected and my WAN IP, as well as whatismyipaddress.com/

Tried it the other way round and only added 192.168.0.0/24 or my computer's LAN IP and the IP of airvpn but for the same effect: Not connected. Weird.

go558a83nk 364 Posted ...

> Hello all, Installed Merlin after doing a factory reset and till now it runs smoothly. Obviously I now have a lot more options to tweak the VPN connection. I like that. It's like the candy store of router options... Anything special I should turn on to increase security? I also tried to use policy routing for VPN but that did not work. I wanted to route everything through VPN except a couple of connections to some websites. So I first added 192.168.0.0/24 0.0.0.0/0 VPN to redirect everything through VPN but after that airvpn shows me as not connected and my WAN IP, as well as whatismyipaddress.com/ Tried it the other way round and only added 192.168.0.0/24 or my computer's LAN IP and the IP of airvpn but for the same effect: Not connected. Weird.

sorry for the late reply. my internet was out yesterday after a storm.

1) you say you installed merlin after a factory reset. The factory reset needs to happen *after* you do the firmware upgrade.

2) if you added your computer's LAN IP for all destinations through VPN then I would say your VPN isn't connecting. please check out the system log.

first things first - do a factory reset *after* firmware upgrade.

chbni 3 Posted ...

Hello, no need to apologize, the moderator approved my post just yesterday, so you could not have answered earlier anyway. ;-)

I did a factory reset before and another one after flashing the router, to be on the safe side. So everything should be fine. VPN is connecting according to the log files. If I change VPN from policy routing to "redirect all" whatsmyipaddress shows the VPN address, so it is not an issue with the VPN. There must be something wrong with the routing policy. But I cannot figure out what that might be. My local network is 192.168.25.xx so that's fine. And you cannot argue with 0.0.0.0, I'd say. It seems as if there is no "catchall" redirecting everything through the VPN. But that certainly cannot be true, can it?

BUT... Just minutes ago the error from my first post had returned. I booted my PC, could browse the Internet for some minutes and then all of a sudden I get timeouts from all websites I visited. Pings are not returning as well. Approximately ten minutes later, connection is back. Logfiles confirm what I had already expected. For approximately ten minutes I get the familiar block of

Jun 16 18:48:34 openvpn[14583]: [uNDEF] Inactivity timeout (--ping-restart), restarting
Jun 16 18:48:34 openvpn[14583]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 16 18:48:34 openvpn[14583]: Restart pause, 2 second(s)
Jun 16 18:48:36 openvpn[14583]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 18:48:36 openvpn[14583]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jun 16 18:48:36 openvpn[14583]: UDPv4 link local: [undef]
Jun 16 18:48:36 openvpn[14583]: UDPv4 link remote: [AF_INET]199.21.149.44:443
Jun 16 18:49:36 openvpn[14583]: [uNDEF] Inactivity timeout (--ping-restart), restarting
Jun 16 18:49:36 openvpn[14583]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 16 18:49:36 openvpn[14583]: Restart pause, 2 second(s)

...until finally...

Jun 16 18:51:42 openvpn[14583]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 18:51:42 openvpn[14583]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jun 16 18:51:42 openvpn[14583]: UDPv4 link local: [undef]
Jun 16 18:51:42 openvpn[14583]: UDPv4 link remote: [AF_INET]199.19.94.61:443
Jun 16 18:51:50 openvpn[14583]: TLS: Initial packet from [AF_INET]199.19.94.61:443, sid=090dbda7 e45958e7
Jun 16 18:51:50 openvpn[14583]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Jun 16 18:51:50 openvpn[14583]: Validating certificate key usage
Jun 16 18:51:50 openvpn[14583]: ++ Certificate has key usage 00a0, expects 00a0
Jun 16 18:51:50 openvpn[14583]: VERIFY KU OK
Jun 16 18:51:50 openvpn[14583]: Validating certificate extended key usage
Jun 16 18:51:50 openvpn[14583]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 16 18:51:50 openvpn[14583]: VERIFY EKU OK

... and so on: VPN reconnects. Why is it taking so long for an inactive VPN connection to reset and reconnect? Any ideas?

Thank you, as always.

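Added example, not part of any post in this thread: a small Python parser that groups the `--ping-restart` cycles shown in the logs above into outages and reports how long the tunnel was down, how many restart cycles got no reply from the server, and which remotes were tried. The sample log is constructed on the thread's format with documentation IP addresses, and the year is an assumption because syslog lines omit it.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) openvpn\[(\d+)\]: (.*)$")
REMOTE = re.compile(r"link remote: \[AF_INET\]([\d.]+):\d+")
RESTART = "Inactivity timeout (--ping-restart)"

# Constructed sample modelled on the thread's log; addresses are documentation IPs.
SAMPLE_LOG = """\
Jun 16 18:46:30 openvpn[14583]: [server] Inactivity timeout (--ping-restart), restarting
Jun 16 18:46:32 openvpn[14583]: UDPv4 link remote: [AF_INET]203.0.113.10:443
Jun 16 18:47:32 openvpn[14583]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jun 16 18:47:34 openvpn[14583]: UDPv4 link remote: [AF_INET]203.0.113.10:443
Jun 16 18:48:34 openvpn[14583]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jun 16 18:48:36 openvpn[14583]: UDPv4 link remote: [AF_INET]203.0.113.20:443
Jun 16 18:48:44 openvpn[14583]: TLS: Initial packet from [AF_INET]203.0.113.20:443, sid=00000000 00000000
"""

def parse(log):
    """Yield (timestamp, pid, message) for each openvpn syslog line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # Syslog omits the year; 2000 is an arbitrary assumption for the arithmetic.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def outages(log):
    """Group consecutive ping-restart cycles into outages and summarise each."""
    found, cur = [], None
    for ts, pid, msg in parse(log):
        if RESTART in msg:
            if cur is None:
                cur = {"pid": pid, "start": ts, "end": ts, "restarts": 0,
                       "no_reply": 0, "remotes": [], "recovered": False}
                found.append(cur)
            cur["restarts"] += 1
            # An UNDEF peer name means the previous attempt never got a TLS reply.
            cur["no_reply"] += int("[undef]" in msg.lower())
            cur["end"] = ts
        elif cur is not None:
            m = REMOTE.search(msg)
            if m and m.group(1) not in cur["remotes"]:
                cur["remotes"].append(m.group(1))
            elif msg.startswith("TLS: Initial packet from"):
                cur["end"], cur["recovered"] = ts, True
                cur = None
    for o in found:
        o["seconds"] = int((o["end"] - o["start"]).total_seconds())
    return found

if __name__ == "__main__":
    for o in outages(SAMPLE_LOG):
        print(o["pid"], o["seconds"], "s", o["restarts"], "restarts", o["remotes"])
```

An outage whose `recovered` flag stays false is the case from the first post, where the client keeps retrying until it is restarted by hand.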
go558a83nk 364 Posted ...

for the stability of the connection perhaps try other ports/protocols.

regarding the policy routing, I see the problem. if your subnet is 192.168.25.xx, then to catch all LAN clients you need to use 192.168.25.0/24 as a policy routing rule.

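Added example, not part of any post in this thread and not the firmware's own code: a Python check of which LAN clients a policy routing rule set actually sends through the tunnel, using the `source destination interface` rule form quoted above. It is a simplified model with two assumptions: traffic that matches no rule leaves via WAN, and an explicit WAN rule wins over a VPN rule. The client and exception addresses are constructed.

```python
import ipaddress

# The rule from the thread (wrong subnet) and a corrected set with one WAN exception.
BROKEN = "192.168.0.0/24 0.0.0.0/0 VPN"
FIXED = """192.168.25.0/24 0.0.0.0/0 VPN
192.168.25.0/24 203.0.113.80 WAN"""
CLIENTS = ["192.168.25.10", "192.168.25.42"]  # constructed LAN clients

def parse_rules(text):
    """Parse 'source destination iface' lines; a bare IP becomes a /32."""
    rules = []
    for line in text.strip().splitlines():
        src, dst, iface = line.split()
        rules.append((ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False),
                      iface.upper()))
    return rules

def egress(rules, client, dest):
    """Return 'VPN' or 'WAN' for one flow under the simplified model."""
    c, d = ipaddress.ip_address(client), ipaddress.ip_address(dest)
    hits = {iface for src, dst, iface in rules if c in src and d in dst}
    if "WAN" in hits:  # assumption: explicit WAN exceptions take priority
        return "WAN"
    # Assumption: traffic matching no rule leaves through the WAN interface.
    return "VPN" if "VPN" in hits else "WAN"

def uncovered(rules, clients, probe="198.51.100.7"):
    """Clients whose traffic to an arbitrary destination bypasses the tunnel."""
    return [c for c in clients if egress(rules, c, probe) != "VPN"]

if __name__ == "__main__":
    print("broken rule leaves outside the VPN:", uncovered(parse_rules(BROKEN), CLIENTS))
    print("fixed rules leave outside the VPN:", uncovered(parse_rules(FIXED), CLIENTS))
```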
chbni 3 Posted ...

VPN routing is working now. I did not change anything, so maybe I was too impatient last time. As for the connection, no problems occurred since Tuesday. I chose the recommended protocol and port, so I guess it should work best with the current selection. If it pops up again, I might try another configuration though.

Thank you very much for your help, could not have done it without your precious suggestions.