Jump to content
Not connected, Your IP: 35.175.191.72

Recommended Posts

Hi there,

 
I often find that my iPhone has disconnected from AirVPN during the day. Looking at the dashboard, it appears that it's failing reauthentication because of the 3 connection limit. However this occurs even when my phone is the only of my devices connected to AirVPN.
 
This typically happens when handing over from a mobile data connection to wifi, but also happens periodically when just using mobile data -- I guess when I temporarily lose connectivity or fall back to 3G.
 
I've seen that other people have reported the same problem. AirVPN support suggested that I use TCP, rather than UDP, to aid detection of disconnections -- but I'm doing this already, to no avail.
 
In my OpenVPN client I have the following settings:
  • Seamless tunnel: on.
  • Connect via: any network.
  • Reconnect on wakeup: on.
  • Protocol: adaptive.
  • Compression: full.
  • Connection timeout: none.
  • Network state detection: active.
  • Force AES-CBC ciphersuites: on.
  • Google DNS failback: on.
  • Layer 2 reachability: on.
 
By design, the OpenVPN client doesn't attempt a reconnection after it's informed of an auth failure, which is what the AirVPN network sends if you exceed the maximum number of connections. I've suggested that it might be useful for AirVPN to have a 1-2min grace period on the max connection cut-off, which should fix this problem. Has anyone found a work-round in the meantime?
 
Many thanks,
Stuart.

Share this post


Link to post

You should try TCP mode. With TCP the server can know faster that the connection has been terminated.

In UDP it has to rely on the explicit-exit-notify directive which is not always reliable, since the iOS can put

the OpenVPN client to sleep before it was able to send the termination message.

 

If you handover WiFi to 3G and back very soon, you will end up with multiple sessions opened.

 

Another grace period is technically impossible. This will mean that the 3 connection limit will be impossible

to enforce, since during your suggested 1-2min timeframe you suggest that more than 3 sessions should be

allowed to connect. Then there is a little problem, the server should be forced to disconnect clients, and this

will be quite impossible for it to determine which sessions to disconnect. The 3 sessions limit is therefore

the only possible way to avoid such situation.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Also disable "force AES-CBC ciphersuites", disabling this option will 'enable AES-256-GCM with HMAC-SHA384'. When the option "force AES-CBC cipher suites" is enabled the Vpn client will use AES-256-CBC with HMAC-SHA1.

Share this post


Link to post

Many thanks for all the helpful suggestions -- and sorry for the delay in replying. I'm already using TCP mode, as I mentioned. However @zhang888: I'm slightly confused as to why the grace period wouldn't be possible -- let me explain...

 

At the moment, my device is presumably making several connections in a row, as it tries to cope with the handover from wifi to GSM. As its IP address changes unexpectedly, it has to establish a new connection each time, without being able to disconnect the old VPN connection. 

 

The problem is that the handover from GSM to wifi typically seems to create more than 3 connection attempts, so I get a fatal 'auth failed' error and my phone drops back into non-VPN mode without me knowing. Despite this, when I log into my account as soon as I notice this, I see see no current connections -- so I guess after a short delay the stale connections drop out due to inactivity (which can be more reliably identified with TCP, as you say).

 

My suggestion was to allow >3 simultaneous connections from an account for a grace period of, say, a minute (or however long it takes for stale connections to be dropped). After that time, the stale connections would hopefully drop out (no longer responding at that location), and only the latest connection would survive. If more than 3 connections were ongoing at that point, then all but the latest three could be dropped.

 

I apologise if I'm missing something obvious! I can't be the only person experiencing this though, and it's a pain (or, for some people, a risk) to find that a phone falls back to non-VPN without the user knowing. This happens several times a day for me -- it would be great to find a way to solve this!

 

Stuart.

Share this post


Link to post

Many thanks for all the helpful suggestions -- and sorry for the delay in replying. I'm already using TCP mode, as I mentioned. However @zhang888: I'm slightly confused as to why the grace period wouldn't be possible -- let me explain...

 

At the moment, my device is presumably making several connections in a row, as it tries to cope with the handover from wifi to GSM. As its IP address changes unexpectedly, it has to establish a new connection each time, without being able to disconnect the old VPN connection. 

 

The problem is that the handover from GSM to wifi typically seems to create more than 3 connection attempts, so I get a fatal 'auth failed' error and my phone drops back into non-VPN mode without me knowing. Despite this, when I log into my account as soon as I notice this, I see see no current connections -- so I guess after a short delay the stale connections drop out due to inactivity (which can be more reliably identified with TCP, as you say).

 

My suggestion was to allow >3 simultaneous connections from an account for a grace period of, say, a minute (or however long it takes for stale connections to be dropped). After that time, the stale connections would hopefully drop out (no longer responding at that location), and only the latest connection would survive. If more than 3 connections were ongoing at that point, then all but the latest three could be dropped.

 

I apologise if I'm missing something obvious! I can't be the only person experiencing this though, and it's a pain (or, for some people, a risk) to find that a phone falls back to non-VPN without the user knowing. This happens several times a day for me -- it would be great to find a way to solve this!

 

Stuart.

i wonder if it would help if you set up your device so that the vpn is connected when your device starts up. here is a link explaining the steps http://simonguest.com/2013/03/22/on-demand-vpn-using-openvpn-for-ios/

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...