
openvpn session expiration - looking for a reconnect script to keep me (almost) always connected

Discussion in 'Tomato Firmware' started by Dr.Romantic, Apr 3, 2013.

  1. Dr.Romantic

    Dr.Romantic Serious Server Member

    Hello
    I'm not a Linux expert, but I can try and manage.

    I have an Asus RT-N16 with Shibby Tomato AIO 108, which I'm using to connect to a commercial VPN service.
    I had always connected by PPTP but lately moved to OpenVPN.

    I've noticed after setting it up and connecting that my session auto-terminates exactly 24 hours after my first connection, with the OpenVPN log saying something like "session expired, please reauthorize"; then I lose the connection, my router reverts to my ISP IP and ends the connection without retrying to reauthorize.
    This leaves me not knowing when I'm connected to which, and after about 20 hours I now tend to start checking the remote IP to see which one I'm connected to.

    For the session expiration part, I looked around and found that this is related to my account being user-locked, and I was advised to use an auto-login profile.

    If I can't get my profile switched to an auto-login one, what are my options?

    Is there a way to set the OpenVPN client to reconnect after going down?
    Something like a script related to "updown.sh for tun" (I'm not quite confident that what I'm saying is technically right), so that when tun is down it will redial again.

    I don't know if this is a fault in the OpenVPN configuration, but I think it is logical to have such a setting in the VPN client configuration (i.e. auto-reconnect after disconnection), like the convenience of having the "connect on WAN" option.

    Thanks for your help

     
  2. bmupton

    bmupton Serious Server Member

    Try adding something like:
    Code:
    keepalive 10 60
    to the 'Custom Configuration' box on the advanced tab for the VPN client.
     
  3. Dr.Romantic

    Dr.Romantic Serious Server Member

    Thanks for your reply.

    I had that already:

    Code:
    setenv FORWARD_COMPATIBLE 1
    ns-cert-type server
    reneg-sec 604800
    sndbuf 100000
    rcvbuf 100000
    comp-lzo no
    keepalive 10 120
    float
    verb 3
    setenv PUSH_PEER_INFO

    so I thought it was something else.

    But even so, it seems a long wait time to me.

    I used to have the PPTP settings in my "WAN section"; it would instantly look for my network's DHCP server for an IP, and once it had one it would dial the PPTP server, and if disconnected it would go into a loop (many times, if it couldn't get through to the server) until it got an IP from the PPTP server.

    This behaviour is not happening in the VPN tunneling section (in both the PPTP and OpenVPN client settings).
    Once disconnected, I would need to log in to the router and click "Start" to start the server again.
     
  4. rhester72

    rhester72 Network Guru Member

    This is clearly a problem on the other end (where they are deliberately slamming the connection down). In the meantime, why not just set up the scheduler to restart the OpenVPN service once every 24 hours?
     
  5. bmupton

    bmupton Serious Server Member

    There is also the "reconnection" option on the advanced tab of the VPN client as well...I thought that it would keep automatically trying to reconnect forever if that's set to -1.

    My VPN has been connected for 6 days (at the moment) and prior to this connection I made it almost two weeks before a configuration change required a restart of the router... This is using Shibby Big-VPN build 107, so it should work as well for you. I think rhester72 is correct, and your provider is closing the connection.
     
  6. Dr.Romantic

    Dr.Romantic Serious Server Member

    Concerning the 24-hour disconnection for server-locked and user-locked profiles:

    I've asked OpenVPN support directly, and they said that this is hard-configured in the OpenVPN service by default and that this is how it is normally supposed to work, contrary to the auto-login profile.
    So, to be honest about the service provider, they are only running the default configuration that came from OpenVPN.

    rhester72: thanks for your help. Could you please tell me how to do that, meaning to set a script in the scheduled scripts section of Tomato to run a connect script at (first OpenVPN connection time) + 24 hours?

    bmupton: thanks :) The reconnection option was already set to -1. What I get out of this is that this setting only works for the initial connection (i.e. the first time the OpenVPN client is started), but once connected the first time it is then no longer applied. This is what I understand from the behaviour I'm getting, unless this setting is not working as it should in Shibby's FW.
     
  7. rhester72

    rhester72 Network Guru Member

    Administration/Scheduler/Custom X (pick one): set Enabled, set the time to whatever you like (obviously early morning, when you don't mind the connection being disrupted), check Everyday, and set the command to "/sbin/service vpnclient1 restart". (If you have more than one client defined and you happen to be using client 2 for this, change "vpnclient1" to "vpnclient2".)

    Rodney
     
  8. roadkill

    roadkill Super Moderator Staff Member Member

    From my experience there is actually no need for a script; a simple keepalive 10 120 will reinitialize the VPN session if it has expired.
    I have this configured like this in many places without issues, but you could restart the vpnclient every 4 hours or so via the scheduler if you want to be sure.
     
  9. Dr.Romantic

    Dr.Romantic Serious Server Member

    Thanks rhester72.
    The command works well. I guess this is the best solution. I've put only "service vpnclient2 restart" and it worked.

    roadkill: I think this is true with servers that use the open-source OpenVPN and not the commercial version. In the open-source community they told me they know nothing of the term "auto-login profile", and it is probably implemented in the "OpenVPN Connect" service.

    I didn't know there was such a division.
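A reconnect script to go with the scheduler command from posts 7 and 9. This is an added example, not code from the thread or from Tomato. It assumes (none of this is stated on the page) that the client in use is vpnclient2 on tun11 (post 9 restarts client 2; the posted log opens tun11), that the server keeps pushing "redirect-gateway def1" so a healthy tunnel has both 0.0.0.0/1 and 128.0.0.0/1 routed via tun11 (the two route lines at the end of the posted log), and that the script is saved at a made-up path /jffs/vpnwatch.sh and scheduled every few minutes with the command "/jffs/vpnwatch.sh run". Unlike a blind daily restart, it only restarts the client when the tunnel has actually gone away.

```shell
#!/bin/sh
# OpenVPN client watchdog for Tomato's Administration/Scheduler.
# Added example, not code from the thread or from Tomato. Assumed, not stated
# on the page:
#   - the client is "vpnclient2" and its interface is tun11
#   - the server pushes "redirect-gateway def1", so a healthy tunnel has both
#     0.0.0.0/1 and 128.0.0.0/1 routed via tun11
#   - the script is saved as /jffs/vpnwatch.sh (a made-up path) and the
#     scheduler command is "/jffs/vpnwatch.sh run"

VPN_IF="${VPN_IF:-tun11}"
VPN_CLIENT="${VPN_CLIENT:-vpnclient2}"

# tun_present IFACE DEVTEXT
# Succeeds when IFACE has a row in DEVTEXT, the content of /proc/net/dev.
tun_present() {
    printf '%s\n' "$2" | grep -q "^ *$1:"
}

# redirect_routes_ok IFACE ROUTETEXT
# Succeeds when both halves of the def1 default route leave via IFACE.
# ROUTETEXT is `route -n` output: Destination Gateway Genmask ... Iface.
redirect_routes_ok() {
    _n=$(printf '%s\n' "$2" | awk -v i="$1" '
        ($1 == "0.0.0.0" || $1 == "128.0.0.0") && $3 == "128.0.0.0" && $NF == i { c++ }
        END { print c + 0 }')
    [ "$_n" -eq 2 ]
}

# vpn_state IFACE DEVTEXT ROUTETEXT -> prints "up" or "down".
# The device name alone proves little: a tun11 whose default routes are gone
# is as good as down, so both the device and the routes are required.
vpn_state() {
    if tun_present "$1" "$2" && redirect_routes_ok "$1" "$3"; then
        echo up
    else
        echo down
    fi
}

# watchdog: read the live system state and restart the client only if needed.
watchdog() {
    _dev=$(cat /proc/net/dev 2>/dev/null || true)
    _routes=$(/sbin/route -n 2>/dev/null || true)
    if [ "$(vpn_state "$VPN_IF" "$_dev" "$_routes")" = "down" ]; then
        logger -t vpnwatch "$VPN_IF is down, restarting $VPN_CLIENT"
        /sbin/service "$VPN_CLIENT" restart
    fi
}

# Constructed samples of /proc/net/dev and `route -n` for a healthy tunnel
# (addresses taken from the posted log), used for an offline self-check.
SAMPLE_DEV_UP='Inter-|   Receive
 face |bytes    packets
    lo:       0       0
  eth0:   12345      67
 tun11:    8910      11'
SAMPLE_ROUTES_UP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun11
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 vlan2'

case "${1:-}" in
    run) watchdog ;;                                   # scheduler entry point
    *)   echo "self-check: $(vpn_state tun11 "$SAMPLE_DEV_UP" "$SAMPLE_ROUTES_UP")" ;;
esac
```

Without the "run" argument the script only evaluates the constructed samples, so it can be tried on a desktop shell before it is put on the router. A restart still costs a full reauthorization, so a short scheduler interval (every 5 minutes, say) is cheap when the tunnel is healthy and bounds the downtime when it is not.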
     
  10. Dr.Romantic

    Dr.Romantic Serious Server Member

    I get these messages in the log:

    Code:
    Apr 7 10:00:07 asus user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Apr 7 10:00:07 asus user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Apr 7 10:00:07 asus daemon.notice openvpn[1690]: OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 4 2013
    Apr 7 10:00:07 asus daemon.warn openvpn[1690]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 7 10:00:07 asus daemon.notice openvpn[1690]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Apr 7 10:00:07 asus daemon.notice openvpn[1690]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 7 10:00:07 asus daemon.notice openvpn[1690]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 7 10:00:07 asus daemon.notice openvpn[1690]: LZO compression initialized
    Apr 7 10:00:07 asus daemon.notice openvpn[1690]: Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Apr 7 10:00:07 asus daemon.notice openvpn[1690]: Socket Buffers: R=[87380->200000] S=[16384->200000]
    Apr 7 10:00:08 asus daemon.info dnsmasq[1196]: exiting on receipt of SIGTERM
    Apr 7 10:00:08 asus user.debug init[1]: 182: pptp peerdns disabled
    Apr 7 10:00:08 asus daemon.info dnsmasq[1699]: started, version UNKNOWN cachesize 1500
    Apr 7 10:00:08 asus daemon.info dnsmasq[1699]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack Tomato-helper auth
    Apr 7 10:00:08 asus daemon.info dnsmasq[1699]: asynchronous logging enabled, queue limit is 5 messages
    Apr 7 10:00:08 asus daemon.info dnsmasq-dhcp[1699]: DHCP, IP range 192.168.1.200 -- 192.168.1.250, lease time 1d
    Apr 7 10:00:08 asus daemon.info dnsmasq[1699]: reading /etc/resolv.dnsmasq
    Apr 7 10:00:08 asus daemon.info dnsmasq[1699]: using nameserver 192.168.2.1#53
    Apr 7 10:00:08 asus daemon.info dnsmasq[1699]: read /etc/hosts - 2 addresses
    Apr 7 10:00:08 asus daemon.info dnsmasq[1699]: read /etc/dnsmasq/hosts/hosts - 4 addresses
    Apr 7 10:00:08 asus daemon.info dnsmasq-dhcp[1699]: read /etc/dnsmasq/dhcp/dhcp-hosts
    Apr 7 10:00:18 asus daemon.notice openvpn[1690]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Apr 7 10:00:18 asus daemon.notice openvpn[1703]: Attempting to establish TCP connection with [AF_INET]95.154.211.36:443 [nonblock]
    Apr 7 10:00:19 asus daemon.notice openvpn[1703]: TCP connection established with [AF_INET]X5.XX4.XX1.XXX:443
    Apr 7 10:00:19 asus daemon.notice openvpn[1703]: TCPv4_CLIENT link local: [undef]
    Apr 7 10:00:19 asus daemon.notice openvpn[1703]: TCPv4_CLIENT link remote: [AF_INET]X5.XX4.XX1.XXX:443
    Apr 7 10:00:19 asus daemon.notice openvpn[1703]: TLS: Initial packet from [AF_INET]X5.XX4.XX1.XXX:443, sid=94e8f1c3 252e004d
    Apr 7 10:00:19 asus daemon.warn openvpn[1703]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Apr 7 10:00:19 asus daemon.notice openvpn[1703]: VERIFY OK: depth=1, CN=OpenVPN CA
    Apr 7 10:00:19 asus daemon.notice openvpn[1703]: VERIFY OK: nsCertType=SERVER
    Apr 7 10:00:19 asus daemon.notice openvpn[1703]: VERIFY OK: depth=0, CN=OpenVPN Server
    Apr 7 10:00:20 asus daemon.notice openvpn[1703]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 7 10:00:20 asus daemon.notice openvpn[1703]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 7 10:00:20 asus daemon.notice openvpn[1703]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 7 10:00:20 asus daemon.notice openvpn[1703]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 7 10:00:20 asus daemon.notice openvpn[1703]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Apr 7 10:00:20 asus daemon.notice openvpn[1703]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]X5.XX4.XX1.XXX:443
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 5,ping-restart 40,socket-flags TCP_NODELAY,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 10.8.0.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,register-dns,auth-token SESS_ID,comp-lzo yes,ifconfig 10.8.0.192 255.255.255.0'
    Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: explicit-exit-notify (2.3.0)
    Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.0)
    Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.0)
    Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.0)
    Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.3.0)
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: LZO parms modified
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: --socket-flags option modified
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: route options modified
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: route-related options modified
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: TUN/TAP device tun11 opened
    Apr 7 10:00:22 asus daemon.notice openvpn[1703]: TUN/TAP TX queue length set to 100
    Apr 7 10:00:22 asus daemon.info dnsmasq[1699]: exiting on receipt of SIGTERM
    Apr 7 10:00:22 asus user.debug init[1]: 182: pptp peerdns disabled
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: started, version UNKNOWN cachesize 1500
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack Tomato-helper auth
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: asynchronous logging enabled, queue limit is 5 messages
    Apr 7 10:00:23 asus daemon.info dnsmasq-dhcp[1742]: DHCP, IP range 192.168.1.200 -- 192.168.1.250, lease time 1d
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: reading /etc/resolv.dnsmasq
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: using nameserver 208.67.220.220#53
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: using nameserver 208.67.222.222#53
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: read /etc/hosts - 2 addresses
    Apr 7 10:00:23 asus daemon.info dnsmasq[1742]: read /etc/dnsmasq/hosts/hosts - 4 addresses
    Apr 7 10:00:23 asus daemon.info dnsmasq-dhcp[1742]: read /etc/dnsmasq/dhcp/dhcp-hosts
    Apr 7 10:00:28 asus daemon.notice openvpn[1703]: /sbin/route add -net X5.XX4.XX1.XXX netmask 255.255.255.255 gw 192.168.2.1
    Apr 7 10:00:28 asus daemon.notice openvpn[1703]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
    Apr 7 10:00:28 asus daemon.notice openvpn[1703]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
    Apr 7 10:00:28 asus daemon.notice openvpn[1703]: Initialization Sequence Completed


    I can see that the lease time is forced to one day, but are the "Unrecognized option or missing parameter(s)" warnings the cause of the drop and disconnect after one day, since the Tomato OpenVPN client didn't recognize what the parameters are and how to release/renew with the server's DHCP?
     
  11. Dr.Romantic

    Dr.Romantic Serious Server Member

    And is the 1-day lease time set by my router or by the remote server? I was told by the service provider that they have increased the session time from one day, but when I tested it again yesterday I got disconnected (session expired) again after 1 day.


    Thanks
     
  12. koitsu

    koitsu Network Guru Member

    This line:

    Code:
    Apr 7 10:00:08 asus daemon.info dnsmasq-dhcp[1699]: DHCP, IP range 192.168.1.200 -- 192.168.1.250, lease time 1d
    
    Refers to dnsmasq's DHCP server capability; in English, it means you've configured dnsmasq to act as the DHCP server for your LAN, and it will offer IP addresses within the range 192.168.1.200 to 192.168.1.250, with a DHCP lease time of 1 day.

    This is not the same thing as dnsmasq's DHCP client capability, which is what's used when getting an IP address from your ISP -- and that's assuming under Basic -> Network you're using the WAN/Internet connection type of DHCP (vs. PPPoE, etc.).

    Furthermore, that has nothing to do with OpenVPN.

    These lines you put in red from OpenVPN are in clear English: your OpenVPN server (on the remote end) is passing parameters/config options which your OpenVPN client does not understand/cannot parse/will not honour. Fix/adjust your OpenVPN server. I will repeat myself: the OpenVPN server is pushing options/settings to your OpenVPN client which the client does not honour. Example.

    Try using Google to search for "OpenVPN drop connection" and take a look at how many reports there are. I imagine a very large number of these issues are caused by people's ISPs or connections to their ISPs having issues, or the complete unreliability of the Internet (I am not exaggerating).

    I strongly recommend you start talking to the OpenVPN folks on the OpenVPN forum about the problem you're having. Your issue is with OpenVPN at this point, not Tomato/TomatoUSB. They're responsible for the software.
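The log from post 10 and koitsu's reading of it, worked through with an added shell script that is not from the thread or from OpenVPN. The sample lines are copied from the posted log. The script lists the pushed options the 2.3.0 client rejected and the ping/ping-restart timers the server pushed, and reports which timers are actually in force given the local "keepalive 10 120" from post 3. The one assumption it relies on is OpenVPN's documented behaviour that a client-side "keepalive n m" expands to "ping n" and "ping-restart m", and that a value pushed by the server replaces the local one (which is what the "OPTIONS IMPORT: timers and/or timeouts modified" line records).

```shell
#!/bin/sh
# Triage of the OpenVPN client log posted above. Added example, not from the
# thread. Sample lines are copied from the posted log; the only assumption is
# OpenVPN's documented rule that a client-side "keepalive n m" expands to
# "ping n" / "ping-restart m" and that values pushed by the server replace them.

SAMPLE_LOG=$(cat <<'EOF'
Apr 7 10:00:22 asus daemon.notice openvpn[1703]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 5,ping-restart 40,socket-flags TCP_NODELAY,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 10.8.0.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,register-dns,auth-token SESS_ID,comp-lzo yes,ifconfig 10.8.0.192 255.255.255.0'
Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: explicit-exit-notify (2.3.0)
Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.0)
Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.0)
Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.0)
Apr 7 10:00:22 asus daemon.warn openvpn[1703]: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.3.0)
Apr 7 10:00:22 asus daemon.notice openvpn[1703]: OPTIONS IMPORT: timers and/or timeouts modified
EOF
)

# pushed_options LOG -> one pushed option per line, "PUSH_REPLY," removed
pushed_options() {
    printf '%s\n' "$1" | sed -n "s/.*'PUSH_REPLY,\([^']*\)'.*/\1/p" | tr ',' '\n'
}

# pushed_value LOG NAME -> the argument(s) of the first pushed option NAME
pushed_value() {
    pushed_options "$1" | awk -v n="$2" '$1 == n { $1 = ""; sub(/^ /, ""); print; exit }'
}

# rejected_options LOG -> option names from the "Unrecognized option" warnings
rejected_options() {
    printf '%s\n' "$1" | sed -n 's/.*\[PUSH-OPTIONS\]:[0-9]*: \([^ ]*\) .*/\1/p'
}

# effective_timers LOG LOCAL_PING LOCAL_RESTART -> "ping=N restart=M"
# LOCAL_* are the two numbers of the client's own "keepalive" line; a pushed
# "ping"/"ping-restart" wins when the log shows the timers were imported.
effective_timers() {
    _ping="$2"; _restart="$3"
    if printf '%s\n' "$1" | grep -q 'OPTIONS IMPORT: timers and/or timeouts modified'; then
        _p=$(pushed_value "$1" ping)
        _r=$(pushed_value "$1" ping-restart)
        if [ -n "$_p" ]; then _ping="$_p"; fi
        if [ -n "$_r" ]; then _restart="$_r"; fi
    fi
    echo "ping=$_ping restart=$_restart"
}

# Report for the posted log against the local "keepalive 10 120" from post 3.
echo "pushed options rejected by the 2.3.0 client:"
rejected_options "$SAMPLE_LOG" | sed 's/^/  /'
echo "timers in force: $(effective_timers "$SAMPLE_LOG" 10 120)"
```

Two things fall out of the report. The rejected options are dhcp-pre-release, dhcp-renew, dhcp-release and register-dns, all of which are Windows-only client options in OpenVPN, plus explicit-exit-notify, which a 2.3.0 client does not accept from a push; the log goes on to "Initialization Sequence Completed", so none of them stops the tunnel. And the timers the client actually runs with are ping 5 / ping-restart 40 from the server, not the keepalive 10 120 in the custom configuration box, so changing that box will not change the reconnect behaviour while the server keeps pushing its own values.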
     
