Anyone having recent OpenVPN problems?

bigredfish

For some reason I can’t connect to any of my OpenVPN servers over the past week or so.

I use the OpenVPN client on Win11 and have used it for years. Have servers set up on 6 different remote routers to access NVRs on those networks. No change on the remote networks and it’s ALL of them.

Problem is local to me. As if some software (Windows or Bitdefender?) may have updated and messed something up.

Router and firewall logs here show initial outbound connect (not blocked) as does the OpenVPN client, but it won’t truly connect as if no response from remote server.

I think my client isn’t sending the full command or responding to the handshake.

Only message in client log is “server poll timeout”

Just thought it worth asking if anyone else has seen this recently?
 
I just tried mine and could connect to every system I help with.

Only thing I can think of is a windows update changed your network from public to private (or vice versa). I forget which way it does but Windows updates tend to change that with no warning.
 
That’s my thought, I turned off everything I can think of in Bitdefender and my firewall shows a good initial outbound connect but obviously the handshake is dying as if my laptop isn’t getting the handshake response.

I don’t have those on my phone, remote routers/NVRs I maintain/help on but don’t usually use phone to do it.

I could go next door and try their network to verify but I think it’s on my machine
 
Well I did have that issue last week and I couldn't connect - the elderly neighbor accidentally unplugged the router, but for you to have all 6 do that is statistically impossible lol
 
I just have it as backup, WireGuard is my primary way in now. It (OpenVPN) should probably be set up on my laptop too though

Yeah I use WireGuard for accessing my home network and it works great. Faster than OpenVPN, but the routers I'm connecting to remote are older Asus with just OpenVPN as an option
 
Try to connect from other device on your home network, to know if this is a network issue or device specific issue.
You can do that by using your smartphone as a client or doing live boot for Linux on your PC (but installing app on your smartphone is much faster).
I also moved to WireGuard a while ago (a few years) and don't use Windows.
 
Check the PRIVATE vs PUBLIC settings on your network card. I seem to recall mine changed on its own after an update or modem swapout or something along those lines.
 
Direct IP.

So I drove down there today to 3 of the routers. All were effectively locked up, reboot and confirmed all good.

Poring through the logs now, have to get by the other two this coming week

Aug 7 19:29:01 kernel: lowmem_reserve[]: 0 0 0
Aug 7 19:29:01 kernel: Normal: 85*4kB (UEMR) 19*8kB (EMR) 2*16kB (M) 1*32kB (R) 1*64kB (R) 1*128kB (R) 1*256kB (R) 1*512kB (R) 1*1024kB (R) 1*2048kB (R) 0*4096kB = 4588kB
Aug 7 19:29:01 kernel: 568 total pagecache pages
Aug 7 19:29:01 kernel: 32768 pages of RAM
Aug 7 19:29:01 kernel: 1366 free pages
Aug 7 19:29:01 kernel: 2356 reserved pages
Aug 7 19:29:01 kernel: 2699 slab pages
Aug 7 19:29:01 kernel: 732 pages shared
Aug 7 19:29:01 kernel: 0 pages swap cached
Aug 7 19:29:02 kernel: Out of memory: Kill process 3973 (vpnserver1) score 370 or sacrifice child
Aug 7 19:29:02 kernel: Killed process 3973 (vpnserver1) total-vm:93504kB, anon-rss:46240kB, file-rss:0kB
Aug 11 00:58:41 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
Aug 11 00:58:43 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
Aug 11 00:58:45 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
Aug 11 00:58:47 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
Aug 11 00:58:49 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
Aug 11 00:58:51 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
Aug 11 00:58:53 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
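
Added example, not part of the original post: a small Python parser that pulls OOM-killer events out of a router syslog like the one above and reports how much of the router's RAM the killed process was holding. The 4 kB page size and the `vpnserver` name prefix are assumptions taken from the log lines shown; the sample input is a subset of those lines.

```python
import re

# Kernel lines copied from the router log in the post above.
SAMPLE_LOG = """\
Aug 7 19:29:01 kernel: 32768 pages of RAM
Aug 7 19:29:01 kernel: 1366 free pages
Aug 7 19:29:02 kernel: Out of memory: Kill process 3973 (vpnserver1) score 370 or sacrifice child
Aug 7 19:29:02 kernel: Killed process 3973 (vpnserver1) total-vm:93504kB, anon-rss:46240kB, file-rss:0kB
Aug 11 00:58:41 kernel: FIXME:osif_forward_mgmt_to_app: Event length more than expected..dropping
"""

PAGE_KB = 4  # assumption: 4 kB pages, as the "85*4kB" free-list line in the post suggests
RAM_RE = re.compile(r"kernel: (\d+) pages of RAM")
FREE_RE = re.compile(r"kernel: (\d+) free pages")
KILL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) kernel: Killed process (?P<pid>\d+) "
    r"\((?P<name>[^)]+)\) total-vm:\d+kB, anon-rss:(?P<rss>\d+)kB"
)

def find_oom_kills(log_text):
    """Return one dict per OOM kill, with the memory figures logged just before it."""
    ram_kb = free_kb = None
    kills = []
    for line in log_text.splitlines():
        if m := RAM_RE.search(line):
            ram_kb = int(m.group(1)) * PAGE_KB
        elif m := FREE_RE.search(line):
            free_kb = int(m.group(1)) * PAGE_KB
        elif m := KILL_RE.match(line):
            rss_kb = int(m["rss"])
            kills.append({
                "time": m["ts"], "pid": int(m["pid"]), "process": m["name"],
                "anon_rss_kb": rss_kb, "ram_kb": ram_kb, "free_kb": free_kb,
                # Share of total RAM the killed process held; None if no RAM line seen.
                "rss_pct_of_ram": round(100 * rss_kb / ram_kb, 1) if ram_kb else None,
            })
            ram_kb = free_kb = None  # each OOM report carries its own figures
    return kills

def vpn_kills(kills, prefix="vpnserver"):
    """Keep only kills whose process name looks like the router's VPN server."""
    return [k for k in kills if k["process"].startswith(prefix)]

if __name__ == "__main__":
    for k in vpn_kills(find_oom_kills(SAMPLE_LOG)):
        print(f'{k["time"]}: {k["process"]} (pid {k["pid"]}) OOM-killed holding '
              f'{k["anon_rss_kb"]} kB = {k["rss_pct_of_ram"]}% of {k["ram_kb"]} kB RAM, '
              f'{k["free_kb"]} kB free')
```

Run against a saved copy of the router's syslog, repeated `vpnserver` kills point at the VPN service exhausting memory rather than at a client-side fault.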
 
So of the 3

1- literally ran out of memory and froze
1- was under obvious constant DoS attack
1- My buddy blocked it on his firewall (small business) and didn't know enough to know he had or how to unblock it (basically blocked port 1194)

Of the other 2, I just talked to one guy, he rebooted his router and all came back to life. So I'll need to look at his logs, and the other guy I talked through how to port forward his Netgear router and I still can't hit it. I suspect his IP changed.
To @looney2ns's point, I should set those two up with DDNS. Both of those are residential but have had the same IP for years. I suppose with the lightning storms we've been having the past 2-3 weeks, worst I've seen, some servers got rebooted and issued new IPs to customers.

So it looks like 5 different events all within a week-10 days of each other. Because I rarely have the need to log in with VPN (most use P2P for camera access) and just happened to last week with @jmcu working with me on the one HOA location. Just dumb luck I started trying the others and discovered them dead.
 
Maybe do a team viewer session with him.
Will save you driving there.
 
Yikes. With so many failure modes, it is amazing anything ever works. I recently (within the last 1-2 years) had a bunch of trouble with intermittent OpenVPN connections. One remote location which used to work just fine just suddenly stopped being able to pass traffic through its OpenVPN tunnel, and even rebooting the remote router wouldn't fix it anymore. I never figured out what was wrong there and ended up installing an old low-end netgate (pfsense) router there with a wireguard client that works.

The only other location where I was running an OpenVPN tunnel was 1000 miles away so hardware replacement was not a practical option, but luckily I had backdoor access via windows machines so I was able to tweak OpenVPN settings. The only thing which helped was changing the MTU-related settings. I ended up with link-mtu 1300 and mssfix 1250 which helped drastically but I didn't get to 100% stability before the opportunity arose to change ISPs there (only cellular internet is available there), and the old Asus router with FreshTomato firmware I was previously using as a VPN client had to be repurposed to be a wifi client bridge. Due to firmware bugs, that made it impossible for that device to have a gateway assigned so I couldn't use its VPN client anymore. So now I just don't have VPN access to that location anymore, but all the PCs at that site have their own outgoing tunnels via zerotier and similar services, and I have wifi smart plugs for rebooting those PCs, so all is fine.
 
Yeah I’m finding WireGuard to be superior in so many ways. I think it’s an option on newer Asus and Netgear models.

It’s native on my home firewall appliance and just works. Highly recommend it if your router supports it
 
So both of the Asus routers are under direct attack. I was in both this morning and they’re dead again. (The VPN service)

Pored through the logs and both show being hit on the VPN service massively until the service runs out of memory and dies. Router stays up working but VPN service needs manually restarted.

Same European IPs on both.

I’ll have to see what I can do to get the router to refuse the requests altogether?
 
The Ukrainians are onto you.
 