FTTN x2 + Sonic VPN - Static IP?

by ckoufos » Fri Apr 14, 2017 4:52 pm
So I had Sonic FTTN x2 through UVerse set up a couple months ago. I've also set up a whole house VPN through Sonic's OpenVPN, which when connected works great (it even increases my d/l speed by 15 Mbps). Now the issue I'm running into is having a steady IP for access through SSH, media streaming, etc.

Previously I had been using No-IP for dynamic DNS, which works great through UVerse, but not so much through the VPN. It seems as though the IP address through the VPN changes too frequently for No-IP to be updated. I've also noticed that my internet is temporarily disconnected every time the IP address changes, every 15-20 min or so.

I know a static IP isn't an option with the FTTN x2; is this something that could be set up through the VPN?

Would an option be to register a domain name through Sonic and attach that to my Sonic VPN?

Is there something else I may be missing?

I appreciate any information or suggestions.
by sonic guest » Sat Apr 15, 2017 12:10 pm
The problem you're running into is that Sonic's VPN is changing your IP, not FTTN. I don't think Sonic has static IPs for their VPN users. Your FTTN IP is tied to your RG's MAC address, and probably won't change unless it gets replaced.

It's an interesting dilemma: use FTTN by itself and get a somewhat static IP or use Sonic VPN for privacy but very dynamic IP. You may want to try freedns.afraid.org. I prefer FreeDNS over No-IP because they allow for many more options (standard wget, cURL, and direct browser requests using HTTPS URLs) to change an IP that are friendly to both UNIX- and Windows-based computers, and I don't need to use a custom client. I don't think they have any policies for too frequent IP changes either, even though I try to be nice and update once/hour.
by drew.phillips » Sat Apr 15, 2017 4:17 pm
ckoufos wrote: Previously I had been using No-IP for dynamic DNS, which works great through UVerse, but not so much through the VPN. It seems as though the IP address through the VPN changes too frequently for No-IP to be updated. I've also noticed that my internet is temporarily disconnected every time the IP address changes, every 15-20 min or so.
Without the VPN active is your connection stable? My router (Lede 17 with OpenVPN) had the same IP bound for over 3 weeks before the VPN maintenance Friday night. I also have a separate computer on another ISP that's had the same IP for over 2 weeks since I re-connected it.

I'd suggest looking at the router logs and seeing if there are any useful messages around when the VPN changes IP. This pretty much indicates that you might be losing your VPN connection. As long as you're connected, we won't change the IP. But if the software is dropping the connection or (perhaps a setting) is cycling it frequently, that would explain the changes.

Also, the Dynamic DNS lag might just mean you need to set the TTL much lower so if you do have frequent IP changes, the DNS will also not stay cached with stale entries. For DynDNS, a low TTL like 60 seconds to 600 seconds is good depending on your needs.
Drew Phillips
Programmer / System Operations, Sonic.net
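
One way to carry out the log check suggested above, as an added example that is not part of the original thread: a small Python parser that splits a router syslog into OpenVPN sessions and reports which service requested each stop. The function names are made up for this example, the sample lines are abridged from the router log posted in this thread, and the `year` argument is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Abridged from the router log posted in this thread (most lines dropped).
SAMPLE_LOG = """\
Apr 14 16:35:11 rc_service: httpd 439:notify_rc start_vpnclient1
Apr 14 16:35:15 openvpn[30906]: /usr/sbin/ip addr add dev tun11 184.23.191.184/24 broadcast 184.23.191.255
Apr 14 16:35:21 openvpn[30906]: Initialization Sequence Completed
Apr 14 16:35:31 rc_service: httpd 439:notify_rc restart_vpnclient1
Apr 14 16:35:32 openvpn[30906]: SIGTERM received, sending exit notification to peer
Apr 14 16:35:37 openvpn[30995]: /usr/sbin/ip addr add dev tun11 184.23.191.88/24 broadcast 184.23.191.255
Apr 14 16:35:42 openvpn[30995]: Initialization Sequence Completed
Apr 14 16:43:49 WAN Connection: ISP's DHCP did not function properly.
Apr 14 16:43:49 rc_service: udhcpc 31012:notify_rc stop_vpnclient1
Apr 14 16:43:51 openvpn[30995]: SIGTERM received, sending exit notification to peer
Apr 14 16:43:57 dhcp client: bound 76.235.16.217 via 76.235.16.1 during 600 seconds.
Apr 14 16:44:01 openvpn[31260]: /usr/sbin/ip addr add dev tun11 184.23.191.136/24 broadcast 184.23.191.255
Apr 14 16:44:06 openvpn[31260]: Initialization Sequence Completed
Apr 14 16:53:48 rc_service: udhcpc 31280:notify_rc stop_vpnclient1
Apr 14 16:53:50 openvpn[31260]: SIGTERM received, sending exit notification to peer
Apr 14 16:53:59 openvpn[31523]: /usr/sbin/ip addr add dev tun11 184.23.191.222/24 broadcast 184.23.191.255
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (.*?): (.*)$")
PID_RE = re.compile(r"^openvpn\[(\d+)\]$")
ADDR_RE = re.compile(r"ip addr add dev \S+ (\d+\.\d+\.\d+\.\d+)/\d+")
# "<requester> <pid>:notify_rc stop_vpnclient1"; requester is e.g. httpd
# (the router's web UI) or udhcpc (the WAN DHCP client).
RC_RE = re.compile(r"^(\S+) \d+:notify_rc (?:stop|restart)_vpnclient\d+$")
LEASE_RE = re.compile(r"^bound \S+ via \S+ during (\d+) seconds")


def parse_line(line, year=2017):
    """Split one syslog line into (timestamp, tag, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def vpn_sessions(log_text, year=2017):
    """Return one dict per OpenVPN process that was assigned a tunnel IP."""
    sessions, by_pid = [], {}
    pending = None  # requester of the latest stop/restart not yet matched
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, tag, msg = parsed
        if tag == "rc_service":
            m = RC_RE.match(msg)
            if m:
                pending = m.group(1)
            continue
        m = PID_RE.match(tag)
        if not m:
            continue
        pid = int(m.group(1))
        addr = ADDR_RE.search(msg)
        if addr:
            # A new tunnel address marks the start of a session.
            by_pid[pid] = {"pid": pid, "tunnel_ip": addr.group(1), "up": None,
                           "down": None, "uptime_s": None, "stopped_by": None}
            sessions.append(by_pid[pid])
            continue
        s = by_pid.get(pid)
        if s is None:
            continue
        if msg == "Initialization Sequence Completed":
            s["up"] = ts
        elif msg.startswith("SIGTERM received") and s["down"] is None:
            s["down"] = ts
            if s["up"] is not None:
                s["uptime_s"] = int((ts - s["up"]).total_seconds())
            s["stopped_by"] = pending or "unknown"
            pending = None
    return sessions


def wan_lease_seconds(log_text):
    """Collect the WAN DHCP lease times reported by the 'dhcp client' tag."""
    leases = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "dhcp client":
            m = LEASE_RE.match(parsed[2])
            if m:
                leases.append(int(m.group(1)))
    return leases


if __name__ == "__main__":
    for s in vpn_sessions(SAMPLE_LOG):
        print(s["pid"], s["tunnel_ip"], s["uptime_s"], s["stopped_by"])
    print("WAN lease (s):", wan_lease_seconds(SAMPLE_LOG))
```

On the sample, the two sessions stopped by `udhcpc` lasted 489 and 584 seconds, and the WAN DHCP lease in the same log is 600 seconds.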
by ckoufos » Mon Apr 17, 2017 11:07 am
sonic guest wrote: It's an interesting dilemma: use FTTN by itself and get a somewhat static IP or use Sonic VPN for privacy but very dynamic IP. You may want to try freedns.afraid.org. I prefer FreeDNS over No-IP because they allow for many more options (standard wget, cURL, and direct browser requests using HTTPS URLs) to change an IP that are friendly to both UNIX- and Windows-based computers, and I don't need to use a custom client. I don't think they have any policies for too frequent IP changes either, even though I try to be nice and update once/hour.
I hadn't heard of FreeDNS but I will definitely check it out. Although my current router firmware (Xwrt-Vortex) only allows down to a once per day update, so that wouldn't quite be frequent enough to keep up with the 8-9 minute updates I'm seeing.
drew.phillips wrote: Without the VPN active is your connection stable? My router (Lede 17 with OpenVPN) had the same IP bound for over 3 weeks before the VPN maintenance Friday night. I also have a separate computer on another ISP that's had the same IP for over 2 weeks since I re-connected it.
My connection without the VPN is stable for the most part, although I've found that when I run certain services (such as torrents) AT&T is throttling my service down to almost nothing (from 49 down / 6 up to 2-4 down / less than 0.5 up), which is one of the reasons I'd like to encrypt through their hardware so all they see is the VPN traffic.

So I hadn't actually heard of LEDE before but it looks interesting. After using stock firmware on my R7000 for a couple years I installed Tomato, which didn't take advantage of hardware acceleration so I was getting slower WiFi speeds. I ended up moving to Xwrt-Vortex, which has been great. Maybe I'll give LEDE a try next.
drew.phillips wrote: I'd suggest looking at the router logs and seeing if there are any useful messages around when the VPN changes IP. This pretty much indicates that you might be losing your VPN connection. As long as you're connected, we won't change the IP. But if the software is dropping the connection or (perhaps a setting) is cycling it frequently, that would explain the changes.
Here's an example from my logs showing the initial connection & where it disconnects temporarily before assigning a new IP:

Apr 14 16:35:11 rc_service: httpd 439:notify_rc start_vpnclient1
Apr 14 16:35:11 kernel: tun: Universal TUN/TAP device driver, 1.6
Apr 14 16:35:11 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Apr 14 16:35:13 openvpn[30905]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  3 2017
Apr 14 16:35:13 openvpn[30905]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Apr 14 16:35:13 openvpn[30906]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 14 16:35:13 openvpn[30906]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:13 openvpn[30906]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:13 openvpn[30906]: TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
Apr 14 16:35:13 openvpn[30906]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Apr 14 16:35:13 openvpn[30906]: UDP link local: (not bound)
Apr 14 16:35:13 openvpn[30906]: UDP link remote: [AF_INET]209.148.113.36:1194
Apr 14 16:35:13 openvpn[30906]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=1ad72b4b 4472a0d3
Apr 14 16:35:13 openvpn[30906]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 14 16:35:14 openvpn[30906]: VERIFY OK: depth=1, CN=OpenVPN CA
Apr 14 16:35:14 openvpn[30906]: VERIFY OK: nsCertType=SERVER
Apr 14 16:35:14 openvpn[30906]: VERIFY OK: depth=0, CN=OpenVPN Server
Apr 14 16:35:14 openvpn[30906]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 16:35:14 openvpn[30906]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Apr 14 16:35:15 openvpn[30906]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Apr 14 16:35:15 openvpn[30906]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-tokenSESS_ID,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 184.23.191.1,dhcp-option DNS 208.201.224.33,dhcp-option DNS 208.201.224.11,register-dns,block-ipv6,ifconfig 184.23.191.184 255.255.255.0'
Apr 14 16:35:15 openvpn[30906]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
Apr 14 16:35:15 openvpn[30906]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.0)
Apr 14 16:35:15 openvpn[30906]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.0)
Apr 14 16:35:15 openvpn[30906]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.0)
Apr 14 16:35:15 openvpn[30906]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.0)
Apr 14 16:35:15 openvpn[30906]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.0)
Apr 14 16:35:15 openvpn[30906]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 14 16:35:15 openvpn[30906]: OPTIONS IMPORT: explicit notify parm(s) modified
Apr 14 16:35:15 openvpn[30906]: OPTIONS IMPORT: compression parms modified
Apr 14 16:35:15 openvpn[30906]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 14 16:35:15 openvpn[30906]: OPTIONS IMPORT: route options modified
Apr 14 16:35:15 openvpn[30906]: OPTIONS IMPORT: route-related options modified
Apr 14 16:35:15 openvpn[30906]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 14 16:35:15 openvpn[30906]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:35:15 openvpn[30906]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:15 openvpn[30906]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:35:15 openvpn[30906]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:15 openvpn[30906]: TUN/TAP device tun11 opened
Apr 14 16:35:15 openvpn[30906]: TUN/TAP TX queue length set to 100
Apr 14 16:35:15 openvpn[30906]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 14 16:35:15 openvpn[30906]: /usr/sbin/ip link set dev tun11 up mtu 1500
Apr 14 16:35:15 openvpn[30906]: /usr/sbin/ip addr add dev tun11 184.23.191.184/24 broadcast 184.23.191.255
Apr 14 16:35:20 openvpn[30906]: /usr/sbin/ip route add 209.148.113.36/32 via 76.235.16.1
Apr 14 16:35:20 openvpn[30906]: /usr/sbin/ip route add 0.0.0.0/1 via 184.23.191.1
Apr 14 16:35:20 openvpn[30906]: /usr/sbin/ip route add 128.0.0.0/1 via 184.23.191.1
Apr 14 16:35:21 openvpn-routing: Skipping, client 1 not in routing policy mode
Apr 14 16:35:21 openvpn[30906]: Initialization Sequence Completed
Apr 14 16:35:31 rc_service: httpd 439:notify_rc restart_vpnclient1
Apr 14 16:35:32 openvpn[30906]: event_wait : Interrupted system call (code=4)
Apr 14 16:35:32 openvpn[30906]: SIGTERM received, sending exit notification to peer
Apr 14 16:35:33 openvpn[30906]: vpnrouting.sh tun11 1500 1558 184.23.191.184 255.255.255.0 init
Apr 14 16:35:33 openvpn-routing: Configuring policy rules for client 1
Apr 14 16:35:33 openvpn-routing: Flushing client routing table
Apr 14 16:35:33 openvpn-routing: Completed routing policy configuration for client 1
Apr 14 16:35:33 openvpn[30906]: /usr/sbin/ip route del 209.148.113.36/32
Apr 14 16:35:33 openvpn[30906]: /usr/sbin/ip route del 0.0.0.0/1
Apr 14 16:35:33 openvpn[30906]: /usr/sbin/ip route del 128.0.0.0/1
Apr 14 16:35:33 openvpn[30906]: Closing TUN/TAP interface
Apr 14 16:35:33 openvpn[30906]: /usr/sbin/ip addr del dev tun11 184.23.191.184/24
Apr 14 16:35:33 openvpn[30906]: SIGTERM[soft,exit-with-notification] received, process exiting
Apr 14 16:35:34 dnsmasq[432]: read /etc/hosts - 6 addresses
Apr 14 16:35:34 dnsmasq[432]: using nameserver 8.8.8.8#53
Apr 14 16:35:34 dnsmasq[432]: using nameserver 8.8.4.4#53
Apr 14 16:35:34 openvpn[30994]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  3 2017
Apr 14 16:35:34 openvpn[30994]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Apr 14 16:35:34 openvpn[30995]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 14 16:35:34 openvpn[30995]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:34 openvpn[30995]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:35 openvpn[30995]: TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
Apr 14 16:35:35 openvpn[30995]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Apr 14 16:35:35 openvpn[30995]: UDP link local: (not bound)
Apr 14 16:35:35 openvpn[30995]: UDP link remote: [AF_INET]209.148.113.36:1194
Apr 14 16:35:35 openvpn[30995]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=99730041 a70a41f5
Apr 14 16:35:35 openvpn[30995]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 14 16:35:35 openvpn[30995]: VERIFY OK: depth=1, CN=OpenVPN CA
Apr 14 16:35:35 openvpn[30995]: VERIFY OK: nsCertType=SERVER
Apr 14 16:35:35 openvpn[30995]: VERIFY OK: depth=0, CN=OpenVPN Server
Apr 14 16:35:35 openvpn[30995]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 16:35:35 openvpn[30995]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Apr 14 16:35:37 openvpn[30995]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Apr 14 16:35:37 openvpn[30995]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-tokenSESS_ID,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 184.23.191.1,dhcp-option DNS 208.201.224.33,dhcp-option DNS 208.201.224.11,register-dns,block-ipv6,ifconfig 184.23.191.88 255.255.255.0'
Apr 14 16:35:37 openvpn[30995]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
Apr 14 16:35:37 openvpn[30995]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.0)
Apr 14 16:35:37 openvpn[30995]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.0)
Apr 14 16:35:37 openvpn[30995]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.0)
Apr 14 16:35:37 openvpn[30995]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.0)
Apr 14 16:35:37 openvpn[30995]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.0)
Apr 14 16:35:37 openvpn[30995]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 14 16:35:37 openvpn[30995]: OPTIONS IMPORT: explicit notify parm(s) modified
Apr 14 16:35:37 openvpn[30995]: OPTIONS IMPORT: compression parms modified
Apr 14 16:35:37 openvpn[30995]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 14 16:35:37 openvpn[30995]: OPTIONS IMPORT: route options modified
Apr 14 16:35:37 openvpn[30995]: OPTIONS IMPORT: route-related options modified
Apr 14 16:35:37 openvpn[30995]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 14 16:35:37 openvpn[30995]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:35:37 openvpn[30995]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:37 openvpn[30995]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:35:37 openvpn[30995]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:35:37 openvpn[30995]: TUN/TAP device tun11 opened
Apr 14 16:35:37 openvpn[30995]: TUN/TAP TX queue length set to 100
Apr 14 16:35:37 openvpn[30995]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 14 16:35:37 openvpn[30995]: /usr/sbin/ip link set dev tun11 up mtu 1500
Apr 14 16:35:37 openvpn[30995]: /usr/sbin/ip addr add dev tun11 184.23.191.88/24 broadcast 184.23.191.255
Apr 14 16:35:42 openvpn[30995]: /usr/sbin/ip route add 209.148.113.36/32 via 76.235.16.1
Apr 14 16:35:42 openvpn[30995]: /usr/sbin/ip route add 0.0.0.0/1 via 184.23.191.1
Apr 14 16:35:42 openvpn[30995]: /usr/sbin/ip route add 128.0.0.0/1 via 184.23.191.1
Apr 14 16:35:42 openvpn-routing: Skipping, client 1 not in routing policy mode
Apr 14 16:35:42 openvpn[30995]: Initialization Sequence Completed
Apr 14 16:43:47 miniupnpd[25836]: ioctl(s, SIOCGIFADDR, ...): Cannot assign requested address
Apr 14 16:43:47 miniupnpd[25836]: Failed to get IP for interface vlan2
Apr 14 16:43:47 miniupnpd[25836]: SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 14 16:43:47 dnsmasq[432]: read /etc/hosts - 6 addresses
Apr 14 16:43:47 dnsmasq[432]: using nameserver 8.8.8.8#53
Apr 14 16:43:47 dnsmasq[432]: using nameserver 8.8.4.4#53
Apr 14 16:43:48 rc_service: udhcpc 31012:notify_rc start_firewall
Apr 14 16:43:48 dnsmasq[432]: read /etc/hosts - 6 addresses
Apr 14 16:43:48 dnsmasq[432]: using nameserver 8.8.8.8#53
Apr 14 16:43:48 dnsmasq[432]: using nameserver 8.8.4.4#53
Apr 14 16:43:49 WAN Connection: ISP's DHCP did not function properly.
Apr 14 16:43:49 DualWAN: skip single wan wan_led_control - WANRED off
Apr 14 16:43:49 dnsmasq-dhcp[432]: DHCPDISCOVER(br0) ac:cf:85:6c:0d:5e 
Apr 14 16:43:49 dnsmasq-dhcp[432]: DHCPOFFER(br0) 192.168.1.73 ac:cf:85:6c:0d:5e 
Apr 14 16:43:49 dnsmasq-dhcp[432]: DHCPREQUEST(br0) 192.168.1.73 ac:cf:85:6c:0d:5e 
Apr 14 16:43:49 dnsmasq-dhcp[432]: DHCPACK(br0) 192.168.1.73 ac:cf:85:6c:0d:5e android-3bb156a58298b38d
Apr 14 16:43:49 stop_nat_rules: apply the redirect_rules!
Apr 14 16:43:49 miniupnpd[25836]: shutting down MiniUPnPd
Apr 14 16:43:49 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!
Apr 14 16:43:49 wan: finish adding multi routes
Apr 14 16:43:49 rc_service: udhcpc 31012:notify_rc stop_vpnclient1
Apr 14 16:43:49 rc_service: waitting "start_firewall" via udhcpc ...
Apr 14 16:43:50 miniupnpd[31071]: HTTP listening on port 55900
Apr 14 16:43:50 miniupnpd[31071]: Listening for NAT-PMP/PCP traffic on port 5351
Apr 14 16:43:51 openvpn[30995]: event_wait : Interrupted system call (code=4)
Apr 14 16:43:51 openvpn[30995]: SIGTERM received, sending exit notification to peer
Apr 14 16:43:51 rc_service: udhcpc 31012:notify_rc stop_upnp
Apr 14 16:43:51 rc_service: waitting "stop_vpnclient1" via udhcpc ...
Apr 14 16:43:52 openvpn[30995]: vpnrouting.sh tun11 1500 1558 184.23.191.88 255.255.255.0 init
Apr 14 16:43:52 openvpn-routing: Configuring policy rules for client 1
Apr 14 16:43:52 openvpn-routing: Flushing client routing table
Apr 14 16:43:52 openvpn-routing: Completed routing policy configuration for client 1
Apr 14 16:43:52 openvpn[30995]: /usr/sbin/ip route del 209.148.113.36/32
Apr 14 16:43:52 openvpn[30995]: ERROR: Linux route delete command failed: external program exited with error status: 2
Apr 14 16:43:52 openvpn[30995]: /usr/sbin/ip route del 0.0.0.0/1
Apr 14 16:43:52 openvpn[30995]: /usr/sbin/ip route del 128.0.0.0/1
Apr 14 16:43:52 openvpn[30995]: Closing TUN/TAP interface
Apr 14 16:43:52 openvpn[30995]: /usr/sbin/ip addr del dev tun11 184.23.191.88/24
Apr 14 16:43:52 openvpn[30995]: SIGTERM[soft,exit-with-notification] received, process exiting
Apr 14 16:43:53 dnsmasq[432]: read /etc/hosts - 6 addresses
Apr 14 16:43:53 dnsmasq[432]: using nameserver 8.8.8.8#53
Apr 14 16:43:53 dnsmasq[432]: using nameserver 8.8.4.4#53
Apr 14 16:43:54 WAN Connection: WAN was restored.
Apr 14 16:43:54 rc_service: udhcpc 31012:notify_rc start_upnp
Apr 14 16:43:54 rc_service: waitting "stop_upnp" via udhcpc ...
Apr 14 16:43:54 miniupnpd[31071]: shutting down MiniUPnPd
Apr 14 16:43:55 ddns update: ez-ipupdate: starting...
Apr 14 16:43:55 miniupnpd[31139]: HTTP listening on port 41905
Apr 14 16:43:55 miniupnpd[31139]: Listening for NAT-PMP/PCP traffic on port 5351
Apr 14 16:43:55 ddns update: connected to dynupdate.no-ip.com (8.23.224.120) on port 80.
Apr 14 16:43:56 ddns update: request successful
Apr 14 16:43:56 ddns update: asusddns_update: 0
Apr 14 16:43:56 ddns: ddns update ok
Apr 14 16:43:56 openvpn-routing: Refreshing policy rules for client 1
Apr 14 16:43:57 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:43:57 openvpn-routing: Refreshing policy rules for client 2
Apr 14 16:43:57 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:43:57 openvpn-routing: Refreshing policy rules for client 3
Apr 14 16:43:57 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:43:57 openvpn-routing: Refreshing policy rules for client 4
Apr 14 16:43:57 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:43:57 openvpn-routing: Refreshing policy rules for client 5
Apr 14 16:43:57 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:43:57 rc_service: udhcpc 31012:notify_rc start_vpnclient1
Apr 14 16:43:57 dhcp client: bound 76.235.16.217 via 76.235.16.1 during 600 seconds.
Apr 14 16:43:59 openvpn[31259]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  3 2017
Apr 14 16:43:59 openvpn[31259]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Apr 14 16:43:59 openvpn[31260]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 14 16:43:59 openvpn[31260]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:43:59 openvpn[31260]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:43:59 openvpn[31260]: TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
Apr 14 16:43:59 openvpn[31260]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Apr 14 16:43:59 openvpn[31260]: UDP link local: (not bound)
Apr 14 16:43:59 openvpn[31260]: UDP link remote: [AF_INET]209.148.113.36:1194
Apr 14 16:43:59 openvpn[31260]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=6507e3d0 d6728e00
Apr 14 16:43:59 openvpn[31260]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 14 16:43:59 openvpn[31260]: VERIFY OK: depth=1, CN=OpenVPN CA
Apr 14 16:43:59 openvpn[31260]: VERIFY OK: nsCertType=SERVER
Apr 14 16:43:59 openvpn[31260]: VERIFY OK: depth=0, CN=OpenVPN Server
Apr 14 16:44:00 openvpn[31260]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 16:44:00 openvpn[31260]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Apr 14 16:44:01 openvpn[31260]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Apr 14 16:44:01 openvpn[31260]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-tokenSESS_ID,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 184.23.191.1,dhcp-option DNS 208.201.224.33,dhcp-option DNS 208.201.224.11,register-dns,block-ipv6,ifconfig 184.23.191.136 255.255.255.0'
Apr 14 16:44:01 openvpn[31260]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
Apr 14 16:44:01 openvpn[31260]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.0)
Apr 14 16:44:01 openvpn[31260]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.0)
Apr 14 16:44:01 openvpn[31260]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.0)
Apr 14 16:44:01 openvpn[31260]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.0)
Apr 14 16:44:01 openvpn[31260]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.0)
Apr 14 16:44:01 openvpn[31260]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 14 16:44:01 openvpn[31260]: OPTIONS IMPORT: explicit notify parm(s) modified
Apr 14 16:44:01 openvpn[31260]: OPTIONS IMPORT: compression parms modified
Apr 14 16:44:01 openvpn[31260]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 14 16:44:01 openvpn[31260]: OPTIONS IMPORT: route options modified
Apr 14 16:44:01 openvpn[31260]: OPTIONS IMPORT: route-related options modified
Apr 14 16:44:01 openvpn[31260]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 14 16:44:01 openvpn[31260]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:44:01 openvpn[31260]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:44:01 openvpn[31260]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:44:01 openvpn[31260]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:44:01 openvpn[31260]: TUN/TAP device tun11 opened
Apr 14 16:44:01 openvpn[31260]: TUN/TAP TX queue length set to 100
Apr 14 16:44:01 openvpn[31260]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 14 16:44:01 openvpn[31260]: /usr/sbin/ip link set dev tun11 up mtu 1500
Apr 14 16:44:01 openvpn[31260]: /usr/sbin/ip addr add dev tun11 184.23.191.136/24 broadcast 184.23.191.255
Apr 14 16:44:06 openvpn[31260]: /usr/sbin/ip route add 209.148.113.36/32 via 76.235.16.1
Apr 14 16:44:06 openvpn[31260]: /usr/sbin/ip route add 0.0.0.0/1 via 184.23.191.1
Apr 14 16:44:06 openvpn[31260]: /usr/sbin/ip route add 128.0.0.0/1 via 184.23.191.1
Apr 14 16:44:06 openvpn-routing: Skipping, client 1 not in routing policy mode
Apr 14 16:44:06 openvpn[31260]: Initialization Sequence Completed
Apr 14 16:53:46 miniupnpd[31139]: ioctl(s, SIOCGIFADDR, ...): Cannot assign requested address
Apr 14 16:53:46 miniupnpd[31139]: Failed to get IP for interface vlan2
Apr 14 16:53:46 miniupnpd[31139]: SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 14 16:53:46 dnsmasq[432]: read /etc/hosts - 6 addresses
Apr 14 16:53:46 dnsmasq[432]: using nameserver 8.8.8.8#53
Apr 14 16:53:46 dnsmasq[432]: using nameserver 8.8.4.4#53
Apr 14 16:53:46 rc_service: udhcpc 31280:notify_rc start_firewall
Apr 14 16:53:46 dnsmasq[432]: read /etc/hosts - 6 addresses
Apr 14 16:53:46 dnsmasq[432]: using nameserver 8.8.8.8#53
Apr 14 16:53:46 dnsmasq[432]: using nameserver 8.8.4.4#53
Apr 14 16:53:47 miniupnpd[31139]: shutting down MiniUPnPd
Apr 14 16:53:48 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!
Apr 14 16:53:48 wan: finish adding multi routes
Apr 14 16:53:48 rc_service: udhcpc 31280:notify_rc stop_vpnclient1
Apr 14 16:53:48 rc_service: waitting "start_firewall" via udhcpc ...
Apr 14 16:53:48 miniupnpd[31336]: HTTP listening on port 55379
Apr 14 16:53:48 miniupnpd[31336]: Listening for NAT-PMP/PCP traffic on port 5351
Apr 14 16:53:50 openvpn[31260]: event_wait : Interrupted system call (code=4)
Apr 14 16:53:50 openvpn[31260]: SIGTERM received, sending exit notification to peer
Apr 14 16:53:50 rc_service: udhcpc 31280:notify_rc stop_upnp
Apr 14 16:53:50 rc_service: waitting "stop_vpnclient1" via udhcpc ...
Apr 14 16:53:51 openvpn[31260]: vpnrouting.sh tun11 1500 1558 184.23.191.136 255.255.255.0 init
Apr 14 16:53:51 openvpn-routing: Configuring policy rules for client 1
Apr 14 16:53:51 openvpn-routing: Flushing client routing table
Apr 14 16:53:51 openvpn-routing: Completed routing policy configuration for client 1
Apr 14 16:53:51 openvpn[31260]: /usr/sbin/ip route del 209.148.113.36/32
Apr 14 16:53:51 openvpn[31260]: ERROR: Linux route delete command failed: external program exited with error status: 2
Apr 14 16:53:51 openvpn[31260]: /usr/sbin/ip route del 0.0.0.0/1
Apr 14 16:53:51 openvpn[31260]: /usr/sbin/ip route del 128.0.0.0/1
Apr 14 16:53:51 openvpn[31260]: Closing TUN/TAP interface
Apr 14 16:53:51 openvpn[31260]: /usr/sbin/ip addr del dev tun11 184.23.191.136/24
Apr 14 16:53:51 openvpn[31260]: SIGTERM[soft,exit-with-notification] received, process exiting
Apr 14 16:53:52 dnsmasq[432]: read /etc/hosts - 6 addresses
Apr 14 16:53:52 dnsmasq[432]: using nameserver 8.8.8.8#53
Apr 14 16:53:52 dnsmasq[432]: using nameserver 8.8.4.4#53
Apr 14 16:53:53 rc_service: udhcpc 31280:notify_rc start_upnp
Apr 14 16:53:53 rc_service: waitting "stop_upnp" via udhcpc ...
Apr 14 16:53:53 miniupnpd[31336]: shutting down MiniUPnPd
Apr 14 16:53:54 ddns update: ez-ipupdate: starting...
Apr 14 16:53:54 miniupnpd[31402]: HTTP listening on port 48775
Apr 14 16:53:54 miniupnpd[31402]: Listening for NAT-PMP/PCP traffic on port 5351
Apr 14 16:53:54 ddns update: connected to dynupdate.no-ip.com (8.23.224.120) on port 80.
Apr 14 16:53:54 ddns update: request successful
Apr 14 16:53:54 ddns update: asusddns_update: 0
Apr 14 16:53:55 ddns: ddns update ok
Apr 14 16:53:55 openvpn-routing: Refreshing policy rules for client 1
Apr 14 16:53:55 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:53:55 openvpn-routing: Refreshing policy rules for client 2
Apr 14 16:53:55 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:53:55 openvpn-routing: Refreshing policy rules for client 3
Apr 14 16:53:55 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:53:55 openvpn-routing: Refreshing policy rules for client 4
Apr 14 16:53:55 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:53:56 openvpn-routing: Refreshing policy rules for client 5
Apr 14 16:53:56 openvpn-routing: Allow WAN access to all VPN clients
Apr 14 16:53:56 rc_service: udhcpc 31280:notify_rc start_vpnclient1
Apr 14 16:53:56 dhcp client: bound 76.235.16.217 via 76.235.16.1 during 600 seconds.
Apr 14 16:53:57 openvpn[31522]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  3 2017
Apr 14 16:53:57 openvpn[31522]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Apr 14 16:53:57 openvpn[31523]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 14 16:53:58 openvpn[31523]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:53:58 openvpn[31523]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:53:58 openvpn[31523]: TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
Apr 14 16:53:58 openvpn[31523]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Apr 14 16:53:58 openvpn[31523]: UDP link local: (not bound)
Apr 14 16:53:58 openvpn[31523]: UDP link remote: [AF_INET]209.148.113.36:1194
Apr 14 16:53:58 openvpn[31523]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=d98a5363 7e580a6b
Apr 14 16:53:58 openvpn[31523]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 14 16:53:58 openvpn[31523]: VERIFY OK: depth=1, CN=OpenVPN CA
Apr 14 16:53:58 openvpn[31523]: VERIFY OK: nsCertType=SERVER
Apr 14 16:53:58 openvpn[31523]: VERIFY OK: depth=0, CN=OpenVPN Server
Apr 14 16:53:58 openvpn[31523]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Apr 14 16:53:58 openvpn[31523]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Apr 14 16:53:59 openvpn[31523]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Apr 14 16:53:59 openvpn[31523]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-tokenSESS_ID,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 184.23.191.1,dhcp-option DNS 208.201.224.33,dhcp-option DNS 208.201.224.11,register-dns,block-ipv6,ifconfig 184.23.191.222 255.255.255.0'
Apr 14 16:53:59 openvpn[31523]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
Apr 14 16:53:59 openvpn[31523]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.0)
Apr 14 16:53:59 openvpn[31523]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.0)
Apr 14 16:53:59 openvpn[31523]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.0)
Apr 14 16:53:59 openvpn[31523]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.0)
Apr 14 16:53:59 openvpn[31523]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.0)
Apr 14 16:53:59 openvpn[31523]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 14 16:53:59 openvpn[31523]: OPTIONS IMPORT: explicit notify parm(s) modified
Apr 14 16:53:59 openvpn[31523]: OPTIONS IMPORT: compression parms modified
Apr 14 16:53:59 openvpn[31523]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 14 16:53:59 openvpn[31523]: OPTIONS IMPORT: route options modified
Apr 14 16:53:59 openvpn[31523]: OPTIONS IMPORT: route-related options modified
Apr 14 16:53:59 openvpn[31523]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 14 16:53:59 openvpn[31523]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:53:59 openvpn[31523]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:53:59 openvpn[31523]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Apr 14 16:53:59 openvpn[31523]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 16:53:59 openvpn[31523]: TUN/TAP device tun11 opened
Apr 14 16:53:59 openvpn[31523]: TUN/TAP TX queue length set to 100
Apr 14 16:53:59 openvpn[31523]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 14 16:53:59 openvpn[31523]: /usr/sbin/ip link set dev tun11 up mtu 1500
Apr 14 16:53:59 openvpn[31523]: /usr/sbin/ip addr add dev tun11 184.23.191.222/24 broadcast 184.23.191.255
Apr 14 16:54:04 openvpn[31523]: /usr/sbin/ip route add 209.148.113.36/32 via 76.235.16.1
Apr 14 16:54:04 openvpn[31523]: /usr/sbin/ip route add 0.0.0.0/1 via 184.23.191.1
Apr 14 16:54:04 openvpn[31523]: /usr/sbin/ip route add 128.0.0.0/1 via 184.23.191.1
Apr 14 16:54:05 openvpn-routing: Skipping, client 1 not in routing policy mode
Apr 14 16:54:05 openvpn[31523]: Initialization Sequence Completed
drew.phillips wrote:Also, the Dynamic DNS lag might just mean you need to set the TTL much lower so if you do have frequent IP changes, the DNS will also not stay cached with stale entries. For DynDNS, a low TTL like 60 seconds to 600 seconds is good depending on your needs.
Does LEDE offer options for DynDNS in seconds rather than days?

Ultimately it seems as though I'm dealing with two problems that may be stemming from settings within my router vs the VPN itself:

1. My VPN connection isn't staying connected for more than 8-9 minutes before temporarily disconnecting & refreshing the IP address

2. During the 8-9 minutes it's connected, I can't seem to connect to any of my services (SSH, Subsonic, etc) through the VPN-assigned IP while it's active

I think the first problem may be with my VPN settings, here's a couple snapshots:

[Images: three screenshots of the VPN settings]

The second problem may be with the port forwarding settings on my router looking for traffic coming from the WAN vs the VPN. I can't seem to find an obvious solution to this in Xwrt-Vortex, does LEDE offer the option to forward ports from the VPN?

I've also considered setting up a pfSense box in-between my UVerse modem & my router to act as the VPN client, which would hopefully make things less confusing on my router. Though I'd rather exhaust my options with the router before spending the money.

Thank you both for your input, and sorry for the long follow-up. I appreciate any additional info you can provide.
by drew.phillips » Mon Apr 17, 2017 11:44 am
Thanks for posting the logs, they do reveal that various actions seem to be resulting in a kill of the VPN connection followed by a reconnect.

You'll see a number of entries like this prior to the tunnel going down:

    rc_service: udhcpc 31012:notify_rc stop_vpnclient1

This is shortly followed by:

    openvpn[30995]: SIGTERM received, sending exit notification to peer

This indicates that a process has sent a term signal to the VPN which kills the connection and it's then re-established.

Some of them look to be due to firewall or other service changes causing the restart. Largely, I see a lot of VPN drops due to DHCP. The lease times are fairly short (5-15 minutes for FTTN I believe) but typically the IP doesn't change, so the fact that the DHCP renews (with no IP change) are causing the VPN to drop is a problem.

Surely you're not the first to have encountered this, so you might be able to find some workarounds based on this info.

LEDE has packages for various Dynamic DNS services and should be flexible with the TTL (as long as the provider also allows low TTL).

If you have port forwards to various services, they also likely need to be double added for the VPN interface as well. In LEDE, when you create an OpenVPN tunnel, you also create a new firewall zone for the VPN which is where you'd add the forwards. There are also ways to allow port forwards to work from your ISP WAN IP while connected to the VPN so you'd have some connections coming in over your normal connection while other LAN traffic for the internet would use the VPN. Either way, the key here is getting the rules set for the VPN interface to handle port forwarding which is likely the missing piece here.

I know I didn't address everything but wanted to touch on the big items. Hopefully they'll lead you down a path to get the connection drops resolved and then you can work on the port forwarding for VPN.
Drew Phillips
Programmer / System Operations, Sonic.net
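
The correlation described in the reply above (an rc_service stop request followed shortly by an openvpn SIGTERM) can be run over a whole syslog to see which process triggers each drop and how long the tunnel stayed up. This is an added example, not part of the original posts; it assumes rc_service lines carry the same timestamp prefix as the openvpn lines, and the sample log, the 10-second window, the year and the function name are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log lines quoted in this thread;
# the timestamps and most PIDs are made up for the example.
SAMPLE_LOG = """\
Apr 14 16:45:10 openvpn[30995]: Initialization Sequence Completed
Apr 14 16:53:50 rc_service: udhcpc 31012:notify_rc stop_vpnclient1
Apr 14 16:53:51 openvpn[30995]: SIGTERM received, sending exit notification to peer
Apr 14 16:54:05 openvpn[31523]: Initialization Sequence Completed
Apr 14 17:02:40 rc_service: udhcpc 31790:notify_rc stop_vpnclient1
Apr 14 17:02:41 openvpn[31523]: SIGTERM received, sending exit notification to peer
Apr 14 17:02:55 openvpn[31801]: Initialization Sequence Completed
Apr 14 17:20:00 openvpn[31801]: SIGTERM received, sending exit notification to peer
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?)(?:\[(\d+)\])?: (.*)$")
STOP = re.compile(r"^(\S+) \d+:notify_rc stop_vpnclient\d+")

def find_vpn_drops(log_text, window=10, year=2017):
    """Return one dict per openvpn SIGTERM: the process that asked rc to stop
    the client within `window` seconds before it (None if there was none) and
    the tunnel uptime since 'Initialization Sequence Completed'."""
    drops, last_stop, up_since = [], None, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-style line
        # Syslog omits the year, so one is supplied (assumed) for parsing.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        tag, pid, msg = m.group(2), m.group(3), m.group(4)
        stop = STOP.match(msg) if tag == "rc_service" else None
        if stop:
            last_stop = (ts, stop.group(1))
        elif tag == "openvpn" and msg.startswith("Initialization Sequence Completed"):
            up_since[pid] = ts
        elif tag == "openvpn" and msg.startswith("SIGTERM received"):
            trigger = None
            if last_stop and 0 <= (ts - last_stop[0]).total_seconds() <= window:
                trigger = last_stop[1]
            started = up_since.pop(pid, None)
            uptime = int((ts - started).total_seconds()) if started else None
            drops.append({"time": m.group(1), "pid": pid,
                          "trigger": trigger, "uptime_s": uptime})
            last_stop = None  # a stop request explains at most one SIGTERM
    return drops

if __name__ == "__main__":
    for drop in find_vpn_drops(SAMPLE_LOG):
        print(drop)
```

A drop whose trigger comes back as None was not preceded by a logged stop request, so it needs a different explanation than the DHCP renewals.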