by forest » Thu Oct 29, 2015 3:19 pm
Problem:
I've been test driving this VPN in hopes that using it in a whole-house configuration could bring Sonic's FTTN service up to Sonic's privacy standards. (We don't want AT&T or other agencies looking at our bits, after all.) Sadly, it currently has a deal-breaker flaw:
The server forcibly ends VPN sessions every 24 hours.
This means that the VPN fails at least once every day, bringing all internet traffic to a grinding halt*. For most customers, this leaves the whole house without connectivity until their tech person comes home to deal with it. A few households might have someone with the skill and inclination to program an automatic reconnect script, or always have someone present to continually restart the VPN by hand, but connectivity is still lost for at least a few seconds, and the external IP address is often different once the network is brought back up.
Music streaming, video/audio chats, multiplayer gaming, remote logins, VoIP telephone calls, and many other applications break because of this behavior. This makes it practically useless as a whole-house solution.
For the past six weeks or so, I've tried to work around this problem using every documented openvpn option that looked relevant, including various combinations of ping, auth-retry, persist-tun, persist-key, remap-usr1, and others. None of them helped. The server would still tear down the VPN in 24 hours or less.
Solution:
I learned yesterday that the 24 hour session expiration is not required, but merely part of a default profile on OpenVPN Access Server.
This means Sonic can get rid of it, and fix the problem. The key is apparently the "autologin" profile and/or a very large vpn.server.session_expire value. (I'm not sure whether autologin alone is sufficient or both settings are required.)
Details can be found here.
By default, Access Server implements a 24 hour timeout for the server-locked and user-locked profiles. These are the default profile types used. This means that when a user logs in with his or her credentials, the connection can stay online for a maximum of 24 hours. The autologin profile is an exception since this does not require credentials and can stay online indefinitely. The following configuration parameter allows you to alter this timeout setting to your specifications. You can even 'disable' it by setting a ridiculously high timeout value. You will need to run these commands on the console or through an SSH session on the Access Server:
/usr/local/openvpn_as/scripts/sacli --key vpn.server.session_expire --value 86400 ConfigPut
/usr/local/openvpn_as/scripts/sacli start
This will set the timeout to 86400 seconds (24 hours). Adjust this to your liking. If you set it to something like 1000000000 you can effectively disable it so the session doesn't time out.
Dear Sonic folks, will you please fix this?
If the VPN starts working reliably soon, I'll be able to solve my abysmal speed problem without leaving Sonic, by switching to FTTN.
Special thanks to pmbell for lending me his EdgeRouter for testing!
*(Technically, some people might choose to set up their VPN client to fail open instead of fail closed, but this would be even worse, since it would suddenly and silently expose all internet traffic to snooping.)
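Added example (not code from the post above or from OpenVPN's documentation): a small POSIX sh script that applies the two Access Server settings discussed in the post, a longer vpn.server.session_expire and an autologin-enabled user, and then reads the timeout back to confirm it took. It assumes sacli is at the standard path quoted in the post, that it is run as root on the Access Server host, and that the user property key prop_autologin and the ConfigQuery command are the ones sacli accepts (both are standard sacli usage but are not shown in the post). DRY_RUN=1 prints the commands instead of executing them, so the script can be reviewed off the server.

```shell
#!/bin/sh
# Added example, not the forum post's or OpenVPN's own code.
# Assumption: sacli lives at the standard Access Server path (override with SACLI=...).
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# A usable timeout is a positive integer number of seconds.
valid_expire() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Days -> seconds, so a 10-year "disable" value reads as 3650 rather than a raw count.
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# Run a sacli command, or only print it when DRY_RUN=1.
run_sacli() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $SACLI $*"
    else
        "$SACLI" "$@"
    fi
}

# Set the session timeout (seconds), optionally mark one user as autologin
# (assumed key: prop_autologin), restart the service so the change takes effect,
# then read the active value back from ConfigQuery's JSON dump.
apply_session_expire() {
    secs="$1"
    user="$2"
    valid_expire "$secs" || { echo "bad timeout: '$secs'" >&2; return 2; }
    run_sacli --key vpn.server.session_expire --value "$secs" ConfigPut
    if [ -n "$user" ]; then
        run_sacli --user "$user" --key prop_autologin --value true UserPropPut
    fi
    run_sacli start
    # Verification step; skipped in dry-run mode since nothing was changed.
    [ "${DRY_RUN:-0}" = 1 ] || "$SACLI" ConfigQuery | grep -F session_expire
}

# Only touch a real server (or a dry run); elsewhere just define the functions.
if [ -x "$SACLI" ] || [ "${DRY_RUN:-0}" = 1 ]; then
    apply_session_expire "${1:-$(days_to_seconds 3650)}" "$2"
fi
```

Usage: `DRY_RUN=1 sh set_expire.sh 1000000000 alice` prints the three sacli commands; running without DRY_RUN on the Access Server applies them and prints the resulting session_expire line. Note that the autologin profile still has to be downloaded for that user (sacli's GetAutologin) and installed on the client; the timeout change alone is what stops the 24 hour disconnects for the default profile types.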