Nighthawk [DD-WRT (Kong)] OpenVPN Client (PIA)

apple100

DougRoberson said: BTW, right after posting that, I dropped connection... but it had been 2 and a half days, so not a big deal :)

Hi, I am using Kong's firmware 25000M. I am also facing the connection dropping problem. I noticed the TX packets dropping problem using the ifconfig command in a terminal:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1127035 errors:0 dropped:0 overruns:0 frame:0
          TX packets:602227 errors:0 dropped:59 overruns:0 carrier:0
          collisions:0 txqueuelen:200
          RX bytes:1115865489 (1.0 GiB)  TX bytes:33720639 (32.1 MiB)

The default txqueuelen was 100; I got thousands of dropped TX packets and the connection finally dropped. When I increased the txqueuelen to 500, there were no dropped TX packets anymore, but this configuration also increased the network latency. The key is setting a proper txqueuelen to balance the dropped packets and network latency. I personally set the txqueuelen to 200 right now; this configuration cannot guarantee to solve the connection dropping problem, but it improves the stability.

Neil

MikeB100
Been watching this thread waiting for the silver bullet to solve the dropped connection problem with the R7000 and vyprvpn. I am on build 25090M and still have the problem about once per day.

DougRoberson
I'm still on 24340M - I have a reset once or twice a month, rarely enough that I am thinking it is my VPN provider who causes those.

kamaaina
Apparently Kong ceased the DD-WRT development some time ago due to work interference and some online community rant by some guy. I am on tomato v124 now and the VPN works fine, but a couple of other things are still beta.

DougRoberson
That was a prank on Kong's part. Everybody bought into it.

slidermike
kamaaina,
any idea what might not be stable or working well in v124 currently?

When I look at the change log it only mentions adds/fixes/enhancements.
Nothing says "still not working" or "stability issues for some".

Thank you

kamaaina
I just saw the outcry regarding Kong's departure. Looks like his file repository is not up though. Anyway.

@ slidermike: There are a few things that have never fully been completed with the Tomato for ARM. I have been running it since it came out with v118 or so. Bandwidth monitoring and a few other items are not working, QoS is not where non-ARM versions are, etc. Check the Linksys forum for greater details, there is a whole set of things still in progress.
http://linksysinfo.org/index.php?threads/tomato-for-arm-routers.69719/ and
http://linksysinfo.org/index.php?threads/tomato-shibbys-releases.33858/

That said, for home use, I have been running it since May or so when it came out and been going on every version in between. I had 20 days on 123 before upgrading to 124, now 48h ago. VPN client works great and that's what I wanted most, the rest is just basic home use LAN traffic. The R7000 has great stamina for VPN traffic, although it still caps at around 45-50 Mbit/s as VPN client.

When I run Viscosity on the Mac I get the full 100+ Mbit/s. But to run the full LAN through the VPN the OpenVPN client on the router is very convenient.

slidermike
Thank you for the links kamaaina.
Kong's repository is still available.
He renamed his domain.
Look in the dd-wrt Broadcom forum for a sticky mentioning R7000 best practices.
I have the 2nd post in there with the updated URL & other helpful things.

MikeB100
kamaaina said: Apparently Kong ceased the DD-WRT development some time ago due to work interference and some online community rant by some guy. I am on tomato v124 now and the VPN works fine, but a couple of other things are still beta.

How long have you been using the tomato firmware?

Have you compared performance to dd-wrt?

It is too bad if Kong stopped working on DD-WRT as his work was much appreciated.

Jack Sukerman
Hi Guys,

I've traced problems with connection drops to a mtu setting problem. This is with ipvanish, it may or may not help you.

The config file produced by dd-wrt is no good. I can reproduce the problem every time, certain ftp transfers will hang at the end. The mtu-disc option is the problem.

Feb 27 11:54:02 Nighthawk daemon.err openvpn[14449]: write UDPv4: Message too large (code=90)
Feb 27 11:54:02 Nighthawk daemon.err openvpn[14449]: write UDPv4: Message too large (code=90)
Feb 27 11:54:03 Nighthawk daemon.err openvpn[14449]: write UDPv4: Message too large (code=90)
Feb 27 11:54:03 Nighthawk daemon.err openvpn[14449]: write UDPv4: Message too large (code=90)
Feb 27 11:54:03 Nighthawk daemon.err openvpn[14449]: write UDPv4: Message too large (code=90)

Here's what I did:

Enable ssh on dd-wrt and login when vpn is running. When vpn is running there will be a /tmp/openvpncl directory with the config in, these files disappear when you stop the vpn so start it and cp -R /tmp/openvpncl /tmp/vpn and then stop the vpn via dd-wrt.

Now you can ssh back in and cd /tmp/vpn and mess with the files. The file produced by dd-wrt won't run for me unless I remove various lines about management, writepid etc. I also remove mtu-disc and some others until I'm left with this:

Save the ipvanish certificate as "ca.crt" if it's not already there, and also have your user and pass on two lines in /tmp/auth.conf

openvpn.conf:

ca ca.crt
verb 3
client
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
dev tun1
proto udp
cipher aes-256-cbc
auth sha256
remote lon-a01.ipvanish.com 443
comp-lzo adaptive
tls-client
fast-io
tun-ipv6
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
tls-remote lon-a01.ipvanish.com
auth-user-pass /tmp/auth.conf
script-security 3

Save that as openvpn.conf and then run up openvpn with:

openvpn --config openvpn.conf --route-up route-up.sh --down-pre route-down.sh

I can now ftp reliably and the vpn is not dropping, also getting 41Mbps throughput (no overclock).

slidermike
Jack, which version of Kong ddwrt are you using?
He just released a new version of his personal test build yesterday afternoon.
So far all the user reports on the ddwrt forums seem pretty good.
It is 26365M as of yesterday. I think BrainSlayer has one slightly newer released yesterday.

Jack Sukerman
Hi Slider,

I'm on 25100, I thought Kong had stopped development. I spoke too soon too, it seems it still starts to fail intermittently. I can't access www.bshomelets.co.uk (one of my sites) when connected to ipvanish. I can see other sites, but can't visit this or ftp certain files with the vpn up.

I'll give the build a try,

Thanks - and btw - all I want is stable VPN, have you tried tomato?

slidermike
Kong personal test builds are available here.
http://www.desipro.de/ddwrt/

There have been a LOT of improvements so do a factory reset & reboot after you flash the router.
In fact, Kong has been recommending a command line reset/reboot since some users using the gui reset aren't getting a complete/proper reset.
telnet to the router then run this to reset & reboot (after flashing the router).
nvram erase && reboot

Jack Sukerman
Thanks again Mike, I'll give Kong a go.

Any reason to use Kong instead of BrainSlayer? Or otherwise?

slidermike
Jack,
there are a couple of differences between the 2. Nothing major but
#1 Kong tests with his own R7000 while BS does not have an R7000 to test on.
#2 Kong enables command line firmware updating with ddup.
#3 Kong is much more involved on the Broadcom thread over at ddwrt forums.

Jack Sukerman
Now on 26365M, sadly no change.

Cannot access https://www.bshomelets.co.uk, or ftp certain files.

Grrr..

Feb 27 18:02:09 Nighthawk daemon.err openvpn[4085]: write UDPv4: Message too large (code=90)
Feb 27 18:02:09 Nighthawk daemon.err openvpn[4085]: write UDPv4: Message too large (code=90)
Feb 27 18:02:09 Nighthawk daemon.err openvpn[4085]: write UDPv4: Message too large (code=90)
Feb 27 18:02:12 Nighthawk daemon.notice openvpn[4085]: NOTE: --mute triggered...

And openvpn status:

Clientlog:
20150227 18:01:59 W DEPRECATED OPTION: --tls-remote please update your configuration
20150227 18:01:59 I OpenVPN 2.3.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 26 2015
20150227 18:01:59 I library versions: OpenSSL 1.0.2 22 Jan 2015 LZO 2.09
20150227 18:01:59 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20150227 18:01:59 W WARNING: file '/tmp/auth.conf' is group or others accessible
20150227 18:01:59 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20150227 18:01:59 Socket Buffers: R=[180224->131072] S=[180224->131072]
20150227 18:01:59 I UDPv4 link local: [undef]
20150227 18:01:59 I UDPv4 link remote: [AF_INET]81.171.97.2:443
20150227 18:01:59 TLS: Initial packet from [AF_INET]81.171.97.2:443 sid=93157cfc 4e928345
20150227 18:01:59 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20150227 18:01:59 VERIFY OK: depth=1 /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=IPVanish_CA/emailAddress=support@ipvanish.com
20150227 18:01:59 VERIFY X509NAME OK: /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lon-a01.ipvanish.com/emailAddress=support@ipvanish.com
20150227 18:01:59 VERIFY OK: depth=0 /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=lon-a01.ipvanish.com/emailAddress=support@ipvanish.com
20150227 18:02:00 NOTE: --mute triggered...
20150227 18:02:00 5 variation(s) on previous 3 message(s) suppressed by --mute
20150227 18:02:00 I [lon-a01.ipvanish.com] Peer Connection Initiated with [AF_INET]81.171.97.2:443
20150227 18:02:02 SENT CONTROL [lon-a01.ipvanish.com]: 'PUSH_REQUEST' (status=1)
20150227 18:02:02 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 bypass-dhcp dhcp-option DNS 198.18.0.1 dhcp-option DNS 198.18.0.2 rcvbuf 262144 explicit-exit-notify 5 route-gateway 172.20.32.1 topology subnet ping 20 ping-restart 40 ifconfig 172.20.35.10 255.255.252.0'
20150227 18:02:02 OPTIONS IMPORT: timers and/or timeouts modified
20150227 18:02:02 NOTE: --mute triggered...
20150227 18:02:02 2 variation(s) on previous 3 message(s) suppressed by --mute
20150227 18:02:02 Socket Buffers: R=[131072->360448] S=[131072->131072]
20150227 18:02:02 OPTIONS IMPORT: --ifconfig/up options modified
20150227 18:02:02 OPTIONS IMPORT: route options modified
20150227 18:02:02 OPTIONS IMPORT: route-related options modified
20150227 18:02:02 NOTE: --mute triggered...
20150227 18:02:02 1 variation(s) on previous 3 message(s) suppressed by --mute
20150227 18:02:02 I TUN/TAP device tun1 opened
20150227 18:02:02 TUN/TAP TX queue length set to 100
20150227 18:02:02 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20150227 18:02:02 I /sbin/ifconfig tun1 172.20.35.10 netmask 255.255.252.0 mtu 1500 broadcast 172.20.35.255
20150227 18:02:02 /sbin/route add -net 81.171.97.2 netmask 255.255.255.255 gw 172.16.15.140
20150227 18:02:02 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.20.32.1
20150227 18:02:02 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.20.32.1
20150227 18:02:02 I Initialization Sequence Completed
20150227 18:02:09 N write UDPv4: Message too large (code=90)
20150227 18:02:09 N write UDPv4: Message too large (code=90)
20150227 18:02:09 N write UDPv4: Message too large (code=90)
20150227 18:02:12 NOTE: --mute triggered...
20150227 18:05:51 614 variation(s) on previous 3 message(s) suppressed by --mute
20150227 18:05:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150227 18:05:51 D MANAGEMENT: CMD 'state'
20150227 18:05:51 MANAGEMENT: Client disconnected
20150227 18:05:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150227 18:05:51 D MANAGEMENT: CMD 'state'
20150227 18:05:51 MANAGEMENT: Client disconnected
20150227 18:05:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150227 18:05:51 D MANAGEMENT: CMD 'state'
20150227 18:05:51 MANAGEMENT: Client disconnected
20150227 18:05:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150227 18:05:51 D MANAGEMENT: CMD 'status 2'
20150227 18:05:51 MANAGEMENT: Client disconnected
20150227 18:05:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150227 18:05:51 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00

ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher aes-256-cbc
auth sha256
remote lon-a01.ipvanish.com 443
comp-lzo adaptive
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
persist-remote-ip
keysize 256
tls-remote lon-a01.ipvanish.com
auth-user-pass /tmp/auth.conf
script-security 3 system
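
The client log above warns about the deprecated --tls-remote option, a group/others-accessible /tmp/auth.conf, password caching and the script-security level, and the config still carries the mtu-disc yes line tied to the "Message too large" errors. The shell function below is an added example, not part of the original posts or of DD-WRT, that checks a client config for exactly those settings; the name audit_ovpn_conf and its messages are assumptions, and it assumes awk, ls, cut and tail are available in the router shell.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client config for the settings that
# produced warnings or errors in the logs quoted in this thread.
# Usage: audit_ovpn_conf /path/to/openvpn.conf   (prints one finding per line)

audit_ovpn_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }

    # Directive checks. Comment lines (# or ;) and blank lines are skipped.
    # For script-security the last occurrence wins, as in the generated config.
    awk '
        /^[ \t]*([#;]|$)/ { next }
        $1 == "script-security" { level = $2 + 0 }
        $1 == "auth-nocache"    { nocache = 1 }
        $1 == "auth-user-pass"  { userpass = 1 }
        $1 == "tls-remote" {
            print "WARN tls-remote is deprecated; use verify-x509-name"
        }
        $1 == "mtu-disc" && $2 == "yes" {
            print "WARN mtu-disc yes sets DF on every packet; writes above the path MTU fail with code=90"
        }
        END {
            if (level >= 3)
                print "WARN script-security " level " lets passwords reach scripts via the environment"
            if (userpass && !nocache)
                print "WARN auth-user-pass without auth-nocache may cache the password in memory"
        }
    ' "$conf"

    # Credentials file check: group and other permission bits must all be off.
    authfile=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2 }' "$conf" | tail -n 1)
    if [ -n "$authfile" ] && [ -e "$authfile" ]; then
        perms=$(ls -ld "$authfile" | cut -c5-10)
        [ "$perms" = "------" ] || echo "WARN $authfile is group or others accessible; chmod 600 it"
    fi
    return 0
}
```

An empty result means none of these settings were found; the check does not validate the rest of the config.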

slidermike
That is a bummer.
The only other two ideas I have to suggest are that you open a bug report on the svn page.
http://svn.dd-wrt.com/

Post a new thread on the issue where Kong frequents over on the ddwrt official forums.
http://www.dd-wrt.com/phpBB2/viewforum.php?f=1

Jack Sukerman
Forum looks intimidating, and an enormous amount to read. So I tried Tomato, same problem and really isn't ready compared to dd-wrt. I'll investigate further to get an easily reproducible test case. Just found out about the non-volatile directory /jffs, I was losing all my stuff every time I rebooted, I knew I would so had a complicated series of commands in the admin/commands section to create files on boot. There should be a big flag somewhere telling people about it because once you can ssh in, edit/save files, view logs and run openvpn at the command line, sorting out issues is much easier.

Thanks for the pointers Mike.

jannyw4011
LimeVPN does everything a customer wants to exceed the customer requirement of accessing blocked internet content, from high speed to data security, integrated into its VPN services.