PIA Connection, working for 5 months, now drops after 5 minutes.

tendonut

So I've been using PIA as a secondary gateway on my pfsense box since December. I route all traffic on a specific subnet over it.

It has been working great, until some time last week. Since then, the PIA connection never seems to really work.

Here are the last 50 log entries.

https://pastebin.com/1KuGBs1X

Notice at 10:13 is when the connection is initialized, and at 10:19 is when it gets an inactivity timeout. It then attempts to reconnect, but that fails with an "AUTH_FAILED" error, then the service stops.

The thing is, even when the connection is active, I am unable to ping out over it. So it doesn't appear to be working at all.

I've tried a few different VPN servers in a few different geos, but it didn't make a difference.

Finger79

May 1 10:19:27  openvpn 58105  [706d7693721e5b67d3cd20e49ffcb621] Inactivity timeout (–ping-restart), restarting

I get this same "Inactivity timeout (–ping-restart)" in my logs as well (but not after 5 minutes, if that's what you're getting), and I'm trying to figure it out (maybe my ISP connectivity goes down or something, so it restarts).  pfSense automatically puts in keepalive 10 60 setting which I believe pings every 10 seconds and restarts after 60 seconds if the pings fail.  So either the PIA server fails to reply to the ping in 60 seconds, or the regular ISP connection hiccups.

Here's what the manual says:
@OpenVPN:

–keepalive interval timeout
    A helper directive designed to simplify the expression of –ping and --ping-restart.

This option can be used on both client and server side, but it is in enough to add this on the server side as it will push appropriate --ping and --ping-restart options to the client. If used on both server and client, the values pushed from server will override the client local values.

The timeout argument will be twice as long on the server side. This ensures that a timeout is detected on client side before the server side drops the connection.

For example, --keepalive 10 60 expands as follows:

if mode server:
      ping 10                    # Argument: interval
      ping-restart 120          # Argument: timeout*2
      push "ping 10"            # Argument: interval
      push "ping-restart 60"    # Argument: timeout
    else
      ping 10                    # Argument: interval
      ping-restart 60            # Argument: timeout

I wish I could help you more at this time, but I'm in a similar boat.  What's your log verbosity set at?  3?  Can you bump that up to 5 or higher?  I set mine at 5 for the time being.  It adds way more gibberish to sort through but may help with troubleshooting.

Edit:  Question for you.  Does this happen when you change PIA servers?  Like, say you're using us-california.  Does it happen with us-east or us-texas?  I've noticed that not all PIA servers are configured the same or behave the same.

tendonut

The verbosity was originally set to 3, then I set it to 5 for the attached log dump, then back down to 3. It didn't really give me much more insight into the issue.

I've tried the two in Canada and then 2 in the US. Same issues.

Even when the VPN is connected, I am unable to even do a ping test on that interface. Absolutely nothing will travel over it.