PIA VPN drops randomly, does not auto rebuild until OpenVPN service restarted

eds89

Hi There,

For a while now, my Private Internet Access client in OpenVPN on PFsense, has been dropping randomly, and then not auto rebuilding.
The only way to get this to correctly rebuild, is to restart the OpenVPN service in PFsense.

This seems to be the set of logs that repeats during attempted rebuild:

Jun 11 13:12:49	openvpn	2576	SIGUSR1[soft,auth-failure] received, process restarting
Jun 11 13:14:09	openvpn	2576	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 11 13:14:09	openvpn	2576	TCP/UDP: Preserving recently used remote address: [AF_INET]46.166.188.245:1198
Jun 11 13:14:09	openvpn	2576	UDPv4 link local (bound): [AF_INET]82.11.231.186:0
Jun 11 13:14:09	openvpn	2576	UDPv4 link remote: [AF_INET]46.166.188.245:1198
Jun 11 13:14:09	openvpn	2576	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Jun 11 13:14:09	openvpn	2576	WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Jun 11 13:14:09	openvpn	2576	[11d76880eec1db91df156e6462cbd782] Peer Connection Initiated with [AF_INET]46.166.188.245:1198
Jun 11 13:14:15	openvpn	2576	AUTH: Received control message: AUTH_FAILED
Jun 11 13:14:15	openvpn	2576	SIGUSR1[soft,auth-failure] received, process restarting

One thing that I have spotted, after restarting the service, is the VPN gateway IP seems to change. Here are the first few log entries after a process restart:

Jun 11 13:35:29	openvpn	2576	SIGUSR1[soft,auth-failure] received, process restarting
Jun 11 13:35:44	openvpn	2576	/usr/local/sbin/ovpn-linkdown ovpnc1 0 0 10.30.10.6 10.30.10.5 init
Jun 11 13:35:44	openvpn	2576	SIGTERM[hard,init_instance] received, process exiting
Jun 11 13:35:44	openvpn	21923	WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Jun 11 13:35:44	openvpn	21923	OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 4 2018
Jun 11 13:35:44	openvpn	21923	library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Jun 11 13:35:44	openvpn	22184	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 11 13:35:44	openvpn	22184	Initializing OpenSSL support for engine 'cryptodev'
Jun 11 13:35:44	openvpn	22184	TCP/UDP: Preserving recently used remote address: [AF_INET]185.107.44.34:1198
Jun 11 13:35:44	openvpn	22184	UDPv4 link local (bound): [AF_INET]82.11.231.186:0
Jun 11 13:35:44	openvpn	22184	UDPv4 link remote: [AF_INET]185.107.44.34:1198
Jun 11 13:35:44	openvpn	22184	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 11 13:35:44	openvpn	22184	WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Jun 11 13:35:44	openvpn	22184	WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Jun 11 13:35:44	openvpn	22184	[04134aa54058b865589304ac9f8351c3] Peer Connection Initiated with [AF_INET]185.107.44.34:1198
Jun 11 13:35:45	openvpn	22184	Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jun 11 13:35:45	openvpn	22184	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jun 11 13:35:45	openvpn	22184	Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jun 11 13:35:45	openvpn	22184	Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jun 11 13:35:45	openvpn	22184	TUN/TAP device ovpnc1 exists previously, keep at program end
Jun 11 13:35:45	openvpn	22184	TUN/TAP device /dev/tun1 opened
Jun 11 13:35:45	openvpn	22184	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jun 11 13:35:45	openvpn	22184	/sbin/ifconfig ovpnc1 10.18.10.6 10.18.10.5 mtu 1500 netmask 255.255.255.255 up
Jun 11 13:35:45	openvpn	22184	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.18.10.6 10.18.10.5 init
Jun 11 13:35:45	openvpn	22184	Initialization Sequence Completed

Is this enough info to help me determine why it doesn't auto rebuild? At this stage I'm not concerned as to why it's dropping, as long as it rebuilds correctly.
Note, the time between drops is normally in the order of days or a couple of weeks.

Cheers
Eds

bcruze

This is one of many reasons I dropped pia and nord.

Either way I suggest reading up on the remote host command
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/