Constant disconnections and "Restart pause" in the system logs

techtester-m

Custom mini pc build, running pfSense 2.4.4-RELEASE-p3.

Recently I'm having repeated disconnections when from the OpenVPN client connection set on the router.
This is what I see in the OpenVPN logs (the rest of the logs show nothing):

This one is new and only showed up in the logs once so far:

Any idea people?

Thank you,

@johnpoz

Rico

Check for the same/correct time for your server and clients.

-Rico

techtester-m

@Rico I'm not sure I understood you. The server is a NordVPN server and the clients are all on my pfSense router.
How do I achieve what you've suggested?

Gertjan

@techtester-m said in Constant disconnections and "Restart pause" in the system logs:

How do I achieve what you've suggested?

Just presume their (Open*VPN) has the correct time and date.
Check that your system is on the correct date.

Btw : this :

is a show stopper.
cipher and auth should be the same remote and local..
Nord*VPN expects AES-256-CBS, so you should setup your client to be the same.
Same thing for the 'auth', make it SHA512.

techtester-m

@Gertjan said in Constant disconnections and "Restart pause" in the system logs:

Check that your system is on the correct date.

It is on the correct date-time but set to my location/region of course and not the general UTC time. Don't know about theirs.

@Gertjan said in Constant disconnections and "Restart pause" in the system logs:

cipher and auth should be the same remote and local..
Nord*VPN expects AES-256-CBS, so you should setup your client to be the same.
Same thing for the 'auth', make it SHA512.

Cipher - NordVPN support team told me that I can force their servers to use AES-GCM (which is better and faster) because they support that cipher as well. The only reason it shows a warning in the logs is because their config file for all the servers states AES-CBS as the default cipher and in my VPN client's settings I set "Enable NCP - Enable Negotiable Cryptographic Parameters" to disabled, forcing the server to use the better faster GCM.

Auth - This one is weird because I did set in to SHA512 in the VPN client's settings. So why the warning?

@johnpoz Could you step in and help me again please?

Pippin

If you disable NCP you won't get AES-GCM ciphers but those specified.
If NCP is enabled it will override what is specified in the client config if the server also does NCP, which they do according to

NordVPN support team told me that I can force their servers to use AES-GCM (which is better and faster) because they support that cipher as well.

techtester-m

@Pippin I think you're wrong. I do get AES-GCM ciphers because that's what I chose in the settings.
See the logs in the screenshots - it initializes with GCM.

Also, check this screenshot:

Pippin

That's not what you wrote:
@techtester-m said in Constant disconnections and "Restart pause" in the system logs:

in my VPN client's settings I set "Enable NCP - Enable Negotiable Cryptographic Parameters" to disabled, forcing the server to use the better faster GCM.

Also, showing a fragment of the log doesn't help.
And just now showing other option selected.

Provide more info...

Just enable NCP, it will select the best cipher supported by both ends.

techtester-m

@Pippin According to NordVPN guys, the cipher thing is not an issue and their servers also support GCM.
The fact that my choice of SHA512 is not recognized/mentioned in the logs is wierd though...

@Pippin said in Constant disconnections and "Restart pause" in the system logs:

Also, showing a fragment of the log doesn't help.

It's not a fragment. It's the majority of it and it just repeats itself from time to time.