    Constant disconnections and "Restart pause" in the system logs

    OpenVPN
    • T
      techtester-m last edited by techtester-m

      Custom mini pc build, running pfSense 2.4.4-RELEASE-p3.

      Recently I'm having repeated disconnections from the OpenVPN client connection set on the router.
      This is what I see in the OpenVPN logs (the rest of the logs show nothing):
      Screen Shot 2020-02-02 at 13.07.06.png

      This one is new and only showed up in the logs once so far:
      Screen Shot 2020-02-02 at 11.11.46.png

      Any ideas, people?

      Thank you,

      @johnpoz

      • Rico
        Rico LAYER 8 Rebel Alliance last edited by

        Check for the same/correct time for your server and clients.

        -Rico

        2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

        • T
          techtester-m @Rico last edited by

          @Rico I'm not sure I understood you. The server is a NordVPN server and the clients are all on my pfSense router.
          How do I achieve what you've suggested?

          • Gertjan
            Gertjan @techtester-m last edited by

            @techtester-m said in Constant disconnections and "Restart pause" in the system logs:

            How do I achieve what you've suggested?

            Just presume theirs (Open*VPN) has the correct time and date.
            Check that your system is on the correct date.

            Btw, this:

            350eaadd-a887-4deb-a497-038d975385c8-image.png

            is a show stopper.
            Cipher and auth should be the same remote and local.
            Nord*VPN expects AES-256-CBC, so you should set up your client to be the same.
            Same thing for the 'auth', make it SHA512.

            No "help me" PM's please. Use the forum.

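The cipher/auth agreement discussed in the post above can be checked from the OpenVPN log itself. This is an added example, not part of the thread or of pfSense: it parses OpenVPN's "is used inconsistently" warnings and counts "Restart pause" events. The log lines are constructed samples (the thread's own logs are screenshots), and the function name `summarize` is hypothetical.

```python
import re

# Message OpenVPN logs when its option string disagrees with the peer's.
MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
RESTART_RE = re.compile(r"Restart pause, (\d+) second\(s\)")

# Data-channel options that both ends must agree on.
CRYPTO_OPTS = {"cipher", "auth", "keysize"}

# Constructed sample lines, not taken from the thread's screenshots.
SAMPLE_LOG = """\
Feb  2 13:06:51 openvpn[1234]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1634'
Feb  2 13:06:51 openvpn[1234]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Feb  2 13:06:51 openvpn[1234]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Feb  2 13:08:02 openvpn[1234]: Restart pause, 5 second(s)
Feb  2 13:08:09 openvpn[1234]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Feb  2 13:08:09 openvpn[1234]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Feb  2 13:09:20 openvpn[1234]: Restart pause, 5 second(s)
"""


def _value(opt, text):
    """Strip the leading option name: 'cipher AES-256-GCM' -> 'AES-256-GCM'."""
    prefix = opt + " "
    return text[len(prefix):] if text.startswith(prefix) else text


def summarize(log_text):
    """Return (crypto mismatches, other mismatches, restart count).

    Mismatches are de-duplicated per option, because the same warnings
    repeat on every reconnect.
    """
    crypto, other, restarts = {}, {}, 0
    for line in log_text.splitlines():
        if RESTART_RE.search(line):
            restarts += 1
            continue
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        opt = m["opt"]
        pair = (_value(opt, m["local"]), _value(opt, m["remote"]))
        (crypto if opt in CRYPTO_OPTS else other)[opt] = pair
    return crypto, other, restarts


if __name__ == "__main__":
    crypto, other, restarts = summarize(SAMPLE_LOG)
    for opt, (local, remote) in crypto.items():
        print(f"{opt}: local={local} remote={remote}")
    print(f"non-crypto mismatches: {sorted(other)}; restarts: {restarts}")
```
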
            • T
              techtester-m @Gertjan last edited by techtester-m

              @Gertjan said in Constant disconnections and "Restart pause" in the system logs:

              Check that your system is on the correct date.

              It is on the correct date-time but set to my location/region of course and not the general UTC time. Don't know about theirs.

              @Gertjan said in Constant disconnections and "Restart pause" in the system logs:

              Cipher and auth should be the same remote and local.
              Nord*VPN expects AES-256-CBC, so you should set up your client to be the same.
              Same thing for the 'auth', make it SHA512.

              Cipher - NordVPN support team told me that I can force their servers to use AES-GCM (which is better and faster) because they support that cipher as well. The only reason it shows a warning in the logs is because their config file for all the servers states AES-CBC as the default cipher and in my VPN client's settings I set "Enable NCP - Enable Negotiable Cryptographic Parameters" to disabled, forcing the server to use the better, faster GCM.

              Auth - This one is weird because I did set it to SHA512 in the VPN client's settings. So why the warning?

              @johnpoz Could you step in and help me again please?

              • Pippin
                Pippin last edited by

                If you disable NCP you won't get AES-GCM ciphers but those specified.
                If NCP is enabled it will override what is specified in the client config if the server also does NCP, which they do according to

                NordVPN support team told me that I can force their servers to use AES-GCM (which is better and faster) because they support that cipher as well.

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                • T
                  techtester-m @Pippin last edited by techtester-m

                  @Pippin I think you're wrong. I do get AES-GCM ciphers because that's what I chose in the settings.
                  See the logs in the screenshots - it initializes with GCM.

                  Also, check this screenshot:
                  Screen Shot 2020-02-09 at 22.38.52.png

                  • Pippin
                    Pippin last edited by Pippin

                    That's not what you wrote:
                    @techtester-m said in Constant disconnections and "Restart pause" in the system logs:

                    in my VPN client's settings I set "Enable NCP - Enable Negotiable Cryptographic Parameters" to disabled, forcing the server to use the better faster GCM.

                    Also, showing a fragment of the log doesn't help.
                    And just now showing other option selected.

                    Provide more info...

                    Just enable NCP, it will select the best cipher supported by both ends.


                    • T
                      techtester-m @Pippin last edited by techtester-m

                      @Pippin According to NordVPN guys, the cipher thing is not an issue and their servers also support GCM.
                      The fact that my choice of SHA512 is not recognized/mentioned in the logs is weird though...

                      @Pippin said in Constant disconnections and "Restart pause" in the system logs:

                      Also, showing a fragment of the log doesn't help.

                      It's not a fragment. It's the majority of it and it just repeats itself from time to time.
