Thoughts on VPN setup

Hi. I’ve had a really solid vpn setup running on my vero 4K for a while now, based on your support from this post Eth0 not connected- vpn setup issue? - #72 by Tee77.

I’ve taken you down the rabbit hole once before and have no intention of doing that again, but wonder if you have any general thoughts on the following, other than to get a more reliable ISP?

In my new accommodation I’m getting occasional internet drops (xDSL link is down on my sky sr203 router a few times a week). My router clears ip addresses, WAN link returns and is typically connected to the internet again within a minute. Every few days I’ve been finding the vero’s internet connection (via Ethernet) in limbo, for want of a more technical term. Watchdog service hasn’t reconnected the vpn, curl ipinfo.io does not return an IP address and Speedtester addon hangs while attempting to ping. Issuing sudo systemctl stop openvpn returns my ip address and enables watchdog to automatically reconnect the vpn shortly after and I’m back in business…

An example of not being able to reconnect:
https://paste.osmc.tv/bedabamalo
Time of internet drop: Nov 16 06:29

I recently set up port forwarding on my router (port 1198 for pia’s UDP vpn), and watchdog reconnected the vpn after the only internet drop I’ve had since.

https://paste.osmc.tv/josuqaxomo
Time of internet drop: Nov 18 06:27

I’m not sure if that’s proof of success, as I have a feeling the VPN connection has previously survived more drops than I’m aware of, but will continue testing. If I see more reconnection failures after internet drops going forward, I plan to test a TCP connection next.

A couple of questions…

Is port forwarding potentially important in this setup?

What is the best way to set up my vpn (if dns conflicts might be an issue here)?

Manually assign static ip and VPN’s dns on vero via my osmc, and have vero on an address outside of router’s DHCP range?

Or, my current setup…

Create a DHCP reservation on router and have vero configure network using DHCP, using openresolv to connect to VPN’s dns server? Or is none of this relevant to the problem? Either way, I’m quite interested to know what you’d recommend.

Apologies for the long post :pray:

Hi,

For what?

After the VPN connection drops, it appears the vero4k is unable to resolve dns. Please post the vpn conf file.

Thanks Tom.

Hi Tom

Yeah, should’ve been clearer. I was wondering if port forwarding is necessary to prevent potential dns conflicts with a vpn, which I guessed may be happening.

VPN conf file:

client
dev tun
proto udp
remote ireland.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass login.txt
compress
verb 1
reneg-sec 0
<certs snipped>
disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I’ve removed all the certificates from your post.

As to your problem, you should remove persist-tun from the config. It’s probably not necessary and can lead to problems, such as resolving DNS addresses after the network has failed.

I’d also suggest that you change verb 1 to verb 3, since the latter provides more diagnostic information.


Port forwarding won’t affect this.

Apologies re. including certificates! Ok, thanks both, will give this a go. I take it either of the two vero/router setups is ok.

What's the port forward set up for?

Reading a previous thread on this forum about a similar sounding issue - which the user resolved by using tcp and port forwarding - made me try it, hoping that it might resolve whatever conflict was happening, possibly with my router. I’ve very limited knowledge about this but thought it worth a try. I was forwarding UDP 1198 to the vero’s LAN address on the second log I posted.

I suggest you remove the forward and close the port.

Ok will do. Thanks


Internet connection has been pretty stable last few days, so not much chance to test, but did get a drop this eve at 19:56 which the vpn survived.
https://paste.osmc.tv/egovatoqij

Also decided to see what would happen if I unplugged the ethernet cable and plugged it back in. Removing persist-tun seems to have worked as the vpn automatically reconnected, which it would not have done before. Really chuffed about that. Took around 2-3 minutes to reconnect and there seems to be a conflict with the connection during this time, but the main thing is that it reconnected.
http://paste.osmc.tv/iwudibahak

Hi,

All looks good to me.

Still taking a while for DNS resolution to work, but with persist-tun removed, as @dillthedog suggested, DNS resolution works after a few minutes and the vpn reconnects. Working as expected now; I suggest marking Dill’s post as the solution.

Thanks Tom.
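
The two config changes suggested in this thread (remove persist-tun, raise verb to 3) and the removal of inline certificates before posting can be checked with a short script. This is an added example, not part of the original posts; the function names `lint_ovpn` and `redact_ovpn` and the sample config are constructed for illustration.

```shell
# lint_ovpn FILE: report persist-tun and verb < 3; exit status 1 on any finding.
lint_ovpn() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        $1 == "persist-tun" {
            # OpenVPN manual: keeps the tun device open and skips the up/down
            # scripts across restarts, so update-resolv-conf is not re-run.
            print "line " NR ": persist-tun is set; remove it"; n++
        }
        $1 == "verb" && $2 + 0 < 3 {
            print "line " NR ": verb " $2 " is low; use verb 3 for diagnostics"; n++
        }
        END { exit (n > 0) }
    ' "$1"
}

# redact_ovpn FILE: print the config with every inline <tag>...</tag> block
# (ca, cert, key, tls-auth, ...) collapsed to a one-line marker.
redact_ovpn() {
    awk '
        /^[ \t]*<\/[a-z][a-z0-9-]*>/ { inblock = 0; next }
        /^[ \t]*<[a-z][a-z0-9-]*>/ {
            tag = $1; gsub(/[<>]/, "", tag)
            print "<" tag " snipped>"; inblock = 1; next
        }
        !inblock { print }
    ' "$1"
}

# Constructed sample: directives from the thread plus a dummy inline block.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
client
dev tun
persist-key
persist-tun
verb 1
<ca>
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF
lint_ovpn "$SAMPLE" || true     # prints two findings for the sample
redact_ovpn "$SAMPLE"           # prints the config with <ca snipped>
```

The redacted output still needs a manual check for usernames or hostnames; the file named by `auth-user-pass` is separate and should never be posted.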

Thanks both.
