ER8411 OpenVPN/SSL VPN Issue
About OpenVPN/SSL VPN issue.
Today is 6 months since I reported the VPN error, it still hasn't been fixed. Do you have any more information about what's going on? Is there anyone working on this?
Do you know if the ER707-M2 has the same VPN bug?
Thanks, yes, this has been tested with my ER605 connected to NordVPN and there were no drops (just a slow connection, hence the upgrade)
I could try to use the 8411 as a client to another vpn server to see if it still gets the drops, (though I have tried multiple Nord servers and get the same drops), but as the 605 could connect happily to NordVPN, it does suggest that it's the 8411 that's dropping. As you say, as it worked well on the 605v2 could that suggest that it'll never work on the 8411v1?
This is not a big test, but I left the OpenVPN tunnel connected for a few more hours, 4-5 hours without it stopping and working this time.
I use the latest firmware on ER8411 which is 1.2.2 Build 20240809 Rel.48592
ER8411 is a client against a Unifi OpenVPN Server. Protocol is TCP.
It seems like it's an improvement over the last time I tried, at least it works. I have no possibility to test with UDP at this time.
Great thank you... I have just had that firmware suggested to me actually.
I am working from home and connected to a facilities house (via pcoip), so am unable to interrupt my internet connection in work hours, but will attempt to install this firmware tonight.
What you say does sound promising for sure, 4-5 hrs beats the hour I'm getting at the moment... the speeds that I do get though are very good with UDP.
I can try this new firmware with an OVPN UDP connection to NordVPN tonight and see how stable it is... Fingers crossed!
Thank you
Hi @gskips
Thanks for posting in our business forum.
gskips wrote
Thanks, yes, this has been tested with my ER605 connected to NordVPN and there were no drops (just a slow connection, hence the upgrade)
I could try to use the 8411 as a client to another vpn server to see if it still gets the drops, (though I have tried multiple Nord servers and get the same drops), but as the 605 could connect happily to NordVPN, it does suggest that it's the 8411 that's dropping. As you say, as it worked well on the 605v2 could that suggest that it'll never work on the 8411v1?
This might be a server issue. Like MR.S described he did not experience a problem when connecting to a Unifi router.
The OVPN version is different between the 8411 and 605 V2. I think that might be the reason.
Try to see if NordVPN can modify the encryption. Or does it have any other parameters the 8411 might not support?
You can remove the sensitive information and post it here so the community can take a look.
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
Hi there,
Thanks for this. Interestingly, a nice person from support suggested (and gave me a link) to a beta firmware (1.2.2 Build 20240809 Rel.48592) that they suggested I try.
I just thought I'd pass on my experience over the weekend, in case it's useful to know?
I installed on Friday night and have been attempting to monitor the connection over the weekend. It seems to go quite some way to correct the problem actually! After re-connecting the OVPN client to NordVPN (post firmware upgrade), since Friday night, I've not seen any total drops, resulting in the VPN not disconnecting and dropping back to the WAN/ISP ip address, which is great.
What I have noticed though is that the 'uptime' of the client, frequently resets. This can be after a few mins, or, I did see it go up to 3.5 hrs at one point. Sadly I didn't have the opportunity to constantly monitor it. This also caused a new IP address to be assigned to the client (which I totally appreciate is a NordVPN thing, as each time you connect to their OVPN server, they issue a new IP... if it was connected to a normal OVPN server, I'm sure static IPs would be issued, so less of an issue in that scenario). So over the space of a few hours, there may be several reconnects, with new IP addresses issued, BUT this didn't cause any full drops and has maintained a connection with NordVPN. I have yet to see if this interrupts any large file transfer, however, I don't really see that that is something I'd ever need.
I will continue to monitor it and see if the connection remains, but it's looking good so far.
So although, seemingly not perfect, this firmware is definitely a lot better than the previous, and it is maintaining the VPN connection, albeit reconnecting every so often. I currently haven't been able to test/prove if there are any leaks in this "dropped" time (I don't know if there is a docker type app that I can run to monitor this, say something to constantly monitor the WAN IP, to see if it momentarily changes?), but it is reconnecting successfully.
Anyway, I thought I'd pass this on in case it's useful. For the moment, it seems to be working, perhaps not perfectly, but certainly well enough to make it worth the upgrade to the beta firmware. Oh, and it did have the added benefit of giving a slightly quicker connection speed too, which was never an issue, but nice to have!
Cheers
Further to the above. I have just, briefly noticed, that the connection does in fact drop back to the WAN connection when these quick disconnects happen. Therefore, routing traffic through the ISP rather than through the OVPN connection. From what I can see, it is brief.. but still not ideal.
Just to confirm, that the OVPN connection to NordVPN does seem to be able to quickly reconnect, but it does still have disconnects, anywhere from after 1 minute to staying connected for a few hours - there seems to be no reason/trigger for its disconnections. (Is there a way of seeing OVPN client logs from the ER8411, so we can see if there is a reason for the disconnects?)
If there was a way of blocking traffic while these disconnects happen, that might be one way to ensure that no traffic travels beyond the OVPN connection. I’m afraid I’m not savvy enough to know, but is there a way using Policy Routing, that may block traffic while the OVPN connection is down and reinstate it when it’s reconnected (ultimately working like a killswitch), I think I read on here that Policy Routing isn't available yet for OVPN?
The firmware has not fixed the problem completely but it has gone a long way to making OVPN client almost usable, it’s just a bit of a security risk at the moment with these disconnects and traffic dropping back to the WAN/ISP. I have seen that there are several posts about OVPN and client connection issues that have been dating back a couple of years now. Is there anything that can be looked at by the team to try and fix these VPN issues?
Thanks.
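One way to do the WAN-IP monitoring asked about in the two posts above, as an added example that is not from any poster in this thread and is not TP-Link code. It runs on a LAN host whose traffic the router sends through the OVPN client; `ISP_IP` is a constructed placeholder, `ECHO_URL` is a hypothetical plain-text IP echo service, and `SAMPLE` is constructed data.

```python
"""Spot moments when a LAN host's traffic exits via the ISP address, not the VPN."""
import time
import urllib.request
from datetime import datetime, timezone

ISP_IP = "198.51.100.23"               # constructed: your real WAN/ISP address
ECHO_URL = "https://ip-echo.example/"  # hypothetical: any plain-text "what is my IP" service

# Constructed samples: (seconds, observed public IP, or None when the lookup failed).
SAMPLE = [(0, "203.0.113.10"), (5, "203.0.113.10"), (10, "198.51.100.23"),
          (15, "198.51.100.23"), (20, None), (25, "203.0.113.77"), (30, "203.0.113.77")]

def fetch_public_ip(url, timeout=5):
    """Return the public IP the echo service sees, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace").strip()
    except OSError:  # URLError and socket timeouts are both OSError subclasses
        return None

def summarize(samples, isp_ip):
    """Return (leak_windows, exit_ip_changes) for time-ordered samples."""
    leaks, changes = [], 0
    leak_start = leak_end = last_exit = None
    for ts, ip in samples:
        if ip == isp_ip:                      # traffic left via the ISP: a leak
            leak_start = ts if leak_start is None else leak_start
            leak_end = ts
            continue
        if leak_start is not None:            # a run of leak samples just ended
            leaks.append((leak_start, leak_end))
            leak_start = None
        if ip is not None:                    # tunnel answered: track exit-IP churn
            if last_exit is not None and ip != last_exit:
                changes += 1
            last_exit = ip
    if leak_start is not None:                # leak still open at end of data
        leaks.append((leak_start, leak_end))
    return leaks, changes

def monitor(url=ECHO_URL, isp_ip=ISP_IP, interval=5):
    """Poll forever, printing one timestamped line per sample."""
    while True:
        ip = fetch_public_ip(url)
        state = "LEAK" if ip == isp_ip else "no-answer" if ip is None else "vpn"
        print(datetime.now(timezone.utc).isoformat(), state, ip, flush=True)
        time.sleep(interval)

if __name__ == "__main__":
    print(summarize(SAMPLE, ISP_IP))  # offline demo; call monitor() for live polling
```

A fallback to the ISP that is shorter than the polling interval can fall between two samples, so a clean log only bounds the leak duration; it does not prove there was none.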
Hi @gskips
Thanks for posting in our business forum.
gskips wrote
Hi there,
Thanks for this. Interestingly, a nice person from support suggested (and gave me a link) to a beta firmware (1.2.2 Build 20240809 Rel.48592) that they suggested I try.
I posted the 1.2.2 official release last Saturday. It is not a beta anymore. See the pinned post?
gskips wrote
I installed on Friday night and have been attempting to monitor the connection over the weekend. It seems to go quite some way to correct the problem actually! After re-connecting the OVPN client to NordVPN (post firmware upgrade), since Friday night, I've not seen any total drops, resulting in the VPN not disconnecting and dropping back to the WAN/ISP ip address, which is great.
Like I described earlier, the ER8411 does not have the same OpenSSL version as the ER605 V2. If you say ER605 V2 can work stably, then that's the reason I believe.
It lags one release behind. Now the last update of 1.2.2 20240809 fixed it. 1.2.2 beta iterated twice on the forum and it was pinned over a month if I don't recall it wrong.
Hi @gskips
Thanks for posting in our business forum.
gskips wrote
Further to the above. I have just, briefly noticed, that the connection does in fact drop back to the WAN connection when these quick disconnects happen. Therefore, routing traffic through the ISP rather than through the OVPN connection. From what I can see, it is brief.. but still not ideal.
Just to confirm, that the OVPN connection to NordVPN does seem to be able to quickly reconnect, but it does still have disconnects, anywhere from after 1 minute to staying connected for a few hours - there seems to be no reason/trigger for its disconnections. (Is there a way of seeing OVPN client logs from the ER8411, so we can see if there is a reason for the disconnects?)
We don't have ways to locate the reason why it disconnects unless you Wireshark but it might be hard to find out the reason why.
Try a lower version OVPN app on your devices and connect to the third-party VPN and see if there is any disconnection?
ER605 V2 does not disconnect at all or you did notice it?
I don't have much trust in third-party vendors as they have different rules on their end to restrict. One of the reasons we don't keep the latest OVPN version on the devices is that the encryption is already good enough and we advertise our products to connect with our servers mostly.
I don't deny that you can use a third-party router or server, yet we are more prone to advise you to use the recommended way as we have tested them.
gskips wrote
If there was a way of blocking traffic while these disconnects happen, that might be one way to ensure that no traffic travels beyond the OVPN connection. I’m afraid I’m not savvy enough to know, but is there a way using Policy Routing, that may block traffic while the OVPN connection is down and reinstate it when it’s reconnected (ultimately working like a killswitch), I think I read on here that Policy Routing isn't available yet for OVPN?
The firmware has not fixed the problem completely but it has gone a long way to making OVPN client almost usable, it’s just a bit of a security risk at the moment with these disconnects and traffic dropping back to the WAN/ISP. I have seen that there are several posts about OVPN and client connection issues that have been dating back a couple of years now. Is there anything that can be looked at by the team to try and fix these VPN issues?
Thanks.
No.
I'd point out that how you research this is not correct. If you track down "Internet Issues", you can date this back to 10 years ago. You got people having trouble with the DNS/Internet/(or maybe Windows activation or bootup) in 2024. Will that be a problem with the product itself? That's not how you think of a product.
For example, I don't experience a DNS problem when I host a DNS server because I optimize my DNS servers and local networks. During the optimization phase, I know what I did and I am capable of troubleshooting it. Clearly it is not a router's fault. It must be me not understanding the DNS settings and the way it works on the router. So, that's my lesson that when you try something not recommended for a product, you experience a problem, that still got possible errors you need to marginalize.
I didn't experience a burnt 4090 on my computer, at the very first when it came out, was it to be a design flaw? Not really. People did more tests and methodological tests and found out it was not the issue with the card. But the power supply connection fault at the installation. During their test(before and after the board is manufactured I believe every product does the same), they did not notice a problem with the recommended power supply and cables. Only comes to be a problem at the user's hands.
Hard to say it is a problem with the router. Notice when MR.S proposed this, this was a year ago. Earlier than that, before 8411, we never recommended NordVPN. It was until someone mentioned that Nord would work on our products, that we actually quoted that user experience to others. Before that, I recalled that there was a time when Nord did not work out on our products at all.
8411 was experiencing this problem and we reported this way early. I cannot recall the MR.S ticket. I took care of his ticket and that was during the COVID time(?). We did not track down the reason.
I am asking the team to evaluate the necessity of looking into third-party VPN vendors.
I doubt if there is a way for our device to locate the reason. VPN log is not available yet.
Try a 2.3.8 OVPN software on your computer and capture the log to see if there is a disconnection problem on it. And one newer 2.4.3 as well.
Hi @gskips
Thanks for posting in our business forum.
In addition, what's your WAN type? MTU and MSS?
Change the MTU and MSS to 1450 and 1350 correspondingly. As NordVPN provides 1500 and 1450. That could be a reason why it disconnects gradually.
Due to the regional issue, we are not able to use the NordVPN for tests. On my end, I have subscribed to NordVPN out of my pocket. I don't think I can make a connection at least I tried several different IPs I have.
If possible, we may need a remote session to debug this. Let me know if you agree to remote, time zone, and your available time.