ER8411 OpenVPN/SSL VPN Issue

ER8411 OpenVPN/SSL VPN Issue

45 Reply
Re:ER8411 OpenVPN/SSL VPN Issue
2024-04-02 08:16:21

 

 

Summarize this now:

1. OpenVPN will disconnect after a while.

2. Performance is not expected. Like what you reported: https://community.tp-link.com/en/business/forum/topic/596196?replyId=1296198

Persists till now? 20Mbps or so? What is your upload and download speed? ISP plan.
3. IPsec and SSL would not work at the same time.

 

Do I understand you correctly?

 

Let me ask you this about the last one, did you bring up #3 in the past when you contacted us about OpenVPN? I recall I have met this and the dev told me they didn't reproduce this. It was because your network with too many VPN tunnels.

Do you reproduce this in two routers without too many variables?

  @Clive_A 

 

1  VPN stop communicating again after added keepalive 10 120.

Router show connected and OpenVPN server show connected but no ping or other fun in the tunnel.

 

2 Performance is no about 80-100 Mbps so much better, Unifi UXG-PRO do 200 Mbps or more, 200Mbps limit is problably server limit.

 

3 I have the config I have so I haven't tested anything with less configuration, there are some Ipsec VPNs about 25 but only 6 are enabled.

I have no active  L2TP PPTP or OpenVPN exept OpenVPN that I test just now, normaly disabled.

 

But SSL VPN is not a big deal for me, I don't use this but others may want to use SSL

 

 

 

 

 

  1  
  1  
#12
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-12 19:33:14

  @MR.S 

 

Hi there, 

 

I wonder if there is any more on this at all, regarding OpenVPN and client disconnects?

 

I have literally just bought a ER8411 and am regretting a little now I've read more about the OpenVPN issues. Everything about the router is good, but the main reason for buying one (replacing my ER605) was for the improved speeds over OpenVPN.

 

I have a client setup to connect to NordVPN, and linked to a VLAN. However I'm lucky to have it connected for an hour before it disconnects, or at least stops traffic (appearing still to be connected). Anything that is attahced to the VLAN then defaults back to the WAN port, totally making the VPN pointless and the devices exposed to my ISP, rather than being secured through NordVPN.

 

I had the exact same setup on my ER605 and it seemed to work fine, allbeit rather slow.... so the ER8411 was just supposed to give me a much quicker connection (which it does while it's connected, around 270mbps) - but the disconnections are driving me mad, surely it should stay connected for days/weeks/months... not minutes?!

 

Would be great is there was any kind of resolve of this, considering the most expensive, flagship TP-Link router, can't seem to be as sucessful at OpenVPN as the smaller, cheapest Omada router.

 

Cheers

gskips

 

  1  
  1  
#13
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 07:03:39

  @gskips 

There is no change, when I tested the last disconnected tunnel and did not connect again until I disabled and enabled the tunnel again, then it worked a bit, the vpn showed that it was connected but there was no traffic.


 in addition openvpn is super slow. TP-Link doesn't do anything about the problem, for comparison I have an ER706W which is 5 times faster with openvpn an ER8411 against the same VPN server and from the same internet line.

 

I've given up and use Unifi for both Wireguard and OpenVPN, TP-Lnk has no plans to fix ER8411

 

 

  1  
  1  
#14
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 07:38:22

  @MR.S  @Clive_A

 

Thanks for getting back to me.

 

That's really disappointing. Considering I have just spend a near fortune on this router, for the most part, for the faster OpenVPN features, and it can barely stay connected for an hours is ridiculous.

 

Surely this makes the ER8411 not fit for purpose... a working VPN, in all protocols, is a must for a business "VPN" Router? I appreciate that firmware is sometimes released with issues, but for something as fundamental as this, it should be a priority to get it fixed... especially as other Omada routers in the range are able to stay connected albeit with much slower speeds.

 

I'd say that the speeds I do get when it does stay connected are pretty good, but useless if it can't stay connected.

 

 @Clive_A any comment on this please,  and if TP-Link are fixing this essential flaw in the ER8411? - If not, I'll be looking to return ths unit, which isn't the fault of the reseller, so not very fair to return to them.

 

Thanks

 

  1  
  1  
#15
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 07:48:33 - last edited 2024-09-13 07:50:11

  @gskips 

 

I have an ER706W in a lab and it connects fine, OpenVPN never disconnects, it also delivers close to what the specifications for this router are. last time I tried ER8411 against the same OpenVPN server the speed was only 20-30 Mbps. I used the same configuration file on both ER8411 and ER706W but with different usernames.

 

ER706W had a transfer speed of about 80-150Mbps slightly up and down.

 

but there are rumors that there will be a change to OpenVPN in controller version 5.15.x, so I hope for an improvement for ER8411 as well

 

 

 

 

  1  
  1  
#16
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 07:54:46

Hi @gskips

gskips wrote

  @MR.S  @Clive_A

 

Thanks for getting back to me.

 

That's really disappointing. Considering I have just spend a near fortune on this router, for the most part, for the faster OpenVPN features, and it can barely stay connected for an hours is ridiculous.

 

Surely this makes the ER8411 not fit for purpose... a working VPN, in all protocols, is a must for a business "VPN" Router? I appreciate that firmware is sometimes released with issues, but for something as fundamental as this, it should be a priority to get it fixed... especially as other Omada routers in the range are able to stay connected albeit with much slower speeds.

 

I'd say that the speeds I do get when it does stay connected are pretty good, but useless if it can't stay connected.

 

 @Clive_A any comment on this please,  and if TP-Link are fixing this essential flaw in the ER8411? - If not, I'll be looking to return ths unit, which isn't the fault of the reseller, so not very fair to return to them.

 

Thanks

 

I will not discuss what we have done to address what MR.S reported earlier.

Just put some facts about the status now.

 

  • We have upgraded the firmware to address the speed issue which was improved in the previous firmware. This should be fixed I think.
  • The VPN speed is related to the upload and download speed of both ends. In case you miss this point.
  • MR.S cannot remote desktop with us. So does the MatthiasL22. Both have tickets created over the troubleshooting. We actually never reproduced the problem in our scenario as I recall. The email between MR.S goes back all the way to the end of 2022. Nothing concrete.
  • In a local network environment, my test with my computer which never sleeps, I can connect to the router all the time and do not experience downtime. I have not brought the ER8411 back to my home for tests. But in a local environment(LAN), this does not seem to be happening.

 

Hardware and firmware version? Mode?

What steps have you tried to diagnose the issue? What does your OVPN client log say on your phone/PC?

What configs do you have on your router except for the VPN?

Regardless of what you have with the third-party VPN, that's not my concern. As you described the client(phone/PC not at home) will disconnect from ER8411 as the server for every hour, that's a confirmative information?

Let me see if I can borrow and get an 8411 back home today and test it.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#17
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 08:05:57 - last edited 2024-09-13 08:09:49

  @Clive_A The only solution TP-Link offered to me at a certain time, was switching to standalone mode, where the issues should be fixed, which I never tried.

I also found out, that the VPN server at the other end was really outdated and because of some encryption settings incompatible with ER8411 (which is not a TP-Link fault).

To overcome this issue and the lack of HISGMII support on the SFP(+), I got rid of the ER8411 and set up a really nice working DIY OPNSense router. 

 

Having the ER8411 as VPN Server, worked indeed very well, but I think no one is complaining about that.

Omada Controller Linux 5.14.26.1 TL-SG2008 v3.0 - 3.0.9 EAP653(EU) v1.0 - 1.0.14 EAP650-Outdoor(EU)v1.0 - 1.1.4 EAP610-Outdoor(EU) v1.0 - 1.2.5 EAP615-Wall(EU) v1.0 - 1.2.4
  1  
  1  
#18
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 08:17:10

Hi @MatthiasL22 

MatthiasL22 wrote

  @Clive_A The only solution TP-Link offered to me at a certain time, was switching to standalone mode, where the issues should be fixed, which I never tried.

I also found out, that the VPN server at the other end was really outdated and because of some encryption settings incompatible with ER8411 (which is not a TP-Link fault).

To overcome this issue and the lack of HISGMII support on the SFP(+), I got rid of the ER8411 and set up a really nice working DIY OPNSense router. 

 

Having the ER8411 as VPN Server, worked indeed very well, but I think no one is complaining about that.

Oh. I see. Seems to be the above user is describing something else. It's been a long time and this was reactivated, I forgot what specific details were discussed. 

Reviewed your old posts and MR.S. It was about the ER8411 as the OVPN client.

 

But if you are connecting to a third-party server, I must say it is really hard to identify. What we have tested is between two Omada routers, and they work okay.

Cannot decide what may have on the third-party VPN vendors.

 

I don't recall what kind of scenario yours is? Third-party server or router to Omada(as a client)?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#19
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 08:26:19

  @Clive_A 

 

Hiya, thanks for your reply and understood for all your points.

 

My problems are using my ER8411 as a client to NordVPN, using their OpenVPN connection.  The client on the ER8411 is set up as standard, using the NordVPN UDP config file downloaded from their site. This is then tied to a VLAN. All connects well, and yes, I totally agree, speeds are pretty good.

 

The problems come after a few mins, or up to an hour (it tends not to go much beyond an hour) where the connection is dropped. The VPN in insights still lists as running, however devices (I have a synology NAS as the main until connected to the VLAN that's associated with the OVPN client connection) that are connected are not able to access the internet/connection and report as failed, eventually the VPN client will either drop or reconnect- but this could be after a couple of hours of this "limbo" state. Thus defaulting the devices to connect to the WAN and ISP rather than being tunnelled through the OVPN

 

Disconnecting and reconnecting the client manually, reconnects fine, until it drops again, as i say, normally within the hour.

 

I had this set up on my ER605 and all worked well, apart from the painfully slow speeds, which is why I excitedly upgraded to the ER8411.

 

I have the ER8411 V1.0 running FW 1.2.1 Build 20240308 Rel.75819

It is in a system with a OC200, SG2008P v3.20 (x2) , SG2016P v1.20, EAP615-Wall(EU) v1.0 (x3)

I only run one OVPN server, which has an offsite Synology NAS connected as a offsite backup, which has been connected flawlessly for days now.

 

So it is the Client side of the ER8411 that is causing the issues. If you are able, please, to point me in the direction of how I can get to the OVPN client log on the ER8411 I can look/send on for diagnostics, but I'm not expert enough to be able to know where that is, sorry.

 

Thank you again for your reply.  Apologies for my tone previously, I am just a little disappointed as I wasn't expecting the client to operate any differently to my ER605, and was looking forward to the fast connection speed (which I do get with the ER8411) with a stable connection.

 

Cheers

  1  
  1  
#20
Options
Re:ER8411 OpenVPN/SSL VPN Issue
2024-09-13 08:38:32 - last edited 2024-09-13 09:09:05

Hi @gskips 

Thanks for posting in our business forum.

gskips wrote

  @Clive_A 

 

Hiya, thanks for your reply and understood for all your points.

 

My problems are using my ER8411 as a client to NordVPN, using their OpenVPN connection.  The client on the ER8411 is set up as standard, using the NordVPN UDP config file downloaded from their site. This is then tied to a VLAN. All connects well, and yes, I totally agree, speeds are pretty good.

 

The problems come after a few mins, or up to an hour (it tends not to go much beyond an hour) where the connection is dropped. The VPN in insights still lists as running, however devices (I have a synology NAS as the main until connected to the VLAN that's associated with the OVPN client connection) that are connected are not able to access the internet/connection and report as failed, eventually the VPN client will either drop or reconnect- but this could be after a couple of hours of this "limbo" state. Thus defaulting the devices to connect to the WAN and ISP rather than being tunnelled through the OVPN

 

Disconnecting and reconnecting the client manually, reconnects fine, until it drops again, as i say, normally within the hour.

 

I had this set up on my ER605 and all worked well, apart from the painfully slow speeds, which is why I excitedly upgraded to the ER8411.

 

I have the ER8411 V1.0 running FW 1.2.1 Build 20240308 Rel.75819

It is in a system with a OC200, SG2008P v3.20 (x2) , SG2016P v1.20, EAP615-Wall(EU) v1.0 (x3)

I only run one OVPN server, which has an offsite Synology NAS connected as a offsite backup, which has been connected flawlessly for days now.

 

So it is the Client side of the ER8411 that is causing the issues. If you are able, please, to point me in the direction of how I can get to the OVPN client log on the ER8411 I can look/send on for diagnostics, but I'm not expert enough to be able to know where that is, sorry.

 

Thank you again for your reply.  Apologies for my tone previously, I am just a little disappointed as I wasn't expecting the client to operate any differently to my ER605, and was looking forward to the fast connection speed (which I do get with the ER8411) with a stable connection.

 

Cheers

Hmm. 8411 as the VPN client to the NordVPN server?

So, 8411 is not a server?

Have you tested 8411 with a regular router with a VPN function? 8411---Router with OVPN? At least you verify that is this is a problem with the 8411 or the Nord server.

 

I probably cannot push this too far with the test or dev team.. If you are doing this with a third-party VPN.

ER605 and 8411 got different OVPN version builds which is certain information. We have not guaranteed full compatibility and support to third-party VPN vendors.

It should be the version issue if you can get it working perfectly, no drop on 605 V2 but not on 8411 V1.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#21
Options