OpenVPN disconnects after an hour

I can connect to any vpn access point fine, but regardless of which vpn I use, it always fails after about an hour with the same messages:

Dec 29 03:10:38 grok nm-openvpn[27438]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Dec 29 03:10:38 grok nm-openvpn[27438]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Dec 29 03:10:38 grok nm-openvpn[27438]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Dec 29 03:10:38 grok nm-openvpn[27438]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

I am using Network Manager, set up by the downloadable pia-nm.sh script available on the support pages. I have not modified the default config settings, which are all:

cert is the 4096bit one
cipher = AES-256-CBC
auth=SHA256
port=1197

Per this page:
https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-
1197 is the proper port for this encryption type and hash, however it looks like the PIA servers are trying to degrade the connection.

How do I get this functioning properly?


Comments

  • Are you sure it is failing? Those messages are normal/harmless and just a side effect of the way the servers are configured. You might be disconnecting but those messages are from right after logging in, so if you disconnected it would be a bit above that in your logs.
  • Yes, all communication stops working when I receive those messages.
  • Another time:

    Dec 29 17:35:55 grok nm-openvpn[27016]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
    Dec 29 17:35:55 grok nm-openvpn[27016]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
    Dec 29 17:35:55 grok nm-openvpn[27016]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
    Dec 29 17:35:55 grok nm-openvpn[27016]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
    Dec 29 17:37:55 grok nm-openvpn[27016]: [f671a525d095cafb23f02429ea32f04c] Inactivity timeout (--ping-restart), restarting
    Dec 29 17:37:55 grok nm-openvpn[27016]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 29 17:37:57 grok nm-openvpn[27016]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Dec 29 17:37:57 grok nm-openvpn[27016]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 29 17:38:37 grok nm-openvpn[27016]: RESOLVE: Cannot resolve host address: swiss.privateinternetaccess.com: No address associated with hostname

    It is not always followed immediately by the "inactivity timeout" message, sometimes it takes two minutes before this happens, but the vpn always stops working with the warning messages.
  • There's the problem, I'm fairly certain:
    Dec 29 17:38:37 grok nm-openvpn[27016]: RESOLVE: Cannot resolve host address: swiss.privateinternetaccess.com: No address associated with hostname

    What is the content of /etc/resolv.conf at the moment a message (like the one above) appears?
  • nameserver 209.222.18.222
    nameserver 209.222.18.218


  • This time I caught it before it restarted and switched my dns servers to my local ones then it did this:

    Dec 29 20:10:05 grok nm-openvpn[1946]: [828394d50c58e14a820757b8ec9b2c64] Inactivity timeout (--ping-restart), restarting
    Dec 29 20:10:05 grok nm-openvpn[1946]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 29 20:10:07 grok nm-openvpn[1946]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Dec 29 20:10:07 grok nm-openvpn[1946]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 29 20:10:07 grok nm-openvpn[1946]: UDPv4 link local: [undef]
    Dec 29 20:10:07 grok nm-openvpn[1946]: UDPv4 link remote: [AF_INET]185.230.125.45:1197

    and then this:

    Dec 29 20:11:01 grok NetworkManager[28948]: <warn> nl_recvmsgs() error: (-33) Dump inconsistency detected, interrupted
    Dec 29 20:11:07 grok nm-openvpn[1946]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 29 20:11:07 grok nm-openvpn[1946]: TLS Error: TLS handshake failed
    Dec 29 20:11:07 grok nm-openvpn[1946]: SIGUSR1[soft,tls-error] received, process restarting

    Communication would not work the entire time so I just restarted the VPN as usual.


  • This is odd, but it might be because your client is somehow trying to renegotiate the keys at the same time the server does. Try the following:
    1. Open the VPN profile's settings from NetworkManager (or run nm-connection-editor from a terminal if you can't find it from the GUI menus)
    2. In the "Identity" tab, click on the "Advanced..." button
    3. Check the "Use custom renegotiation interval" box, and set it to 0
    4. OK/Apply/save everything we just opened
    5. Reconnect to the VPN
    Hopefully with that change it should work better!
  • That seems to have worked, it's been over 10 hours now and it's fine.
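
Added example, not part of the original thread: a small triage script that separates the option-mismatch warnings from the events that actually mark the tunnel dying, and measures the gap between the warnings and the following ping-restart. The event labels, function names and the placeholder year are assumptions of this example; the sample lines are copied from the log excerpts posted above.

```python
import re
from datetime import datetime

# Lines copied from the thread (session PID 27016); syslog omits the year.
SAMPLE = """\
Dec 29 17:35:55 grok nm-openvpn[27016]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Dec 29 17:35:55 grok nm-openvpn[27016]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Dec 29 17:37:55 grok nm-openvpn[27016]: [f671a525d095cafb23f02429ea32f04c] Inactivity timeout (--ping-restart), restarting
Dec 29 17:37:57 grok nm-openvpn[27016]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 29 17:38:37 grok nm-openvpn[27016]: RESOLVE: Cannot resolve host address: swiss.privateinternetaccess.com: No address associated with hostname
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ nm-openvpn\[(\d+)\]: (.*)$")
# Labels are this example's own names, not OpenVPN terminology.
RULES = [
    ("option-mismatch", re.compile(r"WARNING: '[\w-]+' is used inconsistently")),
    ("ping-restart", re.compile(r"Inactivity timeout \(--ping-restart\)")),
    ("tls-failure", re.compile(r"TLS Error: TLS handshake failed")),
    ("dns-failure", re.compile(r"RESOLVE: Cannot resolve host address")),
    ("no-cert-verify", re.compile(r"No server certificate verification method")),
]

def parse(text, year=2000):  # year is an assumed placeholder; only deltas matter
    """Return (timestamp, pid, label) for every nm-openvpn line a rule matches."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for label, rx in RULES:
            if rx.search(m.group(3)):
                events.append((ts, int(m.group(2)), label))
                break
    return events

def stall_after_negotiation(events):
    """Seconds from the last option-mismatch warning to the next ping-restart, per PID."""
    last_warn, gaps = {}, []
    for ts, pid, label in events:
        if label == "option-mismatch":
            last_warn[pid] = ts
        elif label == "ping-restart" and pid in last_warn:
            gaps.append((pid, int((ts - last_warn.pop(pid)).total_seconds())))
    return gaps

if __name__ == "__main__":
    for pid, secs in stall_after_negotiation(parse(SAMPLE)):
        print(f"pid {pid}: ping-restart {secs}s after the option warnings")
```

The no-cert-verify label is worth tracking on its own: it flags every restart where the client came up without a server certificate check configured.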