I was helping a client yesterday set up a VPN tunnel, only to have it constantly disconnect. The client was located outside of the country. For the sake of avoiding throttling and saving on CPU, we were using the Blowfish cipher, and the tunnel kept getting disconnected.
I found this rather strange, as I’ve never had this problem before. We’d literally get the client up and running only to find that it was immediately disconnected. This went on for a while (about 15 min.) before the lightbulb went off in my head to try something different. (Lateral thinking has always been my forte.) I switched the encryption from Blowfish to AES-128. Surprisingly, that changed everything: the tunnel stayed up and didn’t disconnect.
So apparently some deep packet inspection technology is able to decrypt Blowfish on the fly quickly enough to determine what the contents of the tunnel are.
It didn’t matter what port we were running on. We tried several different ports prior to this.
So if you’re noticing many random disconnects for no apparent reason (and I’ve set up enough VPN servers in my day to know I didn’t do anything wrong), consider changing your encryption to a stronger cipher. Apparently, it does make a difference.
Total time to figure it out? About 1 hour tops.
The good thing about the AES cipher is that it’s still considered pretty much unbreakable, even by the NSA and their supercomputer at building 5300.
So my recommendation is to switch the cipher before shuffling ports around to see if that makes a difference.
I’m not naming the country or the ISP, but clearly privacy is not high on their list.
It’s two simple changes.
On the OpenVPN server (if that’s what you’re using), just uncomment the AES line in /etc/openvpn/server.conf, and on the client, change the cipher to AES-128. All done.
Obviously, restart openvpn and dnsmasq afterwards.
For good measure, I always restart the iptables as well.
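As an added example (not from the original post), here is a small POSIX shell helper that makes the cipher change described above on an OpenVPN config file and reports which cipher a file will actually use. The config file paths and the service name in the comments are assumptions; the helper itself only edits whatever file you hand it.

```shell
#!/bin/sh
# Added example (not the post's own script): switch an OpenVPN config from
# the Blowfish default to AES-128-CBC. The awk rules mirror the stock sample
# server.conf, where the cipher lines ship commented out with ";".
# Paths and service names below are assumptions for illustration.

# Print the cipher a config will actually use. OpenVPN 2.3/2.4 fall back
# to BF-CBC when no active "cipher" line is present, which is why a config
# with no cipher line at all is still running Blowfish.
active_cipher() {
    val=$(awk '$1 == "cipher" { c = $2 } END { print c }' "$1")
    printf '%s\n' "${val:-BF-CBC}"
}

# Disable any active "cipher BF-CBC" and activate "cipher AES-128-CBC" (by
# uncommenting the sample line if present, otherwise appending it). Run
# this on both /etc/openvpn/server.conf and the client .ovpn: the cipher
# directive must match on both ends or the tunnel will not come up.
set_aes_cipher() {
    conf=$1
    tmp="$conf.tmp.$$"
    awk '
        $1 == "cipher"  && $2 == "BF-CBC"      { print ";" $0; next }
        $1 == ";cipher" && $2 == "AES-128-CBC" { sub(/;/, ""); found = 1 }
        $1 == "cipher"  && $2 == "AES-128-CBC" { found = 1 }
        { print }
        END { if (!found) print "cipher AES-128-CBC" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Demo on a constructed copy of the sample server.conf cipher block.
demo=$(mktemp)
printf ';cipher BF-CBC        # Blowfish (default)\n' >  "$demo"
printf ';cipher AES-128-CBC   # AES\n'                >> "$demo"
echo "before: $(active_cipher "$demo")"   # before: BF-CBC
set_aes_cipher "$demo"
echo "after:  $(active_cipher "$demo")"   # after:  AES-128-CBC
rm -f "$demo"
# After editing the real files, restart the service on both ends, e.g.
#   systemctl restart openvpn@server      (server; unit name assumed)
```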
This should help anyone who is having constant disconnects with OpenVPN.