If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


DNS and VPN. Why doesn't VPN connect a second time after the line is cut?

Started by ElizabethParker, Mar 22, 2023, 07:02 AM


ElizabethParker (Topic starter)

Hi there,

I'm wondering why, when the VPN connection with the provider is broken, the internet access is not connected on the second attempt. The structure of the network consists of the provider's local area network, where a VPN connection is established. After that, internet access is routed through this VPN connection, which has a static address. The DNS of the local network provider (172.22.0.1) is specified in the DNS settings, and the VPN connection uses the domain address (vpn.local) instead of the IP address. The IP address for vpn.local can range from 172.22.0.230 to 172.22.0.254.

It seems that after the VPN connection is broken, the IP of the vpn.local domain is not recognized by DNS, and it's unclear where the issue lies within the VPN loop. There is no ping response from vpn.local on the MikroTik, nor is it visible from the computers on my network. I have set up the routing properly, specifying the network with vpn.local and DNS (172.22.0.0/24), along with the gateway (172.30.94.1). However, it doesn't make any sense. I have also specified the source preference as my IP in the provider's local network (172.30.94.38). It's quite confusing.

After conducting extensive experiments, I have come to the following conclusion:

In general, I have tried disabling the VPN. First, I disable the VPN entirely, then the routing switches to the backup line and everything works fine. Next, I bring back the main line, and the routing switches accordingly. Then, I enable the VPN again, but it has no effect. The VPN seems to be stuck somewhere in the loop.

I suspect that the VPN provider has a domain name for the vpn.local connection. The DNS provider assigns an IP address within the range of 172.22.0.230 to 172.22.0.254 for this domain name. The MikroTik router receives this IP from the VPN provider and establishes a connection, which it seems to remember. Hence, when the VPN line is broken, the DNS of the provider disappears. And when it reappears, it offers a different IP for the connection. However, the MikroTik router remembers the previous IP and attempts to connect to it, despite being prohibited from doing so. This creates a VPN cycle.

Resetting the IP in the VPN seems to resolve the issue because it prompts the router to request a new IP from the DNS provider before establishing the connection. This enables an immediate connection. It is likely that the VPN remembers the IP to expedite the reconnection process in case of a break. However, this mechanism works only if the IP for the connection remains the same.

These thoughts emerged after observing the restoration of the main line. Occasionally (but rarely), the switching works correctly. This happens when the IP assigned by the DNS matches the IP to which the VPN was previously connected.

The question now is how to configure the VPN to request a new IP from the DNS provider each time before establishing the connection.


AuroINS111

It's possible that the old session was causing the issue. Sometimes, when a VPN connection is broken, the previous session remains active in the VPN settings and prevents the same login from being accepted again.

To troubleshoot this, you can try disabling the VPN interface after the break and wait for 5-10 minutes before enabling it again. If the connection is successful after doing this, it suggests that the old session was indeed causing the problem.

In such cases, it is essential to ensure that the previous session is properly terminated before attempting to establish a new connection. This can help resolve any conflicts or issues related to the old session, ensuring a smooth and uninterrupted VPN experience.

pavithrathiva

I used to rely on NordVPN while working in China but discovered that it was banned in 2021. Since I need to communicate with my wife and child using FB or Line, I am in search of a reliable VPN to connect to. I have explored various websites and sought advice from my friend in China.

They recommended ExpressVPN as a suitable option.

RobertMiller

The Kill Switch feature ensures the security of your data even in the event of a VPN connection interruption. It effectively blocks all internet traffic until the protection is restored by the free VPN service.

Having a reliable Kill Switch function in a VPN is crucial to safeguarding your sensitive information and maintaining privacy online. It acts as an extra layer of protection, ensuring that your data remains secure even if the VPN connection is unexpectedly disrupted. This feature provides peace of mind, knowing that your online activities are shielded from potential risks or exposure.
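RobertMiller describes the kill switch as a feature of a VPN product; on the router discussed in this thread it is nothing more than a firewall policy. Below is an added example, not configuration posted by anyone in the thread, of that fail-closed policy written for RouterOS. It assumes an uplink named ether1, a LAN bridge named bridge-lan and a tunnel interface named vpn-to-provider; none of these names come from the thread. Note that it is the opposite of the topic starter's design, which deliberately fails over to a backup line when the tunnel drops: with these rules the LAN loses Internet access until the tunnel is back.

```routeros
# Added example (not from the thread): fail-closed "kill switch" on RouterOS.
# Assumed names, not stated in the thread: uplink ether1, LAN bridge bridge-lan,
# tunnel interface vpn-to-provider. LAN hosts may reach the Internet only through
# the tunnel; while it is down their traffic is dropped, not sent over the raw uplink.

/interface list add name=WAN comment="raw provider uplinks"
/interface list add name=LAN comment="inside networks"
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge-lan

# Order matters: RouterOS evaluates filter rules top to bottom, so these two rules
# must sit above any general "accept forward" rule you already have.
/ip firewall filter add chain=forward in-interface-list=LAN out-interface=vpn-to-provider \
    action=accept comment="LAN to Internet, VPN only"

# Kill switch: anything from the LAN that is about to leave on a raw uplink is dropped
# and logged, so a tunnel drop shows up as "killswitch" entries in /log.
/ip firewall filter add chain=forward in-interface-list=LAN out-interface-list=WAN \
    action=drop log=yes log-prefix="killswitch" comment="kill switch: no LAN traffic on raw uplink"

# Only the forward chain is restricted. The router itself (chain=output) still needs
# the raw uplink to reach 172.22.0.1 for DNS and vpn.local for the tunnel, so leave
# the output chain alone or the tunnel can never come back.
```

The log rule is what turns the kill switch into a detection: a burst of "killswitch" lines in /log is the first sign that the tunnel has gone down, long before a user complains. If the router also has a backup line, add that uplink to the WAN list as well; otherwise traffic would silently fall back to it when the tunnel drops, which is exactly what a kill switch is meant to prevent.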

markloe

It seems the core of the problem lies in how the VPN client interacts with the DNS server and how it manages cached or remembered IP addresses.

From your description, it appears that the VPN connection relies on potentially outdated IP information when re-establishing the connection after a drop. This is a common issue with VPN clients that cache DNS responses for performance reasons. When the connection fails, the VPN client might not query the DNS server again for a new IP, leading to the cycle where it continues to try connecting to an obsolete IP address.

To address this issue in the best way possible, I recommend the following steps:

1. DNS Settings: Verify that your DNS settings in the MikroTik router point to the correct IP (172.22.0.1). You may also consider using an alternative DNS resolver that supports dynamic DNS updates if it fits into your architecture.

2. Clear DNS Cache: If your MikroTik router has a DNS caching feature, ensure that it's set to clear stale records frequently. This can usually be configured in the settings.

3. Adjust VPN Client Settings: Depending on the VPN client you're using, see if there are any options to disable DNS caching or to force a DNS lookup each time before establishing a connection. This would help to avoid using the old IP.

4. Static Route Configuration: Make sure any static routes specified do not conflict with default routing. Sometimes, conflicting routes can cause packet misdirection, leading to further complications in routing.

5. Scripting for Connection Re-establishing: You might consider implementing a script that runs each time the VPN connection drops. This script could clear any cached DNS entries and force a reconnection using the new IP from the DNS lookup.

6. Monitoring and Logs: Enable logging on your MikroTik router to capture when the DNS queries happen and track what IP addresses are being returned. This log will be instrumental in diagnosing the timing issues between the VPN reconnect and the DNS query.

7. Keepalive Configuration: In many VPN configurations, there's an option for keepalives or periodic pings that can maintain the connection. Setting this up might help detect connection problems quicker than the default timeout settings.

8. Contact VPN Provider: If all else fails, reach out to your VPN provider to see if they have any suggestions or configurations that might help maintain persistence in the DNS records related to the vpn.local domain.

It's essential to remember that network issues like these often involve a bit of trial and error. Document each step of your modifications and monitor the effects so you can identify what works effectively. With a combination of the suggestions above, you should be able to find a solution that allows your MikroTik router to successfully request a new IP address from the DNS provider each time the VPN connection is re-established.
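markloe's steps 2, 5 and 6 (flush the cache, script the reconnect, log what was resolved) can be combined into one RouterOS script that does what the topic starter asked for: look vpn.local up again before every reconnect instead of retrying the remembered peer. This is an added example, not something anyone in the thread posted. It assumes the tunnel is a PPTP client interface named vpn-to-provider (the thread never says which VPN type is in use; for L2TP, SSTP or OpenVPN substitute the matching client menu for pptp-client) and that the router's DNS server is already the provider's 172.22.0.1, as the topic starter describes.

```routeros
# Added example (not from the thread): re-resolve vpn.local before every reconnect.
# Assumed names, not stated in the thread:
#   - tunnel interface "vpn-to-provider", a PPTP client (/interface pptp-client)
#   - router DNS server already set to the provider's 172.22.0.1
# Intended to be stored as /system script "vpn-rehome" and run from the scheduler.

:local vpnIf "vpn-to-provider"
:local vpnHost "vpn.local"

# Only act on a tunnel that should be up but is not; an interface an admin
# disabled on purpose is left alone.
:if ([/interface get $vpnIf disabled] = false && [/interface get $vpnIf running] = false) do={
    # 1. Throw away every cached answer so the next lookup really goes to 172.22.0.1.
    #    The flush is global (all records), which is harmless here.
    /ip dns cache flush

    :do {
        # 2. Fresh lookup. :resolve aborts into on-error if the provider DNS is
        #    unreachable, so a dead provider line does not bounce the tunnel.
        :local newIp [:resolve $vpnHost]
        :local oldIp [:tostr [/interface pptp-client get $vpnIf connect-to]]

        :if ([:tostr $newIp] != $oldIp) do={
            :log info ("vpn.local now resolves to " . $newIp . " (was " . $oldIp . "), updating connect-to")
            /interface pptp-client set $vpnIf connect-to=$newIp
        }

        # 3. Bounce the interface so the client starts a new session towards $newIp
        #    instead of retrying the peer it remembered from before the drop.
        /interface disable [find name=$vpnIf]
        :delay 2s
        /interface enable [find name=$vpnIf]
        :log info ("re-enabled " . $vpnIf . " towards " . $newIp)
    } on-error={
        :log warning ("could not resolve " . $vpnHost . " via provider DNS; will retry on next run")
    }
}
```

Save it under /system script with the name vpn-rehome and schedule it with /system scheduler add name=vpn-rehome interval=1m on-event="/system script run vpn-rehome". After the first run connect-to holds an IP rather than the name vpn.local, and from then on the script is the only thing that updates it, which is the point: the lookup happens on the router's terms, once per reconnect, and the log shows exactly which address each attempt used. If the tunnel's own keepalive-timeout is lowered, a dead session is noticed sooner than the one-minute scheduler tick (markloe's step 7). The on-error branch is the important edge case from the start of the thread: while the provider's DNS at 172.22.0.1 is itself unreachable nothing is changed, so the router does not thrash the interface or wipe a working connect-to with a failed lookup.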

