Solved: OpenVPN Client with Perfect Privacy on ASUS RT-AC66U

asn1bur

Junior Member
ASUS RT-AC66U running Merlin Build 3.0.0.4.374.39

Has anyone had any luck with getting the OpenVPN client on an ASUS RT-AC66U working with Perfect Privacy? I used to have this working when the config files included the certificate authority, client certificate, Static Key and client key but now that they only include p12 and ta.key I have no idea how to get this working.

Currently when I try to enable the service it fails with the following in the log:

Mar 2 23:35:36 rc_service: httpd 318:notify_rc start_vpnclient1
Mar 2 23:35:37 openvpn[756]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 31 2014
Mar 2 23:35:37 openvpn[756]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 2 23:35:37 openvpn[756]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 2 23:35:37 openvpn[756]: Cannot load CA certificate file ca.crt (OpenSSL)
Mar 2 23:35:37 openvpn[756]: Exiting due to fatal error


Current config files attached, would really appreciate any help possible!

Thanks,
 

PP Daniel

Staff member
Hi,

the openvpn client is missing the ca.crt file, or rather its content. Note how on your Config3 screenshot the "Certificate Authority" field is empty, that is where to put the content of the ca.crt file. Also the fileds for Client Certificate and Client Key need to be filled with the content of the respective files (or have you used these files anywhere I might have overlooked?) Inserting the information to these fields should get you a working setup.

Once it works you might want to use UDP instead of TCP and "Verify Server Certificate" should be enabled also.

Please let me know how this works out.

I noticed there is an option to import an ovpn file (containing all the necessary settings). We will have these files ready to download for mobile devices in a couple of days when we do the maintenance.
 

asn1bur

Junior Member
I've never actually been able to get this working which is frustrating. I have tested using another VPN provider and that works fine, the difference seems to be that you only need to use the CA cert with their setup.

So my current config is attached, I am trying to connect to the Chicago pop, I am using the following for the certificates:

Chicago_ta.key as the static key,
ca.crt for the Certificate authority
Chicago_cl.crt for the Client Certificate
Chicago_cl.key for the client key

The service state shows as "ON" but I am seeing the following error in the system log " TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) and "TLS Error: TLS handshake failed"

Copy of the syslog log is here:
Aug 20 16:44:08 rc_service: httpd 820:notify_rc start_vpnclient2
Aug 20 16:44:08 kernel: tun: Universal TUN/TAP device driver, 1.6
Aug 20 16:44:08 kernel: tun: (C) 1999-2004 Max Krasnyansky
Aug 20 16:44:08 openvpn[17922]: DEPRECATED OPTION: --tls-remote, please update your configuration
Aug 20 16:44:08 openvpn[17922]: OpenVPN 2.3.4 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 3 2014
Aug 20 16:44:08 openvpn[17922]: library versions: OpenSSL 1.0.0m 5 Jun 2014, LZO 2.06
Aug 20 16:44:08 openvpn[17922]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 20 16:44:09 openvpn[17928]: UDPv4 link local: [undef]
Aug 20 16:44:09 openvpn[17928]: UDPv4 link remote: [AF_INET]67.202.67.106:1150
Aug 20 16:45:09 openvpn[17928]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 20 16:45:09 openvpn[17928]: TLS Error: TLS handshake failed
Aug 20 16:45:09 openvpn[17928]: SIGUSR1[soft,tls-error] received, process restarting
Aug 20 16:45:11 openvpn[17928]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 20 16:45:11 openvpn[17928]: UDPv4 link local: [undef]
Aug 20 16:45:11 openvpn[17928]: UDPv4 link remote: [AF_INET]67.202.67.106:1150
Aug 20 16:46:11 openvpn[17928]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 20 16:46:11 openvpn[17928]: TLS Error: TLS handshake failed
Aug 20 16:46:11 openvpn[17928]: SIGUSR1[soft,tls-error] received, process restarting
Aug 20 16:46:13 openvpn[17928]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 20 16:46:13 openvpn[17928]: UDPv4 link local: [undef]
Aug 20 16:46:13 openvpn[17928]: UDPv4 link remote: [AF_INET]67.202.67.106:1150

Any help would be greatly appreciated.
 

Gerd

Junior Member
Try this:

-Select client instance-> Client 1
-Start with WAN-> Yes
-Interface Type-> TUN
-Protocol-> UDP
-Server Address and Port-> Address:amsterdam.perfect-pricavy.com Port:1149
-Firewall-> Automatic
-Authorization Mode-> TLS
-Username/Password Authentication-> Yes
(Type PP Username and Password)
-Username Auth. Only-> No
-Extra HMAC authorization-> (I'm not sure, but not Disabled. Try "Outgoing" if exist)
-Create NAT on tunnel-> Yes
-Poll Interval-> 0
-Redirect Internet traffic-> Yes
-Accept DNS Configuration-> Strict
-Encryption cipher-> AES-256-CBC
-Compression-> Adaptive
-TLS Renegotiation Time-> -1
-Connection Retry-> -1
-Verify Server Certificate-> No
-Custom Configuration-> (see Code)

Code:
script-security 2
ns-cert-type server
tun-mtu 1500
fragment 1300
mssfix
float
reneg-sec 86400
resolv-retry 60
persist-key
persist-tun
persist-remote-ip
route-method exe
route-delay 2
hand-window 120
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
auth SHA512
verb 4
inactive 604800
ping 5
ping-restart 120
replay-window 512 60
mute-replay-warnings
-Static Key-> (Amsterdam_ta.key)
-Certificate Authority-> (ca.crt)
-Client Certificate-> (Amsterdam_cl.crt)
-Client Key-> (Amsterdam_cl.key)
 

asn1bur

Junior Member
Apologies for the slow response, I just saw your reply today. Tested with the above settings and it works great, thank you for taking the time to assist me with this, much appreciated.
 

Wall-E

Junior Member
Hello, I would like to know if the Open_VPN Connection still runs good on Asus Router (with original firmware), since I plan to buy an Asus device.
Can you tell something about the connection speed with vpn? Thank you!
 

Zoltar

New Member
Hi
Can somebody tell me how to setup my asus rt ac68u asusrt-merlin? How to redirect internet traffic witch policy rules? I need vpn only for my synology nas.

Thanks
 

MikeTO

New Member
There is an easy way to get it work simply upload the openvpn config file then you manually put in the certificates and keys.
 

shot2bitz

New Member
Sorry to jump your post, I'm using latest Merlin FW on a RT-AC66U-B1 and I cannot get VPN to run, I used the mobile_single_udp_AES-128-CBC.zip/ stockholm.perfect-privacy.com. files to set up but when I click the "Run" button I get a "Error - check configuration!" by the side of said button.
Thanks in Advance for any help given to a old fart who is bangin his head as I hadn't had these problems with other providers ;)

System Log
Jun 27 16:05:31 rc_service: httpd 495:notify_rc start_vpnclient1
Jun 27 16:05:33 openvpn[2113]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 21 2017
Jun 27 16:05:33 openvpn[2113]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.08
Jun 27 16:05:33 openvpn[2114]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Jun 27 16:05:33 openvpn[2114]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 27 16:05:33 openvpn[2114]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 27 16:05:33 openvpn[2114]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 27 16:05:33 openvpn[2114]: TCP/UDP: Preserving recently used remote address: [AF_INET]193.105.134.50:150
Jun 27 16:05:33 openvpn[2114]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jun 27 16:05:33 openvpn[2114]: UDP link local: (not bound)
Jun 27 16:05:33 openvpn[2114]: UDP link remote: [AF_INET]193.105.134.50:150
Jun 27 16:05:33 openvpn[2114]: TLS: Initial packet from [AF_INET]193.105.134.50:150, sid=9a7032df 9d6e04f5
Jun 27 16:05:33 openvpn[2114]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 27 16:05:33 openvpn[2114]: VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
Jun 27 16:05:33 openvpn[2114]: VERIFY OK: nsCertType=SERVER
Jun 27 16:05:33 openvpn[2114]: VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_stockholm.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
Jun 27 16:05:35 openvpn[2114]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Jun 27 16:05:35 openvpn[2114]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Jun 27 16:05:35 openvpn[2114]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jun 27 16:05:35 openvpn[2114]: [Server_stockholm.perfect-privacy.com] Peer Connection Initiated with [AF_INET]193.105.134.50:150
Jun 27 16:05:37 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:05:42 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:05:47 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:05:52 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:05:57 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:06:02 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:06:07 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:06:12 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:06:17 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:06:22 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:06:27 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Jun 27 16:06:27 openvpn[2114]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.2.36.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 193.105.134.158,dhcp-option DNS 31.204.150.153,ifconfig-ipv6 fdbf:1d37:bbe0:0:34:4:0:1243/112 fdbf:1d37:bbe0:0:34:4:0:1,ifconfig 10.2.36.243 255.255.255.0,peer-id 0'
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: timers and/or timeouts modified
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: compression parms modified
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jun 27 16:06:27 openvpn[2114]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: --ifconfig/up options modified
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: route options modified
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: route-related options modified
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: peer-id set
Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: adjusting link_mtu to 1629
Jun 27 16:06:27 openvpn[2114]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 27 16:06:27 openvpn[2114]: Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 27 16:06:27 openvpn[2114]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 27 16:06:27 openvpn[2114]: Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 27 16:06:27 openvpn[2114]: GDG6: remote_host_ipv6=n/a
Jun 27 16:06:27 openvpn[2114]: TUN/TAP device tun11 opened
Jun 27 16:06:27 openvpn[2114]: TUN/TAP TX queue length set to 100
Jun 27 16:06:27 openvpn[2114]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Jun 27 16:06:27 openvpn[2114]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jun 27 16:06:27 openvpn[2114]: /usr/sbin/ip addr add dev tun11 10.2.36.243/24 broadcast 10.2.36.255
Jun 27 16:06:27 openvpn[2114]: Linux ip addr add failed: external program exited with error status: 2
Jun 27 16:06:27 openvpn[2114]: Exiting due to fatal error
 

flyingpig

New Member
I am running an Asus RT-AC68U with the latest Merlin firmware 380.68 and cannot get the VPN to work. This is what the logs tell me after I upload the router VPN file for Montreal (or any other). Anyone any ideas?

Code:
Aug 14 14:17:10 rc_service: httpd 493:notify_rc start_vpnclient1
Aug 14 14:17:12 openvpn[7835]: Current Parameter Settings:
Aug 14 14:17:12 openvpn[7835]:   config = 'config.ovpn'
Aug 14 14:17:12 openvpn[7835]:   mode = 0
Aug 14 14:17:12 openvpn[7835]:   persist_config = DISABLED
Aug 14 14:17:12 openvpn[7835]:   persist_mode = 1
Aug 14 14:17:12 openvpn[7835]:   show_ciphers = DISABLED
Aug 14 14:17:12 openvpn[7835]:   show_digests = DISABLED
Aug 14 14:17:12 openvpn[7835]:   show_engines = DISABLED
Aug 14 14:17:12 openvpn[7835]:   genkey = DISABLED
Aug 14 14:17:12 openvpn[7835]:   key_pass_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   show_tls_ciphers = DISABLED
Aug 14 14:17:12 openvpn[7835]:   connect_retry_max = 0
Aug 14 14:17:12 openvpn[7835]: Connection profiles [0]:
Aug 14 14:17:12 openvpn[7835]:   proto = udp
Aug 14 14:17:12 openvpn[7835]:   local = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   local_port = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   remote = 'montreal.perfect-privacy.com'
Aug 14 14:17:12 openvpn[7835]:   remote_port = '150'
Aug 14 14:17:12 openvpn[7835]:   remote_float = DISABLED
Aug 14 14:17:12 openvpn[7835]:   bind_defined = DISABLED
Aug 14 14:17:12 openvpn[7835]:   bind_local = DISABLED
Aug 14 14:17:12 openvpn[7835]:   bind_ipv6_only = DISABLED
Aug 14 14:17:12 openvpn[7835]:   connect_retry_seconds = 5
Aug 14 14:17:12 openvpn[7835]:   connect_timeout = 120
Aug 14 14:17:12 openvpn[7835]:   socks_proxy_server = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   socks_proxy_port = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   tun_mtu = 1500
Aug 14 14:17:12 openvpn[7835]:   tun_mtu_defined = ENABLED
Aug 14 14:17:12 openvpn[7835]:   link_mtu = 1500
Aug 14 14:17:12 openvpn[7835]:   link_mtu_defined = DISABLED
Aug 14 14:17:12 openvpn[7835]:   tun_mtu_extra = 0
Aug 14 14:17:12 openvpn[7835]:   tun_mtu_extra_defined = DISABLED
Aug 14 14:17:12 openvpn[7835]:   mtu_discover_type = -1
Aug 14 14:17:12 openvpn[7835]:   fragment = 1300
Aug 14 14:17:12 openvpn[7835]:   mssfix = 1300
Aug 14 14:17:12 openvpn[7835]:   explicit_exit_notification = 0
Aug 14 14:17:12 openvpn[7835]: Connection profiles END
Aug 14 14:17:12 openvpn[7835]:   remote_random = ENABLED
Aug 14 14:17:12 openvpn[7835]:   ipchange = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   dev = 'tun11'
Aug 14 14:17:12 openvpn[7835]:   dev_type = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   dev_node = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   lladdr = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   topology = 1
Aug 14 14:17:12 openvpn[7835]:   ifconfig_local = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   ifconfig_remote_netmask = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   ifconfig_noexec = DISABLED
Aug 14 14:17:12 openvpn[7835]:   ifconfig_nowarn = DISABLED
Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_local = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_netbits = 0
Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_remote = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   shaper = 0
Aug 14 14:17:12 openvpn[7835]:   mtu_test = 0
Aug 14 14:17:12 openvpn[7835]:   mlock = DISABLED
Aug 14 14:17:12 openvpn[7835]:   keepalive_ping = 0
Aug 14 14:17:12 openvpn[7835]:   keepalive_timeout = 0
Aug 14 14:17:12 openvpn[7835]:   inactivity_timeout = 604800
Aug 14 14:17:12 openvpn[7835]:   ping_send_timeout = 5
Aug 14 14:17:12 openvpn[7835]:   ping_rec_timeout = 120
Aug 14 14:17:12 openvpn[7835]:   ping_rec_timeout_action = 2
Aug 14 14:17:12 openvpn[7835]:   ping_timer_remote = DISABLED
Aug 14 14:17:12 openvpn[7835]:   remap_sigusr1 = 0
Aug 14 14:17:12 openvpn[7835]:   persist_tun = ENABLED
Aug 14 14:17:12 openvpn[7835]:   persist_local_ip = DISABLED
Aug 14 14:17:12 openvpn[7835]:   persist_remote_ip = ENABLED
Aug 14 14:17:12 openvpn[7835]:   persist_key = ENABLED
Aug 14 14:17:12 openvpn[7835]:   passtos = DISABLED
Aug 14 14:17:12 openvpn[7835]:   resolve_retry_seconds = 60
Aug 14 14:17:12 openvpn[7835]:   resolve_in_advance = DISABLED
Aug 14 14:17:12 openvpn[7835]:   username = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   groupname = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   chroot_dir = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   cd_dir = '/etc/openvpn/client1'
Aug 14 14:17:12 openvpn[7835]:   writepid = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   up_script = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   down_script = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   down_pre = DISABLED
Aug 14 14:17:12 openvpn[7835]:   up_restart = DISABLED
Aug 14 14:17:12 openvpn[7835]:   up_delay = DISABLED
Aug 14 14:17:12 openvpn[7835]:   daemon = ENABLED
Aug 14 14:17:12 openvpn[7835]:   inetd = 0
Aug 14 14:17:12 openvpn[7835]:   log = DISABLED
Aug 14 14:17:12 openvpn[7835]:   suppress_timestamps = DISABLED
Aug 14 14:17:12 openvpn[7835]:   machine_readable_output = DISABLED
Aug 14 14:17:12 openvpn[7835]:   nice = 0
Aug 14 14:17:12 openvpn[7835]:   verbosity = 4
Aug 14 14:17:12 openvpn[7835]:   mute = 0
Aug 14 14:17:12 openvpn[7835]:   status_file = 'status'
Aug 14 14:17:12 openvpn[7835]:   status_file_version = 2
Aug 14 14:17:12 openvpn[7835]:   status_file_update_freq = 5
Aug 14 14:17:12 openvpn[7835]:   occ = ENABLED
Aug 14 14:17:12 openvpn[7835]:   rcvbuf = 0
Aug 14 14:17:12 openvpn[7835]:   sndbuf = 0
Aug 14 14:17:12 openvpn[7835]:   mark = 0
Aug 14 14:17:12 openvpn[7835]:   sockflags = 0
Aug 14 14:17:12 openvpn[7835]:   fast_io = DISABLED
Aug 14 14:17:12 openvpn[7835]:   comp.alg = 2
Aug 14 14:17:12 openvpn[7835]:   comp.flags = 1
Aug 14 14:17:12 openvpn[7835]:   route_script = 'vpnrouting.sh'
Aug 14 14:17:12 openvpn[7835]:   route_default_gateway = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   route_default_metric = 0
Aug 14 14:17:12 openvpn[7835]:   route_noexec = DISABLED
Aug 14 14:17:12 openvpn[7835]:   route_delay = 2
Aug 14 14:17:12 openvpn[7835]:   route_delay_window = 30
Aug 14 14:17:12 openvpn[7835]:   route_delay_defined = ENABLED
Aug 14 14:17:12 openvpn[7835]:   route_nopull = DISABLED
Aug 14 14:17:12 openvpn[7835]:   route_gateway_via_dhcp = DISABLED
Aug 14 14:17:12 openvpn[7835]:   allow_pull_fqdn = DISABLED
Aug 14 14:17:12 openvpn[7835]:   [redirect_default_gateway local=0]
Aug 14 14:17:12 openvpn[7835]:   management_addr = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   management_port = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   management_user_pass = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   management_log_history_cache = 250
Aug 14 14:17:12 openvpn[7835]:   management_echo_buffer_size = 100
Aug 14 14:17:12 openvpn[7835]:   management_write_peer_info_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   management_client_user = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   management_client_group = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   management_flags = 0
Aug 14 14:17:12 openvpn[7835]:   shared_secret_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   key_direction = 2
Aug 14 14:17:12 openvpn[7835]:   ciphername = 'AES-128-CBC'
Aug 14 14:17:12 openvpn[7835]:   ncp_enabled = DISABLED
Aug 14 14:17:12 openvpn[7835]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Aug 14 14:17:12 openvpn[7835]:   authname = 'SHA512'
Aug 14 14:17:12 openvpn[7835]:   prng_hash = 'SHA1'
Aug 14 14:17:12 openvpn[7835]:   prng_nonce_secret_len = 16
Aug 14 14:17:12 openvpn[7835]:   keysize = 0
Aug 14 14:17:12 openvpn[7835]:   engine = DISABLED
Aug 14 14:17:12 openvpn[7835]:   replay = ENABLED
Aug 14 14:17:12 openvpn[7835]:   mute_replay_warnings = ENABLED
Aug 14 14:17:12 openvpn[7835]:   replay_window = 64
Aug 14 14:17:12 openvpn[7835]:   replay_time = 15
Aug 14 14:17:12 openvpn[7835]:   packet_id_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   use_iv = ENABLED
Aug 14 14:17:12 openvpn[7835]:   test_crypto = DISABLED
Aug 14 14:17:12 openvpn[7835]:   tls_server = DISABLED
Aug 14 14:17:12 openvpn[7835]:   tls_client = ENABLED
Aug 14 14:17:12 openvpn[7835]:   key_method = 2
Aug 14 14:17:12 openvpn[7835]:   ca_file = 'ca.crt'
Aug 14 14:17:12 openvpn[7835]:   ca_path = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   dh_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   cert_file = 'client.crt'
Aug 14 14:17:12 openvpn[7835]:   extra_certs_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   priv_key_file = 'client.key'
Aug 14 14:17:12 openvpn[7835]:   pkcs12_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   cipher_list = 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA'
Aug 14 14:17:12 openvpn[7835]:   tls_verify = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   tls_export_cert = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   verify_x509_type = 0
Aug 14 14:17:12 openvpn[7835]:   verify_x509_name = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   crl_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   ns_cert_type = 1
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
 

flyingpig

New Member
Part 2 off the log:
Code:
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
Aug 14 14:17:12 openvpn[7835]:   remote_cert_eku = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   ssl_flags = 0
Aug 14 14:17:12 openvpn[7835]:   tls_timeout = 5
Aug 14 14:17:12 openvpn[7835]:   renegotiate_bytes = -1
Aug 14 14:17:12 openvpn[7835]:   renegotiate_packets = 0
Aug 14 14:17:12 openvpn[7835]:   renegotiate_seconds = 3600
Aug 14 14:17:12 openvpn[7835]:   handshake_window = 120
Aug 14 14:17:12 openvpn[7835]:   transition_window = 3600
Aug 14 14:17:12 openvpn[7835]:   single_session = DISABLED
Aug 14 14:17:12 openvpn[7835]:   push_peer_info = DISABLED
Aug 14 14:17:12 openvpn[7835]:   tls_exit = DISABLED
Aug 14 14:17:12 openvpn[7835]:   tls_auth_file = 'static.key'
Aug 14 14:17:12 openvpn[7835]:   tls_crypt_file = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   server_network = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   server_netmask = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   server_network_ipv6 = ::
Aug 14 14:17:12 openvpn[7835]:   server_netbits_ipv6 = 0
Aug 14 14:17:12 openvpn[7835]:   server_bridge_ip = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   server_bridge_netmask = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   server_bridge_pool_start = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   server_bridge_pool_end = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_defined = DISABLED
Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_start = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_end = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_netmask = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_persist_filename = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_persist_refresh_freq = 600
Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_pool_defined = DISABLED
Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_pool_base = ::
Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_pool_netbits = 0
Aug 14 14:17:12 openvpn[7835]:   n_bcast_buf = 256
Aug 14 14:17:12 openvpn[7835]:   tcp_queue_limit = 64
Aug 14 14:17:12 openvpn[7835]:   real_hash_size = 256
Aug 14 14:17:12 openvpn[7835]:   virtual_hash_size = 256
Aug 14 14:17:12 openvpn[7835]:   client_connect_script = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   learn_address_script = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   client_disconnect_script = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   client_config_dir = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   ccd_exclusive = DISABLED
Aug 14 14:17:12 openvpn[7835]:   tmp_dir = '/tmp'
Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_defined = DISABLED
Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_local = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_remote_netmask = 0.0.0.0
Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_ipv6_defined = DISABLED
Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_ipv6_local = ::/0
Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_ipv6_remote = ::
Aug 14 14:17:12 openvpn[7835]:   enable_c2c = DISABLED
Aug 14 14:17:12 openvpn[7835]:   duplicate_cn = DISABLED
Aug 14 14:17:12 openvpn[7835]:   cf_max = 0
Aug 14 14:17:12 openvpn[7835]:   cf_per = 0
Aug 14 14:17:12 openvpn[7835]:   max_clients = 1024
Aug 14 14:17:12 openvpn[7835]:   max_routes_per_client = 256
Aug 14 14:17:12 openvpn[7835]:   auth_user_pass_verify_script = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   auth_user_pass_verify_script_via_file = DISABLED
Aug 14 14:17:12 openvpn[7835]:   auth_token_generate = DISABLED
Aug 14 14:17:12 openvpn[7835]:   auth_token_lifetime = 0
Aug 14 14:17:12 openvpn[7835]:   port_share_host = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   port_share_port = '[UNDEF]'
Aug 14 14:17:12 openvpn[7835]:   client = ENABLED
Aug 14 14:17:12 openvpn[7835]:   pull = ENABLED
Aug 14 14:17:12 openvpn[7835]:   auth_user_pass_file = 'up'
Aug 14 14:17:12 openvpn[7835]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 13 2017
Aug 14 14:17:12 openvpn[7835]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Aug 14 14:17:12 openvpn[7836]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Aug 14 14:17:12 openvpn[7836]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 14 14:17:12 openvpn[7836]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 14 14:17:12 openvpn[7836]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 14 14:17:12 openvpn[7836]: LZO compression initializing
Aug 14 14:17:12 openvpn[7836]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Aug 14 14:17:12 openvpn[7836]: Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 ]
Aug 14 14:17:12 openvpn[7836]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Aug 14 14:17:12 openvpn[7836]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Aug 14 14:17:12 openvpn[7836]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Aug 14 14:17:12 openvpn[7836]: TCP/UDP: Preserving recently used remote address: [AF_INET]167.114.209.103:150
Aug 14 14:17:12 openvpn[7836]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Aug 14 14:17:12 openvpn[7836]: UDP link local: (not bound)
Aug 14 14:17:12 openvpn[7836]: UDP link remote: [AF_INET]167.114.209.103:150
Aug 14 14:17:12 openvpn[7836]: TLS: Initial packet from [AF_INET]167.114.209.103:150, sid=81abcaf2 f0247efa
Aug 14 14:17:12 openvpn[7836]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 14 14:17:13 openvpn[7836]: VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
Aug 14 14:17:13 openvpn[7836]: VERIFY OK: nsCertType=SERVER
Aug 14 14:17:13 openvpn[7836]: VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_montreal.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
Aug 14 14:17:16 openvpn[7836]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Aug 14 14:17:16 openvpn[7836]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Aug 14 14:17:16 openvpn[7836]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Aug 14 14:17:16 openvpn[7836]: [Server_montreal.perfect-privacy.com] Peer Connection Initiated with [AF_INET]167.114.209.103:150
Aug 14 14:17:17 openvpn[7836]: SENT CONTROL [Server_montreal.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Aug 14 14:17:17 openvpn[7836]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.1.20.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 149.56.153.190,dhcp-option DNS 130.180.200.36,ifconfig-ipv6 fdbf:1d37:bbe0:0:17:4:0:1245/112 fdbf:1d37:bbe0:0:17:4:0:1,ifconfig 10.1.20.245 255.255.255.0,peer-id 4'
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: compression parms modified
Aug 14 14:17:17 openvpn[7836]: LZO compression initializing
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Aug 14 14:17:17 openvpn[7836]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: route options modified
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: route-related options modified
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: peer-id set
Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: adjusting link_mtu to 1629
Aug 14 14:17:17 openvpn[7836]: Data Channel MTU parms [ L:1609 D:1300 EF:109 EB:407 ET:0 EL:3 ]
Aug 14 14:17:17 openvpn[7836]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 14 14:17:17 openvpn[7836]: Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 14 14:17:17 openvpn[7836]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 14 14:17:17 openvpn[7836]: Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 14 14:17:17 openvpn[7836]: GDG6: remote_host_ipv6=n/a
Aug 14 14:17:17 openvpn[7836]: TUN/TAP device tun11 opened
Aug 14 14:17:17 openvpn[7836]: TUN/TAP TX queue length set to 100
Aug 14 14:17:17 openvpn[7836]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Aug 14 14:17:17 openvpn[7836]: /usr/sbin/ip link set dev tun11 up mtu 1500
Aug 14 14:17:17 openvpn[7836]: /usr/sbin/ip addr add dev tun11 10.1.20.245/24 broadcast 10.1.20.255
Aug 14 14:17:17 openvpn[7836]: /usr/sbin/ip -6 addr add fdbf:1d37:bbe0:0:17:4:0:1245/112 dev tun11
Aug 14 14:17:17 openvpn[7836]: Linux ip -6 addr add failed: external program exited with error status: 2
Aug 14 14:17:17 openvpn[7836]: Exiting due to fatal error
 

flyingpig

New Member
Thanks for your help.
After digging into the log files, the last few lines stood out to me
Code:
openvpn[7836]: /usr/sbin/ip -6 addr add fdbf:1d37:bbe0:0:17:4:0:1245/112 dev tun11
openvpn[7836]: Linux ip -6 addr add failed: external program exited with error status: 2
It appears that an IP6 address could not be assigned to the tunnel, so I set the IPv6 settings in the router to native (even though my ISP does not assign IPv6 addresses) from off. Low and behold it now works!
 
Top