Solved: OpenVPN Client with Perfect Privacy on ASUS RT-AC66U

Discussion in 'Router' started by asn1bur, Mar 2, 2014.

  1. a

    asn1bur Junior Member

    ASUS RT-AC66U running Merlin Build 3.0.0.4.374.39

    Has anyone had any luck with getting the OpenVPN client on an ASUS RT-AC66U working with Perfect Privacy? I used to have this working when the config files included the certificate authority, client certificate, Static Key and client key but now that they only include p12 and ta.key I have no idea how to get this working.

    Currently when I try to enable the service it fails with the following in the log:

    Mar 2 23:35:36 rc_service: httpd 318:notify_rc start_vpnclient1
    Mar 2 23:35:37 openvpn[756]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 31 2014
    Mar 2 23:35:37 openvpn[756]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mar 2 23:35:37 openvpn[756]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 2 23:35:37 openvpn[756]: Cannot load CA certificate file ca.crt (OpenSSL)
    Mar 2 23:35:37 openvpn[756]: Exiting due to fatal error


    Current config files attached, would really appreciate any help possible!

    Thanks,
     
  2. PP Daniel

    PP Daniel Staff Member

    Hi,

    The OpenVPN client is missing the ca.crt file, or rather its content. Note how on your Config3 screenshot the "Certificate Authority" field is empty; that is where to put the content of the ca.crt file. Also the fields for Client Certificate and Client Key need to be filled with the content of the respective files (or have you used these files anywhere I might have overlooked?). Inserting the information into these fields should get you a working setup.

    Once it works you might want to use UDP instead of TCP and "Verify Server Certificate" should be enabled also.

    Please let me know how this works out.

    I noticed there is an option to import an ovpn file (containing all the necessary settings). We will have these files ready to download for mobile devices in a couple of days when we do the maintenance.
     
  3. a

    asn1bur Junior Member

    I've never actually been able to get this working which is frustrating. I have tested using another VPN provider and that works fine, the difference seems to be that you only need to use the CA cert with their setup.

    So my current config is attached, I am trying to connect to the Chicago pop, I am using the following for the certificates:

    Chicago_ta.key as the static key,
    ca.crt for the Certificate authority
    Chicago_cl.crt for the Client Certificate
    Chicago_cl.key for the client key

    The service state shows as "ON" but I am seeing the following errors in the system log: "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" and "TLS Error: TLS handshake failed".

    Copy of the syslog log is here:
    Aug 20 16:44:08 rc_service: httpd 820:notify_rc start_vpnclient2
    Aug 20 16:44:08 kernel: tun: Universal TUN/TAP device driver, 1.6
    Aug 20 16:44:08 kernel: tun: (C) 1999-2004 Max Krasnyansky
    Aug 20 16:44:08 openvpn[17922]: DEPRECATED OPTION: --tls-remote, please update your configuration
    Aug 20 16:44:08 openvpn[17922]: OpenVPN 2.3.4 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 3 2014
    Aug 20 16:44:08 openvpn[17922]: library versions: OpenSSL 1.0.0m 5 Jun 2014, LZO 2.06
    Aug 20 16:44:08 openvpn[17922]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 20 16:44:09 openvpn[17928]: UDPv4 link local: [undef]
    Aug 20 16:44:09 openvpn[17928]: UDPv4 link remote: [AF_INET]67.202.67.106:1150
    Aug 20 16:45:09 openvpn[17928]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Aug 20 16:45:09 openvpn[17928]: TLS Error: TLS handshake failed
    Aug 20 16:45:09 openvpn[17928]: SIGUSR1[soft,tls-error] received, process restarting
    Aug 20 16:45:11 openvpn[17928]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 20 16:45:11 openvpn[17928]: UDPv4 link local: [undef]
    Aug 20 16:45:11 openvpn[17928]: UDPv4 link remote: [AF_INET]67.202.67.106:1150
    Aug 20 16:46:11 openvpn[17928]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Aug 20 16:46:11 openvpn[17928]: TLS Error: TLS handshake failed
    Aug 20 16:46:11 openvpn[17928]: SIGUSR1[soft,tls-error] received, process restarting
    Aug 20 16:46:13 openvpn[17928]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 20 16:46:13 openvpn[17928]: UDPv4 link local: [undef]
    Aug 20 16:46:13 openvpn[17928]: UDPv4 link remote: [AF_INET]67.202.67.106:1150

    Any help would be greatly appreciated.
     
  4. a

    asn1bur Junior Member

    Morning.... any help with this would be greatly appreciated...
     
  5. G

    Gerd Junior Member

    Try this:

    -Select client instance-> Client 1
    -Start with WAN-> Yes
    -Interface Type-> TUN
    -Protocol-> UDP
    -Server Address and Port-> Address:amsterdam.perfect-privacy.com Port:1149
    -Firewall-> Automatic
    -Authorization Mode-> TLS
    -Username/Password Authentication-> Yes
    (Type PP Username and Password)
    -Username Auth. Only-> No
    -Extra HMAC authorization-> (I'm not sure, but not Disabled. Try "Outgoing" if it exists)
    -Create NAT on tunnel-> Yes
    -Poll Interval-> 0
    -Redirect Internet traffic-> Yes
    -Accept DNS Configuration-> Strict
    -Encryption cipher-> AES-256-CBC
    -Compression-> Adaptive
    -TLS Renegotiation Time-> -1
    -Connection Retry-> -1
    -Verify Server Certificate-> No
    -Custom Configuration-> (see Code)

    Code:
    script-security 2
    ns-cert-type server
    tun-mtu 1500
    fragment 1300
    mssfix
    float
    reneg-sec 86400
    resolv-retry 60
    persist-key
    persist-tun
    persist-remote-ip
    route-method exe
    route-delay 2
    hand-window 120
    tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    auth SHA512
    verb 4
    inactive 604800
    ping 5
    ping-restart 120
    replay-window 512 60
    mute-replay-warnings
    
    -Static Key-> (Amsterdam_ta.key)
    -Certificate Authority-> (ca.crt)
    -Client Certificate-> (Amsterdam_cl.crt)
    -Client Key-> (Amsterdam_cl.key)
     
  6. a

    asn1bur Junior Member

    Apologies for the slow response, I just saw your reply today. Tested with the above settings and it works great, thank you for taking the time to assist me with this, much appreciated.
     
  7. Wall-E

    Wall-E Junior Member

    Hello, I would like to know if the OpenVPN connection still runs well on an Asus router (with original firmware), since I plan to buy an Asus device.
    Can you tell me something about the connection speed with VPN? Thank you!
     
  8. Z

    Zoltar New Member

    Hi
    Can somebody tell me how to set up my Asus RT-AC68U with Asuswrt-Merlin? How do I redirect internet traffic with policy rules? I need VPN only for my Synology NAS.

    Thanks
     
  9. M

    MikeTO New Member

    There is an easy way to get it to work: simply upload the OpenVPN config file, then manually put in the certificates and keys.
     
  10. s

    shot2bitz New Member

    Sorry to jump your post. I'm using the latest Merlin FW on an RT-AC66U-B1 and I cannot get VPN to run. I used the mobile_single_udp_AES-128-CBC.zip/ stockholm.perfect-privacy.com. files to set up, but when I click the "Run" button I get an "Error - check configuration!" by the side of said button.
    Thanks in advance for any help given to an old fart who is bangin his head as I hadn't had these problems with other providers ;)

    System Log
    Jun 27 16:05:31 rc_service: httpd 495:notify_rc start_vpnclient1
    Jun 27 16:05:33 openvpn[2113]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 21 2017
    Jun 27 16:05:33 openvpn[2113]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.08
    Jun 27 16:05:33 openvpn[2114]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    Jun 27 16:05:33 openvpn[2114]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 27 16:05:33 openvpn[2114]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    Jun 27 16:05:33 openvpn[2114]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    Jun 27 16:05:33 openvpn[2114]: TCP/UDP: Preserving recently used remote address: [AF_INET]193.105.134.50:150
    Jun 27 16:05:33 openvpn[2114]: Socket Buffers: R=[122880->122880] S=[122880->122880]
    Jun 27 16:05:33 openvpn[2114]: UDP link local: (not bound)
    Jun 27 16:05:33 openvpn[2114]: UDP link remote: [AF_INET]193.105.134.50:150
    Jun 27 16:05:33 openvpn[2114]: TLS: Initial packet from [AF_INET]193.105.134.50:150, sid=9a7032df 9d6e04f5
    Jun 27 16:05:33 openvpn[2114]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jun 27 16:05:33 openvpn[2114]: VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
    Jun 27 16:05:33 openvpn[2114]: VERIFY OK: nsCertType=SERVER
    Jun 27 16:05:33 openvpn[2114]: VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_stockholm.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
    Jun 27 16:05:35 openvpn[2114]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
    Jun 27 16:05:35 openvpn[2114]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
    Jun 27 16:05:35 openvpn[2114]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Jun 27 16:05:35 openvpn[2114]: [Server_stockholm.perfect-privacy.com] Peer Connection Initiated with [AF_INET]193.105.134.50:150
    Jun 27 16:05:37 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:05:42 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:05:47 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:05:52 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:05:57 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:06:02 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:06:07 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:06:12 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:06:17 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:06:22 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:06:27 openvpn[2114]: SENT CONTROL [Server_stockholm.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Jun 27 16:06:27 openvpn[2114]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.2.36.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 193.105.134.158,dhcp-option DNS 31.204.150.153,ifconfig-ipv6 fdbf:1d37:bbe0:0:34:4:0:1243/112 fdbf:1d37:bbe0:0:34:4:0:1,ifconfig 10.2.36.243 255.255.255.0,peer-id 0'
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: timers and/or timeouts modified
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: compression parms modified
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Jun 27 16:06:27 openvpn[2114]: Socket Buffers: R=[122880->245760] S=[122880->245760]
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: --ifconfig/up options modified
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: route options modified
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: route-related options modified
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: peer-id set
    Jun 27 16:06:27 openvpn[2114]: OPTIONS IMPORT: adjusting link_mtu to 1629
    Jun 27 16:06:27 openvpn[2114]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jun 27 16:06:27 openvpn[2114]: Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Jun 27 16:06:27 openvpn[2114]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jun 27 16:06:27 openvpn[2114]: Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Jun 27 16:06:27 openvpn[2114]: GDG6: remote_host_ipv6=n/a
    Jun 27 16:06:27 openvpn[2114]: TUN/TAP device tun11 opened
    Jun 27 16:06:27 openvpn[2114]: TUN/TAP TX queue length set to 100
    Jun 27 16:06:27 openvpn[2114]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
    Jun 27 16:06:27 openvpn[2114]: /usr/sbin/ip link set dev tun11 up mtu 1500
    Jun 27 16:06:27 openvpn[2114]: /usr/sbin/ip addr add dev tun11 10.2.36.243/24 broadcast 10.2.36.255
    Jun 27 16:06:27 openvpn[2114]: Linux ip addr add failed: external program exited with error status: 2
    Jun 27 16:06:27 openvpn[2114]: Exiting due to fatal error
     
  11. f

    flyingpig New Member

    I am running an Asus RT-AC68U with the latest Merlin firmware 380.68 and cannot get the VPN to work. This is what the logs tell me after I upload the router VPN file for Montreal (or any other). Anyone any ideas?

    Code:
    Aug 14 14:17:10 rc_service: httpd 493:notify_rc start_vpnclient1
    Aug 14 14:17:12 openvpn[7835]: Current Parameter Settings:
    Aug 14 14:17:12 openvpn[7835]:   config = 'config.ovpn'
    Aug 14 14:17:12 openvpn[7835]:   mode = 0
    Aug 14 14:17:12 openvpn[7835]:   persist_config = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   persist_mode = 1
    Aug 14 14:17:12 openvpn[7835]:   show_ciphers = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   show_digests = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   show_engines = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   genkey = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   key_pass_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   show_tls_ciphers = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   connect_retry_max = 0
    Aug 14 14:17:12 openvpn[7835]: Connection profiles [0]:
    Aug 14 14:17:12 openvpn[7835]:   proto = udp
    Aug 14 14:17:12 openvpn[7835]:   local = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   local_port = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   remote = 'montreal.perfect-privacy.com'
    Aug 14 14:17:12 openvpn[7835]:   remote_port = '150'
    Aug 14 14:17:12 openvpn[7835]:   remote_float = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   bind_defined = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   bind_local = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   bind_ipv6_only = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   connect_retry_seconds = 5
    Aug 14 14:17:12 openvpn[7835]:   connect_timeout = 120
    Aug 14 14:17:12 openvpn[7835]:   socks_proxy_server = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   socks_proxy_port = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   tun_mtu = 1500
    Aug 14 14:17:12 openvpn[7835]:   tun_mtu_defined = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   link_mtu = 1500
    Aug 14 14:17:12 openvpn[7835]:   link_mtu_defined = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   tun_mtu_extra = 0
    Aug 14 14:17:12 openvpn[7835]:   tun_mtu_extra_defined = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   mtu_discover_type = -1
    Aug 14 14:17:12 openvpn[7835]:   fragment = 1300
    Aug 14 14:17:12 openvpn[7835]:   mssfix = 1300
    Aug 14 14:17:12 openvpn[7835]:   explicit_exit_notification = 0
    Aug 14 14:17:12 openvpn[7835]: Connection profiles END
    Aug 14 14:17:12 openvpn[7835]:   remote_random = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   ipchange = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   dev = 'tun11'
    Aug 14 14:17:12 openvpn[7835]:   dev_type = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   dev_node = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   lladdr = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   topology = 1
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_local = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_remote_netmask = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_noexec = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_nowarn = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_local = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_netbits = 0
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_remote = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   shaper = 0
    Aug 14 14:17:12 openvpn[7835]:   mtu_test = 0
    Aug 14 14:17:12 openvpn[7835]:   mlock = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   keepalive_ping = 0
    Aug 14 14:17:12 openvpn[7835]:   keepalive_timeout = 0
    Aug 14 14:17:12 openvpn[7835]:   inactivity_timeout = 604800
    Aug 14 14:17:12 openvpn[7835]:   ping_send_timeout = 5
    Aug 14 14:17:12 openvpn[7835]:   ping_rec_timeout = 120
    Aug 14 14:17:12 openvpn[7835]:   ping_rec_timeout_action = 2
    Aug 14 14:17:12 openvpn[7835]:   ping_timer_remote = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   remap_sigusr1 = 0
    Aug 14 14:17:12 openvpn[7835]:   persist_tun = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   persist_local_ip = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   persist_remote_ip = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   persist_key = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   passtos = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   resolve_retry_seconds = 60
    Aug 14 14:17:12 openvpn[7835]:   resolve_in_advance = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   username = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   groupname = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   chroot_dir = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   cd_dir = '/etc/openvpn/client1'
    Aug 14 14:17:12 openvpn[7835]:   writepid = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   up_script = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   down_script = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   down_pre = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   up_restart = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   up_delay = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   daemon = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   inetd = 0
    Aug 14 14:17:12 openvpn[7835]:   log = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   suppress_timestamps = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   machine_readable_output = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   nice = 0
    Aug 14 14:17:12 openvpn[7835]:   verbosity = 4
    Aug 14 14:17:12 openvpn[7835]:   mute = 0
    Aug 14 14:17:12 openvpn[7835]:   status_file = 'status'
    Aug 14 14:17:12 openvpn[7835]:   status_file_version = 2
    Aug 14 14:17:12 openvpn[7835]:   status_file_update_freq = 5
    Aug 14 14:17:12 openvpn[7835]:   occ = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   rcvbuf = 0
    Aug 14 14:17:12 openvpn[7835]:   sndbuf = 0
    Aug 14 14:17:12 openvpn[7835]:   mark = 0
    Aug 14 14:17:12 openvpn[7835]:   sockflags = 0
    Aug 14 14:17:12 openvpn[7835]:   fast_io = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   comp.alg = 2
    Aug 14 14:17:12 openvpn[7835]:   comp.flags = 1
    Aug 14 14:17:12 openvpn[7835]:   route_script = 'vpnrouting.sh'
    Aug 14 14:17:12 openvpn[7835]:   route_default_gateway = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   route_default_metric = 0
    Aug 14 14:17:12 openvpn[7835]:   route_noexec = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   route_delay = 2
    Aug 14 14:17:12 openvpn[7835]:   route_delay_window = 30
    Aug 14 14:17:12 openvpn[7835]:   route_delay_defined = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   route_nopull = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   route_gateway_via_dhcp = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   allow_pull_fqdn = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   [redirect_default_gateway local=0]
    Aug 14 14:17:12 openvpn[7835]:   management_addr = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   management_port = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   management_user_pass = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   management_log_history_cache = 250
    Aug 14 14:17:12 openvpn[7835]:   management_echo_buffer_size = 100
    Aug 14 14:17:12 openvpn[7835]:   management_write_peer_info_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   management_client_user = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   management_client_group = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   management_flags = 0
    Aug 14 14:17:12 openvpn[7835]:   shared_secret_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   key_direction = 2
    Aug 14 14:17:12 openvpn[7835]:   ciphername = 'AES-128-CBC'
    Aug 14 14:17:12 openvpn[7835]:   ncp_enabled = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
    Aug 14 14:17:12 openvpn[7835]:   authname = 'SHA512'
    Aug 14 14:17:12 openvpn[7835]:   prng_hash = 'SHA1'
    Aug 14 14:17:12 openvpn[7835]:   prng_nonce_secret_len = 16
    Aug 14 14:17:12 openvpn[7835]:   keysize = 0
    Aug 14 14:17:12 openvpn[7835]:   engine = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   replay = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   mute_replay_warnings = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   replay_window = 64
    Aug 14 14:17:12 openvpn[7835]:   replay_time = 15
    Aug 14 14:17:12 openvpn[7835]:   packet_id_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   use_iv = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   test_crypto = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   tls_server = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   tls_client = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   key_method = 2
    Aug 14 14:17:12 openvpn[7835]:   ca_file = 'ca.crt'
    Aug 14 14:17:12 openvpn[7835]:   ca_path = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   dh_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   cert_file = 'client.crt'
    Aug 14 14:17:12 openvpn[7835]:   extra_certs_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   priv_key_file = 'client.key'
    Aug 14 14:17:12 openvpn[7835]:   pkcs12_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   cipher_list = 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA'
    Aug 14 14:17:12 openvpn[7835]:   tls_verify = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   tls_export_cert = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   verify_x509_type = 0
    Aug 14 14:17:12 openvpn[7835]:   verify_x509_name = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   crl_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   ns_cert_type = 1
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    
     
  12. f

    flyingpig New Member

    Part 2 of the log:
    Code:
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_ku[i] = 0
    Aug 14 14:17:12 openvpn[7835]:   remote_cert_eku = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   ssl_flags = 0
    Aug 14 14:17:12 openvpn[7835]:   tls_timeout = 5
    Aug 14 14:17:12 openvpn[7835]:   renegotiate_bytes = -1
    Aug 14 14:17:12 openvpn[7835]:   renegotiate_packets = 0
    Aug 14 14:17:12 openvpn[7835]:   renegotiate_seconds = 3600
    Aug 14 14:17:12 openvpn[7835]:   handshake_window = 120
    Aug 14 14:17:12 openvpn[7835]:   transition_window = 3600
    Aug 14 14:17:12 openvpn[7835]:   single_session = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   push_peer_info = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   tls_exit = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   tls_auth_file = 'static.key'
    Aug 14 14:17:12 openvpn[7835]:   tls_crypt_file = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   server_network = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   server_netmask = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   server_network_ipv6 = ::
    Aug 14 14:17:12 openvpn[7835]:   server_netbits_ipv6 = 0
    Aug 14 14:17:12 openvpn[7835]:   server_bridge_ip = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   server_bridge_netmask = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   server_bridge_pool_start = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   server_bridge_pool_end = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_defined = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_start = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_end = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_netmask = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_persist_filename = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_pool_persist_refresh_freq = 600
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_pool_defined = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_pool_base = ::
    Aug 14 14:17:12 openvpn[7835]:   ifconfig_ipv6_pool_netbits = 0
    Aug 14 14:17:12 openvpn[7835]:   n_bcast_buf = 256
    Aug 14 14:17:12 openvpn[7835]:   tcp_queue_limit = 64
    Aug 14 14:17:12 openvpn[7835]:   real_hash_size = 256
    Aug 14 14:17:12 openvpn[7835]:   virtual_hash_size = 256
    Aug 14 14:17:12 openvpn[7835]:   client_connect_script = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   learn_address_script = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   client_disconnect_script = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   client_config_dir = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   ccd_exclusive = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   tmp_dir = '/tmp'
    Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_defined = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_local = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_remote_netmask = 0.0.0.0
    Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_ipv6_defined = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_ipv6_local = ::/0
    Aug 14 14:17:12 openvpn[7835]:   push_ifconfig_ipv6_remote = ::
    Aug 14 14:17:12 openvpn[7835]:   enable_c2c = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   duplicate_cn = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   cf_max = 0
    Aug 14 14:17:12 openvpn[7835]:   cf_per = 0
    Aug 14 14:17:12 openvpn[7835]:   max_clients = 1024
    Aug 14 14:17:12 openvpn[7835]:   max_routes_per_client = 256
    Aug 14 14:17:12 openvpn[7835]:   auth_user_pass_verify_script = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   auth_user_pass_verify_script_via_file = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   auth_token_generate = DISABLED
    Aug 14 14:17:12 openvpn[7835]:   auth_token_lifetime = 0
    Aug 14 14:17:12 openvpn[7835]:   port_share_host = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   port_share_port = '[UNDEF]'
    Aug 14 14:17:12 openvpn[7835]:   client = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   pull = ENABLED
    Aug 14 14:17:12 openvpn[7835]:   auth_user_pass_file = 'up'
    Aug 14 14:17:12 openvpn[7835]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 13 2017
    Aug 14 14:17:12 openvpn[7835]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
    Aug 14 14:17:12 openvpn[7836]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Aug 14 14:17:12 openvpn[7836]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 14 14:17:12 openvpn[7836]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    Aug 14 14:17:12 openvpn[7836]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    Aug 14 14:17:12 openvpn[7836]: LZO compression initializing
    Aug 14 14:17:12 openvpn[7836]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
    Aug 14 14:17:12 openvpn[7836]: Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 ]
    Aug 14 14:17:12 openvpn[7836]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
    Aug 14 14:17:12 openvpn[7836]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
    Aug 14 14:17:12 openvpn[7836]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
    Aug 14 14:17:12 openvpn[7836]: TCP/UDP: Preserving recently used remote address: [AF_INET]167.114.209.103:150
    Aug 14 14:17:12 openvpn[7836]: Socket Buffers: R=[122880->122880] S=[122880->122880]
    Aug 14 14:17:12 openvpn[7836]: UDP link local: (not bound)
    Aug 14 14:17:12 openvpn[7836]: UDP link remote: [AF_INET]167.114.209.103:150
    Aug 14 14:17:12 openvpn[7836]: TLS: Initial packet from [AF_INET]167.114.209.103:150, sid=81abcaf2 f0247efa
    Aug 14 14:17:12 openvpn[7836]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Aug 14 14:17:13 openvpn[7836]: VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
    Aug 14 14:17:13 openvpn[7836]: VERIFY OK: nsCertType=SERVER
    Aug 14 14:17:13 openvpn[7836]: VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_montreal.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
    Aug 14 14:17:16 openvpn[7836]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
    Aug 14 14:17:16 openvpn[7836]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
    Aug 14 14:17:16 openvpn[7836]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Aug 14 14:17:16 openvpn[7836]: [Server_montreal.perfect-privacy.com] Peer Connection Initiated with [AF_INET]167.114.209.103:150
    Aug 14 14:17:17 openvpn[7836]: SENT CONTROL [Server_montreal.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
    Aug 14 14:17:17 openvpn[7836]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.1.20.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 149.56.153.190,dhcp-option DNS 130.180.200.36,ifconfig-ipv6 fdbf:1d37:bbe0:0:17:4:0:1245/112 fdbf:1d37:bbe0:0:17:4:0:1,ifconfig 10.1.20.245 255.255.255.0,peer-id 4'
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: timers and/or timeouts modified
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: compression parms modified
    Aug 14 14:17:17 openvpn[7836]: LZO compression initializing
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Aug 14 14:17:17 openvpn[7836]: Socket Buffers: R=[122880->245760] S=[122880->245760]
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: --ifconfig/up options modified
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: route options modified
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: route-related options modified
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: peer-id set
    Aug 14 14:17:17 openvpn[7836]: OPTIONS IMPORT: adjusting link_mtu to 1629
    Aug 14 14:17:17 openvpn[7836]: Data Channel MTU parms [ L:1609 D:1300 EF:109 EB:407 ET:0 EL:3 ]
    Aug 14 14:17:17 openvpn[7836]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Aug 14 14:17:17 openvpn[7836]: Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Aug 14 14:17:17 openvpn[7836]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Aug 14 14:17:17 openvpn[7836]: Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Aug 14 14:17:17 openvpn[7836]: GDG6: remote_host_ipv6=n/a
    Aug 14 14:17:17 openvpn[7836]: TUN/TAP device tun11 opened
    Aug 14 14:17:17 openvpn[7836]: TUN/TAP TX queue length set to 100
    Aug 14 14:17:17 openvpn[7836]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
    Aug 14 14:17:17 openvpn[7836]: /usr/sbin/ip link set dev tun11 up mtu 1500
    Aug 14 14:17:17 openvpn[7836]: /usr/sbin/ip addr add dev tun11 10.1.20.245/24 broadcast 10.1.20.255
    Aug 14 14:17:17 openvpn[7836]: /usr/sbin/ip -6 addr add fdbf:1d37:bbe0:0:17:4:0:1245/112 dev tun11
    Aug 14 14:17:17 openvpn[7836]: Linux ip -6 addr add failed: external program exited with error status: 2
    Aug 14 14:17:17 openvpn[7836]: Exiting due to fatal error
    
     
  13. Z

    Zitzo New Member

    Last edited: Aug 15, 2017
  14. f

    flyingpig New Member

    Thanks for your help.
    After digging into the log files, the last few lines stood out to me
    Code:
    openvpn[7836]: /usr/sbin/ip -6 addr add fdbf:1d37:bbe0:0:17:4:0:1245/112 dev tun11
    openvpn[7836]: Linux ip -6 addr add failed: external program exited with error status: 2
    
    It appears that an IPv6 address could not be assigned to the tunnel, so I set the IPv6 settings in the router to native (even though my ISP does not assign IPv6 addresses) from off. Lo and behold, it now works!
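
An added example, not code from any poster or from Perfect Privacy: a small Python triage that maps the OpenVPN messages quoted in this thread to the stage that failed and to the security warnings that were logged along the way. The rule ids and hint wording are this example's own labels (assumptions); the sample lines are excerpts of the logs posted in posts 1, 3 and 12.

```python
import re
from collections import OrderedDict

# Syslog prefix as it appears in the thread; the timestamp is optional
# because post 14 quotes lines without it.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+)?openvpn\[\d+\]:\s+(?P<msg>.*)$"
)

# (rule id, severity, message pattern, hint). Ids and hints are labels
# made up for this example; the patterns are the messages in the thread.
RULES = [
    ("ca-not-loaded", "fatal",
     r"Cannot load CA certificate file",
     "Certificate Authority field is empty or does not hold the ca.crt content"),
    ("tls-timeout", "fatal",
     r"TLS key negotiation failed to occur within (\d+) seconds",
     "handshake never completed: check address, port, protocol, static key/HMAC setting"),
    ("ifconfig-v6-failed", "fatal",
     r"Linux ip -6 addr add failed",
     "pushed IPv6 tunnel address could not be assigned; check the router's IPv6 setting"),
    ("ifconfig-v4-failed", "fatal",
     r"Linux ip addr add failed",
     "pushed IPv4 tunnel address could not be assigned"),
    ("no-server-verify", "security",
     r"No server certificate verification method has been enabled",
     "peer certificate is not checked for a server role; enable Verify Server Certificate"),
    ("cipher-mismatch", "security",
     r"'cipher' is used inconsistently, local='cipher ([^']+)', remote='cipher ([^']+)'",
     "client and server name different data-channel ciphers"),
    ("password-cache", "security",
     r"may cache passwords in memory",
     "add auth-nocache, as the message itself suggests"),
    ("deprecated-option", "deprecation",
     r"(--[\w-]+) is DEPRECATED|DEPRECATED OPTION: (--[\w-]+)",
     "replace the deprecated option named in the message"),
]


def triage(log_text):
    """Return one finding per rule hit, in order of first appearance."""
    findings = OrderedDict()
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if line is None:
            continue  # rc_service, kernel and blank lines carry no OpenVPN status
        for rule_id, severity, pattern, hint in RULES:
            hit = re.search(pattern, line.group("msg"))
            if hit is None:
                continue
            entry = findings.setdefault(rule_id, {
                "id": rule_id, "severity": severity, "hint": hint,
                "first_seen": line.group("ts"),
                "detail": [g for g in hit.groups() if g],
                "count": 0,
            })
            entry["count"] += 1  # restart loops repeat the same error
            break
    return list(findings.values())


def root_cause(findings):
    """Id of the first fatal finding, or None if the log shows no fatal stage."""
    for finding in findings:
        if finding["severity"] == "fatal":
            return finding["id"]
    return None


# Excerpts of the logs posted in this thread (posts 1, 3 and 12).
LOG_POST_1 = """\
Mar 2 23:35:36 rc_service: httpd 318:notify_rc start_vpnclient1
Mar 2 23:35:37 openvpn[756]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 2 23:35:37 openvpn[756]: Cannot load CA certificate file ca.crt (OpenSSL)
Mar 2 23:35:37 openvpn[756]: Exiting due to fatal error
"""
LOG_POST_3 = """\
Aug 20 16:44:08 openvpn[17922]: DEPRECATED OPTION: --tls-remote, please update your configuration
Aug 20 16:45:09 openvpn[17928]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 20 16:45:09 openvpn[17928]: TLS Error: TLS handshake failed
Aug 20 16:46:11 openvpn[17928]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
LOG_POST_12 = """\
Aug 14 14:17:12 openvpn[7836]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Aug 14 14:17:16 openvpn[7836]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Aug 14 14:17:17 openvpn[7836]: /usr/sbin/ip -6 addr add fdbf:1d37:bbe0:0:17:4:0:1245/112 dev tun11
Aug 14 14:17:17 openvpn[7836]: Linux ip -6 addr add failed: external program exited with error status: 2
"""

if __name__ == "__main__":
    for name, log in (("post 1", LOG_POST_1), ("post 3", LOG_POST_3), ("post 12", LOG_POST_12)):
        found = triage(log)
        print(name, "-> root cause:", root_cause(found))
        for f in found:
            print("  [%s] %s x%d %s: %s" % (f["severity"], f["id"], f["count"], f["detail"], f["hint"]))
```

The security findings are reported even when the tunnel comes up, so a working connection with no server certificate verification or a cipher mismatch still shows in the output.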
     