VPN connection with RT-AC88U is established, but websites are not displayed

Truman

Freshly Joined Member
I use an Asus RT-AC88U router with Merlin firmware (384.14.2) and set up the VPN client as described on the Perfect Privacy homepage. This worked for about 1 year, until a few days ago I noticed that the connection to the VPN was no longer being established (error message in the router: Error Authentication or something similar).

I then set everything up again following a guide from this forum and also updated the firmware to 314.19 beforehand.

After that the connection was established, but, and this is the strange part, most websites cannot be opened. For example, www.google.de cannot be opened (server cannot be found), while www.kicker.de is at least partially loaded.

The Asus router is connected via its WAN port to a network port of a Fritzbox.

Here is my configuration:

WAN connection type: automatic
Enable WAN: yes
Enable NAT: yes
Enable UPnP: yes
Enable secure UPnP mode: yes

Connect to DNS server automatically: no
DNS server 1: 8.8.8.8
DNS server 2: 8.8.4.4
Forward local domain queries to upstream DNS: no
Enable DNS Rebind protection: no
Enable DNSSEC support: no
Prevent client auto DoH: auto
DNS Privacy Protocol: none

IPv6 settings:

Connection type: Native
DHCP-PD: enable
Release prefix on exit: enable

VPN client settings:

Automatic start at boot time: yes
I imported Amsterdam.opvn
Interface type: TUN
Protocol: UDP
Server Address and Port: 85.17.64.131:1151
Accept DNS Configuration: Strict
Create NAT on tunnel: yes
Inbound Firewall: Block

Authorization mode: TLS
Username/Password Authentication: yes
Username / password auth. only: no

Cipher Negotiation: Enable
Negotiable ciphers: AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
TLS control channel security (tls-auth / tls-crypt): Outgoing Auth (1)
Auth digest: SHA512

Compression: LZO Adaptive
TLS Renegotiation Time: 3600
Connection Retry attempts: 15
Verify Server Certificate Name: No
Force Internet traffic through tunnel: Policy Rules (strict)
Block routed clients if tunnel goes down: yes

Custom configuration:

Code:
script-security 2
ns-cert-type server
tun-mtu 1500
fragment 1300
mssfix
float
reneg-sec 86400
resolv-retry 60
persist-key
persist-tun
persist-remote-ip
route-method exe
route-delay 2
hand-window 120
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
auth SHA512
verb 4
inactive 604800
ping 5
ping-restart 120
replay-window 512 60
mute-replay-warnings

I saw that there are a few warnings in the system log, but I can't make sense of them.
Maybe someone has an idea why this isn't working for me?
 

Truman

Freshly Joined Member
Here is an excerpt from the system log:

Oct 20 15:53:31 ovpn-client1[1428]: UDP link local: (not bound)
Oct 20 15:53:31 ovpn-client1[1428]: UDP link remote: [AF_INET]85.17.64.131:1151
Oct 20 15:53:32 ovpn-client1[1428]: TLS: Initial packet from [AF_INET]85.17.64.131:1151, sid=4d8c25bb 34190d40
Oct 20 15:53:32 ovpn-client1[1428]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 20 15:53:32 ovpn-client1[1428]: VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
Oct 20 15:53:32 ovpn-client1[1428]: VERIFY OK: nsCertType=SERVER
Oct 20 15:53:32 ovpn-client1[1428]: VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_amsterdam.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
Oct 20 15:53:35 ovpn-client1[1428]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1606'
Oct 20 15:53:35 ovpn-client1[1428]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Oct 20 15:53:35 ovpn-client1[1428]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Oct 20 15:53:35 ovpn-client1[1428]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 20 15:53:35 ovpn-client1[1428]: [Server_amsterdam.perfect-privacy.com] Peer Connection Initiated with [AF_INET]85.17.64.131:1151
Oct 20 15:53:36 ovpn-client1[1428]: SENT CONTROL [Server_amsterdam.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Oct 20 15:53:36 ovpn-client1[1428]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.4.84.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 37.48.94.55,dhcp-option DNS 5.79.98.56,ifconfig-ipv6 fdbf:1d37:bbe0:0:69:4:0:f6/112 fdbf:1d37:bbe0:0:69:4:0:1,ifconfig 10.4.84.246 255.255.255.0,peer-id 5,cipher AES-256-GCM'
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: compression parms modified
Oct 20 15:53:36 ovpn-client1[1428]: LZO compression initializing
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Oct 20 15:53:36 ovpn-client1[1428]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: route options modified
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: route-related options modified
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: peer-id set
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: adjusting link_mtu to 1629
Oct 20 15:53:36 ovpn-client1[1428]: OPTIONS IMPORT: data channel crypto options modified
Oct 20 15:53:36 ovpn-client1[1428]: Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 20 15:53:36 ovpn-client1[1428]: Data Channel MTU parms [ L:1557 D:1300 EF:57 EB:407 ET:0 EL:3 ]
Oct 20 15:53:36 ovpn-client1[1428]: Fragmentation MTU parms [ L:1626 D:1300 EF:53 EB:407 ET:1 EL:3 ]
Oct 20 15:53:36 ovpn-client1[1428]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 20 15:53:36 ovpn-client1[1428]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 20 15:53:36 ovpn-client1[1428]: GDG6: remote_host_ipv6=n/a
Oct 20 15:53:36 ovpn-client1[1428]: TUN/TAP device tun11 opened
Oct 20 15:53:36 ovpn-client1[1428]: TUN/TAP TX queue length set to 1000
Oct 20 15:53:36 ovpn-client1[1428]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Oct 20 15:53:36 ovpn-client1[1428]: /sbin/ifconfig tun11 10.4.84.246 netmask 255.255.255.0 mtu 1500 broadcast 10.4.84.255
Oct 20 15:53:36 lldpd[466]: removal request for address of 10.4.84.246%14, but no knowledge of it
Oct 20 15:53:36 lldpd[466]: removal request for address of 10.4.84.246%14, but no knowledge of it
Oct 20 15:53:36 ovpn-client1[1428]: /sbin/ifconfig tun11 add fdbf:1d37:bbe0:0:69:4:0:f6/112
Oct 20 15:53:36 ovpn-client1[1428]: ovpn-up 1 client tun11 1500 1557 10.4.84.246 255.255.255.0 init
Oct 20 15:53:36 rc_service: ovpn-up 1439:notify_rc start_dnsmasq
Oct 20 15:53:36 dnsmasq[385]: exiting on receipt of SIGTERM
Oct 20 15:53:37 dnsmasq[1445]: started, version 2.82-34-gb309cca cachesize 1500
Oct 20 15:53:37 dnsmasq[1445]: asynchronous logging enabled, queue limit is 5 messages
Oct 20 15:53:37 dnsmasq-dhcp[1445]: DHCP, IP range 192.168.1.2 -- 192.168.1.80, lease time 1d
Oct 20 15:53:37 dnsmasq-dhcp[1445]: DHCPv6 stateless on br0
Oct 20 15:53:37 dnsmasq-dhcp[1445]: router advertisement on br0
Oct 20 15:53:37 dnsmasq-dhcp[1445]: IPv6 router advertisement enabled
Oct 20 15:53:37 dnsmasq[1445]: read /etc/hosts - 11 addresses
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 5.79.98.56#53
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 37.48.94.55#53
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 8.8.4.4#53
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 8.8.8.8#53
Oct 20 15:53:38 openvpn-routing: Configuring policy rules for client 1
Oct 20 15:53:38 openvpn-routing: Creating VPN routing table (mode 3)
Oct 20 15:53:39 openvpn-routing: Removing rule 10001 from routing policy
Oct 20 15:53:39 openvpn-routing: Removing rule 10002 from routing policy
Oct 20 15:53:39 dnsmasq[1445]: nameserver 5.79.98.56 refused to do a recursive query
Oct 20 15:53:39 openvpn-routing: Removing rule 10003 from routing policy
Oct 20 15:53:39 openvpn-routing: Removing rule 10004 from routing policy
Oct 20 15:53:39 openvpn-routing: Removing rule 10005 from routing policy
Oct 20 15:53:39 openvpn-routing: Removing rule 10101 from routing policy
Oct 20 15:53:39 openvpn-routing: Adding route for 192.168.1.0/24 to 0.0.0.0 through VPN client 1
Oct 20 15:53:39 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Oct 20 15:53:39 openvpn-routing: Completed routing policy configuration for client 1
Oct 20 15:53:39 ovpn-client1[1428]: Initialization Sequence Completed
Oct 20 15:54:04 crond[393]: time disparity of 1295148 minutes detected
Oct 20 15:55:36 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth A4:83:E7:1E:F8:BE, status: Successful (0)
Oct 20 15:55:36 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc A4:83:E7:1E:F8:BE, status: Successful (0)
Oct 20 15:55:43 dnsmasq-dhcp[1445]: DHCPDISCOVER(br0) a4:83:e7:1e:f8:be
Oct 20 15:55:43 dnsmasq-dhcp[1445]: DHCPOFFER(br0) 192.168.1.79 a4:83:e7:1e:f8:be
Oct 20 15:55:44 dnsmasq-dhcp[1445]: DHCPREQUEST(br0) 192.168.1.79 a4:83:e7:1e:f8:be
Oct 20 15:55:44 dnsmasq-dhcp[1445]: DHCPACK(br0) 192.168.1.79 a4:83:e7:1e:f8:be Computer1
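
Added example (not part of the original post, and not code from Asuswrt-Merlin or Perfect Privacy): a Python check that compares the resolvers dnsmasq reports as active in the excerpt above with the DNS servers pushed by the VPN server, and lists resolvers that refused recursion. The function name `audit_resolvers` and the assumption that a `read /etc/hosts` line precedes each nameserver list are this example's own; the sample lines are taken from the excerpt, with the PUSH_REPLY line abridged.

```python
import re

# Lines taken from the syslog excerpt in the post above. The PUSH_REPLY line is
# abridged to the options this check reads; everything else is verbatim.
SAMPLE_LOG = """\
Oct 20 15:53:36 ovpn-client1[1428]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.4.84.1,dhcp-option DNS 37.48.94.55,dhcp-option DNS 5.79.98.56,ifconfig 10.4.84.246 255.255.255.0,cipher AES-256-GCM'
Oct 20 15:53:36 dnsmasq[385]: exiting on receipt of SIGTERM
Oct 20 15:53:37 dnsmasq[1445]: started, version 2.82-34-gb309cca cachesize 1500
Oct 20 15:53:37 dnsmasq[1445]: read /etc/hosts - 11 addresses
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 5.79.98.56#53
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 37.48.94.55#53
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 8.8.4.4#53
Oct 20 15:53:37 dnsmasq[1445]: using nameserver 8.8.8.8#53
Oct 20 15:53:39 dnsmasq[1445]: nameserver 5.79.98.56 refused to do a recursive query
Oct 20 15:53:39 ovpn-client1[1428]: Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")
RELOAD_RE = re.compile(r"dnsmasq\[\d+\]: read /etc/hosts")
USING_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver ([0-9A-Fa-f:.]+)#\d+")
REFUSED_RE = re.compile(
    r"dnsmasq\[\d+\]: nameserver (\S+) refused to do a recursive query")


def audit_resolvers(log_text):
    """Return pushed, active, not-pushed and recursion-refusing resolvers."""
    pushed, active, refused = [], [], []
    for line in log_text.splitlines():
        match = PUSH_RE.search(line)
        if match:
            # A new PUSH_REPLY replaces whatever an earlier session pushed.
            pushed = [opt.split()[2] for opt in match.group(1).split(",")
                      if opt.startswith("dhcp-option DNS ")]
            continue
        if RELOAD_RE.search(line):
            # Assumption: as in the excerpts on this page, dnsmasq logs
            # "read /etc/hosts" right before it lists its upstream servers,
            # so the list collected so far is stale.
            active = []
            continue
        match = USING_RE.search(line)
        if match:
            active.append(match.group(1))
            continue
        match = REFUSED_RE.search(line)
        if match and match.group(1) not in refused:
            refused.append(match.group(1))
    return {
        "pushed": pushed,
        "active": active,
        # Upstream resolvers dnsmasq uses that the VPN server did not push.
        # Whether queries to them travel through the tunnel depends on the
        # router's routing policy, so these are the ones to verify first.
        "not_pushed": [ip for ip in active if ip not in pushed],
        "refused": refused,
    }


if __name__ == "__main__":
    for key, value in audit_resolvers(SAMPLE_LOG).items():
        print(f"{key:>10}: {', '.join(value) or '-'}")
```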
 

Truman

Freshly Joined Member
So I have now deactivated everything in the Track Stop filter. The result is the same. The connection to the VPN is established, but no websites can be opened. The message "Server nicht gefunden" (server not found) always appears.

I also ran the DNS leak test with the VPN connected. There it hangs forever with the message "Prüfe DNS Server, bitte warten..." (checking DNS servers, please wait...).
 

Aero

Junior Member
Hi...
You should take another look at your custom configuration.

Try this one:

hand-window 120
inactive 604800
mute-replay-warnings
persist-remote-ip
ping 5
ping-restart 120
redirect-gateway def1
remote-random
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
tun-ipv6
tun-mtu 1500
fragment 1300
mssfix
ignore-unknown-option ncp-disable
remote-cert-tls server

Possibly also add at the end:
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "


Possibly also take a look here (click):
(Fixing DNS problems caused by non-working IPv6 (Windows 10))

Regards
 

Truman

Freshly Joined Member
Thank you. I tried the suggested settings. That did not help. Furthermore, I use a Mac to access the Internet. IPv6 is set to automatic there.

Maybe I should reset the router completely and start from scratch?

Here is another system log excerpt, taken after I applied the settings mentioned above:

131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.4.80.2,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 5.79.98.56,dhcp-option DNS 37.48.94.55,ifconfig-ipv6 fdbf:1d37:bbe0:0:69:8:0:34/112 fdbf:1d37:bbe0:0:69:8:0:1,ifconfig 10.4.80.52 255.255.255.0,peer-id 22,cipher AES-256-GCM'
Oct 23 11:51:33 ovpn-client1[8212]: Pushed option removed by filter: 'route-ipv6 2000::/3'
Oct 23 11:51:33 ovpn-client1[8212]: Pushed option removed by filter: 'ifconfig-ipv6 fdbf:1d37:bbe0:0:69:8:0:34/112 fdbf:1d37:bbe0:0:69:8:0:1'
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: compression parms modified
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Oct 23 11:51:33 ovpn-client1[8212]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: route options modified
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: route-related options modified
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: peer-id set
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: adjusting link_mtu to 1629
Oct 23 11:51:33 ovpn-client1[8212]: OPTIONS IMPORT: data channel crypto options modified
Oct 23 11:51:33 ovpn-client1[8212]: Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 23 11:51:33 ovpn-client1[8212]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 23 11:51:33 ovpn-client1[8212]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 23 11:51:33 ovpn-client1[8212]: GDG6: remote_host_ipv6=n/a
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE: failed to parse/resolve route for host/network: fc00::/7
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 3000::/4
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/4
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 11:51:33 ovpn-client1[8212]: OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/3
Oct 23 11:51:33 ovpn-client1[8212]: TUN/TAP device tun11 opened
Oct 23 11:51:33 ovpn-client1[8212]: TUN/TAP TX queue length set to 1000
Oct 23 11:51:33 ovpn-client1[8212]: /sbin/ifconfig tun11 10.4.80.52 netmask 255.255.255.0 mtu 1500 broadcast 10.4.80.255
Oct 23 11:51:33 lldpd[467]: removal request for address of 10.4.80.52%19, but no knowledge of it
Oct 23 11:51:33 lldpd[467]: removal request for address of 10.4.80.52%19, but no knowledge of it
Oct 23 11:51:33 ovpn-client1[8212]: ovpn-up 1 client tun11 1500 1557 10.4.80.52 255.255.255.0 init
Oct 23 11:51:33 dnsmasq[7416]: exiting on receipt of SIGTERM
Oct 23 11:51:33 dnsmasq[8228]: started, version 2.82-34-gb309cca cachesize 1500
Oct 23 11:51:33 dnsmasq[8228]: asynchronous logging enabled, queue limit is 5 messages
Oct 23 11:51:33 dnsmasq-dhcp[8228]: DHCP, IP range 192.168.1.2 -- 192.168.1.80, lease time 1d
Oct 23 11:51:33 dnsmasq[8228]: read /etc/hosts - 11 addresses
Oct 23 11:51:33 dnsmasq[8228]: using nameserver 37.48.94.55#53
Oct 23 11:51:33 dnsmasq[8228]: using nameserver 5.79.98.56#53
Oct 23 11:51:33 dnsmasq[8228]: using nameserver 8.8.4.4#53
Oct 23 11:51:33 dnsmasq[8228]: using nameserver 8.8.8.8#53
Oct 23 11:51:35 openvpn-routing: Configuring policy rules for client 1
Oct 23 11:51:36 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Oct 23 11:51:36 ovpn-client1[8212]: Initialization Sequence Completed
Oct 23 11:52:00 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth a4:ff:ff:ff:ff:ff, status: Successful (0)
Oct 23 11:52:00 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc a4:ff:ff:ff:ff:ff, status: Successful (0)
Oct 23 11:52:01 dnsmasq[8228]: nameserver 37.48.94.55 refused to do a recursive query
Oct 23 11:52:02 dnsmasq-dhcp[8228]: DHCPREQUEST(br0) 192.168.1.79 a4:ff:ff:ff:ff:ff
Oct 23 11:52:02 dnsmasq-dhcp[8228]: DHCPACK(br0) 192.168.1.79 a4:ff:ff:ff:ff:ff Mac1
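
Added example (not part of the original post, and not OpenVPN's own code): a Python model of how `pull-filter` prefix matching treats the pushed options, showing that the two filters from the thread leave `redirect-gateway ipv6` in place, which is consistent with the ROUTE6 errors for fc00::/7, 3000::/4, 2000::/4 and ::/3 in the excerpt above. The PUSH_REPLY string is the complete one from the first log excerpt on this page (the one in this post is cut off at the start); the function names and the third filter line in `EXTRA_FILTER` are assumptions of this example.

```python
import shlex

# Complete PUSH_REPLY as logged in the first syslog excerpt on this page.
PUSH_REPLY = (
    "PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,"
    "rcvbuf 131072,comp-lzo adaptive,route-gateway 10.4.84.1,"
    "redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,"
    "dhcp-option DNS 37.48.94.55,dhcp-option DNS 5.79.98.56,"
    "ifconfig-ipv6 fdbf:1d37:bbe0:0:69:4:0:f6/112 fdbf:1d37:bbe0:0:69:4:0:1,"
    "ifconfig 10.4.84.246 255.255.255.0,peer-id 5,cipher AES-256-GCM"
)

# The two filter lines suggested earlier in the thread.
THREAD_FILTERS = '''
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "
'''

# Added by this example (not from the thread): a filter that matches only the
# IPv6 redirect and leaves "redirect-gateway def1" untouched.
EXTRA_FILTER = 'pull-filter ignore "redirect-gateway ipv6"'


def parse_filters(config_text):
    """Extract (action, prefix) pairs from pull-filter lines, in file order."""
    filters = []
    for line in config_text.splitlines():
        parts = shlex.split(line, comments=True)  # keeps spaces inside quotes
        if len(parts) == 3 and parts[0] == "pull-filter":
            if parts[1] not in ("accept", "ignore", "reject"):
                raise ValueError(f"unknown pull-filter action: {parts[1]}")
            filters.append((parts[1], parts[2]))
    return filters


def apply_filters(push_reply, filters):
    """Sort pushed options by the first filter whose text is a prefix of them.

    Options that match no filter are accepted, and matching stops at the
    first filter that applies.
    """
    result = {"accept": [], "ignore": [], "reject": []}
    for option in push_reply.split(",")[1:]:  # [0] is the PUSH_REPLY token
        action = "accept"
        for filter_action, prefix in filters:
            if option.startswith(prefix):
                action = filter_action
                break
        result[action].append(option)
    return result


def ipv6_options(options):
    """Return the options that still configure IPv6 on the tunnel."""
    return [opt for opt in options if "ipv6" in opt]


if __name__ == "__main__":
    before = apply_filters(PUSH_REPLY, parse_filters(THREAD_FILTERS))
    after = apply_filters(PUSH_REPLY,
                          parse_filters(THREAD_FILTERS + EXTRA_FILTER))
    print("ignored by thread filters:", before["ignore"])
    print("IPv6 options still accepted:", ipv6_options(before["accept"]))
    print("with the extra filter:", ipv6_options(after["accept"]))
```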
 

Xulux

New Member
The previous poster's suggestion should go together with IPv6 being disabled on the router, i.e. changed from native to disabled.

You have to/should do that on ASUS anyway, because the ASUS OpenVPN stack cannot(!) do IPv6.

Since websites load partially, my guess is a routing or DNS problem related to IPv6.
 

Aero

Junior Member
Hi......

In the router

Advanced Settings
IPv6

Configuration of the IPv6 Internet settings of the RT-AC8******

Basic configuration:
Connection type: Native
DHCP-PD: Enable
Release prefix on exit: Enable

IPv6 LAN settings:
Auto configuration setting: Stateless

IPv6 DNS settings:
Connect to DNS server automatically: Enable

Auto configuration settings:
Enable router advertisement: Enable

Regards
 

Truman

Freshly Joined Member
@Aero: Thank you very much for the help with the settings.

I reset the router and set it up again. I adopted the settings for IPv6 and the custom configuration.

The VPN connection is established, but the VPN statistics, for example, now show: Public IP: unknown

1603475583132.png

The settings in the client look like this:

1603475706399.png

1603475776387.png

Code:
hand-window 120
inactive 604800
mute-replay-warnings
persist-remote-ip
ping 5
ping-restart 120
redirect-gateway def1
remote-random
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
tun-ipv6
tun-mtu 1500
fragment 1300
mssfix
ignore-unknown-option ncp-disable
remote-cert-tls server
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"

Here are the WAN settings as well:

1603476011953.png

This time I entered two of the Perfect Privacy DNS servers.

In return, there are a few new errors in the system log:

Oct 23 19:00:22 ovpn-client1[18132]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 23 19:00:22 ovpn-client1[18132]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 23 19:00:22 ovpn-client1[18132]: Preserving previous TUN/TAP instance: tun11
Oct 23 19:00:22 ovpn-client1[18132]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Oct 23 19:00:22 ovpn-client1[18132]: vpnrouting.sh tun11 1500 1557 10.3.243.240 255.255.255.0 init
Oct 23 19:00:22 openvpn-routing: Configuring policy rules for client 1
Oct 23 19:00:22 openvpn-routing: Removing rule 10001 from routing policy
Oct 23 19:00:22 openvpn-routing: Removing rule 10002 from routing policy
Oct 23 19:00:22 openvpn-routing: Removing rule 10003 from routing policy
Oct 23 19:00:22 openvpn-routing: Removing rule 10004 from routing policy
Oct 23 19:00:22 openvpn-routing: Removing rule 10005 from routing policy
Oct 23 19:00:22 openvpn-routing: Removing rule 10101 from routing policy
Oct 23 19:00:23 openvpn-routing: Tunnel down - VPN client access blocked
Oct 23 19:00:23 openvpn-routing: Adding route for 192.168.1.0/24 to through VPN client 1
Oct 23 19:00:23 openvpn-routing: Adding route for to 192.168.178.3 through WAN
Oct 23 19:00:23 openvpn-routing: Adding route for to 102.168.178.140 through WAN
Oct 23 19:00:23 openvpn-routing: Adding route for to 192.168.178.71 through WAN
Oct 23 19:00:23 openvpn-routing: Adding route for 192.168.1.0/24 to 192.168.178.0/24 through WAN
Oct 23 19:00:23 openvpn-routing: Adding route for to 192.168.178.85 through WAN
Oct 23 19:00:23 openvpn-routing: Completed routing policy configuration for client 1
Oct 23 19:00:23 ovpn-client1[18132]: Closing TUN/TAP interface
Oct 23 19:00:23 ovpn-client1[18132]: /sbin/ifconfig tun11 0.0.0.0
Oct 23 19:00:23 ovpn-client1[18132]: ovpn-down 1 client tun11 1500 1557 10.3.243.240 255.255.255.0 init
Oct 23 19:00:23 dnsmasq[17299]: read /etc/hosts - 11 addresses
Oct 23 19:00:23 dnsmasq[17299]: using nameserver 81.95.5.45#53
Oct 23 19:00:23 dnsmasq[17299]: using nameserver 31.204.150.121#53
Oct 23 19:00:24 dnsmasq[17299]: nameserver 31.204.150.121 refused to do a recursive query
Oct 23 19:00:24 dnsmasq[17299]: nameserver 81.95.5.45 refused to do a recursive query
Oct 23 19:00:24 ovpn-client1[18132]: GDG6: remote_host_ipv6=n/a
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE: failed to parse/resolve route for host/network: fc00::/7
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 3000::/4
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/4
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Oct 23 19:00:24 ovpn-client1[18132]: OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/3
Oct 23 19:00:24 ovpn-client1[18132]: TUN/TAP device tun11 opened
Oct 23 19:00:24 ovpn-client1[18132]: TUN/TAP TX queue length set to 1000
Oct 23 19:00:24 ovpn-client1[18132]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 23 19:00:24 ovpn-client1[18132]: /sbin/ifconfig tun11 10.3.240.21 netmask 255.255.255.0 mtu 1500 broadcast 10.3.240.255
Oct 23 19:00:24 ovpn-client1[18132]: ovpn-up 1 client tun11 1500 1557 10.3.240.21 255.255.255.0 init
Oct 23 19:00:24 openvpn: Forcing 192.168.1.0/24 to use DNS server 37.58.57.6
Oct 23 19:00:24 openvpn: Excluding 192.168.1.0/24 from forced DNS routing
Oct 23 19:00:24 dnsmasq[17299]: read /etc/hosts - 11 addresses
Oct 23 19:00:24 dnsmasq[17299]: using nameserver 81.95.5.45#53
Oct 23 19:00:24 dnsmasq[17299]: using nameserver 31.204.150.121#53
Oct 23 19:00:26 openvpn-routing: Configuring policy rules for client 1
Oct 23 19:00:26 openvpn-routing: Creating VPN routing table (mode 3)
Oct 23 19:00:26 openvpn-routing: Removing rule 10001 from routing policy
Oct 23 19:00:26 openvpn-routing: Removing rule 10002 from routing policy
Oct 23 19:00:26 openvpn-routing: Removing rule 10003 from routing policy
Oct 23 19:00:26 openvpn-routing: Removing rule 10004 from routing policy
Oct 23 19:00:27 openvpn-routing: Removing rule 10005 from routing policy
Oct 23 19:00:27 openvpn-routing: Removing rule 10101 from routing policy
Oct 23 19:00:27 openvpn-routing: Adding route for 192.168.1.0/24 to through VPN client 1
Oct 23 19:00:27 openvpn-routing: Adding route for to 192.168.178.3 through WAN
Oct 23 19:00:27 openvpn-routing: Adding route for to 102.168.178.140 through WAN
Oct 23 19:00:27 openvpn-routing: Adding route for to 192.168.178.71 through WAN
Oct 23 19:00:27 openvpn-routing: Adding route for 192.168.1.0/24 to 192.168.178.0/24 through WAN
Oct 23 19:00:27 openvpn-routing: Adding route for to 192.168.178.85 through WAN
Oct 23 19:00:27 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Oct 23 19:00:27 openvpn-routing: Completed routing policy configuration for client 1
Oct 23 19:00:27 ovpn-client1[18132]: Initialization Sequence Completed
Oct 23 19:00:33 ovpn-client1[18132]: FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Oct 23 19:00:44 ovpn-client1[18132]: FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Oct 23 19:00:50 dnsmasq[17299]: nameserver 81.95.5.45 refused to do a recursive query
Oct 23 19:00:51 dnsmasq-dhcp[17299]: DHCPREQUEST(br0) 192.168.1.79 a4:83:e7:1e:f8:be
Oct 23 19:00:51 dnsmasq-dhcp[17299]: DHCPACK(br0) 192.168.1.79 a4:83:e7:1e:f8:be ChristisMBP2019
Oct 23 19:00:56 ovpn-client1[18132]: FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Oct 23 19:01:06 ovpn-client1[18132]: FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Oct 23 19:01:16 ovpn-client1[18132]: FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented
Oct 23 19:01:17 dnsmasq[17299]: nameserver 31.204.150.121 refused to do a recursive query
Oct 23 19:01:22 ovpn-client1[18132]: [Server_frankfurt.perfect-privacy.com] Inactivity timeout (--ping-restart), restarting
Oct 23 19:01:22 ovpn-client1[18132]: TCP/UDP: Closing socket
Oct 23 19:01:22 ovpn-client1[18132]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 23 19:01:22 ovpn-client1[18132]: Restart pause, 5 second(s)

Somehow I don't understand it anymore.
 

Aero

Junior Member
Hi....

okay.......

take the lines
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
out

If you have already chosen AES-256-GCM as the Negotiable ciphers in the config, you should also enter it that way.
Yours is set to AES-128-GCM.

And please do enter the Google DNS servers
DNS server 1: 8.8.8.8
DNS server 2: 8.8.4.4

DHCP query frequency: Aggressive Mode

Regards
 

Truman

Freshly Joined Member
Ok,

pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"

I have taken these out.

I adjusted the ciphers setting and loaded the configuration with AES-128-GCM.

I have entered the Google DNS servers again.

DHCP query frequency was already set to aggressive mode.

Oct 23 19:47:42 ovpn-client1[1433]: OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 14 2020
Oct 23 19:47:42 ovpn-client1[1433]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.08
Oct 23 19:47:42 ovpn-client1[1434]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 23 19:47:42 ovpn-client1[1434]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 23 19:47:42 ovpn-client1[1434]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 23 19:47:42 ovpn-client1[1434]: LZO compression initializing
Oct 23 19:47:42 ovpn-client1[1434]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Oct 23 19:47:42 ovpn-client1[1434]: Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 ]
Oct 23 19:47:42 ovpn-client1[1434]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Oct 23 19:47:42 ovpn-client1[1434]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Oct 23 19:47:42 ovpn-client1[1434]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Oct 23 19:47:42 ovpn-client1[1434]: TCP/UDP: Preserving recently used remote address: [AF_INET]85.17.64.131:1151
Oct 23 19:47:42 ovpn-client1[1434]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Oct 23 19:47:42 ovpn-client1[1434]: UDP link local: (not bound)
Oct 23 19:47:42 ovpn-client1[1434]: UDP link remote: [AF_INET]85.17.64.131:1151
Oct 23 19:47:42 ovpn-client1[1434]: TLS: Initial packet from [AF_INET]85.17.64.131:1151, sid=3c868fd2 825ce35c
Oct 23 19:47:42 ovpn-client1[1434]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 23 19:47:43 ovpn-client1[1434]: VERIFY OK: depth=1, C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy, emailAddress=admin@perfect-privacy.com
Oct 23 19:47:43 ovpn-client1[1434]: VERIFY KU OK
Oct 23 19:47:43 ovpn-client1[1434]: Validating certificate extended key usage
Oct 23 19:47:43 ovpn-client1[1434]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 23 19:47:43 ovpn-client1[1434]: VERIFY EKU OK
Oct 23 19:47:43 ovpn-client1[1434]: VERIFY OK: depth=0, C=CH, ST=Zug, O=Perfect Privacy, CN=Server_amsterdam.perfect-privacy.com, emailAddress=admin@perfect-privacy.com
Oct 23 19:47:49 ovpn-client1[1434]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1606'
Oct 23 19:47:49 ovpn-client1[1434]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Oct 23 19:47:49 ovpn-client1[1434]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Oct 23 19:47:49 ovpn-client1[1434]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 23 19:47:49 ovpn-client1[1434]: [Server_amsterdam.perfect-privacy.com] Peer Connection Initiated with [AF_INET]85.17.64.131:1151
Oct 23 19:47:50 ovpn-client1[1434]: SENT CONTROL [Server_amsterdam.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
Oct 23 19:47:50 ovpn-client1[1434]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.4.84.1,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 5.79.98.56,dhcp-option DNS 185.17.184.3,ifconfig-ipv6 fdbf:1d37:bbe0:0:69:4:0:fb/112 fdbf:1d37:bbe0:0:69:4:0:1,ifconfig 10.4.84.251 255.255.255.0,peer-id 15,cipher AES-256-GCM'
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: compression parms modified
Oct 23 19:47:50 ovpn-client1[1434]: LZO compression initializing
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Oct 23 19:47:50 ovpn-client1[1434]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: route options modified
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: route-related options modified
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: peer-id set
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: adjusting link_mtu to 1629
Oct 23 19:47:50 ovpn-client1[1434]: OPTIONS IMPORT: data channel crypto options modified
Oct 23 19:47:50 ovpn-client1[1434]: Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 23 19:47:50 ovpn-client1[1434]: Data Channel MTU parms [ L:1557 D:1300 EF:57 EB:407 ET:0 EL:3 ]
Oct 23 19:47:50 ovpn-client1[1434]: Fragmentation MTU parms [ L:1626 D:1300 EF:53 EB:407 ET:1 EL:3 ]
Oct 23 19:47:50 ovpn-client1[1434]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 23 19:47:50 ovpn-client1[1434]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 23 19:47:50 ovpn-client1[1434]: GDG6: remote_host_ipv6=n/a
Oct 23 19:47:50 ovpn-client1[1434]: TUN/TAP device tun11 opened
Oct 23 19:47:50 ovpn-client1[1434]: TUN/TAP TX queue length set to 1000
Oct 23 19:47:50 ovpn-client1[1434]: do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Oct 23 19:47:50 ovpn-client1[1434]: /sbin/ifconfig tun11 10.4.84.251 netmask 255.255.255.0 mtu 1500 broadcast 10.4.84.255
Oct 23 19:47:50 lldpd[466]: removal request for address of 10.4.84.251%14, but no knowledge of it
Oct 23 19:47:50 lldpd[466]: removal request for address of 10.4.84.251%14, but no knowledge of it
Oct 23 19:47:50 ovpn-client1[1434]: /sbin/ifconfig tun11 add fdbf:1d37:bbe0:0:69:4:0:fb/112
Oct 23 19:47:50 ovpn-client1[1434]: ovpn-up 1 client tun11 1500 1557 10.4.84.251 255.255.255.0 init
Oct 23 19:47:50 openvpn: Forcing 192.168.1.0/24 to use DNS server 5.79.98.56
Oct 23 19:47:50 openvpn: Excluding 192.168.1.0/24 from forced DNS routing
Oct 23 19:47:50 dnsmasq[385]: read /etc/hosts - 11 addresses
Oct 23 19:47:50 dnsmasq[385]: using nameserver 8.8.4.4#53
Oct 23 19:47:50 dnsmasq[385]: using nameserver 8.8.8.8#53
Oct 23 19:47:53 openvpn-routing: Configuring policy rules for client 1
Oct 23 19:47:53 openvpn-routing: Creating VPN routing table (mode 3)
Oct 23 19:47:53 openvpn-routing: Removing rule 10001 from routing policy
Oct 23 19:47:53 openvpn-routing: Removing rule 10002 from routing policy
Oct 23 19:47:53 openvpn-routing: Removing rule 10003 from routing policy
Oct 23 19:47:53 openvpn-routing: Removing rule 10004 from routing policy
Oct 23 19:47:53 openvpn-routing: Removing rule 10005 from routing policy
Oct 23 19:47:53 openvpn-routing: Removing rule 10101 from routing policy
Oct 23 19:47:53 openvpn-routing: Adding route for 192.168.1.0/24 to through VPN client 1
Oct 23 19:47:53 openvpn-routing: Adding route for to 192.168.178.3 through WAN
Oct 23 19:47:53 openvpn-routing: Adding route for to 102.168.178.140 through WAN
Oct 23 19:47:53 openvpn-routing: Adding route for to 192.168.178.71 through WAN
Oct 23 19:47:53 openvpn-routing: Adding route for 192.168.1.0/24 to 192.168.178.0/24 through WAN
Oct 23 19:47:54 openvpn-routing: Adding route for to 192.168.178.85 through WAN
Oct 23 19:47:54 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Oct 23 19:47:54 openvpn-routing: Completed routing policy configuration for client 1
Oct 23 19:47:54 ovpn-client1[1434]: Initialization Sequence Completed
Oct 23 19:48:15 crond[393]: time disparity of 1299703 minutes detected

Same problem as before, "Public Server: unknown", but the status is connected.
 

Truman

Freshly Joined Member
Strangely, it now works to the extent that I can open websites via the Asus router again. For this I have now loaded the configuration file for the Amsterdam server.

However, the VPN client settings still show no public IP. Shouldn't there be an IP there? Instead it still says "unknown".

The IP test shows that I am using Perfect Privacy; amsterdam5.perfect-privacy.com is shown there as the DNS server.

The DNS test shows the Google DNS servers:

172.253.197.2 GOOGLE US
172.217.33.197 GOOGLE DE
172.253.197.5 GOOGLE US
172.253.197.4 GOOGLE US
172.217.33.194 GOOGLE DE
172.217.33.129 GOOGLE DE
172.253.199.2 GOOGLE US
172.253.225.35 GOOGLE US
172.253.199.4 GOOGLE US
172.253.225.33 GOOGLE US
172.253.197.1 GOOGLE US
172.253.199.5 GOOGLE US

It puzzles me a bit that the public IP is not displayed.
 

Truman

Freshly Joined Member
Ok,

I did that. The result is identical: Public IP: unknown

Only the DNS test now shows me all the Dutch Google server addresses:

1603544132415.png
 