Having an issue setting up the OpenVPN client

Discussion in 'Tomato Firmware' started by IIFrOdOII, Apr 13, 2018.

  1. IIFrOdOII

    IIFrOdOII New Member Member

    I created an OpenVPN server using SoftEther on GCP and tested connecting with an Android device; it is working.
    I am trying to set it up on an RT-AC56U running Tomato 1.28.
    I think it can connect to the server, because ifconfig shows it has an IP address.

    tun11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:192.168.30.21 P-t-P:192.168.30.22 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1003 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:223740 (218.4 KiB)

    But I cannot access the internet at all when the VPN client is running.
    My current configuration is:
    Code:
    Start with WAN - true
    interface type - tun
    Protocol - UDP
    Server Address - [Address:Port]
    Firewall - Automatic
    Authen - TLSUsername/Password - True
    Username: [user]
    Password: [pass]
    Username only - False
    Extra HMAC  - Disabled
    Create NAT - true
    
    Advance
    Poll Interval - 0
    Redirect Internet traffic - false
    Ignore Redirect Gateway  - false
    Accept DNS - Disabled
    Encryption - Use Default
    Compression - Adaptive
    TLS Renegotiation - -1
    Connection retry - 30
    Verify server certification - false
    Custom Configuration -
    
    Routing through VPN - false
    OpenVPN - Client config file
    Code:
    dev tun
    proto udp
    remote [hostname] [port]
    ;http-proxy-retry
    ;http-proxy [proxy server] [proxy port]
    cipher AES-128-CBC
    auth SHA1
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    client
    verb 3
    auth-user-pass

    After running the client for a while, the status looks like this:
    Code:
    Name    Value
    TUN/TAP read bytes    12421
    TUN/TAP write bytes    0
    TCP/UDP read bytes    11374
    TCP/UDP write bytes    4397
    Auth read bytes    0
    pre-compress bytes    8434
    post-compress bytes    5263
    pre-decompress bytes    0
    post-decompress bytes    0
    
    Looks like it never received any reply.

    Please help, I have no idea what to do next.
     
    Last edited: Apr 13, 2018
  2. IIFrOdOII

    IIFrOdOII New Member Member

    Network
    [router1]192.168.1.1/24<->[router2]192.168.111.1/24

    VPN subnet is 192.168.30.0

    A mobile device behind router2 can connect to the VPN using the app.
    But when I set up the VPN client on router2, RX of the virtual NIC is always 0 (both OpenVPN and PPTP).
    I tried versions 132, 140AIO and 140VPN.
     
  3. eibgrad

    eibgrad Network Guru Member

    I assume those two OpenVPN client configs represent the Tomato and Android platforms, respectively.

    One possible problem is that (iirc) the default for Encryption (which maps down to the --cipher directive) is *not* AES-128-CBC, as in the working Android config, but Blowfish CBC. So perhaps they are getting connected, but this mismatch in the cipher is preventing further communications.

    Might help to see the messages in the syslog relevant to OpenVPN. It will usually detect such mismatches and report them.
     
  4. IIFrOdOII

    IIFrOdOII New Member Member

    The configuration file is generated from the server.

    I changed the Encryption to AES-128-CBC as in the configuration file,
    but I still have the same issue.
    Code:
    Apr 14 05:03:04 unknown kern.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Apr 14 05:03:04 unknown daemon.notice openvpn[3236]: OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 19 2017
    Apr 14 05:03:04 unknown daemon.notice openvpn[3236]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
    Apr 14 05:03:04 unknown daemon.warn openvpn[3239]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Apr 14 05:03:04 unknown daemon.notice openvpn[3239]: TCP/UDP: Preserving recently used remote address: [AF_INET]35.192.21.73:443
    Apr 14 05:03:04 unknown daemon.notice openvpn[3239]: Socket Buffers: R=[87380->87380] S=[16384->16384]
    Apr 14 05:03:04 unknown daemon.notice openvpn[3239]: Attempting to establish TCP connection with [AF_INET]35.192.21.73:443 [nonblock]
    Apr 14 05:03:04 unknown kern.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Apr 14 05:03:05 unknown user.notice root: vpnrouting: clean-up
    Apr 14 05:03:05 unknown daemon.notice openvpn[3239]: TCP connection established with [AF_INET]35.192.21.73:443
    Apr 14 05:03:05 unknown daemon.notice openvpn[3239]: TCP_CLIENT link local: (not bound)
    Apr 14 05:03:05 unknown daemon.notice openvpn[3239]: TCP_CLIENT link remote: [AF_INET]35.192.21.73:443
    Apr 14 05:03:05 unknown daemon.notice openvpn[3239]: TLS: Initial packet from [AF_INET]35.192.21.73:443, sid=cc1c475d d3d15dcf
    Apr 14 05:03:05 unknown daemon.warn openvpn[3239]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Apr 14 05:03:06 unknown daemon.notice openvpn[3239]: VERIFY OK: depth=0, CN=35.192.21.73, O=35.192.21.73, OU=35.192.21.73, C=US
    Apr 14 05:03:06 unknown daemon.warn openvpn[3239]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Apr 14 05:03:06 unknown daemon.notice openvpn[3239]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 14 05:03:06 unknown daemon.notice openvpn[3239]: [35.192.21.73] Peer Connection Initiated with [AF_INET]35.192.21.73:443
    Apr 14 05:03:07 unknown daemon.notice openvpn[3239]: SENT CONTROL [35.192.21.73]: 'PUSH_REQUEST' (status=1)
    Apr 14 05:03:08 unknown daemon.err openvpn[3239]: event_wait : Interrupted system call (code=4)
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: OpenVPN STATISTICS
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Updated,Sat Apr 14 05:03:08 2018
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: TUN/TAP read bytes,0
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: TUN/TAP write bytes,0
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: TCP/UDP read bytes,1823
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: TCP/UDP write bytes,950
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Auth read bytes,0
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: pre-compress bytes,0
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: post-compress bytes,0
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: pre-decompress bytes,0
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.13 192.168.30.14,dhcp-option DNS 192.168.30.1,route-gateway 192.168.30.14,redirect-gateway def1'
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route options modified
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route-related options modified
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: TUN/TAP device tun11 opened
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: /sbin/route add -net 35.192.21.73 netmask 255.255.255.255 gw 192.168.1.1
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.30.14
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.30.14
    Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Initialization Sequence Completed
    Apr 14 05:03:18 unknown daemon.notice openvpn[3239]: [35.192.21.73] Inactivity timeout (--ping-restart), restarting
    Apr 14 05:03:18 unknown daemon.notice openvpn[3239]: SIGUSR1[soft,ping-restart] received, process restarting
    Apr 14 05:03:18 unknown daemon.notice openvpn[3239]: Restart pause, 5 second(s)
    Apr 14 05:03:23 unknown daemon.warn openvpn[3239]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Apr 14 05:03:23 unknown daemon.notice openvpn[3239]: TCP/UDP: Preserving recently used remote address: [AF_INET]35.192.21.73:443
    Apr 14 05:03:23 unknown daemon.notice openvpn[3239]: Socket Buffers: R=[87380->87380] S=[16384->16384]
    Apr 14 05:03:23 unknown daemon.notice openvpn[3239]: Attempting to establish TCP connection with [AF_INET]35.192.21.73:443 [nonblock]
    Apr 14 05:03:24 unknown daemon.notice openvpn[3239]: TCP connection established with [AF_INET]35.192.21.73:443
    Apr 14 05:03:24 unknown daemon.notice openvpn[3239]: TCP_CLIENT link local: (not bound)
    Apr 14 05:03:24 unknown daemon.notice openvpn[3239]: TCP_CLIENT link remote: [AF_INET]35.192.21.73:443
    Apr 14 05:03:24 unknown daemon.notice openvpn[3239]: TLS: Initial packet from [AF_INET]35.192.21.73:443, sid=95ecc6ec 932a96e6
    Apr 14 05:03:24 unknown daemon.notice openvpn[3239]: VERIFY OK: depth=0, CN=35.192.21.73, O=35.192.21.73, OU=35.192.21.73, C=US
    Apr 14 05:03:25 unknown daemon.warn openvpn[3239]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Apr 14 05:03:25 unknown daemon.notice openvpn[3239]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 14 05:03:25 unknown daemon.notice openvpn[3239]: [35.192.21.73] Peer Connection Initiated with [AF_INET]35.192.21.73:443
    Apr 14 05:03:26 unknown daemon.notice openvpn[3239]: SENT CONTROL [35.192.21.73]: 'PUSH_REQUEST' (status=1)
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.13 192.168.30.14,dhcp-option DNS 192.168.30.1,route-gateway 192.168.30.14,redirect-gateway def1'
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route options modified
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route-related options modified
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: Preserving previous TUN/TAP instance: tun11
    Apr 14 05:03:27 unknown daemon.notice openvpn[3239]: Initialization Sequence Completed
    Apr 14 05:03:38 unknown daemon.notice openvpn[3239]: [35.192.21.73] Inactivity timeout (--ping-restart), restarting
    Apr 14 05:03:38 unknown daemon.notice openvpn[3239]: SIGUSR1[soft,ping-restart] received, process restarting
    Apr 14 05:03:38 unknown daemon.notice openvpn[3239]: Restart pause, 5 second(s)
    Apr 14 05:03:43 unknown daemon.warn openvpn[3239]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Apr 14 05:03:43 unknown daemon.notice openvpn[3239]: TCP/UDP: Preserving recently used remote address: [AF_INET]35.192.21.73:443
    Apr 14 05:03:43 unknown daemon.notice openvpn[3239]: Socket Buffers: R=[87380->87380] S=[16384->16384]
    Apr 14 05:03:43 unknown daemon.notice openvpn[3239]: Attempting to establish TCP connection with [AF_INET]35.192.21.73:443 [nonblock]
    Apr 14 05:03:44 unknown daemon.notice openvpn[3239]: TCP connection established with [AF_INET]35.192.21.73:443
    Apr 14 05:03:44 unknown daemon.notice openvpn[3239]: TCP_CLIENT link local: (not bound)
    Apr 14 05:03:44 unknown daemon.notice openvpn[3239]: TCP_CLIENT link remote: [AF_INET]35.192.21.73:443
    Apr 14 05:03:44 unknown daemon.notice openvpn[3239]: TLS: Initial packet from [AF_INET]35.192.21.73:443, sid=292294fb 56530111
    Apr 14 05:03:44 unknown daemon.notice openvpn[3239]: VERIFY OK: depth=0, CN=35.192.21.73, O=35.192.21.73, OU=35.192.21.73, C=US
    Apr 14 05:03:45 unknown daemon.warn openvpn[3239]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Apr 14 05:03:45 unknown daemon.notice openvpn[3239]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 14 05:03:45 unknown daemon.notice openvpn[3239]: [35.192.21.73] Peer Connection Initiated with [AF_INET]35.192.21.73:443
    Apr 14 05:03:46 unknown daemon.notice openvpn[3239]: SENT CONTROL [35.192.21.73]: 'PUSH_REQUEST' (status=1)
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.13 192.168.30.14,dhcp-option DNS 192.168.30.1,route-gateway 192.168.30.14,redirect-gateway def1'
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route options modified
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route-related options modified
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: Preserving previous TUN/TAP instance: tun11
    Apr 14 05:03:47 unknown daemon.notice openvpn[3239]: Initialization Sequence Completed
    Apr 14 05:03:57 unknown daemon.notice openvpn[3239]: [35.192.21.73] Inactivity timeout (--ping-restart), restarting
    Apr 14 05:03:57 unknown daemon.notice openvpn[3239]: SIGUSR1[soft,ping-restart] received, process restarting
    Apr 14 05:03:57 unknown daemon.notice openvpn[3239]: Restart pause, 5 second(s)
    Apr 14 05:04:02 unknown daemon.warn openvpn[3239]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Apr 14 05:04:02 unknown daemon.notice openvpn[3239]: TCP/UDP: Preserving recently used remote address: [AF_INET]35.192.21.73:443
    Apr 14 05:04:02 unknown daemon.notice openvpn[3239]: Socket Buffers: R=[87380->87380] S=[16384->16384]
    Apr 14 05:04:02 unknown daemon.notice openvpn[3239]: Attempting to establish TCP connection with [AF_INET]35.192.21.73:443 [nonblock]
    Apr 14 05:04:03 unknown daemon.notice openvpn[3239]: TCP connection established with [AF_INET]35.192.21.73:443
    Apr 14 05:04:03 unknown daemon.notice openvpn[3239]: TCP_CLIENT link local: (not bound)
    Apr 14 05:04:03 unknown daemon.notice openvpn[3239]: TCP_CLIENT link remote: [AF_INET]35.192.21.73:443
    Apr 14 05:04:03 unknown daemon.notice openvpn[3239]: TLS: Initial packet from [AF_INET]35.192.21.73:443, sid=58b84aee dd6b23b1
    Apr 14 05:04:03 unknown daemon.notice openvpn[3239]: VERIFY OK: depth=0, CN=35.192.21.73, O=35.192.21.73, OU=35.192.21.73, C=US
    Apr 14 05:04:04 unknown daemon.warn openvpn[3239]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Apr 14 05:04:04 unknown daemon.notice openvpn[3239]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 14 05:04:04 unknown daemon.notice openvpn[3239]: [35.192.21.73] Peer Connection Initiated with [AF_INET]35.192.21.73:443
    Apr 14 05:04:05 unknown daemon.notice openvpn[3239]: SENT CONTROL [35.192.21.73]: 'PUSH_REQUEST' (status=1)
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.13 192.168.30.14,dhcp-option DNS 192.168.30.1,route-gateway 192.168.30.14,redirect-gateway def1'
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: timers and/or timeouts modified
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route options modified
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: route-related options modified
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: Preserving previous TUN/TAP instance: tun11
    Apr 14 05:04:06 unknown daemon.notice openvpn[3239]: Initialization Sequence Completed
    

    I found the error "WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'".
    I already made sure the compression on Tomato is set to none; the setting is correct.
    So I try to restart the router and after it boot not everything is work as expect.
    I think the issue is that somehow, when I change the configuration, the router does not use the new configuration until a restart.
    I wasted a lot of time setting this up.
    So, everyone who comes in and reads this: "Reboot your router every time you change the configuration".

    Thanks eibgrad
     
  5. IIFrOdOII

    IIFrOdOII New Member Member

    Something weird: I reset all the settings and set it up again.
    Some issue happened even though I set compression on Tomato to none.
    I solved this by setting it to disabled.
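
Added example, not part of the original thread: a small Python triage of OpenVPN client syslog that flags what the posts above were hunting for by eye, namely option-mismatch warnings such as 'comp-lzo', the missing server-certificate verification warning, and restarts that fire ping-restart seconds after "Initialization Sequence Completed" (no packet from the server was accepted once the tunnel was up). The name `triage`, the 2-second slack, the assumed year and the abridged sample log are choices made for this example.

```python
import re
from datetime import datetime

# Sample input: abridged from the syslog posted in this thread (one cycle).
SAMPLE_LOG = """\
Apr 14 05:03:04 unknown daemon.warn openvpn[3239]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Apr 14 05:03:06 unknown daemon.warn openvpn[3239]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.13 192.168.30.14,dhcp-option DNS 192.168.30.1,route-gateway 192.168.30.14,redirect-gateway def1'
Apr 14 05:03:08 unknown daemon.notice openvpn[3239]: Initialization Sequence Completed
Apr 14 05:03:18 unknown daemon.notice openvpn[3239]: [35.192.21.73] Inactivity timeout (--ping-restart), restarting
"""

# "Apr 14 05:03:08 host facility.level openvpn[pid]: message"
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ openvpn\[\d+\]: (.*)$")
MISMATCH = re.compile(r"WARNING: '([^']+)' is present in local config "
                      r"but missing in remote config")
PING_RESTART = re.compile(r"PUSH_REPLY.*?\bping-restart (\d+)")
YEAR = 2018   # assumption: classic syslog timestamps carry no year
SLACK = 2     # seconds of timer jitter tolerated (assumption of this example)


def triage(log_text):
    """Summarise OpenVPN client syslog text into a dict of findings."""
    found = {"option_mismatch": set(), "no_server_cert_check": False,
             "ping_restart": None, "dead_tunnel_restarts": 0}
    up_since = None  # time of the last "Initialization Sequence Completed"
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # kernel lines and other daemons
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if "No server certificate verification method" in msg:
            found["no_server_cert_check"] = True  # server identity unchecked
        mm = MISMATCH.search(msg)
        if mm:
            found["option_mismatch"].add(mm.group(1))
        pr = PING_RESTART.search(msg)
        if pr:
            found["ping_restart"] = int(pr.group(1))
        if "Initialization Sequence Completed" in msg:
            up_since = ts
        elif "Inactivity timeout (--ping-restart)" in msg and up_since:
            idle = (ts - up_since).total_seconds()
            limit = found["ping_restart"]
            # Restart right at the limit: nothing arrived after tunnel-up.
            if limit is not None and idle <= limit + SLACK:
                found["dead_tunnel_restarts"] += 1
            up_since = None
    return found


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-zero `dead_tunnel_restarts` together with a non-empty `option_mismatch` points at a data-channel option (cipher, compression) that differs between client and server, which is the situation this thread ended up in.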
     