Problem with OpenVPN on FT 2019.1

Discussion in 'Tomato Firmware' started by Severus, Mar 7, 2019.

  1. Severus

    Severus Connected Client Member

I have a problem connecting to the OpenVPN server running on my FT 2019.1 on an Asus RT-AC68U. I've generated all the keys and set up the server as shown in the pictures below. I've also generated a client config file that looks like this:
    client
    dev tun
    proto udp4
    remote my.domain.com 1194
    compress lz4-v2
    cipher AES-128-CBC
    #crypt tls
    remote-cert-tls server
    ca ca.pem
    tls-crypt static.key
    cert client.crt
    key client.key

As you can see, I had to comment out the line "crypt tls" because it's not recognized by the OpenVPN client software. I'm using OpenVPN 2.4.7 on a Windows 7 machine.
    When trying to connect I keep getting the error: "TLS key negotiation failed within 60 seconds (check your network connectivity)". Should I forward port 1194 (to what?) or do anything else? (Attachments: advanced.png, basic.png)
     
    Last edited: Mar 8, 2019
  2. Severus

    Severus Connected Client Member

So, I found the solution. Looks like setting it to UDP4 doesn't work for my configuration. Why? I don't know. When I set the proto to just UDP, I get connected. There are still two things: first, as I mentioned before, there is the "crypt tls" parameter, which is generated in the client config file and must be removed. Second, when I attempt to connect, I'm getting the warning "No server certificate verification method has been enabled". When I add "remote-cert-tls server" to the client config, I cannot connect and I get "Certificate does not have usage extension" followed by TLS errors.
     
  3. Severus

    Severus Connected Client Member

I did some further investigation and found out that if I create all key files using easy-rsa and use them with the OpenVPN server on FT, I can use the "remote-cert-tls server" directive in the client config and everything works as expected. So, it looks like something is wrong with generating keys on FT.
     
  4. Severus

    Severus Connected Client Member

One more thing: if the "Allow User/Pass Auth" option is used, then the generated client config file should contain the "auth-user-pass" directive to work.
     
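The fixes the thread arrives at in posts 2 to 4 (drop the unrecognized "crypt tls" line, use "proto udp", keep "remote-cert-tls server", add "auth-user-pass" when user/password auth is enabled on the server) can be checked mechanically before the profile is handed to a client. The script below is an added example and is not code from the thread or from the FreshTomato project; the sample profile is constructed from the one quoted in post 1, the directive table is a hand-picked subset of what OpenVPN 2.4 accepts, and the function names are my own.

```python
"""Lint and repair a generated OpenVPN 2.4 client profile (.ovpn).

Added example (not from the forum thread or FreshTomato).  The sample profile is
constructed from post 1 of the thread; KNOWN_DIRECTIVES is an assumed subset of
the directives OpenVPN 2.4 understands, wide enough for this kind of profile.
"""

# Constructed sample: the generated profile from post 1, before any hand edits.
GENERATED_PROFILE = """\
client
dev tun
proto udp4
remote my.domain.com 1194
compress lz4-v2
cipher AES-128-CBC
crypt tls
remote-cert-tls server
ca ca.pem
tls-crypt static.key
cert client.crt
key client.key
"""

# Assumed subset of valid OpenVPN 2.4 client directives (not exhaustive).
KNOWN_DIRECTIVES = {
    "client", "dev", "proto", "remote", "compress", "cipher", "auth",
    "remote-cert-tls", "ca", "cert", "key", "tls-crypt", "tls-auth",
    "auth-user-pass", "verb", "nobind", "persist-key", "persist-tun",
    "resolv-retry", "key-direction",
}

# proto values that pin an address family; the thread reports plain "udp" worked
# where "udp4" did not, so these get a warning rather than an error.
FAMILY_SPECIFIC_PROTO = {"udp4", "udp6", "tcp4-client", "tcp6-client"}


def parse_profile(text):
    """Return a list of (directive, [args]) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_profile(text, user_pass_auth=False):
    """Return a list of (severity, message) findings for the profile."""
    entries = parse_profile(text)
    names = {directive for directive, _ in entries}
    findings = []
    for directive, args in entries:
        if directive not in KNOWN_DIRECTIVES:
            # "crypt tls" is exactly this case: the client refuses the profile.
            findings.append(("error", f"unknown directive '{directive}'; OpenVPN 2.4 will refuse to start"))
        if directive == "proto" and args and args[0] in FAMILY_SPECIFIC_PROTO:
            findings.append(("warn", f"proto {args[0]} is address-family specific; the thread reports plain 'udp' connected where 'udp4' did not"))
    if "remote-cert-tls" not in names:
        findings.append(("warn", "no 'remote-cert-tls server': client will not verify it is talking to a server certificate (the 'No server certificate verification method' warning)"))
    else:
        findings.append(("info", "remote-cert-tls server requires the server certificate to carry extendedKeyUsage serverAuth; verify the cert the server actually uses"))
    if user_pass_auth and "auth-user-pass" not in names:
        findings.append(("error", "server has Allow User/Pass Auth enabled but profile lacks 'auth-user-pass'"))
    return findings


def fix_profile(text, user_pass_auth=False):
    """Apply the edits the thread arrived at and return the corrected profile text."""
    names = {directive for directive, _ in parse_profile(text)}
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        is_comment = line.startswith(("#", ";"))
        if parts and not is_comment and parts[0] not in KNOWN_DIRECTIVES:
            out.append(f"# removed: {line}")      # keep a trace of what was dropped
            continue
        if parts[:2] == ["proto", "udp4"]:
            out.append("proto udp")
            continue
        out.append(raw)
    if "remote-cert-tls" not in names:
        out.append("remote-cert-tls server")
    if user_pass_auth and "auth-user-pass" not in names:
        out.append("auth-user-pass")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for severity, message in lint_profile(GENERATED_PROFILE, user_pass_auth=True):
        print(f"[{severity}] {message}")
    print(fix_profile(GENERATED_PROFILE, user_pass_auth=True))
```

The one thing a profile linter cannot check is the cause of "Certificate does not have usage extension" from post 2: "remote-cert-tls server" makes the client require an extendedKeyUsage of serverAuth on the server's certificate, so that is a property of the certificate the router presents, not of the profile. With OpenSSL 1.1.1 or later, `openssl x509 -in server.crt -noout -ext extendedKeyUsage` prints "TLS Web Server Authentication" for a certificate that will pass this check; a certificate without that line will fail it, which matches the observation in post 3 that easy-rsa-generated keys work while the router-generated ones do not.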