openvpn client configuration?

DD-WRT Forum Index -> Broadcom SoC based Hardware
kallsop
DD-WRT User


Joined: 10 Apr 2008
Posts: 135

PostPosted: Sat May 27, 2017 13:32    Post subject: openvpn client configuration?
31980M on R7000, up for 13 days. This morning the router lost VPN access (privateinternetaccess). I didn't reboot the router but killed openvpn and restarted it. VPN came back. This is what I see in the logs, before and after killing openvpn:

Code:

May 27 04:08:00 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]108.61.68.147:1197


Code:

May 27 04:55:01 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]66.55.144.248:1197


Did the VPN server change its IP or die, and openvpn was preserving the old IP and not picking up the new IP? The openvpn config has a "persist-tun" setting; is that what could cause openvpn to not change its remote address? Or any other suggestions to make the openvpn client more reactive?
hubermania
DD-WRT User


Joined: 24 Aug 2012
Posts: 223

PostPosted: Mon May 29, 2017 23:53    Post subject:
Enable the WDS/Connection Watchdog on the Administration->Keep Alive tab, and specify an IP address local to the VPN provider's network like a 10.x.x.x DNS server. The router will periodically ping that address and reboot if the ping fails.
_________________
[Broadcom] Asus rt-ac66u r35531 ('66 should only be factory reset through the DD UI)
Fix RT-AC66U "wl1 [2.4 GHz TurboQAM]". DD-WRT failsafe UI @ http|https://169.254.255.1/
kallsop
DD-WRT User


Joined: 10 Apr 2008
Posts: 135

PostPosted: Tue May 30, 2017 11:14    Post subject:
hubermania wrote:
Enable the WDS/Connection Watchdog on the Administration->Keep Alive tab, and specify an IP address local to the VPN provider's network like a 10.x.x.x DNS server. The router will periodically ping that address and reboot if the ping fails.


Thanks, I do have a watchdog set up to the Google DNS IP. I could change that to the VPN provider's DNS servers.

But I am still curious as to how to configure openvpn client to not preserve remote address. "persist-tun" is maybe the setting that needs to be removed, but there may be other consequences.
kallsop
DD-WRT User


Joined: 10 Apr 2008
Posts: 135

PostPosted: Wed Jun 21, 2017 17:42    Post subject:
Happened again today: openvpn did a ping-restart and it never recovers, see the log below. The router, in a telnet session, can ping 208.167.254.223.

Any openvpn experts here: will changing any openvpn options make this recover after a ping-restart? The openvpn.conf file is posted below, after the log.

Code:

Jun 21 09:07:40 Netgear_R7000 openvpn: [b24472d73a8801b4f1be3aec30f90bd6] Inactivity timeout (--ping-restart), restarting
Jun 21 09:07:40 Netgear_R7000 openvpn: SIGUSR1[soft,ping-restart] received, process restarting
Jun 21 09:07:40 Netgear_R7000 openvpn: Restart pause, 10 second(s)
Jun 21 09:07:50 Netgear_R7000 openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 21 09:07:50 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]208.167.254.223:1197
Jun 21 09:07:50 Netgear_R7000 openvpn: Socket Buffers: R=[180224->360448] S=[180224->360448]
Jun 21 09:07:50 Netgear_R7000 openvpn: UDPv4 link local: (not bound)
Jun 21 09:07:50 Netgear_R7000 openvpn: UDPv4 link remote: [AF_INET]208.167.254.223:1197
Jun 21 09:07:50 Netgear_R7000 openvpn: TLS: Initial packet from [AF_INET]208.167.254.223:1197, sid=41e2e97a 02789ca0
Jun 21 09:07:50 Netgear_R7000 openvpn: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 21 09:07:50 Netgear_R7000 openvpn: VERIFY KU OK
Jun 21 09:07:50 Netgear_R7000 openvpn: NOTE: --mute triggered...
Jun 21 09:07:53 Netgear_R7000 openvpn: 4 variation(s) on previous 3 message(s) suppressed by --mute
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jun 21 09:07:53 Netgear_R7000 openvpn: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jun 21 09:07:53 Netgear_R7000 openvpn: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jun 21 09:07:53 Netgear_R7000 openvpn: [b24472d73a8801b4f1be3aec30f90bd6] Peer Connection Initiated with [AF_INET]208.167.254.223:1197
Jun 21 09:07:54 Netgear_R7000 openvpn: SENT CONTROL [b24472d73a8801b4f1be3aec30f90bd6]: 'PUSH_REQUEST' (status=1)
Jun 21 09:07:54 Netgear_R7000 openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:07:54 Netgear_R7000 openvpn: SIGUSR1[soft,auth-failure] received, process restarting
Jun 21 09:07:54 Netgear_R7000 openvpn: Restart pause, 10 second(s)
Jun 21 09:08:04 Netgear_R7000 openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 21 09:08:04 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]208.167.254.223:1197
Jun 21 09:08:04 Netgear_R7000 openvpn: Socket Buffers: R=[180224->360448] S=[180224->360448]
Jun 21 09:08:04 Netgear_R7000 openvpn: UDPv4 link local: (not bound)
Jun 21 09:08:04 Netgear_R7000 openvpn: UDPv4 link remote: [AF_INET]208.167.254.223:1197
Jun 21 09:08:04 Netgear_R7000 openvpn: TLS: Initial packet from [AF_INET]208.167.254.223:1197, sid=99a681bb c43bdf86
Jun 21 09:08:04 Netgear_R7000 openvpn: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 21 09:08:04 Netgear_R7000 openvpn: VERIFY KU OK
Jun 21 09:08:04 Netgear_R7000 openvpn: NOTE: --mute triggered...
Jun 21 09:08:08 Netgear_R7000 openvpn: 4 variation(s) on previous 3 message(s) suppressed by --mute
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jun 21 09:08:08 Netgear_R7000 openvpn: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jun 21 09:08:08 Netgear_R7000 openvpn: [b24472d73a8801b4f1be3aec30f90bd6] Peer Connection Initiated with [AF_INET]208.167.254.223:1197
Jun 21 09:08:09 Netgear_R7000 openvpn: SENT CONTROL [b24472d73a8801b4f1be3aec30f90bd6]: 'PUSH_REQUEST' (status=1)
Jun 21 09:08:09 Netgear_R7000 openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:08:09 Netgear_R7000 openvpn: SIGUSR1[soft,auth-failure] received, process restarting
Jun 21 09:08:09 Netgear_R7000 openvpn: Restart pause, 10 second(s)
Jun 21 09:08:19 Netgear_R7000 openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 21 09:08:19 Netgear_R7000 openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]208.167.254.223:1197
Jun 21 09:08:19 Netgear_R7000 openvpn: Socket Buffers: R=[180224->360448] S=[180224->360448]
Jun 21 09:08:19 Netgear_R7000 openvpn: UDPv4 link local: (not bound)
Jun 21 09:08:19 Netgear_R7000 openvpn: UDPv4 link remote: [AF_INET]208.167.254.223:1197
Jun 21 09:08:19 Netgear_R7000 openvpn: TLS: Initial packet from [AF_INET]208.167.254.223:1197, sid=c378a7b9 36f25c04
Jun 21 09:08:19 Netgear_R7000 openvpn: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jun 21 09:08:19 Netgear_R7000 openvpn: VERIFY KU OK
Jun 21 09:08:19 Netgear_R7000 openvpn: NOTE: --mute triggered...


Code:

ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp4
cipher aes-256-cbc
auth sha256
auth-user-pass /tmp/openvpncl/credentials
remote us-east.privateinternetaccess.com 1197
comp-lzo adaptive
redirect-private def1
route-noexec
tun-mtu 1500
mtu-disc yes
fast-io
passtos
tls-client
remote-cert-tls server
mute-replay-warnings
proto udp4
ping 10
ping-restart 60
auth-retry nointeract
sndbuf 524288
rcvbuf 524288
reneg-sec 0


EDIT - rebooted the router, now the vpn IP is at 208.167.254.22 and the vpn is working again.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Sun Jun 25, 2017 8:28    Post subject: Your OpenVPN Additional Config
Can you post your OpenVPN Additional Config???
_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Sun Jun 25, 2017 13:18    Post subject:
Whatever server you are trying to connect with, the log shows:
kallsop wrote:
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

Your config says you are using AES-256-CBC.
You need to change to Blowfish CBC.

kallsop wrote:
Jun 21 09:08:08 Netgear_R7000 openvpn: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

Your config says you are using SHA256.
You need to change to SHA1.
kallsop
DD-WRT User


Joined: 10 Apr 2008
Posts: 135

PostPosted: Mon Jun 26, 2017 12:05    Post subject: Re: Your OpenVPN Additional Config
sploit wrote:
Can you post your OpenVPN Additional Config???


It's the bottom part of the posted openvpn.conf file above:

Code:

tls-client
remote-cert-tls server
mute-replay-warnings
proto udp4
ping 10
ping-restart 60
auth-retry nointeract
sndbuf 524288
rcvbuf 524288
reneg-sec 0
kallsop
DD-WRT User


Joined: 10 Apr 2008
Posts: 135

PostPosted: Mon Jun 26, 2017 12:31    Post subject:
mrjcd wrote:
Whatever server you are trying to connect with log shows:
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'



That is the recommended config per the provider (PIA), and those warnings are always there, even on successful connections.

https://www.privateinternetaccess.com/pages/vpn-encryption

This is a successful connection:
Code:

20170625 12:56:58 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1542'
20170625 12:56:58 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher BF-CBC'
20170625 12:56:58 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20170625 12:56:58 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20170625 12:56:58 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20170625 12:56:58 I [917bc8f95cfd723d30971370d4cff7fd] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xxx:1197
20170625 12:56:59 SENT CONTROL [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]: 'PUSH_REQUEST' (status=1)
20170625 12:56:59 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS xxx.xxx.xx.xxx dhcp-option DNS xxx.xxx.xx.xxx ping 10 comp-lzo no route xx.xx.xx.x topology net30 ifconfig xx.xx.xx.x xx.xx.xx.x auth-token'
20170625 12:56:59 OPTIONS IMPORT: timers and/or timeouts modified
20170625 12:56:59 NOTE: --mute triggered...
20170625 12:56:59 4 variation(s) on previous 3 message(s) suppressed by --mute
20170625 12:56:59 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170625 12:56:59 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
20170625 12:56:59 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170625 12:56:59 NOTE: --mute triggered...
20170625 12:56:59 1 variation(s) on previous 3 message(s) suppressed by --mute
20170625 12:56:59 I TUN/TAP device tun1 opened
20170625 12:56:59 TUN/TAP TX queue length set to 100
20170625 12:56:59 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20170625 12:56:59 I /sbin/ifconfig tun1 xx.xx.xx.x pointopoint xx.xx.xx.x mtu 1500
20170625 12:57:03 I Initialization Sequence Completed
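As an added example (not code from this thread, from DD-WRT or from OpenVPN), here is a small Python triage routine for client logs in the two formats posted above: it separates the option-mismatch warnings, which the last post shows also appear on a working connection, from the restart loop in the Jun 21 post that keeps re-using the same remote address and ends in AUTH_FAILED each time. The hostname and the remote address in the sample lines are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two log formats posted in this thread;
# hostname and remote address are placeholders, not the poster's values.
FAILING_LOG = """\
Jun 21 09:07:40 router openvpn: Inactivity timeout (--ping-restart), restarting
Jun 21 09:07:40 router openvpn: SIGUSR1[soft,ping-restart] received, process restarting
Jun 21 09:07:50 router openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]198.51.100.7:1197
Jun 21 09:07:53 router openvpn: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jun 21 09:07:54 router openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:07:54 router openvpn: SIGUSR1[soft,auth-failure] received, process restarting
Jun 21 09:08:04 router openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]198.51.100.7:1197
Jun 21 09:08:09 router openvpn: AUTH: Received control message: AUTH_FAILED
Jun 21 09:08:09 router openvpn: SIGUSR1[soft,auth-failure] received, process restarting
"""
SUCCESS_LOG = """\
20170625 12:56:58 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher BF-CBC'
20170625 12:56:58 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20170625 12:56:59 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170625 12:57:03 I Initialization Sequence Completed
"""

RESTART_RE = re.compile(r"SIGUSR1\[soft,(?P<reason>[\w-]+)\] received")
REMOTE_RE = re.compile(r"Preserving recently used remote address: \[AF_INET\](?P<addr>[\d.]+:\d+)")
WARNING_RE = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently")

def analyse(log_text, auth_fail_limit=2):
    """Summarise an OpenVPN client log: why it restarted, which remote it kept
    re-using, which option warnings appeared, and whether the tunnel came up."""
    restarts, remotes, warnings = Counter(), set(), set()
    auth_failed, completed = 0, False
    for line in log_text.splitlines():
        if m := RESTART_RE.search(line):
            restarts[m.group("reason")] += 1
        if m := REMOTE_RE.search(line):
            remotes.add(m.group("addr"))
        if m := WARNING_RE.search(line):
            warnings.add(m.group("opt"))
        if "AUTH_FAILED" in line:
            auth_failed += 1
        if "Initialization Sequence Completed" in line:
            completed = True
    # Option-mismatch warnings alone are not a fault (they also appear on the
    # working connection); repeated AUTH_FAILED with no completed handshake is.
    stuck = not completed and auth_failed >= auth_fail_limit
    return {"restarts": dict(restarts), "remotes": sorted(remotes),
            "warnings": sorted(warnings), "auth_failed": auth_failed,
            "completed": completed, "stuck_auth_loop": stuck}
```

Feeding the router's syslog through `analyse` gives a quick yes/no on whether a watchdog-style restart is actually needed, instead of reacting to the always-present cipher and auth warnings.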