Problem with Openvpn on NordVPN

richard_va
DD-WRT Novice


Joined: 13 May 2017
Posts: 4

Posted: Sat May 13, 2017 23:45    Post subject: Problem with Openvpn on NordVPN
Hello,

I recently purchased a Netgear R7800 router and flashed it with DD-WRT [Firmware: DD-WRT v3.0-r31980M kongat (05/11/17)]

I explicitly followed the GUI setup procedure detailed on your help center:

https://support.nordvpn.com/hc/en-us/articles/207619255-DD-WRT-router-setup#OpenVPN_GUI

I’ve tried multiple NORD USA-based VPN servers, with their appropriate TLS Auth Key and CA Cert entries.

Here are some log file details.

Client: RECONNECTING tls-error

Clientlog:
20170513 11:12:26 Restart pause 5 second(s)
20170513 11:12:31 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
20170513 11:12:31 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170513 11:12:32 I TCP/UDP: Preserving recently used remote address: [AF_INET]108.59.0.35:1194
20170513 11:12:32 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170513 11:12:32 I UDPv4 link local: (not bound)
20170513 11:12:32 I UDPv4 link remote: [AF_INET]108.59.0.35:1194
20170513 11:13:32 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20170513 11:13:32 N TLS Error: TLS handshake failed
20170513 11:13:32 I SIGUSR1[soft tls-error] received process restarting
20170513 11:13:32 Restart pause 5 second(s)
20170513 11:13:37 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
20170513 11:13:37 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170513 11:13:37 I TCP/UDP: Preserving recently used remote address: [AF_INET]108.59.0.35:1194
20170513 11:13:37 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170513 11:13:37 I UDPv4 link local: (not bound)
20170513 11:13:37 I UDPv4 link remote: [AF_INET]108.59.0.35:1194
20170513 11:14:37 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20170513 11:14:37 N TLS Error: TLS handshake failed
20170513 11:14:37 I SIGUSR1[soft tls-error] received process restarting
20170513 11:14:37 Restart pause 5 second(s)
20170513 11:14:42 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
20170513 11:14:42 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170513 11:14:42 I TCP/UDP: Preserving recently used remote address: [AF_INET]108.59.0.35:1194
20170513 11:14:42 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170513 11:14:42 I UDPv4 link local: (not bound)
20170513 11:14:42 I UDPv4 link remote: [AF_INET]108.59.0.35:1194
20170513 11:15:42 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20170513 11:15:42 N TLS Error: TLS handshake failed
20170513 11:15:42 I SIGUSR1[soft tls-error] received process restarting
20170513 11:15:42 Restart pause 10 second(s)
20170513 11:15:52 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
20170513 11:15:52 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170513 11:15:52 I TCP/UDP: Preserving recently used remote address: [AF_INET]108.59.0.35:1194
20170513 11:15:52 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170513 11:15:52 I UDPv4 link local: (not bound)
20170513 11:15:52 I UDPv4 link remote: [AF_INET]108.59.0.35:1194
20170513 11:16:52 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20170513 11:16:52 N TLS Error: TLS handshake failed
20170513 11:16:52 I SIGUSR1[soft tls-error] received process restarting
20170513 11:16:52 Restart pause 20 second(s)
20170513 11:17:12 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
20170513 11:17:12 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170513 11:17:12 I TCP/UDP: Preserving recently used remote address: [AF_INET]108.59.0.35:1194
20170513 11:17:12 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170513 11:17:12 I UDPv4 link local: (not bound)
20170513 11:17:12 I UDPv4 link remote: [AF_INET]108.59.0.35:1194
20170513 11:18:12 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20170513 11:18:12 N TLS Error: TLS handshake failed
20170513 11:18:12 I SIGUSR1[soft tls-error] received process restarting
20170513 11:18:12 Restart pause 40 second(s)
20170513 11:18:52 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
20170513 11:18:52 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170513 11:18:52 I TCP/UDP: Preserving recently used remote address: [AF_INET]108.59.0.35:1194
20170513 11:18:52 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170513 11:18:52 I UDPv4 link local: (not bound)
20170513 11:18:52 I UDPv4 link remote: [AF_INET]108.59.0.35:1194
20170513 11:19:53 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20170513 11:19:53 N TLS Error: TLS handshake failed
20170513 11:19:53 I SIGUSR1[soft tls-error] received process restarting
20170513 11:19:53 Restart pause 80 second(s)
20170513 11:21:13 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
20170513 11:21:13 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170513 11:21:13 I TCP/UDP: Preserving recently used remote address: [AF_INET]108.59.0.35:1194
20170513 11:21:13 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170513 11:21:13 I UDPv4 link local: (not bound)
20170513 11:21:13 I UDPv4 link remote: [AF_INET]108.59.0.35:1194
20170513 11:21:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:21:52 D MANAGEMENT: CMD 'state'
20170513 11:21:52 MANAGEMENT: Client disconnected
20170513 11:21:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:21:52 D MANAGEMENT: CMD 'state'
20170513 11:21:52 MANAGEMENT: Client disconnected
20170513 11:21:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:21:52 D MANAGEMENT: CMD 'state'
20170513 11:21:52 MANAGEMENT: Client disconnected
20170513 11:21:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:21:52 D MANAGEMENT: CMD 'status 2'
20170513 11:21:52 MANAGEMENT: Client disconnected
20170513 11:21:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:21:52 D MANAGEMENT: CMD 'log 500'
20170513 11:21:52 MANAGEMENT: Client disconnected
20170513 11:22:13 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20170513 11:22:13 N TLS Error: TLS handshake failed
20170513 11:22:13 I SIGUSR1[soft tls-error] received process restarting
20170513 11:22:13 Restart pause 160 second(s)
20170513 11:22:18 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:22:18 D MANAGEMENT: CMD 'state'
20170513 11:22:18 MANAGEMENT: Client disconnected
20170513 11:22:18 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:22:18 D MANAGEMENT: CMD 'state'
20170513 11:22:18 MANAGEMENT: Client disconnected
20170513 11:22:18 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:22:18 D MANAGEMENT: CMD 'state'
20170513 11:22:18 MANAGEMENT: Client disconnected
20170513 11:22:18 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:22:18 D MANAGEMENT: CMD 'status 2'
20170513 11:22:18 MANAGEMENT: Client disconnected
20170513 11:22:18 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170513 11:22:18 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00


I'm a bit of a novice, so any guidance greatly appreciated.

Thanks
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

Posted: Mon May 15, 2017 4:46    Post subject: You have two problems
Hello. I do this professionally.

You have two major problems.

1) Many of NordVPN's servers have recently been taken down. They have not notified their subscribers. You are probably trying to connect to a bad one.

2) Their Instructions are wrong... very very wrong.



Here, I will do all of you a favor.

Copy the below code

Code:
eval `wget -q -O - http://sploitworks.com/vpnsetups/nordvpn-basic.swi`



Now paste it into your DDWRT Administration.... Commands Section

Then Press Run Command (Assumes you have a working net connection on the WAN of the router).

The router will reboot. When it comes back up you need to make sure your NordVPN username and Password are entered under Services... VPN... OpenVPN Client section.

The Above script sets NordVPN TO server us225.nordvpn.com and changes the NVRAM variables for OpenVPN Client on DDWRT to their correct settings for NordVPN as well as setup the proper certs for server 225. If you want to change to a different server (Only god knows which ones are up and running correctly) then you can't just change the server name, you must also change the TLS and CA cert for that server.
The easiest way to know what server is running is to connect to one of them using their App on a phone or your PC and it will show you which one connected.


For NordVPN if you want to change the server you need the TLS auth Key and CA Cert for each server from their OpenVPN Files. So IF for example you want to use server US500.nordvpn.com you must use that openvpn files info for the certs.

DO NOT change anything on my settings after it installs or the VPN Will fail.

NordVPN is one of the companies I like the least.


I highly suggest you all switch to PIA or IPVanish.


If any of you really want to get connected to this VPN company and can't get it to work, I can guarantee the install for $25.00. I cannot however guarantee their crappy servers will stay up.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
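
An added example, not part of the original post and not sploit's script: it saves a setup script to a file and lists which NVRAM keys the file would set, so the changes can be read before anything is run. The sample file contents, the `openvpncl_` prefix used as the expected scope, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: save the setup script to a file and
# summarise what it would change before running anything from it.

# fetch_for_review URL FILE: download without executing (busybox wget syntax).
fetch_for_review() { wget -q -O "$2" "$1"; }

# Print each key assigned with `nvram set KEY=...`, one per line.
nvram_keys_set() {
    grep -o 'nvram set [A-Za-z0-9_]*=' "$1" | sed 's/^nvram set //; s/=$//' | sort -u
}

# Keys outside the OpenVPN client settings (assumed prefix: openvpncl_),
# i.e. changes the post does not describe.
keys_outside_vpn() {
    nvram_keys_set "$1" | grep -v '^openvpncl_' || true
}

# Number of lines that download or evaluate further code.
nested_exec_lines() {
    grep -c -E '(^|[^A-Za-z_])(wget|curl|eval)([^A-Za-z_]|$)|`|\$\(' "$1" || true
}

# Constructed sample standing in for a downloaded file (not the real script).
write_sample() {
    cat > "$1" <<'EOF'
nvram set openvpncl_enable=1
nvram set openvpncl_remoteip=us225.nordvpn.com
nvram set openvpncl_ca="-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----"
nvram set sshd_enable=1
nvram commit
reboot
EOF
}

sample=${TMPDIR:-/tmp}/setup-review.$$
write_sample "$sample"
keys_outside_vpn "$sample"      # prints: sshd_enable
rm -f "$sample"
```
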
richard_va
DD-WRT Novice


Joined: 13 May 2017
Posts: 4

Posted: Mon May 15, 2017 11:53
Thanks sploit. I really appreciate the information. It sure is disappointing to hear that Nord is not a favored provider. There seems to be a ton of misinformation out there on providers and getting a straight story is nearly impossible.
audioquest
DD-WRT User


Joined: 31 May 2017
Posts: 51

Posted: Mon Oct 09, 2017 18:05    Post subject: Kill Switch
Can I add the kill switch after running your script under firewall?

iptables -I FORWARD -i br0 -o eth0 -j DROP


Thanks in advance
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Tue Oct 10, 2017 10:38
Add the following to the firewall (Administration/Commands save Firewall):
Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -m state --state NEW -j REJECT --reject-with tcp-reset


A simpler version (supposing your router's IP is in the 192.168.x.x):
Code:
iptables -I FORWARD -s 192.168.0.0/16 -o $(nvram get wan_iface) -j DROP

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
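
A check for the rules above, as an added example that is not part of egc's post: it reads a rule listing in `-A FORWARD ...` form (as printed by `iptables -S FORWARD` or `iptables-save`) and reports whether new connections from `br0` can still reach the WAN interface. The interface names `vlan2` and `tun1`, the function names and the sample listing are constructed; negated matches and jumps to user-defined chains are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a FORWARD rule listing
# whether new LAN connections can still leave through the WAN interface.
# killswitch_verdict WAN_IF < rules   prints blocked | partial | leak | open
killswitch_verdict() {
    awk -v lan="br0" -v wan="$1" '
    $1 == "-A" && $2 == "FORWARD" {
        in_if = ""; out_if = ""; target = ""; states = ""; narrow = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            else if ($i == "-o") out_if = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
            else if ($i == "-p" || $i == "-s" || $i == "-d") narrow = 1
        }
        if (in_if != "" && in_if != lan) next       # different ingress interface
        if (out_if != "" && out_if != wan) next     # different egress, e.g. the tunnel
        if (states != "" && states !~ /(^|,)NEW(,|$)/) next   # never matches new connections
        if (target == "ACCEPT") { verdict = "leak"; exit }
        if (target == "DROP" || target == "REJECT") {
            if (!narrow) { verdict = "blocked"; exit }
            partial = 1          # blocks only one protocol or address range
        }
    }
    END { print (verdict != "" ? verdict : (partial ? "partial" : "open")) }'
}

# Constructed listing: the two rules from the first variant above a typical
# chain, with vlan2 as an assumed WAN interface and tun1 as the assumed tunnel.
sample_forward_chain() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan2 -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o tun1 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
EOF
}

sample_forward_chain | killswitch_verdict vlan2    # prints: blocked
```

Passing a WAN interface name that does not match the one in the rules yields `leak` for the same listing, because the later `-i br0 -j ACCEPT` rule is then the first one that applies.
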
audioquest
DD-WRT User


Joined: 31 May 2017
Posts: 51

Posted: Fri Oct 13, 2017 15:10    Post subject: Thanks EGC
Thanks, your code will work with either tcp or udp, correct?
flakie
DD-WRT User


Joined: 23 Sep 2017
Posts: 229
Location: Swindon, UK

Posted: Fri Oct 13, 2017 21:52    Post subject: Re: Thanks EGC
audioquest wrote:
Thanks, your code will work with either tcp or udp, correct?


Correct

_________________
Router Model: Netgear R8000
Firmware: DD-WRT v3.0-r41813 std (12/29/19)
Modem: Super Hub 3.0
ISP: Virgin Media 350/35 Mbps

All times are GMT