Posted: Thu Apr 27, 2017 4:54 Post subject: r7000 Kong Can't get VPN Server to work
Hello,
I cannot get an OpenVPN client to connect to the OpenVPN server on an r7000 with Kong v3.0-r31870M (04/16/17) firmware.
I'm new to the r7000 so I don't have a baseline. I don't know if it is the firmware or, more likely, an issue on my end. I read the r31870M thread and it appears that some people have their VPN server functioning normally.
I'm trying to set up a TAP (layer 2) VPN server so I could VPN into my place. The problem I have is that I get:
TLS Error: TLS handshake failed.
root@DD-WRT:~# cat /var/log/messages
Apr 26 23:24:29 DD-WRT user.info : vpn modules : vpn modules successfully unloaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_conntrack_proto_gre successfully loaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_nat_proto_gre successfully loaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_conntrack_pptp successfully loaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_nat_pptp successfully loaded
Apr 26 23:24:29 DD-WRT user.info : openvpnserver : OpenVPN daemon (Server) successfully stopped
Apr 26 23:24:29 DD-WRT daemon.notice openvpn[1033]: /tmp/openvpn/route-down.sh tap2 1500 1656 init
Apr 26 23:24:29 DD-WRT user.info : syslogd : syslog daemon successfully stopped
Apr 26 23:24:29 DD-WRT syslog.info syslogd exiting
Apr 26 23:24:29 DD-WRT syslog.info syslogd started: BusyBox v1.26.2
Apr 26 23:24:29 DD-WRT daemon.notice openvpn[1033]: SIGTERM[hard,] received, process exiting
Apr 26 23:24:30 DD-WRT user.info : openvpn : OpenVPN daemon (Server) starting/restarting...
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3683]: OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 16 2017
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3683]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Apr 26 23:24:30 DD-WRT daemon.warn openvpn[3686]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Apr 26 23:24:30 DD-WRT daemon.warn openvpn[3686]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: NOTE: --fast-io is disabled since we are not using UDP
Apr 26 23:24:30 DD-WRT daemon.warn openvpn[3686]: Note: cannot open ipp.txt for READ/WRITE
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: Diffie-Hellman initialized with 2048 bit key
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TUN/TAP device tap2 opened
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TUN/TAP TX queue length set to 100
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TCPv4_SERVER link remote: [AF_UNSPEC]
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: MULTI: multi_init called, r=256 v=256
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: IFCONFIG POOL: base=192.168.1.50 size=10, ipv6=0
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: IFCONFIG POOL LIST
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: MULTI: TCP INIT maxclients=1024 max
Code:
root@DD-WRT:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 67.163.60.1 0.0.0.0 UG 0 0 0 vlan2
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan7
67.163.60.0 0.0.0.0 255.255.252.0 U 0 0 0 vlan2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
OpenVPN client settings, trying with latest OpenVPN on Win7.
Code:
client
dev tap
proto udp
remote foo.bar 1194
nobind
persist-key
persist-tun
verb 4
float
ca 'C:\Program Files\OpenVPN\config\ca.crt'
cert 'C:\Program Files\OpenVPN\config\kyle.crt'
key 'C:\Program Files\OpenVPN\config\kyle.key'
comp-lzo yes
tun-mtu 1500
auth SHA256
cipher AES-128-CBC
Things I tried
- make sure NTP is enabled and time is synced, which it wasn't... but enabling it didn't fix the issue for me
- generate all keys/certs with the same Common Name (I googled and found a person who solved his TLS handshake issue once he used the same CN for his certs). Prior to that I had a 'server' CN for server.{key,crt}, 'user' for the client, etc. Either way it did not help.
- I have verified that I can telnet to my public IP on port 1194, so the issue does not appear to be firewall related.
I have been looking into this for the past 20 hours and I'm exhausted. Please help.
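The server log and the client config in the post can be cross-checked mechanically: the server reports the transport, port and device type it actually bound, and the client file states what it will try. The following is an added example, not code from the post or from DD-WRT/OpenVPN; it parses the client directives and the syslog lines shown above (embedded here as constructed samples) and reports the disagreements that commonly end in "TLS Error: TLS handshake failed". It assumes a UDP server logs a `UDPv4 link local (bound)` line in the same shape as the `TCPv4_SERVER` line in the post, and that a server with tls-auth enabled logs a line containing `Control Channel Authentication`; both are assumptions about log wording, not taken from the page.

```python
"""Cross-check an OpenVPN client config against what the server logged.

Added example (not from the forum post): compares transport protocol,
port, tun/tap device type and tls-auth usage, the settings whose
mismatch most often surfaces only as a failed TLS handshake.
"""
import re

# Constructed sample: the client config from the post (cert paths omitted).
CLIENT_CONFIG = """\
client
dev tap
proto udp
remote foo.bar 1194
nobind
persist-key
persist-tun
verb 4
float
comp-lzo yes
tun-mtu 1500
auth SHA256
cipher AES-128-CBC
"""

# Constructed sample: the relevant server-side syslog lines from the post.
SERVER_LOG = """\
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: NOTE: --fast-io is disabled since we are not using UDP
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TUN/TAP device tap2 opened
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
"""

# "TCPv4_SERVER link local (bound): [AF_INET][undef]:1194"; the UDP form
# "UDPv4 link local (bound): ..." is assumed to follow the same layout.
LINK_RE = re.compile(
    r"(TCP|UDP)v[46](?:_SERVER)? link local \(bound\): \[AF_INET6?\]\[?([^\]:]*)\]?:(\d+)"
)
DEV_RE = re.compile(r"TUN/TAP device (tun|tap)\S* opened")
# Assumed wording for a server running with tls-auth/tls-crypt enabled.
TLS_AUTH_RE = re.compile(r"Control Channel Authentication")


def parse_client_config(text):
    """Return {directive: [list of argument lists]}; '#' and ';' start comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def parse_server_log(text):
    """Extract transport, port, device type and tls-auth usage from syslog lines."""
    info = {"proto": None, "port": None, "dev": None, "tls_auth": False}
    for line in text.splitlines():
        m = LINK_RE.search(line)
        if m:
            info["proto"] = m.group(1).lower()
            info["port"] = int(m.group(3))
        m = DEV_RE.search(line)
        if m:
            info["dev"] = m.group(1)
        if TLS_AUTH_RE.search(line):
            info["tls_auth"] = True
    return info


def find_mismatches(client, server):
    """List human-readable disagreements between client directives and server facts."""
    problems = []
    # OpenVPN defaults to UDP when 'proto' is absent; normalise tcp-client/udp4 etc.
    proto = client.get("proto", [["udp"]])[0][0].lower()
    proto = "tcp" if proto.startswith("tcp") else "udp"
    if server["proto"] and proto != server["proto"]:
        problems.append(f"transport mismatch: client 'proto {proto}' but server is bound to {server['proto'].upper()}")
    remote = client.get("remote", [[]])[0]
    port = int(remote[1]) if len(remote) > 1 else 1194  # OpenVPN's default port
    if server["port"] and port != server["port"]:
        problems.append(f"port mismatch: client {port} vs server {server['port']}")
    dev = client.get("dev", [["tun"]])[0][0]
    dev = "tap" if dev.startswith("tap") else "tun"
    if server["dev"] and dev != server["dev"]:
        problems.append(f"device mismatch: client dev {dev} vs server dev {server['dev']}")
    client_tls_auth = "tls-auth" in client or "tls-crypt" in client
    if client_tls_auth != server["tls_auth"]:
        problems.append("tls-auth mismatch: only one side uses a control-channel HMAC key")
    return problems


if __name__ == "__main__":
    for p in find_mismatches(parse_client_config(CLIENT_CONFIG), parse_server_log(SERVER_LOG)):
        print("!", p)
```

Run against the samples it reports a single transport mismatch (client `proto udp`, server bound to TCP), which is consistent with the handshake timing out on UDP and succeeding once both sides use TCP; the same check passes once the client file is changed to `proto tcp-client`.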
Hi, I have an r7000 and your build too. Also my VPN server setup is very similar to yours (except that I block DHCP across the tunnel and I use TCP), but for me it works great on all my devices, so maybe the problem is on the client side. I see a TLS handshake related error, but you shouldn't have any since TLS auth is disabled on the server. Try looking carefully at the client options...
Hello, I tried switching from UDP to TCP (both server & client) and it worked. However, I would really like to use UDP due to better performance.
I see TLS handshake related error but you shouldn't have any since TLS auth is disabled on server.
There are two TLS (SSL) "things" used by OpenVPN. The first is an encrypted TLS connection between the client and server. The second is an optional TLS Authentication Key used to keytag each TLS packet, allowing the server to quickly drop unkeyed (DDoS) packets.
_________________
[Broadcom] Asus rt-ac66u r35531 ('66 should only be factory reset through the DD UI)
Fix RT-AC66U "wl1 [2.4 GHz TurboQAM]". DD-WRT failsafe UI @ http|https://169.254.255.1/
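The distinction drawn in the reply above (the TLS session itself versus the optional pre-shared HMAC key that tags each control packet) is easiest to see as a check-before-work pattern. The following is an added example written for this thread, not OpenVPN's code and not its wire format: a toy server that, when it holds a tls-auth style key, verifies an HMAC-SHA1 tag on every incoming control packet and discards untagged or wrongly keyed packets before spending any TLS effort, and that accepts everything when no key is configured. The `ControlChannel`, `tag_packet` and `simulate` names are hypothetical; the real feature also carries a packet-id for replay protection, which this model omits.

```python
"""Toy model of OpenVPN's tls-auth layer (added example, not OpenVPN code).

Layer 1: the TLS handshake, comparatively expensive.
Layer 2: an optional pre-shared HMAC key that tags each control packet so
         the server can drop unkeyed packets before any TLS work happens.
"""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag


def tag_packet(key, payload):
    """Client side: prepend an HMAC-SHA1 tag computed over the payload."""
    return hmac.new(key, payload, hashlib.sha1).digest() + payload


class ControlChannel:
    """Server side. key=None models a server with tls-auth disabled."""

    def __init__(self, key=None):
        self.key = key
        self.reached_tls = 0   # packets handed to the (expensive) TLS stage
        self.dropped = 0       # packets rejected by the cheap HMAC check

    def receive(self, packet):
        if self.key is None:
            # No tls-auth: every packet, wanted or not, reaches the TLS stage.
            self.reached_tls += 1
            return True
        if len(packet) < TAG_LEN:
            self.dropped += 1
            return False
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha1).digest()
        # Constant-time comparison so the check itself leaks nothing about the key.
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1
            return False
        self.reached_tls += 1
        return True


def simulate(n_good=5, n_bad=5):
    """Constructed scenario: matching keys, a mis-keyed client, and untagged traffic."""
    shared = secrets.token_bytes(64)   # stand-in for the static tls-auth key
    wrong = secrets.token_bytes(64)    # a client configured with a different key
    hello = b"CLIENT_HELLO"            # stand-in for a TLS ClientHello

    protected = ControlChannel(shared)
    for _ in range(n_good):
        protected.receive(tag_packet(shared, hello))   # correct key: accepted
    for _ in range(n_bad):
        protected.receive(tag_packet(wrong, hello))    # wrong key: dropped early
        protected.receive(hello)                       # no tag at all: dropped early

    unprotected = ControlChannel(None)
    for _ in range(n_good + 2 * n_bad):
        unprotected.receive(hello)                     # all reach the TLS stage

    return {
        "protected_reached_tls": protected.reached_tls,
        "protected_dropped": protected.dropped,
        "unprotected_reached_tls": unprotected.reached_tls,
    }


if __name__ == "__main__":
    print(simulate())
```

The point for the thread: a tls-auth key mismatch between client and server produces silently dropped control packets, which the client sees as a handshake that never completes; with tls-auth disabled on both sides (as in the original server log) that layer cannot be the cause, and the handshake failure has to come from the connection settings themselves.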