Asus Merlin OpenVPN Server and DD-WRT Client not working together

Pseudomax

Occasional Visitor
Hi

I wonder if someone can take a look at my configuration and help me solve my problem ...

I have a desire to use my home (UK) Asus RT-87U flashed with Asus Merlin firmware as my DNS proxy given that I travel quite a bit and particularly to one other EU location regularly and wish to use BBC iPlayer etc. So I have purchased a TP-Link Archer C7 V2 router to use which I have flashed with DD-WRT (I have an internet line that I already pay for when I travel).

I expected that the setup would be simple, but no matter what I try I am unable to get the OpenVPN to successfully establish a complete connection. I think the error has to do with TLS but I am too much of a beginner to tell properly? I have played around with all the various settings without success, and have a mix of errors (in the server log): "openvpn authenticate/decrypt packet error hmac" to "tls error: reading acknowledgement record from packet".

Below are the client server configs and logs. Any help gratefully appreciated!
 

Attachments

  • Server.png
  • clientvpn.png
  • serverLog.png
  • clientLog.png
Hi, any kind soul able to help? I only have 2 days left to do any testing and figure this out .... (on this occasion). Thanks in advance ...
 
Go back to the default settings that were there before you "played around" with them and export and upload the config file to the client again. Then post the error logs.
 
Hi Colin

Thanks for the reply ... you have however highlighted my problem ... in that DD-WRT doesn't accept an uploaded .ovpn file (at least the version that is available for my router). That is why I have been 'playing around' with the settings as I am trying to guess what Asus VPN labels mean for DD-WRT. Ideally I would have done exactly what you have suggested...

One additional piece of information that may or may not be relevant ... but the TLS Key starts with it is a 2048 bit encryption (even after changing it down to 1024 bit in the Merlin settings).

Thanks
 
Unfortunately your DD-WRT client settings screen shot is too small to read. Can you make it larger?

Do you know what version of the OpenVPN client it uses? You said that "DD-WRT doesn't accept an uploaded .ovpn file". What error message does it give you?
 
I attach what I think is a better resolution screenshot.

Per the DD-WRT version of OpenVPN ... I am not sure, but I think it is beyond 2.4... when I said I can't upload a .ovpn file ... it's because the version of DD-WRT does not include an upload option (there is no error).
 

Attachments

  • ddwrt client config.png
I think the resolution has been downgraded again (the image I am trying to upload is 350kb whereas the image shown is 148kb?!!). Can you tell me a better way to upload as the forum seems to default to the resolution ...
 
I think the resolution has been downgraded again (the image I am trying to upload is 350kb whereas the image shown is 148kb?!!). Can you tell me a better way to upload as the forum seems to default to the resolution ...
I don't think it likes "large" images. Try cutting it into 3 separate pictures or upload it to some picture sharing site.

In the meantime I had a think about what you said earlier. The guide I found on the internet for DD-WRT implied (as you said) that the RSA key can only be 1024 bytes. I think you need to start there and fix the problem with Merlin not creating that key size.
 
Hi, I have 'regenerated' all the certificates on the server and then copied them into the client settings. Unfortunately the same error has reappeared!! I think (after reading the logs again) that the issue probably lies with the version of OpenVPN used in DD-WRT for my router. I have therefore posted the question to the DD-WRT forums as well ...

Do you know if OpenVPN 2.7.0 (on the Asus Merlin Server) is backwards compatible? I have intentionally used the most basic of settings to see if I could get it working this way but still no success!
 
Are you using the default settings now? The error in your original post appeared to be caused by a setting you had changed from its default value.

Did you solve the 1024 byte problem?
 
The key is only generated on first initialization. If you need to switch from 2048 to 1024 bit, then you need to reset the server to its default, and set to 1024 as you re-initialize it.

However, I doubt that DD-WRT would be limited to 1024-bit, since this certificate is just a PEM that is provided to the client - it's not an actual config option.
 
Hi

Yes, as Merlin says, I have had one of the 'gurus' at the DDWRT forum say that it has OpenVPN 2.4.7 as the version. So this can't seemingly be the problem as an incompatibility.

I will keep trying as there is a 'set up guide' that I was pointed to and I will try (albeit this is for DDWRT ... but so long as I can figure out what each label means for the two different firmwares ... not so obvious for a newbie ... then I should be able to connect!)

Thanks again!
 
The key is only generated on first initialization. If you need to switch from 2048 to 1024 bit, then you need to reset the server to its default, and set to 1024 as you re-initialize it.

However, I doubt that DD-WRT would be limited to 1024-bit, since this certificate is just a PEM that is provided to the client - it's not an actual config option.
... also just to add (and thanks for taking the time to reply Merlin) I did figure out how to regenerate the keys ... I deleted all of them, turned off the server and then turned it on again with them generating a new set of keys/certificates ...
 
Hi, to try and help explain both the options I have available and the ones I have chosen ... attached is a table of the server and client options. I have highlighted in red the options I have selected. Additionally, I have referenced the certificates and keys by number to show where they have been placed (all generated by the server scripts). Please take a look and let me know if there is anything obvious? Equally is there any other non-default setting in the router that could stop this? I have not changed much ... but I have some port forwarding etc ...
 

Attachments

  • OpenVPN Config.pdf
Hi Colin, Merlin ... I have run out of time to sort this out on this occasion but may have a spare I keep using to test with ... thanks for your time previously...
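Added example, not part of any post in this thread and not code from Asuswrt-Merlin or DD-WRT: when the client firmware cannot import the server's exported .ovpn file and the settings have to be re-entered by hand, the two sides can be compared mechanically. The sketch below checks only the explicitly written `cipher`, `auth` and `tls-auth` key direction, the settings that feed the packet HMAC check; the two sample configs and the file name `ta.key` are constructed for illustration.

```python
import re

# Explicit settings that are expected to be identical on both ends.
MUST_MATCH = ("cipher", "auth")

# Constructed sample configs (not taken from the thread's screenshots).
SERVER = "proto udp\ncipher AES-128-CBC\nauth SHA1\ntls-auth ta.key 0\n"
CLIENT = "proto udp\ncipher AES-128-CBC\nauth SHA256\ntls-auth ta.key 0\n"

def parse(text):
    """Return {directive: [args]}; comments and inline <tag> bodies are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("<"):                    # <ca>, <tls-auth>, </ca> ...
            in_block = not line.startswith("</")
            opts.setdefault(line.strip("</>"), [])  # remember that the block exists
            continue
        if not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def tls_auth(opts):
    """Return (enabled, direction); direction is '0', '1' or None (bidirectional)."""
    args = opts.get("tls-auth", [])
    direction = args[1] if len(args) > 1 else (opts.get("key-direction") or [None])[0]
    return "tls-auth" in opts, direction

def compare(server_text, client_text):
    """List the HMAC-related settings that differ between server and client."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for name in MUST_MATCH:
        sv, cv = ([a.upper() for a in o.get(name, [])] for o in (s, c))
        if sv != cv:
            problems.append(f"{name}: server={sv} client={cv}")
    (se, sdir), (ce, cdir) = tls_auth(s), tls_auth(c)
    if se != ce:
        problems.append("tls-auth: enabled on one side only")
    elif se and {sdir, cdir} not in ({None}, {"0", "1"}):  # must be 0/1 or both unset
        problems.append(f"tls-auth direction: server={sdir} client={cdir}")
    return problems

if __name__ == "__main__":
    for problem in compare(SERVER, CLIENT):
        print(problem)
```

A directive that one side leaves at its built-in default and the other writes out explicitly is reported as a difference, so confirm such findings against the defaults of the OpenVPN versions in use.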
 