
Asus-wrt AC52U configuration problems.


whatever2222

New Around Here
I am having problems getting my Asus ac52u working with openvpn from mullvad.net, a Swedish VPN provider.
It is not working despite many hours with both trying and googling.

---SHORT INTRODUCTION---
I seem to get the router to connect to the mullvad server with VPN, but I cannot get any internet connectivity.
I can ping the server, but nothing else. The strange thing is that if I use my Mullvad Client locally on my computer when connected to the Mullvad server with my router I can surf normally. Dumps from my logs will follow.
When I disconnect from VPN in my router it does not revert to the previous non VPN routing.

---NEED HELP---
I would really love to get some help.
Do you see anything that is wrong?
Why can't I get out on the internet when I connect to the Mullvad server?

The following is secondary in the matter, but to please my curiosity.
I would also like to know why there are two certificates in the ca.crt. I have not been able to find any information or examples where there are two. What is the stuff above the cert, what's it for?

---ASUS AC52U ROUTER WITH ASUSWRT---
Asus ac52u is running an AsusWRT version, guessing it is some clone of dd-wrt.
I will try to describe what I have succeeded with and where my progress has stopped.
There is no version of mullvad config that seems to be working out of the box.
I have used their config for Linux OS that uses "update-resolv-conf" and by comparing their own VPN file that the router generates for connecting to the router LAN from the outside and other configuration files from mullvad and other VPN providers.
I modified the configuration to try to make it work.

---SOME BACKGROUND---
It seems that the router is not able to handle the certificates in the way mullvad have them. They have to be clean just from the "----" to the "----". Mullvad has lots of extra stuff before the cert. I have a copy of the ca cert further down in the post.
When I either point to their complete certificates as a single file or do complete "embedded" in the conf-file, with <ca></ca>, the router just crashes, reboots. On the other hand if I strip the certificate of everything but the certificate the router accepts them. By that I mean from the "-----" to the "------".
It is also possible to copy paste the certificates manually when uploading the config. I have chosen this way, because it seems to be giving the most stable result.
It is here I encounter - - PROBLEM-1 - -
I have only room to paste one certificate of each type and the mullvad ca.crt is double, it has two certificates in the ca.crt file. See copy of the ca.crt file further down. I have no space for that when pasting and if I point to a stripped version with both certificates the router crashes, reboots. I have with some trial and error concluded that the second of the two ca.crt certificates seems the most promising.
The certificates are pasted into four "boxes" with the following names:

Certificate Authority | here I have pasted the second of the ca.crt

Client Certificate | here I have pasted the stripped "mullvad.crt"

Client Key | here I have pasted the content of the file with the name "mullvad.key", just contains a "stripped" certificate.

Static Key (optional) | have not pasted anything here.

---CURRENT SETTING---
Here are my current settings from my modified mullvad_linux.conf:

client
proto udp
remote openvpn.mullvad.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
ping-restart 60
script-security 2

# Parses DHCP options from openvpn to update resolv.conf

// commented out because it seems that the router is handling this by itself. I have not been able to find any indication that there are any
update-resolv-conf scripts in the router. And it seems to be working without.

#up /tmp/mnt/sda1/etc/update-resolv-conf
#down /tmp/mnt/sda1/etc/update-resolv-conf
ping 10

// The certificates are automatically added to the right directory when I paste them in the above mentioned manner.

ca ca.crt
cert client.crt
key client.key

//I have placed the crt.pem on a USB stick and it is pointing there.

crl-verify /mnt/sda1/etc/crl.pem

---SYSTEM LOG EXCERPT---
Code:
Jul 30 19:23:02 rc_service: udhcpc 1706:notify_rc start_vpnserver1
Jul 30 19:23:02 dhcp client: bound [ext-ip].50.16 via [ext-ip].48.1 during 10800 seconds.
Jul 30 19:23:07 openvpn[2941]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Dec 13 2013
Jul 30 19:23:07 openvpn[2941]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Jul 30 19:23:07 openvpn[2941]: Diffie-Hellman initialized with 512 bit key
Jul 30 19:23:07 openvpn[2941]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Jul 30 19:23:07 openvpn[2941]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jul 30 19:23:07 openvpn[2941]: TUN/TAP device tun21 opened
Jul 30 19:23:07 openvpn[2941]: TUN/TAP TX queue length set to 100
Jul 30 19:23:07 openvpn[2941]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 30 19:23:07 openvpn[2941]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Jul 30 19:23:07 openvpn[2941]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Jul 30 19:23:07 openvpn[2951]: UDPv4 link local (bound): [undef]
Jul 30 19:23:07 openvpn[2951]: UDPv4 link remote: [undef]
Jul 30 19:23:07 openvpn[2951]: MULTI: multi_init called, r=256 v=256
Jul 30 19:23:07 openvpn[2951]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jul 30 19:23:07 openvpn[2951]: Initialization Sequence Completed

---ROUTING TABLE---

--ONLY MULLVAD CLIENT ACTIVE--

Code:
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun21
[ext-ip].48.1 * 255.255.255.255 UH 0 0 0 WAN
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
192.168.1.0 * 255.255.255.0 U 0 0 0 LAN
[ext-ip].48.0 * 255.255.240.0 U 0 0 0 WAN
default [ext-ip].48.1 0.0.0.0 UG 0 0 0 WAN

--WHEN CONNECTED WITH THE ROUTER AND MULLVAD CLIENT--

Code:
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.145 * 255.255.255.255 UH 0 0 0 tun11
10.8.0.1 10.8.0.145 255.255.255.255 UGH 0 0 0 tun11
193.138.219.226 [ext-ip].48.1 255.255.255.255 UGH 0 0 0 WAN
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun21
[ext-ip].48.1 * 255.255.255.255 UH 0 0 0 WAN
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
192.168.1.0 * 255.255.255.0 U 0 0 0 LAN
[ext-ip].48.0 * 255.255.240.0 U 0 0 0 WAN
default 10.8.0.145 128.0.0.0 UG 0 0 0 tun11
128.0.0.0 10.8.0.145 128.0.0.0 UG 0 0 0 tun11
default [ext-ip].48.1 0.0.0.0 UG 0 0 0 WAN

--COPY OF CA.CRT--

Code:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA/emailAddress=info@mullvad.net
Validity
Not Before: Mar 24 16:19:48 2009 GMT
Not After : Mar 22 16:19:48 2019 GMT
Subject: C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net/emailAddress=info@mullvad.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c5:00:39:5d:fe:9b:0c:b7:ff:76:a4:93:bf:26:
1b:d6:c8:4a:e5:3c:ce:1c:2c:16:80:a2:61:a6:e9:
63:4b:70:a1:80:6f:0e:0c:bb:a9:b6:d1:bd:f5:a0:
78:82:09:4d:94:22:aa:77:7c:09:36:42:cd:a5:a6:
90:73:27:42:00:31:e4:d4:8b:49:36:65:a3:25:82:
b8:26:d7:d1:f5:b5:a9:be:57:93:9d:7c:d6:1c:df:
9a:87:81:53:0b:17:81:d1:0d:ca:dc:4d:19:13:fa:
11:e6:da:68:eb:81:05:39:e3:1e:3a:3f:fc:e2:64:
3c:98:3c:89:a9:42:b3:30:70:57:56:a1:f5:08:b2:
75:12:a0:36:93:9d:69:e9:7e:11:71:d9:1c:e8:7d:
ec:03:21:11:7a:0a:7a:03:35:ba:b8:b2:0c:3a:6f:
57:88:62:45:3d:0c:6c:18:ff:21:49:37:ae:40:78:
6d:45:52:29:ac:21:ad:4a:01:61:67:0b:01:c4:ac:
b0:88:97:52:ff:cb:3a:21:f0:14:2b:c1:79:8d:79:
35:14:fc:9c:3f:6c:c9:62:fc:8c:c7:a8:51:34:75:
1c:23:d5:db:b9:44:08:1c:0c:17:2c:21:2a:b4:29:
db:15:59:e7:a9:1c:d6:19:19:ef:e4:6b:ea:78:6d:
76:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
75:8A:14:92:0D:F3:6E:B7:36:4F:8B:4F:15:6C:3F:18:15:90:64:DE
X509v3 Authority Key Identifier:
keyid:E1:63:B4:3E:55:A3:D2:37:5F:DE:3A:91:48:51:4B:20:1A:F2:9B:C5
DirName:/C=NA/ST=None/L=None/O=Mullvad/CN=Mullvad CA/emailAddress=info@mullvad.net
serial:84:68:2E:A0:51:2A:BB:D4

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
a4:b4:62:3d:cb:7e:57:b3:bd:2a:41:e0:3b:94:d0:4c:08:69:
8a:b1:73:15:13:20:c9:d7:b0:b6:5d:65:4a:4d:1d:27:cc:ca:
11:0e:86:fa:65:61:26:39:c2:54:8e:da:eb:78:21:37:0e:c7:
a4:d2:17:8a:4b:ad:17:84:25:5e:24:0e:9a:81:ff:d1:1b:0e:
32:9b:f4:81:e0:07:e9:8f:9d:c1:43:7f:40:30:01:07:7c:02:
c7:c4:9c:05:48:4c:bf:41:69:57:c1:d3:bb:a3:5a:01:17:96:
b0:c9:00:22:57:2f:84:da:45:33:6e:6c:2b:13:c5:af:75:a7:
b2:6b:71:6e:13:2c:97:0e:d9:93:da:6d:d9:34:c6:06:7d:0e:
e2:b8:d2:78:13:79:0f:ac:ac:a8:68:a9:72:73:7a:d8:ab:7b:
0a:b0:54:b5:f3:ce:29:0d:47:82:0c:b4:d9:20:64:ff:ef:17:
46:92:de:65:e8:67:ce:3a:92:de:e4:3e:99:73:9f:7a:7c:00:
72:07:39:78:77:37:62:89:a2:db:24:fd:60:2a:e0:82:57:f6:
55:94:f6:79:47:19:c9:13:3b:5d:b7:6b:66:14:d4:7d:3c:76:
75:e9:a3:55:ba:b4:92:30:3b:ad:66:72:0c:39:4b:cc:95:a9:
bc:06:ef:2b
-----BEGIN CERTIFICATE-----
[Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Certificate]
-----END CERTIFICATE-----
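
Added example, not part of the original post and not Mullvad's or Asus's tooling: the text above the first BEGIN line in a file like the posted ca.crt has the layout of the human-readable dump printed by `openssl x509 -text`, while each certificate is only a BEGIN/END block, and a CA file can hold several of them. This Python sketch splits such a file into clean PEM blocks with a SHA-256 fingerprint each; the name `split_bundle` is hypothetical and the sample data is constructed.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
FIELD_RE = {name: re.compile(rf"^\s*{name}:\s*(.+)$", re.MULTILINE)
            for name in ("Issuer", "Subject")}

def split_bundle(text):
    """Split a CA file into clean PEM blocks, dropping any text dump around them."""
    certs, pos = [], 0
    for m in PEM_RE.finditer(text):
        preamble = text[pos:m.start()]   # human-readable dump before this block, if any
        pos = m.end()
        b64 = "".join(m.group(1).split())
        der = base64.b64decode(b64, validate=True)
        if der[:1] != b"\x30":           # a certificate is an ASN.1 SEQUENCE
            raise ValueError("PEM block does not hold DER data")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        info = {}
        for name, rx in FIELD_RE.items():
            # Taken from the text dump only; informational, not verified.
            hit = rx.search(preamble)
            info[name.lower()] = hit.group(1).strip() if hit else None
        info["pem"] = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        info["sha256"] = hashlib.sha256(der).hexdigest()
        certs.append(info)
    return certs

# Constructed sample: the text dump is abridged and the two payloads are
# placeholder DER (SEQUENCE { INTEGER }), not real certificates.
SAMPLE = """Certificate:
    Data:
        Issuer: C=NA, O=Example, CN=Example Root CA
        Subject: C=NA, O=Example, CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for n, c in enumerate(split_bundle(SAMPLE), 1):
        print(n, c["subject"], c["sha256"][:16])
        print(c["pem"], end="")
```

Comparing the printed fingerprints against values the provider publishes is how to confirm that a stripped block is still the same certificate.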
 