AX88U OPENVPN Problem


schmiddi19xx

Occasional Visitor
Hi,

when I add an OVPN config it says I have to shorten the text. I use 570 letters instead of the 510 allowed. How can I get around this?
It destroys the entire config.
 

Sometimes certain directives in the config file aren't truly necessary. They may either be superfluous, irrelevant, represent default values, something the server side will set for itself, etc. But without seeing *all* the directives, it's hard to say which are the best candidates for exclusion.

For example, tls-timeout defaults to '2' when not specified, so it's not *vital* to have it specified just to change it to '5'. Or remote-cert-tls; it's *nice* to verify the remote cert, but it's not as if you *have* to, esp. if it forces you to exceed the maximum size of the openvpn config file.
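The pruning described above can be done mechanically before pasting into the GUI. The following is an added example, not code from this thread, from Perfect Privacy or from Asuswrt-Merlin: a small Python script that parses a custom-config block, drops lines that only restate an OpenVPN default, and drops "nice to have" lines only if the block is still over the limit. The 510-character limit is the one the GUI reported in the first post; the sample config is constructed; the DEFAULT_VALUES and OPTIONAL_DIRECTIVES tables are deliberately small assumptions (tls-timeout 2 and remote-cert-tls are the two the reply names), so extend them from the OpenVPN manual before relying on the output.

```python
"""Trim an OpenVPN custom-config block to the router GUI's character limit.

Added example, not code from this thread, Perfect Privacy or Asuswrt-Merlin.
Assumptions: LIMIT is the value the GUI reported above; SAMPLE_CONFIG is
constructed; DEFAULT_VALUES / OPTIONAL_DIRECTIVES are hypothetical, minimal
tables built from the two directives the thread mentions.
"""

LIMIT = 510  # character limit reported by the GUI in the first post

# Directive -> OpenVPN default. A line that merely restates the default can be
# dropped without changing behaviour. Only tls-timeout is taken from the thread.
DEFAULT_VALUES = {"tls-timeout": "2"}

# Good-practice directives the tunnel does not need in order to come up; the
# thread names remote-cert-tls as the kind of line that can be sacrificed.
OPTIONAL_DIRECTIVES = {"remote-cert-tls"}

# Constructed sample, not a real provider config.
SAMPLE_CONFIG = """\
# comments and blank lines cost characters too
tls-timeout 2
remote-cert-tls server
tun-mtu 1500
fragment 1300
mssfix
tls-auth ta.key 1
"""


def parse_directives(text):
    """Return (name, argument-string) pairs; '#'/';' comments and blanks are dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def classify(directives):
    """Split directives into kept / redundant (restates a default) / optional."""
    keep, redundant, optional = [], [], []
    for name, arg in directives:
        if DEFAULT_VALUES.get(name) == arg:
            redundant.append((name, arg))
        elif name in OPTIONAL_DIRECTIVES:
            optional.append((name, arg))
        else:
            keep.append((name, arg))
    return keep, redundant, optional


def render(directives):
    """Re-emit directives one per line, original order, without comments."""
    return "\n".join(f"{name} {arg}".rstrip() for name, arg in directives) + "\n"


def trim_to_limit(text, limit=LIMIT):
    """Drop redundant lines first; drop optional lines only if still too long.

    Returns (trimmed_text, fits) so the caller knows when manual pruning of
    essential directives is still unavoidable.
    """
    directives = parse_directives(text)
    _keep, redundant, optional = classify(directives)
    candidate = [d for d in directives if d not in redundant]
    if len(render(candidate)) > limit:
        candidate = [d for d in candidate if d not in optional]
    trimmed = render(candidate)
    return trimmed, len(trimmed) <= limit


if __name__ == "__main__":
    # A deliberately tight limit so both pruning stages are exercised.
    trimmed, fits = trim_to_limit(SAMPLE_CONFIG, limit=60)
    print(f"original {len(SAMPLE_CONFIG)} chars -> trimmed {len(trimmed)} chars, fits={fits}")
    print(trimmed)
```

Run it on your own custom-config text instead of SAMPLE_CONFIG; anything it still cannot fit under the limit is a directive you have to decide about by hand, which is exactly the point the reply makes.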
 
OK, strange. It's the direct .ovpn file for Asus Merlin routers from Perfect Privacy. Curious that it doesn't work out of the box.
The biggest problem is, if you are not fully aware of what you need and which lines are optional, it's very hard to get it running.
 

You can't always be sure that someone hasn't configured a change to the config file and necessarily tested it to make sure the client still works, esp. third parties. Sometimes ppl just add stuff w/o such consideration (unfortunately).

And yes, we're always at a disadvantage when we don't fully understand the technology we're using. In this case, I make it a habit to know more about what the VPN is actually doing w/ all these various directives by reading the documentation from time to time.

 
Feb 2 09:02:57 ovpn-client1[2459]: TCP/UDP: Closing socket
Feb 2 09:02:57 ovpn-client1[2459]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 2 09:02:57 ovpn-client1[2459]: Restart pause, 5 second(s)
Feb 2 09:03:02 ovpn-client1[2459]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 2 09:03:02 ovpn-client1[2459]: Re-using SSL/TLS context
Feb 2 09:03:02 ovpn-client1[2459]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:03:02 ovpn-client1[2459]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:03:02 ovpn-client1[2459]: LZO compression initializing
Feb 2 09:03:02 ovpn-client1[2459]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Feb 2 09:03:02 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:03:02 ovpn-client1[2459]: Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 ]
Feb 2 09:03:02 ovpn-client1[2459]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Feb 2 09:03:02 ovpn-client1[2459]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Feb 2 09:03:02 ovpn-client1[2459]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Feb 2 09:03:02 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:03:02 ovpn-client1[2459]: Socket Buffers: R=[524288->262144] S=[524288->262144]
Feb 2 09:03:02 ovpn-client1[2459]: UDP link local: (not bound)
Feb 2 09:03:02 ovpn-client1[2459]: UDP link remote: [AF_INET]149.202.77.77:1151
Feb 2 09:04:02 ovpn-client1[2459]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 2 09:04:02 ovpn-client1[2459]: TCP/UDP: Closing socket
Feb 2 09:04:02 ovpn-client1[2459]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 2 09:04:02 ovpn-client1[2459]: Restart pause, 5 second(s)
Feb 2 09:04:07 ovpn-client1[2459]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 2 09:04:07 ovpn-client1[2459]: Re-using SSL/TLS context
Feb 2 09:04:07 ovpn-client1[2459]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:04:07 ovpn-client1[2459]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:04:07 ovpn-client1[2459]: LZO compression initializing
Feb 2 09:04:07 ovpn-client1[2459]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Feb 2 09:04:07 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:04:07 ovpn-client1[2459]: Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 ]
Feb 2 09:04:07 ovpn-client1[2459]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Feb 2 09:04:07 ovpn-client1[2459]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Feb 2 09:04:07 ovpn-client1[2459]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Feb 2 09:04:07 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:04:07 ovpn-client1[2459]: Socket Buffers: R=[524288->262144] S=[524288->262144]
Feb 2 09:04:07 ovpn-client1[2459]: UDP link local: (not bound)
Feb 2 09:04:07 ovpn-client1[2459]: UDP link remote: [AF_INET]149.202.77.77:1151
Feb 2 09:04:27 wlceventd: wlceventd_proc_event(486): eth7: Disassoc 32:84:20:48:EC:3C, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Feb 2 09:04:27 wlceventd: wlceventd_proc_event(486): eth7: Disassoc 32:84:20:48:EC:3C, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Feb 2 09:04:27 hostapd: eth7: STA 32:84:20:48:ec:3c IEEE 802.11: disassociated
Feb 2 09:04:27 hostapd: eth7: STA 32:84:20:48:ec:3c IEEE 802.11: disassociated
Feb 2 09:04:32 wlceventd: wlceventd_proc_event(505): eth7: Auth 32:84:20:48:EC:3C, status: Successful (0)
Feb 2 09:04:32 wlceventd: wlceventd_proc_event(534): eth7: Assoc 32:84:20:48:EC:3C, status: Successful (0)
Feb 2 09:04:32 hostapd: eth7: STA 32:84:20:48:ec:3c IEEE 802.11: associated
Feb 2 09:04:32 kernel: CFG80211-ERROR) wl_cfg80211_change_station : WLC_SCB_AUTHORIZE sta_flags_mask not set
Feb 2 09:04:32 hostapd: eth7: STA 32:84:20:48:ec:3c RADIUS: starting accounting session 86A806EEEECCD38F
Feb 2 09:04:32 hostapd: eth7: STA 32:84:20:48:ec:3c WPA: pairwise key handshake completed (RSN)
Feb 2 09:05:07 ovpn-client1[2459]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 2 09:05:07 ovpn-client1[2459]: TCP/UDP: Closing socket
Feb 2 09:05:07 ovpn-client1[2459]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 2 09:05:07 ovpn-client1[2459]: Restart pause, 5 second(s)
Feb 2 09:05:12 ovpn-client1[2459]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 2 09:05:12 ovpn-client1[2459]: Re-using SSL/TLS context
Feb 2 09:05:12 ovpn-client1[2459]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:05:12 ovpn-client1[2459]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:05:12 ovpn-client1[2459]: LZO compression initializing
Feb 2 09:05:12 ovpn-client1[2459]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Feb 2 09:05:12 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:05:12 ovpn-client1[2459]: Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 ]
Feb 2 09:05:12 ovpn-client1[2459]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Feb 2 09:05:12 ovpn-client1[2459]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Feb 2 09:05:12 ovpn-client1[2459]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Feb 2 09:05:12 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:05:12 ovpn-client1[2459]: Socket Buffers: R=[524288->262144] S=[524288->262144]
Feb 2 09:05:12 ovpn-client1[2459]: UDP link local: (not bound)
Feb 2 09:05:12 ovpn-client1[2459]: UDP link remote: [AF_INET]149.202.77.77:1151
Feb 2 09:06:12 ovpn-client1[2459]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 2 09:06:12 ovpn-client1[2459]: TCP/UDP: Closing socket
Feb 2 09:06:12 ovpn-client1[2459]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 2 09:06:12 ovpn-client1[2459]: Restart pause, 5 second(s)
Feb 2 09:06:17 ovpn-client1[2459]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 2 09:06:17 ovpn-client1[2459]: Re-using SSL/TLS context
Feb 2 09:06:17 ovpn-client1[2459]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:06:17 ovpn-client1[2459]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 2 09:06:17 ovpn-client1[2459]: LZO compression initializing
Feb 2 09:06:17 ovpn-client1[2459]: Control Channel MTU parms [ L:1626 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Feb 2 09:06:17 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:06:17 ovpn-client1[2459]: Data Channel MTU parms [ L:1626 D:1300 EF:126 EB:407 ET:0 EL:3 ]
Feb 2 09:06:17 ovpn-client1[2459]: Fragmentation MTU parms [ L:1626 D:1300 EF:125 EB:407 ET:1 EL:3 ]
Feb 2 09:06:17 ovpn-client1[2459]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Feb 2 09:06:17 ovpn-client1[2459]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Feb 2 09:06:17 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:06:17 ovpn-client1[2459]: Socket Buffers: R=[524288->262144] S=[524288->262144]
Feb 2 09:06:17 ovpn-client1[2459]: UDP link local: (not bound)
Feb 2 09:06:17 ovpn-client1[2459]: UDP link remote: [AF_INET]149.202.77.77:1151


Can you see why the tunnel always crashes?
 
Please use the three vertical dots to get an 'Insert Code' box instead of pasting that into the main body of the message (hard to read).

Code:
Example
Text
Here
 
There is no indication it is crashing. It seems to be trying to reach the ip+port (149.202.77.77:1151), can't for whatever reason, times out, and tries again, over and over. Could be that particular OpenVPN server just isn't available, which isn't uncommon when dealing w/ commercial OpenVPN providers. That's why I recommend specifying more than one server, at least three (3) ideally, so the OpenVPN client has other options.
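The reading above (retry loop, not a crash) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Asuswrt-Merlin: a Python triage of the pasted syslog that counts ping-restart cycles, collects the endpoints actually tried, and distinguishes "never completed the handshake" from a real fatal exit. The embedded lines are an excerpt of the log posted above; the marker strings 'Initialization Sequence Completed' and 'Exiting due to fatal error' are OpenVPN's own messages, but the CRASH_MARKERS list is an assumption you should extend.

```python
"""Triage an OpenVPN client syslog excerpt: crash, retry loop, or healthy?

Added example, not from this thread or Asuswrt-Merlin. SAMPLE_LOG is an
excerpt of the log the poster pasted above; CRASH_MARKERS is an assumption.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Feb 2 09:03:02 ovpn-client1[2459]: TCP/UDP: Preserving recently used remote address: [AF_INET]149.202.77.77:1151
Feb 2 09:03:02 ovpn-client1[2459]: UDP link remote: [AF_INET]149.202.77.77:1151
Feb 2 09:04:02 ovpn-client1[2459]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 2 09:04:02 ovpn-client1[2459]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 2 09:04:27 wlceventd: wlceventd_proc_event(486): eth7: Disassoc 32:84:20:48:EC:3C, status: 0
Feb 2 09:05:07 ovpn-client1[2459]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 2 09:05:12 ovpn-client1[2459]: UDP link remote: [AF_INET]149.202.77.77:1151
Feb 2 09:06:12 ovpn-client1[2459]: [UNDEF] Inactivity timeout (--ping-restart), restarting
"""

# Only lines from the OpenVPN client units matter; wlceventd/hostapd lines
# are Wi-Fi noise that happens to be interleaved in the router syslog.
OVPN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<unit>ovpn-client\d+)\[\d+\]: (?P<msg>.*)$"
)
REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\](?P<ep>[\d.]+:\d+)")

UP_MARKER = "Initialization Sequence Completed"          # OpenVPN: tunnel is up
CRASH_MARKERS = ("Exiting due to fatal error",)            # assumption: extend as needed
RESTART_MARKER = "Inactivity timeout (--ping-restart)"


def triage(log_text):
    """Return a summary dict describing what the client actually did."""
    restarts = 0
    remotes = Counter()
    fatal = []
    came_up = False
    for line in log_text.splitlines():
        m = OVPN_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if RESTART_MARKER in msg:
            restarts += 1
        r = REMOTE_RE.search(msg)
        if r:
            remotes[r.group("ep")] += 1
        if any(k in msg for k in CRASH_MARKERS):
            fatal.append(msg)
        if UP_MARKER in msg:
            came_up = True

    if fatal:
        verdict = "process crashed"
    elif restarts and not came_up:
        verdict = "no crash: the client never completes the handshake and keeps timing out"
    elif restarts:
        verdict = "tunnel came up but later dropped on ping-restart"
    else:
        verdict = "healthy"
    return {
        "restarts": restarts,
        "remotes": dict(remotes),
        "came_up": came_up,
        "fatal": fatal,
        "verdict": verdict,
    }


def advice(summary):
    """Turn the summary into the practical next step the reply above suggests."""
    if summary["fatal"]:
        return "read the fatal error; this is a configuration or binary problem, not reachability"
    if summary["restarts"] and len(summary["remotes"]) == 1:
        return "only one endpoint is ever tried; add more remote servers so the client can rotate"
    return "no action suggested by this excerpt"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s["verdict"])
    print("restart cycles:", s["restarts"], "| endpoints:", s["remotes"])
    print("advice:", advice(s))
```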
 
Why is it not uncommon? I'm not really into VPN and all that goes with it. I use Perfect Privacy.

So I have an AX88U, and when I define another VPN client next to client 1 (which is the one above), what is happening then? I can't prioritize them.
Is it using them both simultaneously, cascading?
 
If the config has more than one destination specified, it rotates through them.
 
I have to assign one location to client 1 and another to client 2. I don't think they rotate. 1 went down and it didn't hop to client 2. I think it's just for multiple VPN servers and not for redundancy. But it would be interesting if this were possible.
 
I don't think they rotate.
I don't use it and didn't try it so I should shut up and listen to someone who has. I had read this:
Code:
--remote host [port] [proto]
Remote host name or IP address. On the client, multiple --remote options may be specified
for redundancy, each referring to a different OpenVPN server. Specifying
multiple --remote options for this purpose is a special case of the more general
connection-profile feature. See the <connection> documentation below.
The OpenVPN client will try to connect to a server at host:port in the order
specified by the list of --remote options.
I wanted more control so I specified different configs.
 
You misunderstand. I'm not talking about using multiple OpenVPN clients. I'm talking about using a *single* OpenVPN client w/ multiple servers.

 
I'm talking about using a *single* OpenVPN client w/ multiple servers.
I was too, in a less common context: which of server1 or server2 on the router to connect to. I use four configs but I thought I could boil it into 1 or 2.
 
I have to assign one location to client 1 and another to client 2. I don't think they rotate. 1 went down and it didn't hop to client 2. I think it's just for multiple VPN servers and not for redundancy. But it would be interesting if this were possible.
The Selective Routing (RPDB) GUI rules are applied in the following order...(but may be overridden by using the 'openvpn-event' trigger scripts)
Code:
     GUI:    Selective Routing Source/Destination (Client 1 WAN)    <-HIGHEST priority
     GUI:    Selective Routing Source/Destination (Client 1 VPN)
     etc.
     GUI:    Selective Routing Source/Destination (Client 5 WAN)
     GUI:    Selective Routing Source/Destination (Client 5 VPN)    <-LOWEST priority
i.e. simple static auto-failover example for one LAN device 192.168.55.111/32 0.0.0.0 VPN from VPN Client 1 to VPN Client 2. NOTE: (Do NOT enable Kill-switch for VPN Client 1)
Code:
     VPN Client 1
     192.168.55.111/32  0.0.0.0 VPN    Selective routing for a single LAN device

     VPN Client 2
     192.168.55.222/31  0.0.0.0 VPN    Selective routing for two LAN devices
     192.168.55.111/32  0.0.0.0 VPN    Failover Selective routing for a single LAN device normally routed via VPN Client 1

     VPN Client 3
     192.168.55.0/24    0.0.0.0 VPN    (default) Selective routing for ALL LAN devices
     192.168.55.99/32   0.0.0.0 WAN              except for this single LAN device which always uses the WAN

For dynamic Selective routing, you can use the openvpn-event trigger scripts 'vpnclientX-route-up'/'vpnclientX-route-pre-down' etc.

i.e. rather than have entry 192.168.55.111/32 0.0.0.0 VPN permanently defined in the Selective Routing VPN Client 2 GUI, you could use the scripts to insert 192.168.55.111/32 0.0.0.0 VPN only when VPN Client 1 goes DOWN.

NOTE: There is a crude VPNFailover script that you can try if you need to actively monitor the VPN Client instance.
 


If I set client 1 (Block routed clients if tunnel goes down) to No, will it then fall back to client 2 when the same IPs are routed and client 1 cannot connect?
 
Yes

You can confirm the RPDB rules (references to tables ovpnc1 and ovpnc2) when both VPN Client 1 and VPN Client 2 are UP by issuing the command
Code:
ip rule
then if you terminate VPN Client 1, reissue the command, and you should no longer see any RPDB rules for table ovpnc1; only rules for VPN Client 2 table ovpnc2.

EDIT: NOTE: Existing VPN Client 1 connections may stall by refusing to use the VPN Client 2 routing rules, so you may need to issue ip route flush cache
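To see the priority order from the Selective Routing post above and the `ip rule` check from this reply together, here is an added example, not code from this thread or from Asuswrt-Merlin: Python that parses constructed `ip rule` output modelled on that failover layout (client 1 carries .111; client 2 carries .222/31 plus the failover rule for .111 at lower priority; client 3 carries the whole LAN except .99), answers which table a LAN source would be routed through using first-match-by-priority as RPDB does, and re-runs the lookup after VPN Client 1's rules have been withdrawn. The priority numbers and the use of `lookup main` for a WAN rule are assumptions; only the table names ovpnc1/ovpnc2 come from the reply.

```python
"""Which routing table does a LAN host hit, before and after VPN Client 1 drops?

Added example, not from this thread or Asuswrt-Merlin. IP_RULE_BOTH_UP is a
constructed `ip rule` listing: priority numbers and the `main` table for the
WAN rule are assumptions; table names ovpnc1/ovpnc2 are from the reply above.
"""
import ipaddress
import re

IP_RULE_BOTH_UP = """\
0:      from all lookup local
10101:  from 192.168.55.111 lookup ovpnc1
10201:  from 192.168.55.222/31 lookup ovpnc2
10202:  from 192.168.55.111 lookup ovpnc2
10301:  from 192.168.55.99 lookup main
10302:  from 192.168.55.0/24 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default
"""

RULE_RE = re.compile(r"^(?P<prio>\d+):\s+(?P<body>.*?)\s+lookup (?P<table>\S+)$")


def parse_ip_rule(text):
    """Parse `ip rule` lines into (priority, src_net, dst_net, table), sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src = dst = None  # None means 'all'
        body = m.group("body").split()
        # body is 'from <net|all> [to <net|all>]'
        for key, val in zip(body[::2], body[1::2]):
            net = None if val == "all" else ipaddress.ip_network(val, strict=False)
            if key == "from":
                src = net
            elif key == "to":
                dst = net
        rules.append((int(m.group("prio")), src, dst, m.group("table")))
    return sorted(rules, key=lambda r: r[0])


def lookup_table(rules, src_ip, dst_ip="8.8.8.8"):
    """First matching rule wins, lowest priority number first, as RPDB evaluates them.

    The 'local' table only holds the router's own addresses, so for forwarded
    LAN traffic to an Internet destination the kernel falls through past it;
    this model skips it for the same reason.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for _prio, snet, dnet, table in rules:
        if table == "local":
            continue
        if (snet is None or src in snet) and (dnet is None or dst in dnet):
            return table
    return None


def client_down(text, table):
    """Simulate the router withdrawing a VPN client's RPDB rules when its tunnel goes down."""
    kept = [ln for ln in text.splitlines() if not ln.rstrip().endswith(f"lookup {table}")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    both_up = parse_ip_rule(IP_RULE_BOTH_UP)
    only_two = parse_ip_rule(client_down(IP_RULE_BOTH_UP, "ovpnc1"))
    for host in ("192.168.55.111", "192.168.55.223", "192.168.55.99", "192.168.55.50"):
        print(f"{host:16} both up -> {lookup_table(both_up, host):7}"
              f"  client 1 down -> {lookup_table(only_two, host)}")
```

Feed it real `ip rule` output from the router to check your own layout. Note that the model answers only what a *new* flow would do; as the EDIT above says, existing connections may keep stalling on the old table until `ip route flush cache` is issued.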
 
Anyone experience problems with VPN? If I have 2 or more OpenVPN clients ON, all traffic goes to the SAME VPN server!
ISP Fiber 500Mbps
AX88U (Wireless router - 386.1 : Diversion + Skynet behind ISP router - Local IP)
VPN service Surfshark (supports various VPN servers for the same client)

OPENVPNCLIENT1->TV
OPENVPNCLIENT2-> Smartphone
Force Internet traffic through tunnel Policy Rules (Strict)
Block routed clients if tunnel goes down YES

OpenVPNClient1 - Public IP 91.205.230.141 Local IP 10.8.8.6
OpenVPNClient2 - Public IP 66.115.166.148 Local IP 10.8.8.3

My solution:
changing the server protocol of VPN Client 2 changed the port of the server! It works.
OpenVPNClient1 UDP port 11xx
OpenVPNClient1 TCP port 14xx

SpeedTest
RJ45
TV + VPN1 .PT - 70Mbps
Notebook i7 2gen NOVPN - 474Mbps

Wifi 5Ghz - far from router
Galaxy S5 + VPN2 .US - 9Mbps
Galaxy A70 NOVPN - 120Mbps

Not bad: 2 VPN clients, 4 devices testing at the same time. What do you think?

1 QUESTION: HOW COME SOME USERS HAVE MORE THAN 2?
Change the server port or port-forward to another port, I think.
 
You have to be VERY careful when using multiple, concurrent OpenVPN clients. Notice that *both* are using the same private network on the tunnel (10.8.8.x)! In a situation like this, it may be impossible to achieve what you want, esp. if using the same OpenVPN provider. The risk of this happening increases significantly.
 
Right,
I only use 1 VPN client for the Smart TV to avoid ISP shaping on IPTV. But I was trying to see if the AX88U creates a new subnet or VLAN for the new VPN client.
 
Right,
in real use I only use 1 VPN client for the Smart TV to hide IPTV from the ISP. But I was trying to see if the AX88U creates a new subnet or VLAN for the new VPN client.
The phone or desktop can connect directly by app or OpenVPN.

Thanks, I was considering the UDM-Pro because I could run the RADIUS server there instead of on the NAS, plus VLAN configuration for isolating wired and wireless devices into a guest VLAN and my sister's IoT devices, but the AX88U is really a great piece of hardware and software, thanks to RMerlin.
 
