Concurrent OpenVPN Server alongside OpenVPN Client (Express VPN)


PC Pilot

Regular Contributor
I am hoping that there is a simple answer to this question, and ideally a simple means of implementation via the web UI without recourse to complicated scripts. Can an OpenVPN Server run concurrently with an enabled OpenVPN Client, allowing secure remote Router/LAN/WAN access whilst that VPN Client is running?

To explain, I have an OpenVPN Client (Express VPN) set up on an RT-AX88U which is always active, with policy rules enabling specific applications/processes access via WAN. For reasons of security (following excellent advice here) I disabled Remote Access Config > Enable Web Access from WAN entirely, configuring instead an OpenVPN Server with the intention of subsequently securing Remote Access to the Router/LAN/WAN. Unfortunately, owing to other priorities I never actually got around to testing the OpenVPN Server access from a remote client device.

Having just changed my OpenVPN Client provider to Express VPN and successfully re-configured the setup (with the kind assistance of the folks here), it seemed a good idea to try out the OpenVPN Server. Accordingly, the OpenVPN config and current certificate files were exported to the OpenVPN Connect iOS app on my iPhone.

I have attached an obfuscated system log which may not be relevant if the answer is that concurrent operation in the circumstances outlined above is not possible??

All thoughts/observations most welcome as I am keen to develop more than my very basic understanding of networking and to implement any suggested resolution.

Thanks to all..

PC Pilot
 

Attachments

  • OpenVPN Server error log entries - 11.04.20.txt

Butterfly Bones

Very Senior Member
I have a VPN client running with all devices strict policy rules through the VPN except a smart TV to WAN. I also have a VPN server setup and both run with no conflict.

I have an iPhone and use an app named Passepartout that knows my home networks and disables the VPN since I am behind the router. When I leave my home network it turns on the VPN and connects to my router's server address using the DDNS address. I then get the benefit of Diversion ad blocking and Skynet protection while passing out through the VPN client when away from home. This works when connected to other WiFi networks, like an open public network at a coffee shop or whatever.

Only disadvantage is very slow downloads with my 110/10 cable Internet. It is better to wait until I am home to install apps or download large files.
 

RMerlin

Asuswrt-Merlin dev
Untested, but try configuring a policy rule on the OpenVPN client that points the destination 192.168.1.0/24 (adjust IP to that of your LAN) to go through the WAN. Leave the Source empty (or 0.0.0.0).

Also make sure the client does not use the same subnet as the server. If it is, then change the server subnet to something other than 10.8.0.0, like 10.9.0.0.
 

mister

Regular Contributor
Untested, but try configuring a policy rule on the OpenVPN client that points the destination 192.168.1.0/24 (adjust IP to that of your LAN) to go through the WAN. Leave the Source empty (or 0.0.0.0).

Also make sure the client does not use the same subnet as the server. If it is, then change the server subnet to something other than 10.8.0.0, like 10.9.0.0.

I use exactly this configuration and it is working. Please keep in mind to add extra policy rules via WAN if you want to access connected clients via the VPN server which are normally routed via the VPN.

i.e. from the IP of the LAN client you want to access, to the OpenVPN server network, via WAN.
 

PC Pilot

Regular Contributor
Thanks everyone for your helpful responses..

Untested, but try configuring a policy rule on the OpenVPN client that points the destination 192.168.1.0/24 (adjust IP to that of your LAN) to go through the WAN. Leave the Source empty (or 0.0.0.0).

RMerlin/mister I already have a policy rule set for LAN IP with Source IP as 192.168.my.ip/24 and Destination IP as 0.0.0.0 on the VPN interface (as per assistance offered here https://www.snbforums.com/threads/a...n-firmware-ddns-vpn-issues.54025/#post-456081) which it appears I have misunderstood as it also refers to "Router IP to route via WAN" which I mistakenly presumed related to the above policy rule :().

To clarify, I should create a further policy rule for LAN IP but this time with Source IP set to 0.0.0.0 and the Destination to 192.168.my.ip/24 and now on the "WAN" interface??

Also make sure the client does not use the same subnet as the server. If it is, then change the server subnet to something other than 10.8.0.0, like 10.9.0.0.

The OpenVPN Client 'Service State' reports "Connected (Local: 10.102.xx.xx Public: ...)" whereas the OpenVPN Server VPN subnet is set to 10.8.0.0, which I believe indicates that they are on different subnets?

Butterfly Bones, the Passepartout IOS App sounds interesting I will investigate and see if it meets my needs!

PC Pilot
 

RMerlin

Asuswrt-Merlin dev
To clarify, I should create a further policy rule for LAN IP but this time with Source IP set to 0.0.0.0 and the Destination to 192.168.my.ip/24 and now on the "WAN" interface??

Yes.

The OpenVPN Client 'Service State' reports "Connected (Local: 10.102.xx.xx Public: ...)" whereas the OpenVPN Server VPN subnet is set to 10.8.0.0, which I believe indicates that they are on different subnets?

Correct.
 

PC Pilot

Regular Contributor
Hi Folks,

Wanted to offer a brief update: settings applied as per RMerlin's guidance (NB. currently running Merlin 384.14, shortly to update to 384.16, in case the reported fields have changed in the update), iOS OpenVPN Connect app installed onto iPhone 8 Plus and profile imported (via email) from the server. NB. All attempts to separately import the certificate (even after renaming to .ovpn12 as per advice elsewhere on these forums) fail after entering the password; the app simply reports "Error Cannot parse the file".

The currently applied OpenVPN Server settings are as follows:

VPN Server - OpenVPN

Basic Config

Server instance Server 1
Enable OpenVPN Server [ON]
VPN Details Advanced Settings

Advanced Settings

Interface Type TUN
Protocol UDP
Server Port 1184 (Default: 1194)
Authorization Mode TLS
Keys and Certificates Edit
Username/Password Authentication
Yes Selected
No Unselected
Username/Password Auth. Only
Yes Unselected
No Selected
TLS control channel security (tls-auth/tls-crypt) Encrypt Channel
HMAC Authentication Default
VPN Subnet/Netmask 10.8.0.0 255.255.255.0
Advertise DNS to clients
Yes Selected
No Unselected
Cipher Negotiation Enable (with fallback)
Negotiable Ciphers AES-256-GCM
Legacy/fallback cipher AES-256-CBC
Compression LZ4
Log verbosity 3
Manage Client-Specific Options
Yes Selected
No Unselected
Allow Client <-> Client
Yes Unselected
No Selected
Allow only specified clients
Yes Unselected
No Selected

Allowed Clients

Common Name (CN) (1) [BLANK]
Subnet (1) [BLANK]
Mask (1) [BLANK]
Push (1) [No Selection]

Custom Configuration

[NO ENTRIES RECORDED]

** From General Settings **

Username and Password (Max Limit: 32) (For Router)
Connection Status (1) Disconnected

Username (1) XXXXXXXXXXX (NB. Displays my Router Username accurately in text form)
Password (1) -

(NB. Neither the P/W as a text entry nor the usual 'dotted' obfuscation is displayed, only a "-"; is this correct?
NBB. My P/W contains symbols, e.g. "#"; not sure if this makes a difference?)
----------------------------------------------------
The router system log (obfuscated), containing the related ovpn-server entries, reports as follows:

Apr 13 13:36:08 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS: Initial packet from [AF_INET]192.168.xxx.xxx:xxxxx, sid=30b81cfd b282156b
Apr 13 13:36:09 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:09 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:09 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:10 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:10 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:10 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:11 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:11 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:11 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:12 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:12 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:12 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:13 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:13 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:13 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:14 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:14 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:14 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:15 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:15 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:15 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:16 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:16 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:16 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:17 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781368) Mon Apr 13 13:36:08 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:17 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx tls-crypt unwrap error: packet replay
Apr 13 13:36:17 ovpn-server1[26078]: 192.168.xxx.xxx:xxxxx TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xxxxx
Apr 13 13:36:18 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy TLS: Initial packet from [AF_INET]192.168.xxx.xxx:xyyyy, sid=a28d9697 e41dc68e
Apr 13 13:36:19 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781378) Mon Apr 13 13:36:18 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:19 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: packet replay
Apr 13 13:36:19 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xyyyy
Apr 13 13:36:20 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781378) Mon Apr 13 13:36:18 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:20 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: packet replay
Apr 13 13:36:20 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xyyyy
Apr 13 13:36:21 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781378) Mon Apr 13 13:36:18 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:21 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: packet replay
Apr 13 13:36:21 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xyyyy
Apr 13 13:36:23 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1586781378) Mon Apr 13 13:36:18 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 13 13:36:23 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy tls-crypt unwrap error: packet replay
Apr 13 13:36:23 ovpn-server1[26078]: 192.168.xxx.xxx:xyyyy TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.xxx.xxx:xyyyy
-----------------------------------------------------

It appears (from my limited knowledge at least) to be some sort of encryption error, possibly an incorrect setting?? Can anyone suggest what I have done wrong and point me in the right direction to achieve a resolution??

Many thanks for your continued support & advice,

PC Pilot
 

Martineau

Part of the Furniture
Username (1) XXXXXXXXXXX (NB. Displays my Router Username accurately in text form)
Password (1) -

(NB. Neither the P/W as a text entry nor the usual 'dotted' obfuscation is displayed, only a "-"; is this correct?
NBB. My P/W contains symbols, e.g. "#"; not sure if this makes a difference?)
So unless during the install you chose a different administrator name for the router, the administrator account on the router ('admin' by default) is always the first entry in the list and will look like

[screenshot: upload_2020-4-13_14-58-58.png]

For an explanation see this post. EDIT: My point is that the entry is static, although clearly 'admin' can now be altered since 2016!
Server Port 1184 (Default: 1194)
Authorization Mode TLS
Keys and Certificates Edit
Username/Password Authentication
Yes Selected
No Unselected
Username/Password Auth. Only
Yes Unselected
No Selected
TLS control channel security (tls-auth/tls-crypt) Encrypt Channel
HMAC Authentication Default
VPN Subnet/Netmask 10.8.0.0 255.255.255.0
Advertise DNS to clients
Yes Selected
No Unselected
Cipher Negotiation Enable (with fallback)
Negotiable Ciphers AES-256-GCM
Legacy/fallback cipher AES-256-CBC
Compression LZ4
Log verbosity 3
Manage Client-Specific Options
Yes Selected
No Unselected
Allow Client <-> Client
Yes Unselected
No Selected
Allow only specified clients
Yes Unselected
No Selected
I would try: (Screendump/captures are soo much easier)

[screenshot: upload_2020-4-13_14-59-44.png]


and check the client device OpenVPN config matches or export the new OpenVPN server config to the client device.
 

PC Pilot

Regular Contributor
Hi Martineau,

Thank you for your helpful response.

So unless during the install you chose a different administrator name for the router, the administrator account on the router ('admin' by default) is always the first entry in the list and will look like [screenshot]. For an explanation see this post. EDIT: My point is that the entry is static, although clearly 'admin' can now be altered since 2016!
Yes, I opted to change the default option to a suitable and more secure name ….also changed the default Router IP address from 192.168.1.1 :)

I would try: (Screendump/captures are soo much easier)
Sorry, the last time I tried it didn't pick up the radio button selections, so for clarity I thought the selected settings would avoid confusion!

I have tried again using the settings provided in your screengrab, after saving the config and exporting the OpenVPN file (but not the certificate - see the note about the parse error in post #8 above). Still having TLS Error connection issues :( see log below:
--------------------------------------------------------
The router system log (obfuscated), containing the reported entries upon the connection attempt:

Apr 13 17:23:43 ovpn-server1[7354]:192.168.my.iPhone:xxxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 13 17:23:43 ovpn-server1[7354]: 192.168.my.iPhone:xxxxx TLS Error: TLS handshake failed
Apr 13 17:23:43 ovpn-server1[7354]: 192.168.my.iPhone:xxxxx SIGUSR1[soft,tls-error] received, client-instance restarting
Apr 13 17:23:44 kernel: ACCEPT IN=br0 OUT=tun11 MAC=My WiFi Adapter:My Ethernet Adapter A:08:00 SRC=192.168.Ethernet.Adapter DST=162.125.19.131 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=38778 DF PROTO=TCP SPT=35269 DPT=443 SEQ=1974646923 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Apr 13 17:23:47 kernel: ACCEPT IN=br0 OUT=tun11 MAC=My WiFi Adapter:My Ethernet Adapter A:08:00 SRC=192.168.Ethernet.Adapter DST=10.185.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=36438 PROTO=UDP SPT=64613 DPT=53 LEN=42
Apr 13 17:23:47 kernel: ACCEPT IN=br0 OUT=tun11 MAC=My WiFi Adapter:My Ethernet Adapter A:08:00 SRC=192.168.Ethernet.Adapter DST=104.86.110.251 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=21222 DF PROTO=TCP SPT=35272 DPT=80 SEQ=3544945353 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Apr 13 17:23:56 kernel: ACCEPT IN=br0 OUT=tun11 MAC=My WiFi Adapter:My Ethernet Adapter A:08:00 SRC=192.168.Ethernet.Adapter DST=185.33.221.88 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=54215 DF PROTO=TCP SPT=35281 DPT=443 SEQ=2833442 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Apr 13 17:23:56 kernel: ACCEPT IN=br0 OUT=tun11 MAC=My WiFi Adapter:My Ethernet Adapter A:08:00 SRC=192.168.Ethernet.Adapter DST=185.86.139.59 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=48984 DF PROTO=TCP SPT=35283 DPT=443 SEQ=519445417 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Apr 13 17:24:00 dnsmasq-dhcp[7374]: DHCPDISCOVER(br0) 00:d1:80:xx:33:9a
Apr 13 17:24:00 dnsmasq-dhcp[7374]: DHCPOFFER(br0) 192.168.xx.xxx 00:d1:80:xx:33:9a (UNKNOWN DEVICE)
Apr 13 17:24:01 ovpn-server1[7354]: 192.168.my.iPhone:yyyyy TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 13 17:24:01 ovpn-server1[7354]: 192.168.my.iPhone:yyyyy TLS Error: TLS handshake failed
Apr 13 17:24:01 ovpn-server1[7354]: 192.168.my.iPhone:yyyyy SIGUSR1[soft,tls-error] received, client-instance restarting
Apr 13 17:24:02 kernel: ACCEPT IN=br0 OUT=tun11 MAC=My WiFi Adapter:My Ethernet Adapter A:08:00 SRC=192.168.Ethernet.Adapter DST=10.185.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=36439 PROTO=UDP SPT=64614 DPT=53 LEN=42
Apr 13 17:24:02 kernel: ACCEPT IN=br0 OUT=tun11 MAC=My WiFi Adapter:My Ethernet Adapter A:08:00 SRC=192.168.Ethernet.Adapter DST=104.86.110.251 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=21227 DF PROTO=TCP SPT=35288 DPT=80 SEQ=3419233199 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)

I very much appreciate everyone's kind assistance,

PC Pilot
 

Martineau

Part of the Furniture
Hi Martineau,

Thank you for your helpful response.

Yes, I opted to change the default option to a suitable and more secure name ….also changed the default Router IP address from 192.168.1.1 :)

Sorry, the last time I tried it didn't pick up the radio button selections, so for clarity I thought the selected settings would avoid confusion!

I have tried again using the settings provided in your screengrab, after saving the config and exporting the OpenVPN file (but not the certificate - see the note about the parse error in post #8 above). Still having TLS Error connection issues :( see log below:
--------------------------------------------------------
[router system log quoted from the post above]
Now that you state iPhone...have you tried with another device? - say Android with Arne Schwabe's infallible VPN App. It may be worth trying.
 

PC Pilot

Regular Contributor
Hi folks,

Thought I had cracked it :) Experimentation reveals that iOS appears to require the TCP protocol, so it finally connected!! ...but I can't connect to the internet or send/receive email on the iPhone :(:( I would very much appreciate your advice/observations; is it policy rule related perhaps?? NB. OpenVPN Server connected using the following settings:

VPN Server - OpenVPN

Basic Config

Server instance Server 1
Enable OpenVPN Server [ON]
VPN Details Advanced Settings

Advanced Settings

Interface Type TUN
Protocol TCP
Server Port 1184 (Default is: 1194)
Authorization Mode TLS
Keys and Certificates Edit (if necessary but certificate created by applying settings)
Username/Password Authentication
Yes Selected
No Unselected
Username/Password Auth. Only
Yes Unselected
No Selected
TLS control channel security (tls-auth/tls-crypt) Encrypt Channel
HMAC Authentication Default
VPN Subnet/Netmask 10.8.0.0 255.255.255.0
Advertise DNS to clients
Yes Selected
No Unselected
Cipher Negotiation Enable (with fallback)
Negotiable Ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
Legacy/fallback cipher AES-128-GCM
Compression LZ0 Adaptive
Log verbosity 3
Manage Client-Specific Options
Yes Selected
No Unselected
Allow Client <-> Client
Yes Unselected
No Selected
Allow only specified clients
Yes Unselected
No Selected
Allowed Clients

Common Name (CN) (1) [BLANK]
Subnet (1) [BLANK]
Mask (1) [BLANK]
Push (1) [No Selection]

Custom Configuration

[NO ENTRIES RECORDED]

** From General Settings **

Username and Password (Max Limit: 32) (For Router)
Connection Status (1) Connected

Username (1) As Router
Password (1) -
-------------------------------------------------------------------------------------------

Feel as though I am making progress at last, but keen to clear this remaining hurdle!

Thanks guys, your help is so much appreciated!!

PC Pilot

PS. Obfuscated OpenVPN Connect (iOS) log attached - various experimental settings used....
 

Attachments

  • OpenVPN Connect - Obfuscated Connection Log - 15.04.20.txt

PC Pilot

Regular Contributor
Hi to all,
Time for another update. After further diagnosis and much experimentation my iPhone finally connects remotely (via cellular and Wi-Fi) to my VPN Server, with working internet access which, for added privacy, now also routes through my VPN Client!! :D:D:D

Would of course welcome comment from the forum experts as to any setting adjustments recommended for a more optimal experience and where my lack of knowledge has exposed me to any weakness of which I am not aware?

For the benefit of other users I offer the following settings, which are confirmed to work on the OpenVPN Server of an RT-AX88U running Merlin 384.16 whilst also routing through an active VPN Client (Express VPN), in conjunction with an iPhone 8 Plus running iOS 13.4.1 with the OpenVPN Connect App V3.1.2 (3096) used to facilitate the secure remote connection.

VPN Client - OpenVPN via paid provider (e.g. Express VPN)

Advanced Settings

Log verbosity (0-6, default=3) 3
Compression (As required by Client)
TLS Renegotiation Time (in seconds, -1 for default) (As required by Client)
Connection Retry attempts (-1 for infinite) (As required by Client)
Verify Server Certificate
Yes (As required by Client)
No (As required by Client)
Force Internet traffic through tunnel Policy Rules
Block routed clients if tunnel goes down
Yes Unselected
No Selected

Rules for routing client traffic through the tunnel (Max Limit: 100)

Description (1) LAN IPs
Source IP (1) LAN IP Address/e.g. 192.168.1.0/24
Destination IP (1) 0.0.0.0
Iface (1) VPN

Description (2) VPN Server 1
Source IP (2) 10.8.0.0/24
Destination IP (2) 0.0.0.0
Iface (2) VPN

Description (3) VPN Server 2
Source IP (3) 10.16.0.0/24
Destination IP (3) 0.0.0.0
Iface (3) VPN

Description (4) LAN IPs
Source IP (4) 0.0.0.0
Destination IP (4) LAN IP Address/e.g. 192.168.1.0/24
Iface (4) WAN

Description (5) e.g. RT AX88U Router
Source IP (5) e.g. 192.168.1.1
Destination IP (5) 0.0.0.0
Iface (5) WAN
-----------------------------------------------------------------------
VPN Server - OpenVPN

Basic Config

Server instance Server 1 (NB. Settings below can also be used for Server 2)
Enable OpenVPN Server [ON]
VPN Details Advanced Settings

Advanced Settings

Interface Type TUN
Protocol TCP
Server Port 1184 (Default is: 1194 for Server 1, 1197 for Server 2)
Authorization Mode TLS
Keys and Certificates Edit (if necessary but certificate created by applying settings)
Username/Password Authentication
Yes Selected
No Unselected
Username/Password Auth. Only
Yes Unselected
No Selected
TLS control channel security (tls-auth/tls-crypt) Encrypt Channel
HMAC Authentication Default
VPN Subnet/Netmask 10.8.0.0 255.255.255.0 (NB. 10.16.0.0 255.255.255.0 for Server 2)
Advertise DNS to clients
Yes Selected
No Unselected
Cipher Negotiation Enable (with fallback)
Negotiable Ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
Legacy/fallback cipher AES-128-GCM
Compression Disabled
Log verbosity 3
Manage Client-Specific Options
Yes Selected
No Unselected
Allow Client <-> Client
Yes Unselected
No Selected
Allow only specified clients
Yes Unselected
No Selected
Allowed Clients

Common Name (CN) (1) [BLANK]
Subnet (1) [BLANK]
Mask (1) [BLANK]
Push (1) [No Selection]


Custom Configuration

[NO ENTRIES RECORDED]

** From General Settings **

Username and Password (Max Limit: 32) (For Router)
Connection Status (1)

Connected

Username (1) As Router
Password (1) -
---------------------------------------------------------------------------
In addition to the router settings above, in order to direct your VPN Server traffic to route through the active VPN Client it is now necessary to create a simple script file named "firewall-start.sh", which will ultimately reside within the router's directory structure at the following location: /jffs/scripts

To achieve this, if not already done, we first have to set up JFFS on the router (using the settings below), and to undertake the script file editing it will be necessary to connect to the router using a terminal. For this purpose we will use the PuTTY utility (PuTTY can be downloaded from <https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html>) to establish a connection to the router. In order to facilitate these additional actions we will connect to the router using SSH, which requires the following additional router settings:

Administration > System >

Persistent JFFS2 partition

Format JFFS partition at next boot > Yes (If being used for the first time, otherwise > No *)
Enable JFFS custom scripts and configs > Yes


Services

Enable SSH > LAN - WAN
Allow SSH Port Forwarding > No
SSH Port > 22
Allow Password Login > Yes
Enable SSH Brute Force Protection > Yes
Idle Timeout > 20 Minutes


Click 'Apply', then 'Reboot'. * After the router reboots, check again: “Format JFFS partition at next boot” should now be set to “No” and “Enable JFFS custom scripts and configs” should be set to “Yes”.

Now install PuTTY and launch it (PuTTY itself, not the other bundled utilities), enter the router's IP address (or DDNS hostname) and press ENTER. Next, in the PuTTY terminal window, enter your router's admin username (note: not "root"), then enter your router password and press ENTER.

Now, in the terminal at the command prompt type:

nano -w /jffs/scripts/firewall-start.sh

...to start the nano editor. In the editor window type (or copy/paste using Notepad++ <https://notepad-plus-plus.org/downloads/>) the following text:

#!/bin/sh

# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
# First remove any earlier copies of the rules (firewall-start runs on every firewall restart);
# the deletes fail harmlessly when no rule exists yet, so their error output is discarded
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE 2>/dev/null
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE 2>/dev/null

# Then insert fresh rules: NAT the VPN Server subnets (from nvram) when they leave via a VPN Client tunnel
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

NB. The reference to "tun1+" above directs traffic to ANY "ACTIVE" VPN Client. This can be specifically tuned to meet your individual requirements by replacing with that for the appropriate OpenVPN Client from the following simple Router VPN Tunneling Key:

OpenVPN Client

Client 1 tun11
Client 2 tun12
Client 3 tun13
Client 4 tun14
Client 5 tun15

OpenVPN Server

Server 1 tun21
Server 2 tun22


Now press CTRL+O to save the changes to the "firewall-start.sh" file and press ENTER to confirm the file name; you'll see something like "Wrote 8 lines".

Then press CTRL+X to close the nano editor and return to the PuTTY command prompt.

Now type the following command (without the quotes) to make the firewall-start.sh file executable: "chmod a+rx /jffs/scripts/firewall-start.sh"

Finally, type in Putty terminal “reboot” and your router will reboot. NB. I found it necessary to "Power Cycle" my router by removing power for 30 seconds to successfully complete the process.
---------------------------------------------------------------------------
IOS OpenVPN Connect V3.1.2 (3096) - Settings:

VPN Protocol TCP
IPv6 IPv4-Only Tunnel
Connection Timeout 30 Secs
Allow Compression (insecure) No
AES-CBC Cipher Algorithm Selected
Minimum TLS Version TLS 1.0
DNS Fallback Selected
Connect Via Any Network
Layer 2 Reachability Selected
Theme As per user preference
----------------------------------------------------------------------------
Hope it helps someone trying to establish a VPN Server concurrent with a working VPN Client, with secure remote access, which also redirects the VPN Server traffic to route through the VPN Client rather than via the public (ISP) IP. (NB. Subject to amendment as and where advised by the forum experts!)

Particular thanks and all credit to forum experts RMerlin, Mister, Martineau, Jeffery Young & Butterfly Bones for your informative contributions without which I could not have succeeded in resolving this requirement.

Thanks guys for all of your help :):D!!

PC Pilot
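The firewall-start.sh procedure in the post above, reworked as an added example (this is not PC Pilot's script and not Asuswrt-Merlin firmware code). It keeps the same MASQUERADE rules but refuses an empty or malformed vpn_serverN_sn value (an empty nvram value would otherwise become "-s /24", which iptables rejects), and it checks with iptables -C before inserting so that repeated firewall restarts do not stack duplicate rules. Assumptions: the nvram names vpn_server1_sn and vpn_server2_sn from the post; tun11 (Client 1) as the default outgoing interface, overridable via VPN_CLIENT_IF (set it to tun1+ for the any-client behaviour of the original); and an IPT variable so the logic can be dry-run off the router.

```shell
#!/bin/sh
# Added example, not PC Pilot's firewall-start.sh: idempotent, input-checked
# MASQUERADE rules so OpenVPN Server clients egress via the VPN Client tunnel.
# Assumed: nvram vars vpn_server1_sn / vpn_server2_sn (as in the post) hold the
# server subnets; VPN_CLIENT_IF is the client tunnel to use (tun11 = Client 1,
# tun1+ = any client, matching the original script).

IPT="${IPT:-iptables}"                    # overridable for dry runs off the router
VPN_CLIENT_IF="${VPN_CLIENT_IF:-tun11}"

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# masq_rule OP SUBNET IFACE: run iptables with OP (-C check, -I insert, -D delete)
# on the single rule this script manages, so check/insert/delete never drift apart.
masq_rule() {
  $IPT -t nat "$1" POSTROUTING -s "$2/24" -o "$3" -j MASQUERADE
}

# ensure_masq_rule SUBNET IFACE: add the rule exactly once.
# Returns 0 when the rule is present (already there or just added),
# 2 when SUBNET is not a sane IPv4 address (refuse rather than run "-s /24").
ensure_masq_rule() {
  valid_ipv4 "$1" || { echo "firewall-start: refusing bad server subnet '$1'" >&2; return 2; }
  masq_rule -C "$1" "$2" 2>/dev/null && return 0   # firewall-start runs on every restart
  masq_rule -I "$1" "$2"
}

# On the router (nvram available): apply for each server instance that has a subnet.
if command -v nvram >/dev/null 2>&1; then
  for unit in 1 2; do
    sn="$(nvram get "vpn_server${unit}_sn")"
    [ -n "$sn" ] && ensure_masq_rule "$sn" "$VPN_CLIENT_IF"
  done
fi
```

Save it as /jffs/scripts/firewall-start.sh and make it executable as described in the post. After a restart, confirm the rules with: iptables -t nat -L POSTROUTING -v -n (the packet counters on the MASQUERADE lines should increase while a remote client browses through the tunnel).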
 

Justice

New Around Here
Hello PC Pilot,

I am trying to configure openvpn as well on an ios iPhone. I see you ran into the error "Error Cannot parse the file" when adding your pkcs12 (ovpn12) file. I am also running into this and am hoping you'd be kind enough to share your fix for this. I also tried just importing the ca.crt as ovpn12 file so openvpn could read it and no matter what I get the "Cannot parse the file" error.

Any info would be greatly appreciated. Thanks
 

PC Pilot

Regular Contributor
Hi Justice,

Hope I can offer you some assistance to help resolve your OpenVPN Server issue on your iPhone.

The following clarifies the successful settings which currently allow my devices to sync....

Firstly, in the case of the iPhone (mine is the '8 Plus', by the way), it is currently running iOS 14.0.1, I have installed the OpenVPN app (currently V3.2.0 (3253)), and the device connects successfully with my Asus RT-AX88U router running Merlin's 384.19 firmware.

The following are the precise App settings currently used in my setup:

Battery Saver Unchecked

Seamless Tunnel Unchecked

VPN Protocol TCP

IPV6 IPV4-ONLY-TUNNEL

Connection Timeout 30 SEC

Allow Compression (insecure) NO

AES-CBC Cipher Algorithm Checked

Minimum TLS Version TLS 1.0

DNS Fallback Checked

Connect Via ANY NETWORK

Layer 2 Reachability Unchecked

Theme DEFAULT

---------------------------------------------------------------------------

So far as the Router settings are concerned the following are the current precise settings used in my router - VPN > VPN Server Tab:

VPN Server - OpenVPN

Basic Config

Server instance Server 1 (NB. Settings below can also be used for Server 2)
Enable OpenVPN Server [ON]
VPN Details Advanced Settings

Advanced Settings

Interface Type TUN
Protocol TCP
Server Port 1184 (Default is: 1194 for Server 1, 1197 for Server 2)
Authorization Mode TLS
Keys and Certificates Edit (if necessary but certificate created by applying settings)
Username/Password Authentication
Yes Selected
No Unselected
Username/Password Auth. Only
Yes Unselected
No Selected
TLS control channel security (tls-auth/tls-crypt) Encrypt Channel
HMAC Authentication Default
VPN Subnet/Netmask 10.8.0.0 255.255.255.0 (NB. 10.16.0.0 255.255.255.0 for Server 2)
Advertise DNS to clients
Yes Selected
No Unselected
Cipher Negotiation Enable (with fallback)
Negotiable Ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
Legacy/fallback cipher AES-128-GCM
Compression Disabled
Log verbosity 3
Manage Client-Specific Options
Yes Selected
No Unselected
Allow Client <-> Client
Yes Unselected
No Selected
Allow only specified clients
Yes Unselected
No Selected
Allowed Clients

Common Name (CN) (1) [BLANK]
Subnet (1) [BLANK]
Mask (1) [BLANK]
Push (1) [No Selection]

Custom Configuration

[NO ENTRIES RECORDED]

** From General Settings **

Username and Password (Max Limit: 32) (For Router)
Connection Status (1)
Connected

Username (1) As Router
Password (1) -
---------------------------------------------------------------------------

Once the router settings above have been configured in your router, save and reboot the router. Re-accessing the OpenVPN Server tab will show an abbreviated configuration in the 'Basic Config' area, where you will now see the option to "Export OpenVPN configuration file". Click 'Export' and temporarily save the resulting file to a convenient location on your PC.

Now open your PC's email client (in my case I used Outlook 2019) and create an email to yourself (using an account received on your iPhone), attaching the .ovpn file(s) previously exported to the above location. Send your email and verify that it has been received on your iPhone. Once received, go to the message and tap on the attachment(s). From the dialogue which opens, look at the offered Apps and tap on "OpenVPN" (NB. select 'More' if the OpenVPN app does not appear amongst the Apps displayed in this initial list), which will then open the App.

You are now prompted as to whether you wish to 'Add' (import) the profile(s). Tap 'Add' and then follow the instructions: enter your router's username in the 'Username' field, similarly enter the router's access password in the 'Save Password' field, and then check the boxes 'Save the password' and 'Connect after import'. Finally, tap 'Add' (located at the top right of the App) to complete the process and securely connect your iPhone to your OpenVPN Server! Don't forget to configure the App settings as specified!

I hope that these steps are helpful in establishing a working connection for you!

Best regards,

PC Pilot
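The export-and-import steps in the post above, with an added example (not from the thread, not Merlin or OpenVPN Connect code) that audits an exported .ovpn profile before it goes onto the phone: it checks that the remote line carries a host and port, that a <tls-crypt> or <tls-auth> block is present (the server above is set to "Encrypt Channel", so a profile without it cannot complete the handshake), that no compression directive is present (Compression is disabled on the server and the app marks it insecure), and it warns when the profile embeds a private <key>. It uses only standard OpenVPN directive names; the sample profile written by write_sample_profile is constructed for this example, its certificate and key bodies are placeholders, and router.example.net:1184 is an assumed endpoint (1184 being the server port used in the thread). One caveat the post does not mention: even without a client certificate the profile carries the tls-crypt key, so it is a credential and is better moved over an encrypted path than as a plain e-mail attachment.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an exported router .ovpn profile
# before importing it on the phone. Standard OpenVPN directive names only; the
# sample profile below is constructed and its cert/key bodies are placeholders.

# ovpn_directive FILE NAME: print the arguments of the first NAME line, if any.
ovpn_directive() {
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# ovpn_has_block FILE NAME: succeed when an inline <NAME> ... </NAME> block exists.
ovpn_has_block() {
  grep -q "^<$2>" "$1"
}

# ovpn_audit FILE: print one finding per line; return 0 only when nothing FAILs.
ovpn_audit() {
  f="$1"; rc=0

  remote="$(ovpn_directive "$f" remote)"
  case "$remote" in
    *" "[0-9]*) echo "ok   remote $remote (proto $(ovpn_directive "$f" proto))" ;;
    *)          echo "FAIL remote line lacks host and port: '$remote'"; rc=1 ;;
  esac

  # Server side uses "Encrypt Channel" (tls-crypt): without the matching key
  # block the client cannot even start the TLS handshake.
  if ovpn_has_block "$f" tls-crypt || ovpn_has_block "$f" tls-auth; then
    echo "ok   control channel protected by tls-crypt/tls-auth"
  else
    echo "FAIL no <tls-crypt>/<tls-auth> block; a server set to Encrypt Channel will not accept it"; rc=1
  fi

  # Compression is disabled on the server and flagged insecure in the app.
  if grep -Eq '^(comp-lzo|compress)( |$)' "$f"; then
    echo "FAIL compression directive present; remove it (server has Compression disabled)"; rc=1
  fi

  if grep -q '^auth-user-pass' "$f"; then
    echo "ok   auth-user-pass: the app will prompt for / store the router credentials"
  fi

  # Credential hygiene: an embedded <key> is a private key. Even without one,
  # the tls-crypt key makes the file a secret: move it over an encrypted path.
  if ovpn_has_block "$f" key; then
    echo "WARN profile embeds a client private key; treat the file as a secret"
  fi

  return $rc
}

# write_sample_profile FILE: constructed profile resembling a router export with
# username/password auth and tls-crypt (no client cert). Not a real export.
write_sample_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote router.example.net 1184
resolv-retry infinite
nobind
auth-user-pass
remote-cert-tls server
cipher AES-128-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
placeholder-ca-certificate-body-not-real
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
placeholder-static-key-body-not-real
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Stand-alone run: audit the profile named on the command line, else the sample.
if [ $# -gt 0 ]; then
  ovpn_audit "$1"
else
  sample="$(mktemp)"
  write_sample_profile "$sample"
  ovpn_audit "$sample"
  rm -f "$sample"
fi
```

Run it against the file you exported from the router (sh ovpn_audit.sh client1.ovpn) before mailing or AirDropping it; a FAIL line on tls-crypt or compression means the profile will not match the server settings listed in the post.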
 
