connecting to AWS openvpn server issues from AC-68U merlin

craig young

Hi,
This is my first post and I have been trying to get this working for ages so now I have decided to post to hopefully get some help.

I set up an AWS EC2 AMI instance and installed OpenVPN server using the following guide:
https://www.comparitech.com/blog/vp...-your-own-free-vpn-using-amazon-web-services/
I am able to connect using Tunnelblick on my Mac without any issues and it shows the VPN IP, but I have had issues trying to set up my router.
I did a factory reset and installed the latest Merlin f/w but still face the same issue.

The problem is if I choose anything other than "disabled" on compression I get the following error on the server:
openvpn[6352]: write to TUN/TAP : Invalid argument (code=22)
VPN status shows connecting and my IP remains the same but I can browse.

If I choose disabled, VPN status shows as connected but I am unable to browse anything. (just hangs)

I tail -f the /var/log/messages on the ec2 instance so I know it is communicating.

Would love some help as I have no clue on how to get this working, I have kept the server and client openvpn.conf entries fairly basic to help with troubleshooting.

Hopefully some network guru or someone who has set this up before can help :)

I have tried a few other things and googled the issue, but I want to keep my initial post as clear and concise as I can at this point.

Thanks
 
*UPDATE*
I came across this after posting:
https://sourceforge.net/p/openvpn/mailman/message/26172642/

So I added the last two lines to the server openvpn.conf:

port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key
comp-lzo
push "comp-lzo"

and to the client custom config on router I added the line:
comp-lzo no

I no longer get the error and status shows as connected but still unable to browse :( any help would be appreciated.
 
You probably need to push a route to that tunnel's remote LAN as well. Check Amazon's documentation for more info as to how to configure that.
 
Tunnelblick has pretty good logging, so check it and compare...

One thing to consider is turning off comp-lzo for a moment, and see if that helps...

comp-lzo no

And like RMerlin said, check what's pushed on either end for the route
 
thanks, yeah I tried a lot of the compression methods.
Tunnelblick was working ok yesterday now getting: Tunnelblick could not fetch IP address info before connection to myconfig was made.
(ignore the cipher errors.) I am not sure how to push the route to that tunnel's remote LAN (I will try and do some searching)
Thanks

Tunnelblick logs below may provide a clue: (I know this is a forum regarding merlin fw but thought it may help find the issue)

2016-12-30 11:30:20 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec 27 2016

2016-12-30 11:30:20 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09

2016-12-30 11:30:20 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337

2016-12-30 11:30:20 Need hold release from management interface, waiting...

2016-12-30 11:30:21 *Tunnelblick: Established communication with OpenVPN

2016-12-30 11:30:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337

2016-12-30 11:30:21 MANAGEMENT: CMD 'pid'

2016-12-30 11:30:21 MANAGEMENT: CMD 'state on'

2016-12-30 11:30:21 MANAGEMENT: CMD 'state'

2016-12-30 11:30:21 MANAGEMENT: CMD 'bytecount 1'

2016-12-30 11:30:21 MANAGEMENT: CMD 'hold release'

2016-12-30 11:30:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2016-12-30 11:30:21 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

2016-12-30 11:30:21 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

2016-12-30 11:30:21 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2016-12-30 11:30:21 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

2016-12-30 11:30:21 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

2016-12-30 11:30:21 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2016-12-30 11:30:21 Socket Buffers: R=[131072->131072] S=[131072->131072]

2016-12-30 11:30:21 Opened utun device utun0

2016-12-30 11:30:21 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

2016-12-30 11:30:21 MANAGEMENT: >STATE:1483068621,ASSIGN_IP,,10.4.0.2,

2016-12-30 11:30:21 /sbin/ifconfig utun0 delete

ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

2016-12-30 11:30:21 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

2016-12-30 11:30:21 /sbin/ifconfig utun0 10.4.0.2 10.4.0.1 mtu 1500 netmask 255.255.255.255 up

2016-12-30 11:30:21 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun0 1500 1546 10.4.0.2 10.4.0.1 init

**********************************************

Start of output from client.up.tunnelblick.sh

NOTE: No network configuration changes need to be made.

WARNING: Will NOT monitor for other network configuration changes.

WARNING: Will NOT disable IPv6 settings.

DNS servers '192.168.0.1' will be used for DNS queries when the VPN is active

NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

Flushed the DNS cache via dscacheutil

/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil

Notified mDNSResponder that the DNS cache was flushed

End of output from client.up.tunnelblick.sh

**********************************************

2016-12-30 11:30:23 /sbin/route add -net 54.203.120.91 192.168.0.1 255.255.255.255

add net 54.203.120.91: gateway 192.168.0.1

2016-12-30 11:30:23 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0

add net 0.0.0.0: gateway 10.4.0.1

2016-12-30 11:30:23 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0

add net 128.0.0.0: gateway 10.4.0.1

2016-12-30 11:30:23 Attempting to establish TCP connection with [AF_INET]54.203.120.91:1194 [nonblock]

2016-12-30 11:30:23 MANAGEMENT: >STATE:1483068623,TCP_CONNECT,,,

2016-12-30 11:30:24 TCP connection established with [AF_INET]54.203.120.91:1194

2016-12-30 11:30:24 TCPv4_CLIENT link local: [undef]

2016-12-30 11:30:24 TCPv4_CLIENT link remote: [AF_INET]54.203.120.91:1194

2016-12-30 11:30:34 Peer Connection Initiated with [AF_INET]54.203.120.91:1194

2016-12-30 11:30:35 *Tunnelblick: No 'connected.sh' script to execute

2016-12-30 11:30:35 *Tunnelblick: Could not determine this computer's apparent public IP address before the connection was completed

2016-12-30 11:30:35 Initialization Sequence Completed

2016-12-30 11:30:35 MANAGEMENT: >STATE:1483068635,CONNECTED,SUCCESS,10.4.0.2,54.203.120.91
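A lint for the static-key server/client config pair discussed in this thread, added here as example code (not from the thread, Tunnelblick or OpenVPN); the client config and the hostname vpn.example.invalid are constructed, mirrored from the posted server config and the Tunnelblick log.

```python
# Example code (not from the thread or OpenVPN): lint a static-key
# OpenVPN server/client config pair for the mismatches seen above.
# Constructed: the thread's server config plus a mirrored client config.
SERVER_CONF = """port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
secret ovpn.key
comp-lzo
push "comp-lzo"
"""
CLIENT_CONF = """remote vpn.example.invalid 1194
proto tcp-client
dev tun
ifconfig 10.4.0.2 10.4.0.1
secret ovpn.key
"""
def parse(conf):
    """Map each directive to its list of argument lists (directives may repeat)."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts.setdefault(key, []).append(args)
    return opts
def lint(server_conf, client_conf):
    s, c = parse(server_conf), parse(client_conf)
    issues = []
    # "comp-lzo no" still adds the one-byte compression framing header, so the
    # directive must be on both sides or neither; a one-sided comp-lzo is what
    # produces the "write to TUN/TAP : Invalid argument" error on the peer.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        issues.append("comp-lzo framing mismatch: use 'comp-lzo no' on both sides")
    # push needs the TLS control channel of --server mode; with a static
    # 'secret' there is none, so pushed options never reach the client.
    if "secret" in s and "push" in s:
        issues.append("push has no effect in static-key mode")
    # tcp-server pairs with tcp-client; udp pairs with udp.
    sp = s.get("proto", [["udp"]])[0][0]
    cp = c.get("proto", [["udp"]])[0][0]
    if sp.replace("-server", "") != cp.replace("-client", ""):
        issues.append(f"proto mismatch: {sp} vs {cp}")
    # On a point-to-point tun the two ifconfig addresses must be mirrored.
    if "ifconfig" in s and "ifconfig" in c and s["ifconfig"][0] != c["ifconfig"][0][::-1]:
        issues.append("ifconfig addresses are not mirror images")
    # No cipher line means OpenVPN 2.3's BF-CBC default (the SWEET32 warning above).
    for side, o in (("server", s), ("client", c)):
        if "cipher" not in o:
            issues.append(f"{side}: no cipher directive (BF-CBC default)")
    return issues
```

Run `lint(SERVER_CONF, CLIENT_CONF)` to see the four findings for the configs as posted; adding `comp-lzo no` to the client and a `cipher AES-256-CBC` line to both sides leaves only the ineffective `push`.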
 