Help with Asus RT-AC66U and OpenVPN

[skarz]

Hello all,

I installed the OpenVPN server on a VPS in hopes of using OpenVPN on my Asus AC1750 wireless router. I noticed the OpenVPN connection was failing on my router and I noticed this in the logs:

Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)

Well after learning how to telnet in to my router, I found the referenced 'config.ovpn'. No matter how many times I delete tls-version-min 1.2 it comes back. Is it being regenerated when I attempt to connect the VPN? I do not suspect my router as the issue as I just set up ProtonVPN and had no issues enabling it on my router.

Contents of /tmp/etc/openvpn/client4/config.ovpn:

# Automatically generated configuration

# Tunnel options
remote 45.43.21.166
resolv-retry infinite
nobind
proto udp
port 1194
dev tun14
sndbuf 0
rcvbuf 0
persist-tun
persist-key
daemon vpnclient4
verb 3
status-version 2
status status 10

# Client Mode
client

# Data Channel Encryption Options
auth SHA256
cipher AES-128-GCM

# TLS Mode Options
ca ca.crt
cert client.crt
key client.key

# Custom Configuration
remote-cert-tls server
verify-x509-name server_SKvKmECMQAb7es2t name
auth-nocache
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
tls-crypt [[INLINE]] "#
# 2048 bit OpenVPN static key
#

 

[RMerlin]

As the first line says, "Automatically generated". You cannot edit that file, it gets re-generated whenever the client restarts.

I don't think Asus's stock firmware lets you edit existing settings (that parameter is part of the Custom settings), so you will have to:

1) Edit the ovpn file to remove the tls-version-min
2) Re-import the ovpn client file

Keep in mind stock Asuswrt still runs a very old (2.3.2) OpenVPN version.

 

[skarz]

Yeah I've deleted the specific line several times and it appears that file is generated when the client connects. Do you think I could upgrade OpenVPN on the router to 2.3.3 or would that undoubtedly brick it?

 

[RMerlin]

Yeah I've deleted the specific line several times and it appears that file is generated when the client connects. Do you think I could upgrade OpenVPN on the router to 2.3.3 or would that undoubtedly brick it?

You cannot upgrade OpenVPN, unless you compile your own firmware.

You must delete it in the ovpn file that you import, NOT on the router. That file in /etc/ is automatically generated out of nvram content.

 

[skarz]

You cannot upgrade OpenVPN, unless you compile your own firmware.

You must delete it in the ovpn file that you import, NOT on the router. That file in /etc/ is automatically generated out of nvram content.

Oh wow, interesting. I am learning so much! So I deleted the line from the provided .ovpn file and tried again. The warning I got this time was

Options error: No closing quotation (") in config.ovpn:38

If I go to line 38 in the generated .ovpn file, it's this:

# Custom Configuration
remote-cert-tls server
verify-x509-name server_SKvKmECMQAb7es2t name
auth-nocache
tls-client
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
tls-crypt [[INLINE]] "#

What did I do wrong this time? lol...

 

[skarz]

FWIW - I installed AsusWRT-Merlin and no longer have any issues (well, other than extremely slow speed, but that's a different story...)