Solved Import an .ovpn file into RT-AX88U (Merlin 386.2.4) ...


Leguar

Occasional Visitor
Have changed to another VPN provider. Created a new .ovpn file and tried to import it.
This new file has an extension - "tls-crypt", but it seems not to be imported. The usual
CA, CERT and Key are ok. Any hints ??
 

Attachments

  • Static Key.JPG
    27 KB · Views: 51
  • Static Key.txt
    183 bytes · Views: 69

Hazel

Senior Member
I think the answer is in the text in the header of your first screenshot.

Furthermore: doesn’t your VPN provider provide ready-made .ovpn config files? I can just download them from the website of my VPN provider, I’ve never had to ‘create’ my own .ovpn config file.
 

Leguar

Occasional Visitor
I think the answer is in the text in the header of your first screenshot.

Furthermore: doesn’t your VPN provider provide ready-made .ovpn config files? I can just download them from the website of my VPN provider, I’ve never had to ‘create’ my own .ovpn config file.
My bad for not explaining it very well :)
The .ovpn file has been created by my new VPN provider.
The first screenshot just shows nothing, whereas I thought my "tls-crypt" would have been placed there,
as shown in the "Static Key.txt".
 

Tech9

Very Senior Member
Did you reset the VPN client before uploading the new configuration file? Default button at the bottom of the page.
 

Leguar

Occasional Visitor
Did you reset the VPN client before uploading the new configuration file? Default button at the bottom of the page.
Yes, but it seems that my former VPN provider was still there after the reset.
Thinking that a reset would kill data - both in CA, CERT and Key
 

Hazel

Senior Member
The first screenshot just shows nothing, whereas I thought my "tls-crypt" would have been placed there,
as shown in the "Static Key.txt".

I meant, the header says:

Only paste the content of the ----- BEGIN xxx ----- / ----- END xxx ----- block (including those two lines)

So I guess the key should be pasted without the preceding <tls-crypt> and the ending </tls-crypt>, so like

Code:
-----BEGIN OpenVPN Static key V1-----
....
a1198ef649f1c23861a2a19f2c6b27aa
5e43be761e0c71e9c2e8d33b75af289e
....
-----END OpenVPN Static key V1-----
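
The check described in this post, as an added example that is not part of the original thread: a Python sketch that reports which inline blocks (`<ca>`, `<cert>`, `<key>`, `<tls-crypt>`) an .ovpn profile contains and returns only the BEGIN/END block for pasting, without ever printing key material. The sample profile, host name and function names are constructed for illustration.

```python
import re

# Inline sections that end up in the router's separate key/certificate fields.
EXPECTED = ("ca", "cert", "key", "tls-crypt")
INLINE_RE = re.compile(r"^<([a-z0-9-]+)>[ \t]*\n(.*?)\n</\1>[ \t]*$", re.S | re.M)
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed sample profile (placeholder values, not real credentials).
SAMPLE = """client
dev tun
remote vpn.example.net 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

def inline_blocks(ovpn_text):
    """Return {tag: body} for every inline <tag>...</tag> section."""
    text = ovpn_text.replace("\r\n", "\n")  # profiles saved on Windows use CRLF
    return {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}

def paste_ready(body):
    """Return only the BEGIN/END block (markers included), or None if absent."""
    m = PEM_RE.search(body)
    return m.group(0) if m else None

def audit(ovpn_text):
    """Map each expected tag to 'missing', 'malformed' or the BEGIN label found.
    Key bytes are never part of the report, so it is safe to post in a forum."""
    blocks = inline_blocks(ovpn_text)
    report = {}
    for tag in EXPECTED:
        body = blocks.get(tag)
        m = PEM_RE.search(body) if body is not None else None
        report[tag] = "missing" if body is None else (m.group(1) if m else "malformed")
    return report

if __name__ == "__main__":
    for tag, status in audit(SAMPLE).items():
        print(f"{tag:10s} {status}")
```
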
 

Leguar

Occasional Visitor
I meant, the header says:



So I guess the key should be pasted without the preceding <tls-crypt> and the ending </tls-crypt>, so like

Code:
-----BEGIN OpenVPN Static key V1-----
....
a1198ef649f1c23861a2a19f2c6b27aa
5e43be761e0c71e9c2e8d33b75af289e
....
-----END OpenVPN Static key V1-----
Yes, you're right.

I have tried to copy/paste all four certs and then save all of them, but it seems that data in the Static Key
always disappears (removed=blanks). Seems strange to me !! Maybe a bug ??
 

Hazel

Senior Member
Yes, you're right.

I have tried to copy/paste all four certs and then save all of them, but it seems that data in the Static Key
always disappears (removed=blanks). Seems strange to me !! Maybe a bug ??

Have you tried to paste the keys without the surrounding <tls-crypt> tags as the header suggests, just from ----- BEGIN xxx ----- (contents of static key / certificates with BEGIN and END tags included) ----- END xxx ----- ?

Haven't heard anyone else reporting this, so a bug seems unlikely to me. When I import an .ovpn config the certificates are included, I don't have to paste them manually. They are imported with the .ovpn config (and present in the config file). Most of the time I don't even look at it, as I know they're imported with the rest of the config. Have you opened the .ovpn config with a text editor like Notepad++ and checked whether the certificates aren't already included in the config? Or else, maybe your VPN provider has a step by step guide how to configure their VPN on Asuswrt(-Merlin), like my VPN Provider has? There are also several general guides on how to configure a VPN client on Asuswrt-Merlin.

I was wondering about tls-crypt and as far as I'm aware it should be supported by the included version of OpenVPN (I read it was included in 2.4.x and if I'm not mistaken 2.5.2 is the current version) and as your VPN-provider provides these configs, they should support it too (why else include it, instead of only tls-auth).

Question for @RMerlin: is the use of tls-crypt fully supported on 386.2_4?

Otherwise, I'm out of ideas. Maybe @eibgrad can help you out, he knows an awful lot about VPNs, way more compared to my rookie knowledge.
 

Tech9

Very Senior Member
I have tried to copy/paste all four certs and then save all of them

I'm not following you, sorry. You have one configuration .ovpn file to import. The file you have downloaded from your new VPN provider.
 

Leguar

Occasional Visitor
Have you tried to paste the keys without the surrounding <tls-crypt> tags as the header suggests, just from ----- BEGIN xxx ----- (contents of static key / certificates with BEGIN and END tags included) ----- END xxx ----- ?

Haven't heard anyone else reporting this, so a bug seems unlikely to me. When I import an .ovpn config the certificates are included, I don't have to paste them manually. They are imported with the .ovpn config (and present in the config file). Most of the time I don't even look at it, as I know they're imported with the rest of the config. Have you opened the .ovpn config with a text editor like Notepad++ and checked whether the certificates aren't already included in the config? Or else, maybe your VPN provider has a step by step guide how to configure their VPN on Asuswrt(-Merlin), like my VPN Provider has? There are also several general guides on how to configure a VPN client on Asuswrt-Merlin.

I was wondering about tls-crypt and as far as I'm aware it should be supported by the included version of OpenVPN (I read it was included in 2.4.x and if I'm not mistaken 2.5.2 is the current version) and as your VPN-provider provides these configs, they should support it too (why else include it, instead of only tls-auth).

Question for @RMerlin: is the use of tls-crypt fully supported on 386.2_4?

Otherwise, I'm out of ideas. Maybe @eibgrad can help you out, he knows an awful lot about VPNs, way more compared to my rookie knowledge.
First, I appreciate your help, thanks.
Next, my copy/paste was just a try to do something else than just import the .ovpn file, but to no avail.
It seems that the "tls-crypt" gets erased.
I have attached my .ovpn file (anonymised). All certs get updated, except the "tls-crypt".
Btw. I have tested both UDP and TCP scripts.
 

Attachments

  • VPN Anonymised ovpn.txt
    1 KB · Views: 28

Hazel

Senior Member
So, it's just the last key in your .ovpn config that doesn't 'stick'? That one doesn't get saved?
Any clues in your system logfile why it refuses to save that tls-crypt key?
 

Leguar

Occasional Visitor
I'm not following you, sorry. You have one configuration .ovpn file to import. The file you have downloaded from your new VPN provider.
Right. Downloaded from my VPN provider. The script includes "tls-crypt" (and CA, CERT and Key). When I import the script, the "tls-crypt" doesn't get imported. After the import I try to start VPN in the router, but the router gets stuck, with a yellow msg. "Connection ...." and never starts.
 

Hazel

Senior Member
Right. Downloaded from my VPN provider. The script includes "tls-crypt" (and CA, CERT and Key). When I import the script, the "tls-crypt" doesn't get imported. After the import I try to start VPN in the router, but the router gets stuck, with a yellow msg. "Connection ...." and never starts.
If you look in your logfiles (System Log > General Log) you will most likely see a TLS authentication error, while it tries to connect, because the last key doesn't get imported, so it can't establish a secure control channel. Please post your syslog (without any private info) to a site like pastebin or an alternative so we can see if we can find clues why a. the key won't get accepted and b. your connection can't be established (which is most likely answered by a.)
 

Leguar

Occasional Visitor
So, it's just the last key in your .ovpn config that doesn't 'stick'? That one doesn't get saved?
Any clues in your system logfile why it refuses to save that tls-crypt key?
Attached is the log file from the router (RT-AX88U) Merlin 368.2_4 ...
 

Attachments

  • VPN Log anominized.txt
    2.6 KB · Views: 34

Hazel

Senior Member
This is only from the attempt to connect. Here's the error I expected:

Code:
ovpn-client1[14946]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ovpn-client1[14946]: TLS Error: TLS handshake failed
ovpn-client1[14946]: SIGUSR1[soft,tls-error] received, process restarting
ovpn-client1[14946]: Restart pause, 5 second(s)
ovpn-client1[14946]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

which means there is a misconfiguration regarding TLS (i.e. your missing key), which is why it can't set up a secure connection.

Is there anything in your logfile when importing this config, that helps us understand why it doesn't accept the tls-crypt static key? If you can't find it, delete the current config and re-configure it and keep an eye on your logfiles.
 

Leguar

Occasional Visitor
This is only from the attempt to connect. Here's the error I expected:

Code:
ovpn-client1[14946]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ovpn-client1[14946]: TLS Error: TLS handshake failed
ovpn-client1[14946]: SIGUSR1[soft,tls-error] received, process restarting
ovpn-client1[14946]: Restart pause, 5 second(s)
ovpn-client1[14946]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

which means there is a misconfiguration regarding TLS (i.e. your missing key), which is why it can't set up a secure connection.

Is there anything in your logfile when importing this config, that helps us understand why it doesn't accept the tls-crypt static key? If you can't find it, delete the current config and re-configure it and keep an eye on your logfiles.
Ok, here are some errors. Seems that jffs2 (GC) is full. Could that be my problem ??
If so, how do I clean up the GC ?? I have nothing connected to the router, and I don't
have any scripts (as far as I'm concerned) running.
 

Attachments

  • Log from importing a VPN script.txt
    1.2 KB · Views: 39
  • Internal Storage.JPG
    24 KB · Views: 17
  • Backup JFFS.JPG
    6.4 KB · Views: 35

Leguar

Occasional Visitor
Hazel and Followers (?).
Pls. forget my older mails. After researching here, there and everywhere, I decided to reformat my JFFS
(Administration, System, JFFS partition). After that, I could import the usual CA, CERT and User Key, BUT
also (the problem) my tls-crypt Key.

After that, a new (but more precise) problem arose. Pls. look at the log, which is anonymized (hopefully) :cool:
 

Attachments

  • Log after cleaning JFFS.txt
    4.2 KB · Views: 35

ColinTaylor

Part of the Furniture
AirVPN is pushing an IPv6 config to your router but the router doesn't support IPv6 VPNs. Does AirVPN have an IPv4 profile you can use?

P.S. You don't need to anonymize the AirVPN address as that is one of their public addresses.
 
