No VPN with Asuswrt-Merlin Firmware:3.0.0.4.374.35_4

Rassal

Regular Contributor
Hi,

I was just wondering if I did something wrong, but it seems that I did not...

Been using the Merlin build for a while, but never really tampered with VPN. Now, I upgraded like 2 weeks ago to the firmware 3.0.0.4.374.35_4 and ever since, VPN doesn't connect anymore. Nothing changed in my configuration.

I downgraded to Asus 3.0.0.4.374.979 and VPN works without a glitch. Re-updated to the Merlin build, and VPN doesn't work.

Have I done something wrong, or is there still a problem with the latest Merlin build with VPN?

Am I the only one with this problem?
 
What do you mean exactly by "VPN doesn't connect anymore"? Are you talking about a VPN client on your LAN? VPN client on your router? VPN server on the router? PPTP? OpenVPN? IPsec?

Need more details.
 
OK... I set up the VPN Server in the VPN configuration tab.

I used default settings there (PPTP).

Slammed in a username and password...

Specified a range of IPs that is logical per my configuration in my home network.

Pretty much exactly the same configuration I used with the latest ASUS firmware.

Once enabled (the PPTP VPN Server):

When I get to my friend's house, or from my work office, or even my smartphone, when I try to connect to my Asus router, either with the direct IP it gets or from my DDNS setup (which works) from the ASUSCOMM DDNS, I get an hourglass forever, and a failed connection...

If I revert back to the original ASUS version stated in my prior post, everything works, I can connect to my router's PPTP VPN Server, I get an IP assigned in the range that I configured, and can access my home network from the internet...

Now, since I upgraded to the Asus WRT Merlin build, it doesn't work, it never connects... if I flash back to the latest official Asus firmware, it works... I am using the same exact settings... I also power cycle the router to make sure, and it is still not working...

Is this a better explanation?
 
Now, we have something we can work with.

Can you confirm that the PPTP server was properly started? Connect to the router using ssh or telnet, and check the output of this command:

Code:
ps w | grep pptp

If there is no pptpd service running then it means the PPTP server wasn't started.

Note that Asus and I are handling VPN service start slightly differently. It's possible it's only properly enabled for stock FW, but wasn't set enabled on Asuswrt-Merlin.
 
Here is the result:

Code:
ASUSWRT-Merlin RT-AC66U_3.0.0.4 Sat Nov 30 23:02:55 UTC 2013
admin@RT-AC66U:/tmp/home/root# ps w | grep pptp
19475 admin      640 S    pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd
19512 admin     1424 S    grep pptp
admin@RT-AC66U:/tmp/home/root#
 
The server is properly running, so I don't see any reason why it wouldn't work, unless you have manually modified the firewall rules, preventing it from working properly.
 
I would like to know if there is any way I can have access to a log file of connections to the VPN side? Is PPTP logged in any way?

Because, I am flashing the latest Asus firmware and import my settings I saved, and with the SAME EXACT settings, the Asus firmware works... but not the Merlin firmware...

So I wonder why the same exact configuration works with the real Asus firmware but not the Merlin firmware.
 
Happy to see I am NOT the only one with this problem...

Posted here, same forum, same version... that guy is doing the same as I am, reverting to the Asus firmware and it works...

You didn't see this post? It's older than mine...

http://forums.smallnetbuilder.com/showthread.php?t=14094
 
It was working fine when I tested it here last week.

The PPTP logfile is in /var/log/pptpd-pppd.log, in addition to what gets logged to syslog itself.

Because, I am flashing the latest Asus firmware and import my settings I saved

If you are switching back and forth between firmwares, do not restore your saved settings after doing a factory default reset, or you will simply be reverting to the same potentially incorrect settings. You have to manually reconfigure everything after a factory default reset.
 
To validate that your firewall is correctly configured, post the output of the following command:

Code:
iptables -L INPUT -v
 
Here you go:

Code:
ASUSWRT-Merlin RT-AC66U_3.0.0.4 Sat Nov 30 23:02:55 UTC 2013
admin@RT-AC66U:/tmp/home/root# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  198  7993 logdrop    all  --  any    any     anywhere             anywhere             state INVALID
12856 1720K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   61  9388 ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
16463 3824K ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
 1609  535K ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:1723
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
 1223 44028 logdrop    all  --  any    any     anywhere             anywhere
admin@RT-AC66U:/tmp/home/root#
 
The firewall is also properly configured, with both TCP1723 and GRE being allowed in. There is nothing on the router side that could explain your failure to connect to its PPTP server, it must be something else in your environment.
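
Added example, not part of the original thread and not Asuswrt-Merlin code: a small shell/awk helper that performs the firewall check discussed above, reporting whether the INPUT chain accepts TCP 1723 and GRE, on which inbound interface, with what packet counter, and whether an unconditional drop precedes the rule. The function names and the embedded sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise the PPTP-relevant rules of `iptables -L INPUT -v`.
# Reads the listing on stdin; accepts wrapped (80-column) and unwrapped rows.
pptp_rule_check() {
    awk '
    function finish_rule(   n, f, rest, i) {
        if (rule == "") return
        n = split(rule, f, " ")
        rest = ""
        for (i = 10; i <= n; i++) rest = rest " " f[i]
        # f[1]=packet counter f[3]=target f[4]=protocol f[6]=inbound interface
        if (f[3] == "ACCEPT" && f[4] == "tcp" && rest ~ /dpt:1723( |$)/ && !tcp)
            tcp = "tcp/1723 ACCEPT in=" f[6] " pkts=" f[1] (dropped ? " AFTER-DROP" : "")
        if (f[3] == "ACCEPT" && (f[4] == "gre" || f[4] == "47") && !gre)
            gre = "gre ACCEPT in=" f[6] " pkts=" f[1] (dropped ? " AFTER-DROP" : "")
        # An unconditional drop makes every later rule unreachable.
        if (f[3] ~ /^(DROP|REJECT|logdrop)$/ && f[4] == "all" && rest == "" &&
            f[6] == "any" && f[8] == "anywhere" && f[9] == "anywhere") dropped = 1
        rule = ""
    }
    /^Chain / || /^ *pkts / { next }
    $1 ~ /^[0-9]+[KMG]?$/ { finish_rule(); rule = $0; next }  # new rule row
    NF > 0 { rule = rule " " $0 }                             # wrapped match text
    END {
        finish_rule()
        print (tcp ? tcp : "tcp/1723 MISSING")
        print (gre ? gre : "gre MISSING")
    }'
}

# Constructed sample in the wrapped layout an 80-column terminal produces.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  198  7993 logdrop    all  --  any    any     anywhere             anywhere
        state INVALID
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere
        tcp dpt:1723
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
 1223 44028 logdrop    all  --  any    any     anywhere             anywhere
EOF
}

sample_listing | pptp_rule_check
```

On a router the same function can be fed with `iptables -L INPUT -v | pptp_rule_check`. A `pkts=0` counter that stays at zero after a connection attempt means no packet has matched that ACCEPT rule, so the `in=` interface and the counters of the drop rules are the next things to compare.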
 
Nothing else... like I said... if I install the Asus firmware, it works...

So I will just toss the Merlin firmware then, and revert to use the Asus firmware, because the ASUS one works.

Thanks for your "attempt" at helping me out.
 
Hi again,

OK, I decided to redo everything, from scratch... not use the save file.

What I did, in that order:

1- Reset the router (power cycle)
2- Flash Asus firmware and test it works
3- Reset the router (power cycle)
4- Flash the latest beta version of Merlin firmware: 3.0.0.4.374.36_beta1 (Merlin build)
5- Test the router.
6- Reset the router (power cycle)
7- Manually reconfigure the whole router.
8- Reset the router (power cycle)
9- Change the WAN MAC address, so I can get a new IP from my ISP
10- Power off router, power cycle cable modem
11- Wait for modem to link with ISP.
12- Power on router
13- Test that the router works, and that it should be working with VPN.

Same exact result.

I didn't tamper in any way with the router, I only configure it with the GUI, and everything I configured works, except the VPN.

I also tried the 2 commands you asked me to test, and the result is the same.

I am also testing that the VPN is going through, with an outside network, and doing a telnet to my WAN router IP on port 1723 is not working.

I am getting a could not enable connection.

I tested the 2 manual port forwarding rules I have, and they both work through telnet.

I know my ISP doesn't block port 1723, because it works with the Asus firmware, not with the Merlin firmware.

Now, the only way I could test that would be to plug the WAN port directly to a laptop I have, and try to connect to the router using port 1723... but I have no DHCP server enabled laptop that could assign an IP address to the WAN port...

Is there anything we can try or do with this?
 
but ps shows only
Code:
5173 admin      640 S    pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options
so no pptpd with pids 5160, 5162, 5171 present.
Is it a normal sequence for pptpd startup?

A lot of services get restarted multiple times during the boot sequence as the WAN interface comes up. That would explain why it got restarted later on - the last instance was running on pid 5173.

Also option for mppe-56 is explicitly removed from "vpn details" tab. Means that a mppe-56 is not supported by router?

This was done by Asus. No idea why.
 
Hi again, so like I said... if I do manual port forwarding to my internal LAN computers, doing a telnet on the WAN interface opens up and shows up as connected (screen blanks up in telnet, waiting for the next command to proceed).

But doing a telnet on 1723 results in a connection error... so I really think that the router isn't listening on the WAN port on port 1723. Is there a way to test this bypassing the ISP? But like I said, it's working with Asus firmware with the same ISP, so I know they don't block the port, and I also checked on DSL Reports regarding Videotron Ltee (my ISP here) and they don't block that port at all, they only block port 80 (to prevent people from hosting web pages on their own).

Need some help.
 
You can set a static WAN IP
IE: 192.168.1.3

And set a static IP on a wired computer connected to the wan port with IP:
192.168.1.2

And then just try to connect directly via IP versus anything else.

Then test everything. Also, you can check the site canyouseeme.org and see if your port is actually open from the outside and connectable.
 
Thanks for the pointer.

I configured the router to use a static IP (192.168.2.1) and configured one of my laptops with 192.168.2.2.

Once done, I did the telnet to the 2 ports I forward internally, and I can connect to them without problem, as expected (with my laptop's Ethernet port plugged directly into the WAN port of the router).

Once I tried to connect to 1723, again, connection not working, so this confirms that the router doesn't listen on port 1723 on the WAN interface with VPN all configured correctly.

There is something wrong, which obviously I can't find. I am sure there is something in the firmware, but I have no knowledge about firmware or troubleshooting it.

Any help, anyone?
 
I had a similar problem and the solution was to set encryption manually.... Did you try to set VPN server encryption to none and see if it does work?
 
