
OpenVPN client connects, but not working (2x RT-AC68U as server&client)


naabo

New Around Here
Hi,
I have a strange problem with the OpenVPN client on an RT-AC68U. At a remote location I have another RT-AC68U running the OpenVPN server (both Merlin 384.13). I can connect to the server and the log shows nothing unusual, but I can't reach any remote devices, including the router (the server is set to LAN only; if I set it to Internet, that stops working as well). But if I use a client (same configuration file) on a Win10 computer and on all my mobile devices (smartphone, tablet), everything works according to the configuration. I've tried different settings on the client side (web GUI), which didn't seem to have any effect on my problem. Since I'm getting a new router (AC86U) for the remote location in a couple of days, I might start fresh with a factory restore (but I have done that when flashing from 380 to 384). Did anyone have similar issues?
 

dave14305

Part of the Furniture
OpenVPN client firewall handling changed in 384.12. Not sure it applies to your situation, but worth a shot. I’m not a VPN user myself.
- CHANGED: Inbound traffic sent to you through an OpenVPN client will now be dropped by default. This can be changed through the new "Inbound Firewall" parameter found on the OpenVPN client page. You should only change this to "Allow" if running a site2site tunnel with a trusted remote server, or if you do expect traffic to be forwarded to you through the tunnel.
 

naabo

New Around Here
Thanks, but changing the parameter to "allow" does not help.

Log (remote link modified):

Code:
Aug 13 07:30:00 ovpn-client1[22858]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Aug 13 07:30:00 ovpn-client1[22858]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Aug 13 07:30:00 ovpn-client1[22877]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 13 07:30:00 ovpn-client1[22877]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.142.x.x:1195
Aug 13 07:30:00 ovpn-client1[22877]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Aug 13 07:30:00 ovpn-client1[22877]: UDP link local: (not bound)
Aug 13 07:30:00 ovpn-client1[22877]: UDP link remote: [AF_INET]89.142.x.x:1195
Aug 13 07:30:02 ovpn-client1[22877]: TLS: Initial packet from [AF_INET]89.142.x.x:1195, sid=848bc32b fd82e04e
Aug 13 07:30:02 ovpn-client1[22877]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Aug 13 07:30:02 ovpn-client1[22877]: VERIFY KU OK
Aug 13 07:30:02 ovpn-client1[22877]: Validating certificate extended key usage
Aug 13 07:30:02 ovpn-client1[22877]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 13 07:30:02 ovpn-client1[22877]: VERIFY EKU OK
Aug 13 07:30:02 ovpn-client1[22877]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Aug 13 07:30:02 ovpn-client1[22877]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA
Aug 13 07:30:02 ovpn-client1[22877]: [RT-AC68U] Peer Connection Initiated with [AF_INET]89.142.x.x:1195
Aug 13 07:30:03 ovpn-client1[22877]: SENT CONTROL [RT-AC68U]: 'PUSH_REQUEST' (status=1)
Aug 13 07:30:03 ovpn-client1[22877]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.3 255.255.255.0,peer-id 1,cipher AES-128-GCM'
Aug 13 07:30:03 ovpn-client1[22877]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 13 07:30:03 ovpn-client1[22877]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 13 07:30:03 ovpn-client1[22877]: OPTIONS IMPORT: route options modified
Aug 13 07:30:03 ovpn-client1[22877]: OPTIONS IMPORT: route-related options modified
Aug 13 07:30:03 ovpn-client1[22877]: OPTIONS IMPORT: peer-id set
Aug 13 07:30:03 ovpn-client1[22877]: OPTIONS IMPORT: adjusting link_mtu to 1624
Aug 13 07:30:03 ovpn-client1[22877]: OPTIONS IMPORT: data channel crypto options modified
Aug 13 07:30:03 ovpn-client1[22877]: Data Channel: using negotiated cipher 'AES-128-GCM'
Aug 13 07:30:03 ovpn-client1[22877]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Aug 13 07:30:03 ovpn-client1[22877]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Aug 13 07:30:03 ovpn-client1[22877]: TUN/TAP device tun11 opened
Aug 13 07:30:03 ovpn-client1[22877]: TUN/TAP TX queue length set to 1000
Aug 13 07:30:03 ovpn-client1[22877]: /usr/sbin/ip link set dev tun11 up mtu 1500
Aug 13 07:30:04 ovpn-client1[22877]: /usr/sbin/ip addr add dev tun11 10.16.0.3/24 broadcast 10.16.0.255
Aug 13 07:30:04 ovpn-client1[22877]: updown.sh tun11 1500 1552 10.16.0.3 255.255.255.0 init
Aug 13 07:30:06 ovpn-client1[22877]: /usr/sbin/ip route add 192.168.2.0/24 metric 500 via 10.16.0.1
Aug 13 07:30:06 ovpn-client1[22877]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 13 07:30:06 ovpn-client1[22877]: Initialization Sequence Completed

One thing I changed recently on the remote-location router was adding a tagged VLAN so my IPTV STB works through a router LAN port. Anyway, I'm starting from scratch when I receive the new router and will try to set up OpenVPN before any other configuration. Not sure though if it's a server-side problem, as I can connect with my mobile devices and PC without problems.
 

naabo

New Around Here
Factory restoring the remote router did not help either.

With the Windows client I can connect and access the remote network.
Log from the remote router when connecting:
Code:
Aug 16 10:50:48 ovpn-server2[5408]: TCP connection established with [AF_INET6]::ffff:89.212.x.x:62777
Aug 16 10:50:49 ovpn-server2[5408]: 89.212.x.x:62777 TLS: Initial packet from [AF_INET6]::ffff:89.212.x.x:62777, sid=cb8b9660 f8c010f8
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_VER=2.4.6
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_PLAT=win
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_PROTO=2
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_NCP=2
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_LZ4=1
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_LZ4v2=1
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_LZO=1
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_COMP_STUB=1
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_COMP_STUBv2=1
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_TCPNL=1
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_GUI_VER=OpenVPN_GUI_11
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 1024 bit RSA
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 [client] Peer Connection Initiated with [AF_INET6]::ffff:89.212.x.x:62777
Aug 16 10:50:50 ovpn-server2[5408]: client/89.212.x.x:62777 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Aug 16 10:50:50 ovpn-server2[5408]: client/89.212.x.x:62777 MULTI: Learn: 10.16.0.2 -> client/89.212.x.x:62777
Aug 16 10:50:50 ovpn-server2[5408]: client/89.212.x.x:62777 MULTI: primary virtual IP for client/89.212.x.x:62777: 10.16.0.2
Aug 16 10:50:51 ovpn-server2[5408]: client/89.212.x.x:62777 PUSH: Received control message: 'PUSH_REQUEST'
Aug 16 10:50:51 ovpn-server2[5408]: client/89.212.x.x:62777 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.2.1,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Aug 16 10:50:51 ovpn-server2[5408]: client/89.212.x.x:62777 Data Channel: using negotiated cipher 'AES-128-GCM'
Aug 16 10:50:51 ovpn-server2[5408]: client/89.212.x.x:62777 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Aug 16 10:50:51 ovpn-server2[5408]: client/89.212.x.x:62777 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key

Connected with the router, I can't access anything.
Log:
Code:
Aug 16 10:57:39 ovpn-server2[5408]: TCP connection established with [AF_INET6]::ffff:89.212.x.x:51493
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 TLS: Initial packet from [AF_INET6]::ffff:89.212.x.x:51493, sid=d4f7b1db 89956d6c
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_VER=2.4.7
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_PLAT=linux
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_PROTO=2
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_NCP=2
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_LZ4=1
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_LZ4v2=1
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_LZO=1
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_COMP_STUB=1
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_COMP_STUBv2=1
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_TCPNL=1
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 [client] Peer Connection Initiated with [AF_INET6]::ffff:89.212.x.x:51493
Aug 16 10:57:40 ovpn-server2[5408]: client/89.212.x.x:51493 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Aug 16 10:57:40 ovpn-server2[5408]: client/89.212.x.x:51493 MULTI: Learn: 10.16.0.2 -> client/89.212.x.x:51493
Aug 16 10:57:40 ovpn-server2[5408]: client/89.212.x.x:51493 MULTI: primary virtual IP for client/89.212.x.x:51493: 10.16.0.2
Aug 16 10:57:41 ovpn-server2[5408]: client/89.212.x.x:51493 PUSH: Received control message: 'PUSH_REQUEST'
Aug 16 10:57:41 ovpn-server2[5408]: client/89.212.x.x:51493 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.2.1,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Aug 16 10:57:41 ovpn-server2[5408]: client/89.212.x.x:51493 Data Channel: using negotiated cipher 'AES-128-GCM'
Aug 16 10:57:41 ovpn-server2[5408]: client/89.212.x.x:51493 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Aug 16 10:57:41 ovpn-server2[5408]: client/89.212.x.x:51493 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key

Not sure if this is of any help understanding what's going on.
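The three logs in this thread already answer one question: is the break on the server side or on the client router? The script below is an added example for this thread, not code from the thread or from Asuswrt-Merlin. It parses trimmed copies of the logs posted above (embedded as constructed sample input, same x.x redactions), checks on the client-side log that every route and address the server pushed was actually installed, compares the two server-side sessions (Windows client vs. router client) to see whether the server treated them differently, and flags the 1024-bit RSA key OpenVPN reports for the peer certificate in every session. Function and key names are the example's own.

```python
"""Triage an OpenVPN 'connected but nothing reachable' tunnel from syslog alone.
Added example for this thread; the sample logs are trimmed copies of the lines
posted above (same x.x redactions), embedded so the script runs offline."""
import re

CLIENT_LOG = """\
Aug 13 07:30:02 ovpn-client1[22877]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA
Aug 13 07:30:03 ovpn-client1[22877]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.3 255.255.255.0,peer-id 1,cipher AES-128-GCM'
Aug 13 07:30:04 ovpn-client1[22877]: /usr/sbin/ip addr add dev tun11 10.16.0.3/24 broadcast 10.16.0.255
Aug 13 07:30:06 ovpn-client1[22877]: /usr/sbin/ip route add 192.168.2.0/24 metric 500 via 10.16.0.1
Aug 13 07:30:06 ovpn-client1[22877]: Initialization Sequence Completed
"""

# Server-side view of the working Windows client session, then of the
# non-working router-client session (same server, same configuration).
SERVER_LOG_WIN = """\
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_VER=2.4.6
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 peer info: IV_PLAT=win
Aug 16 10:50:50 ovpn-server2[5408]: 89.212.x.x:62777 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 1024 bit RSA
Aug 16 10:50:50 ovpn-server2[5408]: client/89.212.x.x:62777 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Aug 16 10:50:51 ovpn-server2[5408]: client/89.212.x.x:62777 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.2.1,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
"""
SERVER_LOG_ROUTER = """\
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_VER=2.4.7
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 peer info: IV_PLAT=linux
Aug 16 10:57:40 ovpn-server2[5408]: 89.212.x.x:51493 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 1024 bit RSA
Aug 16 10:57:40 ovpn-server2[5408]: client/89.212.x.x:51493 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Aug 16 10:57:41 ovpn-server2[5408]: client/89.212.x.x:51493 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.2.1,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
"""

PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
ROUTE_ADD_RE = re.compile(r"ip route add (\S+)(?: metric \d+)? via (\S+)")
ADDR_ADD_RE = re.compile(r"ip addr add dev (\S+) (\S+)")
CTRL_RE = re.compile(r"Control Channel: (TLSv[\d.]+),.*?, (\d+) bit (\w+)")
PEER_RE = re.compile(r"peer info: (IV_\w+)=(\S+)")
POOL_RE = re.compile(r"pool returned IPv4=([\d.]+)")


def mask_to_prefix(mask):
    """'255.255.255.0' -> 24, so pushed routes compare against the CIDRs 'ip route add' logs."""
    return sum(bin(int(o)).count("1") for o in mask.split("."))


def pushed_options(log):
    """Parse the PUSH_REPLY option list (sent by the server / received by the client)."""
    m = PUSH_RE.search(log)
    if not m:
        return None
    opts = {"routes": [], "dns": [], "redirect_gateway": False}
    for opt in m.group(1).split(","):
        tok = opt.split() or [""]
        if tok[0] == "route":
            opts["routes"].append(f"{tok[1]}/{mask_to_prefix(tok[2])}")
        elif tok[0] == "ifconfig":
            opts["ifconfig"] = f"{tok[1]}/{mask_to_prefix(tok[2])}"
        elif tok[0] == "route-gateway":
            opts["route_gateway"] = tok[1]
        elif tok[0] == "redirect-gateway":
            opts["redirect_gateway"] = True
        elif tok[0] == "dhcp-option" and tok[1] == "DNS":
            opts["dns"].append(tok[2])
    return opts


def control_channel(log):
    """TLS version and peer-certificate key size; RSA below 2048 bits is flagged as weak."""
    m = CTRL_RE.search(log)
    if not m:
        return {}
    tls, bits, alg = m.group(1), int(m.group(2)), m.group(3)
    return {"tls": tls, "pk_bits": bits, "weak_pk": alg == "RSA" and bits < 2048}


def triage_client(log):
    """Client side: was every pushed route, and the tunnel address, actually installed?"""
    push = pushed_options(log) or {"routes": [], "redirect_gateway": False}
    installed = dict(ROUTE_ADD_RE.findall(log))  # {cidr: via}
    addr = ADDR_ADD_RE.search(log)
    return {
        "pushed_routes": push["routes"],
        "installed_routes": installed,
        "missing_routes": [r for r in push["routes"] if r not in installed],
        "redirect_gateway": push["redirect_gateway"],
        "tun_dev": addr.group(1) if addr else None,
        "tun_addr": addr.group(2) if addr else None,
        "addr_matches_push": bool(addr) and addr.group(2) == push.get("ifconfig"),
        "completed": "Initialization Sequence Completed" in log,
        **control_channel(log),
    }


def compare_server_sessions(log_a, log_b):
    """Server side: did two clients get the same push and pool address, and what differs?"""
    def facts(log):
        f = dict(PEER_RE.findall(log))
        pool = POOL_RE.search(log)
        f["pool_ip"] = pool.group(1) if pool else None
        f["tls"] = control_channel(log).get("tls")
        f["push"] = pushed_options(log)
        return f
    a, b = facts(log_a), facts(log_b)
    differs = {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
    return {"push_identical": a["push"] == b["push"],
            "same_pool_ip": a["pool_ip"] == b["pool_ip"], "differs": differs}
```

Run against these samples, `triage_client` reports no missing routes (192.168.2.0/24 via 10.16.0.1 was installed on tun11, and 10.16.0.3/24 matches the pushed ifconfig), and `compare_server_sessions` reports an identical push and the same pool address for both clients, with only IV_VER, IV_PLAT and the negotiated TLS version differing. That is the evidence that the server is not the problem: the tunnel is up and routed on the client router, so what remains is forwarding, firewall or policy routing on that router, which the OpenVPN log does not record. Both logs also show a 1024-bit RSA peer certificate; that is below the 2048-bit minimum current guidance requires, so regenerating the server certificate is worth doing when the remote router is rebuilt.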
 

naabo

New Around Here
Just to let you know that I solved my problem by downgrading both routers to 384.9 (just because it is known to work) and doing a factory reset/initialize. My guess would be that something was not right with the client-side router, so it might have worked even if I had just factory restored that one (without downgrading).
 

naabo

New Around Here
A few more observations on this: the fw version does not really matter (I now have the latest version), but apparently it only works the first time the client gets configured. If I change any setting on the client (e.g. forgot to set the inbound firewall to "allow" for a site-to-site configuration), even changing it back results in it not working anymore (connected but nothing reachable). It doesn't help to reboot the router (soft or hard, one or both), to default the client and load the configuration file again, or to set up the server again. The only thing that works is initializing the router. Reading other posts (https://www.snbforums.com/threads/solved-rt-ac68u-how-to-reset-openvpn-server.25806/), the router might have stored OpenVPN info that causes the client to stop functioning if any setting is changed, and that does not get deleted by a reboot or any other reconfiguration. The solution would probably be to SSH into the router.
 
