OpenVPN for IPTV


tuanity

New Around Here
Hi Everyone!

First time posting here, but longtime lurker. Really love this community and it's been incredibly resourceful.

As an intro, I am currently using a single RT-AC68U on AsusWRT-Merlin 384.19.

So I have an IPTV service with my local ISP provider. It requires that I be connected to the Internet on the ISP's IP Address in order to have access to the IPTV app on an Amazon Firestick 4K. I have set up OpenVPN client on the firestick, and was able to connect to the OpenVPN Profile using the Configuration File provided in Asus Merlin Interface. OpenVPN indicates on the Firestick that it is connected, and shows the correct IP address. However, whenever I open the IPTV app (Android TV), it attempts for several seconds to connect to the Internet (ISP server), but then fails, and says "No network connection".

What could be causing this? Thanks in advance for your help!

Here's what I've done:

- Enabled "OpenVPN Server" and chosen "Both" for "Client will use VPN to access".
- Created Username and Password in the VPN Server page.
- Exported OpenVPN configuration file, imported ovpn profile file in the OpenVPN Client on the Firestick. (Connects successfully)
- Port 1194, UDP, TUN, Subnet 10.8.0.0

I have not used DDNS or any of the certifications. Could that be the issue?

TLDR: I would like to use my IPTV service when I'm outside my home network. It requires that I use my ISP's IP Address. How do I solve this using OpenVPN on AsusWRT Merlin?
 

elorimer

Very Senior Member
Haven't used a firestick, but a couple of things come to mind. First would be to look at whatever log there might be on the firestick to see if you get a hint at what is failing. My first thought was that the route might not be added. My second was some kind of compression mismatch, which would mean you made a successful connection but no traffic flowed. My third was that the firestick ovpn client needs to be 2.4 or higher.

I didn't quite follow what "the correct IP address" was.

If you have a static WAN IP for the router, you don't need ddns. But if the WAN IP might change, you should add the Asus DDNS and stick that in your .ovpn config file.

You could also set the client access from "Both" to "Internet" and it should work. A lurking issue with your setup is that without certificates you have a vulnerable access to your home network. But first you can get it working, and then you can harden it.
 

tuanity

New Around Here
Hi, thanks for your reply!

I am not able to gain access to an event log on the firestick. However, I did find some interesting logs on the router. My firestick ovpn is also on the latest version 3.2.1.
This does not only happen on the IPTV app, but also on youtube for example. Once the OpenVPN profile is connected, the bandwidth is so low that it's unable to load anything.

This is a snippet of the error event log in the Router Interface.

Code:
Jan 22 12:20:24 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 22:96:83:D2:6B:AC, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 22 12:20:24 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 22:96:83:D2:6B:AC, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jan 22 12:20:26 ovpn-server1[14824]: TLS: Initial packet from [AF_INET], sid=b185bd22 31e7ea62
Jan 22 12:20:36 ovpn-server1[14824]: TLS: Initial packet from [AF_INET], sid=c53252a6 658b7efa
Jan 22 12:20:38 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind C8:6C:3D:5F:0F:8F, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 22 12:20:44 ovpn-server1[14824]: TLS: Initial packet from [AF_INET], sid=d5e2ceca bc2e77c3
Jan 22 12:20:45 ovpn-server1[14824]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AC68U, [email protected]
Jan 22 12:20:45 ovpn-server1[14824]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, [email protected]
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_VER=3.git:released:a290b87d:Release
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_PLAT=android
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_NCP=2
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_TCPNL=1
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_PROTO=2
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_LZO_STUB=1
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_COMP_STUB=1
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_COMP_STUBv2=1
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.1-4961
Jan 22 12:20:45 ovpn-server1[14824]: peer info: IV_SSO=openurl
Jan 22 12:20:45 ovpn-server1[14824]: PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jan 22 12:20:45 ovpn-server1[14824]: TLS: Username/Password authentication succeeded for username ''
Jan 22 12:20:45 ovpn-server1[14824]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1559'
Jan 22 12:20:45 ovpn-server1[14824]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
Jan 22 12:20:45 ovpn-server1[14824]: [client] Peer Connection Initiated with [AF_INET]
Jan 22 12:20:45 ovpn-server1[14824]: client/ MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan 22 12:20:45 ovpn-server1[14824]: client/ MULTI: Learn: 10.8.0.2 -> client/
Jan 22 12:20:45 ovpn-server1[14824]: client/ MULTI: primary virtual IP for client/: 10.8.0.2
Jan 22 12:20:45 ovpn-server1[14824]: client/ PUSH: Received control message: 'PUSH_REQUEST'
Jan 22 12:20:45 ovpn-server1[14824]: client/ SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 3,cipher AES-128-GCM' (status=1)
Jan 22 12:20:45 ovpn-server1[14824]: client/ Data Channel: using negotiated cipher 'AES-128-GCM'
Jan 22 12:20:45 ovpn-server1[14824]: client/ Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jan 22 12:20:45 ovpn-server1[14824]: client/ Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jan 22 12:21:16 ovpn-server1[14824]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 22 12:21:16 ovpn-server1[14824]: TLS Error: TLS handshake failed
Jan 22 12:21:16 ovpn-server1[14824]: SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 22 12:21:27 ovpn-server1[14824]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 22 12:21:27 ovpn-server1[14824]: TLS Error: TLS handshake failed
Jan 22 12:21:27 ovpn-server1[14824]: SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 22 12:21:36 ovpn-server1[14824]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 22 12:21:36 ovpn-server1[14824]: TLS Error: TLS handshake failed
Jan 22 12:21:36 ovpn-server1[14824]: SIGUSR1[soft,tls-error] received, client-instance restarting

I receive 100mbps/30mbps directly from the modem.
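
Added example, not part of the original post: a small Python triage of the `ovpn-server1` lines in a router log like the one above. It counts handshakes started, completed and timed out, and pulls out option-mismatch warnings and whether a full-tunnel route was pushed. The sample lines are adapted from the log above (PUSH_REPLY shortened); the function and field names are assumptions made for this example.

```python
import re
from collections import Counter

# Sample lines adapted from the router log quoted above (PUSH_REPLY shortened).
# Peer addresses are blank there too, so events cannot be keyed by client.
SAMPLE = """\
Jan 22 12:20:24 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind C8:6C:3D:5F:0F:8F, status: 0
Jan 22 12:20:26 ovpn-server1[14824]: TLS: Initial packet from [AF_INET], sid=b185bd22 31e7ea62
Jan 22 12:20:44 ovpn-server1[14824]: TLS: Initial packet from [AF_INET], sid=d5e2ceca bc2e77c3
Jan 22 12:20:45 ovpn-server1[14824]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1559'
Jan 22 12:20:45 ovpn-server1[14824]: [client] Peer Connection Initiated with [AF_INET]
Jan 22 12:20:45 ovpn-server1[14824]: client/ SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,topology subnet,ifconfig 10.8.0.2 255.255.255.0' (status=1)
Jan 22 12:21:27 ovpn-server1[14824]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

EVENTS = {
    "handshake_start": re.compile(r"TLS: Initial packet from"),
    "handshake_done": re.compile(r"Peer Connection Initiated"),
    "handshake_timeout": re.compile(r"TLS key negotiation failed"),
}
MISMATCH = re.compile(
    r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
PUSH = re.compile(r"PUSH_REPLY,([^']*)'")


def triage(log_text):
    """Summarise the OpenVPN server lines of a syslog excerpt."""
    counts, mismatches, pushed = Counter(), [], []
    for line in log_text.splitlines():
        if "ovpn-server" not in line:
            continue  # skip wireless (WLCEVENTD) and other daemons
        for name, rx in EVENTS.items():
            if rx.search(line):
                counts[name] += 1
        m = MISMATCH.search(line)
        if m:
            mismatches.append(m.groups())  # (option, local value, remote value)
        p = PUSH.search(line)
        if p:
            pushed = p.group(1).split(",")
    return {
        "counts": dict(counts),
        "mismatches": mismatches,
        # redirect-gateway means the client is told to send all traffic via the tunnel
        "full_tunnel": any(o.startswith("redirect-gateway") for o in pushed),
        "unfinished": counts["handshake_start"] - counts["handshake_done"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```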
 


bluzfanmr1

Senior Member
If your ISP requires you to be on their IP address, and you are using a VPN, isn't that masking the true IP address you are connecting from? Or am I misunderstanding something?

Does it work without the VPN connection?
 

tuanity

New Around Here
If your ISP requires you to be on their IP address, and you are using a VPN, isn't that masking the true IP address you are connecting from? Or am I misunderstanding something?

Does it work without the VPN connection?

So this works without any issues within my home network, since it's always on the ISP's IP Address from the Modem's Wan IP. I am looking to have access to this IPTV service from outside my home network, whenever I'm at a different location that's using a different ISP.

I am unsure if an openvpn server is the solution to my problem. I don't really know about other options. I am basically trying to bridge my home internet connection to another location that's on a different provider.
 

bluzfanmr1

Senior Member
So this works without any issues within my home network, since it's always on the ISP's IP Address from the Modem's Wan IP. I am looking to have access to this IPTV service from outside my home network, whenever I'm at a different location that's using a different ISP.

I am unsure if an openvpn server is the solution to my problem. I don't really know about other options. I am basically trying to bridge my home internet connection to another location that's on a different provider.

Have you tried connecting to the openvpn server via another client i.e. phone or laptop? That might tell you whether it's just the firestick or something with the server setup. I use the openvpn server on my router when I'm away but I think the IP I get on the client device is an IP of the local network (hotel etc), which could explain the no network connection response.
 

elorimer

Very Senior Member
I think the IP I get on the client device is an IP of the local network (hotel etc),
Yes and no. You have at least 3. But as far as the ISP is concerned they shouldn't know anything but that the traffic is coming from the router.
 

elorimer

Very Senior Member
Jan 22 12:21:16 ovpn-server1[14824]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 22 12:21:16 ovpn-server1[14824]: TLS Error: TLS handshake failed
Jan 22 12:21:16 ovpn-server1[14824]: SIGUSR1[soft,tls-error] received, client-instance restarting
You aren't getting connected all the way. Check to be sure your exported .ovpn file has the keys--sometimes the export doesn't contain the keys.
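
One way to run the check suggested above, as an added example that is not from the thread or from Asuswrt-Merlin: a Python audit of an exported `.ovpn` profile for its `<ca>`, `<cert>` and `<key>` material. The server log earlier in the thread shows a client certificate being verified (`VERIFY OK: depth=0 ... CN=client`), so a profile for that server needs all three; the sample profile, hostname and function names are constructed for illustration.

```python
import re

# Constructed profile (not a real certificate): <ca> carries PEM-shaped data,
# <cert> holds only placeholder text, and there is no <key> block at all.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder
-----END CERTIFICATE-----
</ca>
<cert>
paste client certificate here
</cert>
"""

PEM = re.compile(r"-----BEGIN [A-Z ]+-----.+?-----END [A-Z ]+-----", re.S)


def audit_ovpn(text):
    """Return {item: status} for the credential material a profile carries."""
    report = {}
    for tag in ("ca", "cert", "key"):
        block = re.search(rf"<{tag}>(.*?)</{tag}>", text, re.S)
        directive = re.search(rf"^[ \t]*{tag}[ \t]+\S+", text, re.M)
        if block and PEM.search(block.group(1)):
            report[tag] = "inline"
        elif block:
            report[tag] = "empty"      # tag present but no PEM data inside
        elif directive:
            report[tag] = "external"   # points at a separate file to ship along
        else:
            report[tag] = "missing"
    report["auth-user-pass"] = bool(
        re.search(r"^[ \t]*auth-user-pass\b", text, re.M))
    return report


def missing_material(report):
    """List the items a certificate-verifying server would find absent."""
    return [t for t in ("ca", "cert", "key") if report[t] in ("empty", "missing")]


if __name__ == "__main__":
    rep = audit_ovpn(SAMPLE_OVPN)
    print(rep, missing_material(rep))
```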
 

netware5

Very Senior Member
You may wish to try OpenVPN server with TAP interface.
 

elorimer

Very Senior Member
You may wish to try OpenVPN server with TAP interface.
I don't think that should be necessary here and has its own problems.
 
