OpenVPN issues and questions

Koguma
Hi All,
I use a decent VPN on my Windows box and decided to set up the Merlin OpenVPN client on my Asus AC-3200 with the latest 384.6 that just came out.

The config went well, and there are no errors in the logs, except it doesn't actually relay any traffic via the VPN. When I try to send ALL traffic via the VPN, I don't get any connection at all. When I choose specific routing, and blocking non-VPN traffic for a specific IP, neither of those things happen.

When I ssh into the router, I notice that one VPN route gets added, but no route for the specific IP I specified in the web interface gets added.

I'm not sure exactly why it's not working, but my suspicion is that it's a routing or iptables rule that's missing somewhere.

If anyone has any suggestions, that would be great.
 
You're not giving us anything to work with. No logs. Not even a mention of the VPN provider. Config obviously did not go well!
 
Pardon the omission, I was hoping that this was a known issue and there would be a quick fix. Apparently not.
The VPN provider is BolehVPN (bolehvpn.net). I've been using them for a number of years with no issues. Currently, I'm using their Netflix profile (without encryption).
Jul 29 17:27:42 rc_service: httpd 290:notify_rc start_vpnclient1
Jul 29 17:27:44 ovpn-client1[27718]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 25 2018
Jul 29 17:27:44 ovpn-client1[27718]: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.08
Jul 29 17:27:44 ovpn-client1[27719]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 29 17:27:44 ovpn-client1[27719]: ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Jul 29 17:27:44 ovpn-client1[27719]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 29 17:27:44 ovpn-client1[27719]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 29 17:27:44 ovpn-client1[27719]: TCP/UDP: Preserving recently used remote address: [AF_INET]43.249.39.232:8080
Jul 29 17:27:44 ovpn-client1[27719]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jul 29 17:27:44 ovpn-client1[27719]: UDP link local: (not bound)
Jul 29 17:27:44 ovpn-client1[27719]: UDP link remote: [AF_INET]43.249.39.232:8080
Jul 29 17:27:44 ovpn-client1[27719]: TLS: Initial packet from [AF_INET]43.249.39.232:8080, sid=846ddd6b 7b878a11
Jul 29 17:27:44 ovpn-client1[27719]: VERIFY OK: depth=2, CN=BVInternet RSA ROOT CA
Jul 29 17:27:44 ovpn-client1[27719]: VERIFY OK: depth=1, CN=BVInternet Secure-VPN-Server CA
Jul 29 17:27:44 ovpn-client1[27719]: VERIFY X509NAME OK: CN=bviserver
Jul 29 17:27:44 ovpn-client1[27719]: VERIFY OK: depth=0, CN=bviserver
Jul 29 17:27:47 ovpn-client1[27719]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1526', remote='link-mtu 1525'
Jul 29 17:27:47 ovpn-client1[27719]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jul 29 17:27:47 ovpn-client1[27719]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA256, 4096 bit RSA
Jul 29 17:27:47 ovpn-client1[27719]: [bviserver] Peer Connection Initiated with [AF_INET]43.249.39.232:8080
Jul 29 17:27:48 ovpn-client1[27719]: SENT CONTROL [bviserver]: 'PUSH_REQUEST' (status=1)
Jul 29 17:27:50 ovpn-client1[27719]: PUSH: Received control message: 'PUSH_REPLY,persist-tun,persist-key,sndbuf 256000,rcvbuf 256000,dhcp-option DNS 163.182.172.123,route-gateway 172.16.21.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.21.218 255.255.255.0,peer-id 0'
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jul 29 17:27:50 ovpn-client1[27719]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: --persist options modified
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: route-related options modified
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: peer-id set
Jul 29 17:27:50 ovpn-client1[27719]: OPTIONS IMPORT: adjusting link_mtu to 1625
Jul 29 17:27:50 ovpn-client1[27719]: ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Jul 29 17:27:50 ovpn-client1[27719]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 29 17:27:50 ovpn-client1[27719]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 29 17:27:50 ovpn-client1[27719]: TUN/TAP device tun11 opened
Jul 29 17:27:50 ovpn-client1[27719]: TUN/TAP TX queue length set to 100
Jul 29 17:27:50 ovpn-client1[27719]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jul 29 17:27:50 ovpn-client1[27719]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jul 29 17:27:50 ovpn-client1[27719]: /usr/sbin/ip addr add dev tun11 172.16.21.218/24 broadcast 172.16.21.255
Jul 29 17:27:50 ovpn-client1[27719]: updown.sh tun11 1500 1529 172.16.21.218 255.255.255.0 init
Jul 29 17:27:50 rc_service: service 27777:notify_rc updateresolv
Jul 29 17:27:51 dnsmasq[27783]: warning: no upstream servers configured
Jul 29 17:27:53 openvpn-routing: Configuring policy rules for client 1
Jul 29 17:27:54 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Jul 29 17:27:54 openvpn-routing: WARNING: no VPN gateway provided, routing might not work properly!
Jul 29 17:27:54 ovpn-client1[27719]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 29 17:27:54 ovpn-client1[27719]: Initialization Sequence Completed
Jul 29 17:28:51 ovpn-client1[27719]: [bviserver] Inactivity timeout (--ping-restart), restarting
Jul 29 17:28:51 ovpn-client1[27719]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 29 17:28:51 ovpn-client1[27719]: Restart pause, 5 second(s)
Jul 29 17:28:56 ovpn-client1[27719]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 29 17:28:56 ovpn-client1[27719]: TCP/UDP: Preserving recently used remote address: [AF_INET]43.249.39.232:8080
Jul 29 17:28:56 ovpn-client1[27719]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Jul 29 17:28:56 ovpn-client1[27719]: UDP link local: (not bound)
Jul 29 17:28:56 ovpn-client1[27719]: UDP link remote: [AF_INET]43.249.39.232:8080
Jul 29 17:28:56 ovpn-client1[27719]: TLS: Initial packet from [AF_INET]43.249.39.232:8080, sid=b181c67d 7ac6d758
Jul 29 17:28:56 ovpn-client1[27719]: VERIFY OK: depth=2, CN=BVInternet RSA ROOT CA
Jul 29 17:28:56 ovpn-client1[27719]: VERIFY OK: depth=1, CN=BVInternet Secure-VPN-Server CA
Jul 29 17:28:56 ovpn-client1[27719]: VERIFY X509NAME OK: CN=bviserver
Jul 29 17:28:56 ovpn-client1[27719]: VERIFY OK: depth=0, CN=bviserver
Jul 29 17:28:58 ovpn-client1[27719]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1526', remote='link-mtu 1525'
Jul 29 17:28:58 ovpn-client1[27719]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jul 29 17:28:58 ovpn-client1[27719]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-SHA256, 4096 bit RSA
Jul 29 17:28:58 ovpn-client1[27719]: [bviserver] Peer Connection Initiated with [AF_INET]43.249.39.232:8080
Jul 29 17:28:59 ovpn-client1[27719]: SENT CONTROL [bviserver]: 'PUSH_REQUEST' (status=1)
Jul 29 17:29:05 ovpn-client1[27719]: SENT CONTROL [bviserver]: 'PUSH_REQUEST' (status=1)
Jul 29 17:29:10 ovpn-client1[27719]: SENT CONTROL [bviserver]: 'PUSH_REQUEST' (status=1)
Jul 29 17:29:11 ovpn-client1[27719]: PUSH: Received control message: 'PUSH_REPLY,persist-tun,persist-key,sndbuf 256000,rcvbuf 256000,dhcp-option DNS 163.182.172.123,route-gateway 172.16.21.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.21.218 255.255.255.0,peer-id 3'
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jul 29 17:29:11 ovpn-client1[27719]: Socket Buffers: R=[245760->245760] S=[245760->245760]
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: --persist options modified
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: route-related options modified
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: peer-id set
Jul 29 17:29:11 ovpn-client1[27719]: OPTIONS IMPORT: adjusting link_mtu to 1625
Jul 29 17:29:11 ovpn-client1[27719]: ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Jul 29 17:29:11 ovpn-client1[27719]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 29 17:29:11 ovpn-client1[27719]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 29 17:29:11 ovpn-client1[27719]: Preserving previous TUN/TAP instance: tun11
Jul 29 17:29:11 ovpn-client1[27719]: Initialization Sequence Completed

On the VPN Status page, I see: OpenVPN Boleh_Netflix - Connected (43.249.39.232 udp:8080)
One concerning thing though, under VPN Client, I see: Connected (Local: 172.16.21.218 - Public: unknown)

Any ideas?
 
I had a quick look at Boleh VPN and they have a fairly comprehensive guide for setting up in Merlin.

https://www.bolehvpn.net/clients-installations/#1487691248224-0c435dba-d612

Did you set up your configuration by following that guide rigorously? If not, clear and redo the whole process. Looking at your log file, these lines stand out.

Jul 29 17:27:50 ovpn-client1[27719]: ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!

That line makes me wonder whether you have followed your provider's setup guide properly. I can't imagine why a provider or a customer would want this.

Jul 29 17:27:51 dnsmasq[27783]: warning: no upstream servers configured
Jul 29 17:27:53 openvpn-routing: Configuring policy rules for client 1
Jul 29 17:27:54 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Jul 29 17:27:54 openvpn-routing: WARNING: no VPN gateway provided, routing might not work properly!


No upstream DNS and no VPN gateway? Better start again on the config. I notice your provider's guide for Merlin invites you to contact their help desk with problems. Start again, follow instructions to the letter and if you get similar problems talk with their help desk.
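
Added example, not part of any post in this thread: a small triage script that runs over lines copied from the log posted above, tags the encryption, DNS and routing warnings discussed here, and parses the server's PUSH_REPLY to show which options were pushed. The tag names and the `triage` function are hypothetical, chosen for this example.

```python
import re

# Lines copied from the log posted in this thread (syslog prefix kept).
SAMPLE_LOG = """\
Jul 29 17:27:44 ovpn-client1[27719]: ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Jul 29 17:27:47 ovpn-client1[27719]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jul 29 17:27:50 ovpn-client1[27719]: PUSH: Received control message: 'PUSH_REPLY,persist-tun,persist-key,sndbuf 256000,rcvbuf 256000,dhcp-option DNS 163.182.172.123,route-gateway 172.16.21.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.21.218 255.255.255.0,peer-id 0'
Jul 29 17:27:50 ovpn-client1[27719]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 29 17:27:51 dnsmasq[27783]: warning: no upstream servers configured
Jul 29 17:27:54 openvpn-routing: WARNING: no VPN gateway provided, routing might not work properly!
Jul 29 17:28:51 ovpn-client1[27719]: [bviserver] Inactivity timeout (--ping-restart), restarting
"""

# (tag, pattern) pairs; the tags are labels chosen for this example.
RULES = [
    ("cleartext-tunnel", re.compile(r"'--cipher none' was specified")),
    ("compression-mismatch", re.compile(r"'comp-lzo' is present in local config but missing")),
    ("sha1-hmac", re.compile(r"Data Channel: Using 160 bit message hash 'SHA1'")),
    ("no-upstream-dns", re.compile(r"dnsmasq\[\d+\]: warning: no upstream servers")),
    ("no-vpn-gateway", re.compile(r"openvpn-routing: WARNING: no VPN gateway provided")),
    ("tunnel-stalled", re.compile(r"Inactivity timeout \(--ping-restart\)")),
]
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")

def triage(log_text):
    """Return (sorted finding tags, options dict from the last PUSH_REPLY)."""
    findings, pushed = set(), {}
    for line in log_text.splitlines():
        for tag, pattern in RULES:
            if pattern.search(line):
                findings.add(tag)
        m = PUSH_RE.search(line)
        if m:
            pushed = {}
            for opt in m.group(1).split(","):
                name, _, value = opt.partition(" ")
                pushed.setdefault(name, []).append(value)
    # A server that pushes neither option leaves default routing to the client config.
    if pushed and not ({"redirect-gateway", "route"} & pushed.keys()):
        findings.add("no-pushed-routes")
    return sorted(findings), pushed

if __name__ == "__main__":
    tags, pushed = triage(SAMPLE_LOG)
    print("findings:", ", ".join(tags))
    print("pushed DNS:", pushed.get("dhcp-option"))
```

On this log the PUSH_REPLY carries a DNS server and a `route-gateway` but no `redirect-gateway` or `route` option, so any default route through the tunnel has to come from the client-side configuration or the router's policy rules.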
 
Yes, this is the guide I followed. Encryption isn't necessary for Netflix streaming. I confirmed it with their support, this is intended behavior.

The darndest thing... it suddenly picked up an ip today and started to work. Go figure...
 
Looks like I was overoptimistic. The OpenVPN part seems to be working. I see "Connected (Local: 172.16.21.XXX - Public: 43.249.39.XXX)"

Unfortunately, nothing is routing. Is there some special way OpenVPN routes on Merlin? I only see tun11 via ifconfig, a route to it. But nothing specific for clients. Nothing in iptables either...
 
Did routing ever work? Are you still getting the same errors in your logs? Also, what settings do you have for policy-based routing? The log implies that you are using it. Does routing work if you put everything through the tunnel?
 
Nope, still not working. The "WARNING: no VPN gateway provided, routing might not work properly!" is a red herring. It comes up because I have policy-based routing turned on. You can see the code here on line 238:
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/others/vpnrouting.sh

I tried adding the route manually, but no go:
route add -host 10.1.1.233 gw 172.16.21.218

I can ping the gw just fine. I'm going to touch base with their support again, because it should be working...
 
I got it working using an IPv4-only profile, and disabled my IPv6 support on the router. Not great, but what to do. Does OpenVPN not work well with IPv6?
 
Congratulations. Step d on your VPN provider's Merlin configuration instructions is as follows:
Click on OpenVPN Clients to open the OpenVPN configuration page. Before you can activate the VPN connection, you will need to import BolehVPN configuration files that you downloaded earlier. It must be noted that Asus routers DO NOT SUPPORT IPv6 in the VPN and as such you will need to select one of the files that has IPv4 prefix to import.

I'm not having a go at you. I've done the same thing myself too many times. But computers are still unforgiving creations. One of the first things I usually check if I have problems is that I have followed the instructions rigorously, and that where I have not, I have good reason for it and my change is not causing the problems.

I would not have thought it necessary for you to disable IPv6 in the router settings if you are using an IPv4 profile, though I don't have the config files to look at and am not a Boleh customer so couldn't check even if I wanted to.

OpenVPN does work with IPv6, though according to your VPN provider not on ASUS routers. I'm not sure that we couldn't get IPv6 working on Merlin as is, but I'm not interested enough to try. Here's a link to the relevant page in the OpenVPN Wiki:

https://community.openvpn.net/openvpn/wiki/IPv6

Once again, I'm glad you got it working.
 
Well, unfortunately, it didn't actually work for streaming. Yes, I got it working, but their VPNs are blocked anyway, so it was a huge waste of time.
I did see the IPv6 note, although I admit, I skimmed through the instructions. I assumed since I'm running a newer version than the docs, that it would be OK. The VPN provider doesn't offer an IPv4 profile for Netflix, so you can see why I would keep trying to get it working with IPv6 enabled.

Long story short, I went to another VPN provider. Had a 5 minute chat with the new provider's support on which ovpn profile was best for Netflix, and was streaming in 10 minutes.

Anyway, thanks for your input!
 
