OpenVPN problems

nikkoaki

Occasional Visitor
First of all, forgive my english.. it's not my primary language and it's very rusty.

I bought an AC66U yesterday and i'm having trouble making an ovpn server. I don't know much about the subject so it's most definitely my fault.
I tried both the default certificates it creates and custom ones i made with easyrsa. I'm going to show the keys but i don't mind since i'll create new ones.

First the default ones
These are the default settings: http://i.imgur.com/KWo8dtK.png
These are the keys it makes: http://i.imgur.com/xfeeauU.png
It doesn't create a static key. Exporting the ovpn file and trying it on my phone leads to this in the logs:

Code:
May 16 14:19:38 openvpn[1251]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:52386, sid=d2ab236b e3042be3
May 16 14:19:48 openvpn[1251]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:45844, sid=ff821a1d 42a79b30
May 16 14:19:58 openvpn[1251]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:52247, sid=0190c28c ef54c8ba
May 16 14:20:08 openvpn[1251]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:34454, sid=e61a6134 077cec14

Enabling tls (bidirectional if i recall) creates a static key: http://i.imgur.com/O7D1Yo6.png
Exporting the ovpn file and trying it, leads to this:

Code:
May 16 14:27:11 openvpn[2063]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:35993, sid=f02f6a57 ac62e609
May 16 14:27:13 openvpn[2063]: 192.168.2.118 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1494941241) Tue May 16 14:27:21 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
May 16 14:27:13 openvpn[2063]: 192.168.2.118 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.2.118:35993
May 16 14:27:15 openvpn[2063]: 192.168.2.118 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1494941241) Tue May 16 14:27:21 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
May 16 14:27:15 openvpn[2063]: 192.168.2.118 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.2.118:35993
May 16 14:27:17 openvpn[2063]: 192.168.2.118 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1494941241) Tue May 16 14:27:21 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Ok, so.. trying the certificates and keys i made with easyrsa: http://i.imgur.com/ahKDCKm.png
"asus" is the name of the client.. i also used that name in the common field as advised.

This is what i get: http://i.imgur.com/DnwXjfi.png
The problem is.. i don't know what to put in the static key.. i don't even know if it's needed or not so i just let that default one.
The ovpn file it creates looks like this:
Code:
client
dev tun
proto udp
remote ##removed## 1194
float
ncp-ciphers AES-128-GCM
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
    paste client certificate data here
</cert>
<key>
    paste client key data here
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
c0ba6380e98528507070190e50585f5d
8b38dcaa23e789e028c298224d44381b
b45e240a5ac40b053514a0e608e037fb
8e143dd3811aaafdc0b034682484251b
3aa4c0e685431489c6973adfd1d58bf4
558fb750740759214c767b2da9962116
70b8681073f5ae570f517435ec28af34
82e6c28d041fb2fcdbd6d322d8a2e6a3
d30a2b993d8d79348b9d95786191768e
0ae257d84fb51fefdd281eb0b72fb866
752a10c34b1deaddd33191fa309e4775
2faa49e0cf8921657d6d50d9f80310f6
d5c4eb70924700a782a874f874fc46a6
b747d151d1835eed327d7097fb13cc32
2ef59fcc13c85779c58e6042fba49f9b
9dee452f585c7c801c15ef6cb1dcb1e2
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind

In the "paste client certificate data here" i put the asus.crt data
In the "paste client key data here" i paste the asus.key data.

It still can't connect. The logs show again:
Code:
May 16 14:44:31 openvpn[2748]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:40962, sid=2c8c5bc6 60a583ef
May 16 14:44:33 openvpn[2748]: 192.168.2.118 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1494942281) Tue May 16 14:44:41 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
May 16 14:44:33 openvpn[2748]: 192.168.2.118 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.2.118:40962
May 16 14:44:35 openvpn[2748]: 192.168.2.118 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1494942281) Tue May 16 14:44:41 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

I clearly don't know what i'm doing.. although i configured an openvpn server on my orange pi and had no problems. Can anyone give a hand?

Another 2 "problems" i found:
Yesterday i put the router to reset itself every day at 5am, today when i woke up i had no internet. The front page of the router said there was a problem with my isp DHCP (docsis3 cable modem). I have no problems with my old router.
I noticed that every time i hit the "reboot" button, the router couldn't connect online. As soon as i disconnected the cable connecting it to the modem, it immediately connected. Changing some wan options did nothing.
Doing a factory reset worked.. i can reboot the router and it connects to my isp with no problems.. importing the settings and jffs file brings back the problem.
Doing a factory reset and going to the trouble of manually setting my own preferences, works.. at least until now. I didn't do everything i did yesterday (like creating a pptp server, messing with qos and messing with statistics logging to usb), so i don't know if that was the problem...(disabling qos didn't fix the problem with the old settings) is this normal? Seems like a bug.

Another thing i want to ask since i'm here.
I don't have this page with these nice graphs.. : https://www.snbforums.com/attachments/screen1-jpg.4186/
Does my model lack it? I thought it was a global merlin "thing".

Thanks in advance
 
For the VPN Server setup issue, try the instructions here: https://www.snbforums.com/threads/how-to-setup-a-vpn-server-with-asus-routers.33638/

With 380.65, I had to specify some level of compression. None no longer worked. I ended up choosing LZ4 Adaptive. But LZO Adaptive will work too.
 
Thanks.
I already had LZO adaptive, changed to LZ4 and it was the same.. disabling tls-auth (which i don't want to do but for the sake of testing) also doesn't work.

Code:
May 16 18:00:04 openvpn[5713]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:44579, sid=71deff3d 6388516b
May 16 18:00:14 openvpn[5713]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:60797, sid=25016f67 00612c60
May 16 18:00:24 openvpn[5713]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:34773, sid=198827da ca7bab18
May 16 18:00:34 openvpn[5713]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:53224, sid=292cae5b 9da99caf
May 16 18:00:44 openvpn[5713]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:33377, sid=0e02850a 38aa98a9
May 16 18:00:54 openvpn[5713]: 192.168.2.118 TLS: Initial packet from [AF_INET6]::ffff:192.168.2.118:60723, sid=f02c02f9 45ad07e5
May 16 18:01:05 openvpn[5713]: 192.168.2.118 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 16 18:01:05 openvpn[5713]: 192.168.2.118 TLS Error: TLS handshake failed
May 16 18:01:05 openvpn[5713]: 192.168.2.118 SIGUSR1[soft,tls-error] received, client-instance restarting
May 16 18:01:14 openvpn[5713]: 192.168.2.118 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 16 18:01:14 openvpn[5713]: 192.168.2.118 TLS Error: TLS handshake failed
May 16 18:01:14 openvpn[5713]: 192.168.2.118 SIGUSR1[soft,tls-error] received, client-instance restarting
May 16 18:01:24 openvpn[5713]: 192.168.2.118 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 16 18:01:24 openvpn[5713]: 192.168.2.118 TLS Error: TLS handshake failed

I also just tried Static Key instead of tls.. i thought it would be simpler.
Settings were the following: http://i.imgur.com/VYtctA6.png
ovpn file:
Code:
mode p2p
dev tun
ifconfig 10.8.0.2 10.8.0.1
proto udp
remote ##removed## 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
<secret>
-----BEGIN OpenVPN Static key V1-----
6a29606cb1d81294d3153e5c2eb64aab
886ca16948dd66705c0983b2b5e075fc
912a9c0401f5f40f42df1c2531f58f7e
bb94d3638ffa582ea932e63932494312
4417ccdaee4ede41070d2a2322f5d800
2414229997dfad78edb801141dfdf280
bf064432272bcbc2cec159e379b54a61
17a5631c30db2a4332e9a8999c66a7ad
8f8e47634522765dd306fedd516f5bc4
c9ccd21239edce65ea8539b937b10d1a
7083bfda66deecec344bdda403802f95
3c67832531a3f3478829ebf20af515a6
868d48b9604b06386bb7113f64cfc994
2b82087fd4c6f8a6867371137ac50619
ad1e13b84ea8879820f5fde94a6df895
de9722aeb88b0f58b8124ab02f118b3f
-----END OpenVPN Static key V1-----
</secret>
resolv-retry infinite
nobind

i really don't understand how this mode works because it asks me for a certificate on my phone when i try to connect to it and it fails if i select none.
I already installed the ca.crt certificate on my phone but it's not the one that it's looking for, which makes sense
Some screenshots:

http://i.imgur.com/95mPOUK.png
http://i.imgur.com/cIkFTuY.png

Again, i know it makes no sense adding the
Code:
<ca>
insert ca here
</ca>
inside the ovpn file because the ca i made with easyrsa has nothing to do with that static key, but i still did. It doesn't ask me for a certificate anymore but shows the same error as the second pic.
Shouldn't the static key method of authenticating be easier like, make it, download the ovpn file and use it?
By the way, in the configuration screenshot you can see i chose "No" for "Username/pass auth only".. i also tried with yes and the problem persists.
Oh and although i'm using DDNS for convenience, i already tried using the IP.. it's also the same.
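
Added example, not part of the thread or of the router firmware: a small Python triage of OpenVPN server log lines in the format posted above, grouped by server PID (one PID per server configuration tried) and peer, separating a stalled handshake from a tls-auth replay rejection and from an HMAC mismatch. The sample lines, addresses and session IDs are constructed; the "packet HMAC authentication failed" pattern is OpenVPN's message for a key mismatch and does not appear in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog layout as the excerpts in the thread.
SAMPLE_LOG = """\
May 16 14:19:38 openvpn[1251]: 192.0.2.10 TLS: Initial packet from [AF_INET6]::ffff:192.0.2.10:52386, sid=aaaaaaaa 00000001
May 16 14:19:48 openvpn[1251]: 192.0.2.10 TLS: Initial packet from [AF_INET6]::ffff:192.0.2.10:45844, sid=aaaaaaaa 00000002
May 16 14:19:58 openvpn[1251]: 192.0.2.10 TLS: Initial packet from [AF_INET6]::ffff:192.0.2.10:52247, sid=aaaaaaaa 00000003
May 16 14:20:39 openvpn[1251]: 192.0.2.10 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 16 14:27:11 openvpn[2063]: 192.0.2.20 TLS: Initial packet from [AF_INET6]::ffff:192.0.2.20:35993, sid=bbbbbbbb 00000001
May 16 14:27:13 openvpn[2063]: 192.0.2.20 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1494941241) Tue May 16 14:27:21 2017 ]
May 16 14:27:13 openvpn[2063]: 192.0.2.20 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.0.2.20:35993
May 16 15:00:02 openvpn[3001]: 192.0.2.30 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

# "<month> <day> <time> openvpn[<pid>]: <peer> <message>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+openvpn\[(?P<pid>\d+)\]:\s+(?P<peer>\S+)\s+(?P<msg>.*)$"
)

PATTERNS = {
    "initial": re.compile(r"TLS: Initial packet from .*sid=(?P<sid>[0-9a-f]{8} [0-9a-f]{8})"),
    "replay": re.compile(r"bad packet ID \(may be a replay\)"),
    "hmac": re.compile(r"packet HMAC authentication failed"),
    "timeout": re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
}

HINTS = {
    "hmac_mismatch": "tls-auth key or key direction differs between server and client profile",
    "replay_reject": "HMAC check passed, then the packet ID was rejected as not newer than the last one seen",
    "handshake_stall": "client keeps starting new sessions but negotiation never completes; read the client log",
    "no_error_seen": "no failure signature in these lines",
}


def parse(log_text):
    """Return {(pid, peer): {"sids": set, "replay": n, "hmac": n, "timeout": n}}."""
    stats = defaultdict(lambda: {"sids": set(), "replay": 0, "hmac": 0, "timeout": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an openvpn syslog line
        entry = stats[(int(m["pid"]), m["peer"])]
        for name, pattern in PATTERNS.items():
            hit = pattern.search(m["msg"])
            if not hit:
                continue
            if name == "initial":
                entry["sids"].add(hit["sid"])
            else:
                entry[name] += 1
    return dict(stats)


def classify(entry):
    """Most specific signature wins: HMAC failure, then replay, then stall."""
    if entry["hmac"]:
        return "hmac_mismatch"
    if entry["replay"]:
        return "replay_reject"
    if len(entry["sids"]) >= 2 or entry["timeout"]:
        return "handshake_stall"
    return "no_error_seen"


def triage(log_text):
    return {key: classify(entry) for key, entry in parse(log_text).items()}


if __name__ == "__main__":
    for (pid, peer), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"openvpn[{pid}] {peer}: {verdict} ({HINTS[verdict]})")
```
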
 
Because you say that you are new to OpenVPN, may I suggest you try starting again completely afresh but with username and password auth only = YES (i.e. no keys and certificates) and get that working. Once you are happy everything is working and you feel confident, you could then advance to public key infrastructure (username/password auth only equals NO); of course, you'll need to export a new .ovpn config file to your client device.

I'm not sure, though, what is the best or most efficient way to flush out all the OpenVPN settings in order to start afresh. (Before the keys and certs were moved to jffs, a reset to factory default settings was one way of starting afresh, albeit a time-consuming one.)

But you really should have no need to create any keys or certificates: OpenVPN does everything for you. Once you have made all your settings on the Advanced page, you return to the General page where you then export the .ovpn file to your client device. That file has, or should have, everything you need in it according to the settings you have set. It's hard to believe but it really is that simple.
 
"It's hard to believe but it really is that simple"
Indeed it should be.. but it's not working for me.
Yes, i'm kind of new-ish to openvpn.. but i configured it both on an orangepi running ubuntu server and on a VPS running centos and the harder thing for me was finding out the firewall rules to make it accessible to the outside and route internal data. Creating the server itself and clients is straightforward, there are lots of good tutorials online.

I'm going to do what you proposed one more time (i'm not going to do a factory reset because i did it in the morning and it didn't help)

1st: Delete everything:

2nd: create a test user with a very strong password

3rd: Create a server with default values recommended by you

4th: Export the ovpn file to the phone

ovpn default config:
Code:
mode p2p
dev tun
ifconfig 10.8.0.2 10.8.0.1
proto udp
remote *removed my personal ip* 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
<secret>
-----BEGIN OpenVPN Static key V1-----
ed6ae9784183b781374723c1b6290233
e364c4c9c79d7239d5d853ab6f580bf2
b8ebc754be36cc76818df08de992cd55
0f9c9075d90b9f814561d28ecc028f74
07aa73b8b8edbab6455ff15823a5e12b
b776fd9164f2f378b3b87647ae5b2e7b
58886ffbfd91d6dfeceffb75937a8a44
89c83c0dbde7b63f22c3e4c4473ffaec
544ba4f9daa50e9c907ddc8ebe716ec8
f501ebb77ec5fceb3b8d7b7314975285
ab96e9d7a0753eeda9be0ddbb0b4e2f5
b1e484bb4377b40611826aa1cbf03b9c
75e6ef96e47341b713830d2e6e9c09da
0b7ec10b0fb6bda49a54f3a900137baa
9cb0f5bb0a30b8b4415e4efdccee266e
76ed6f3a3e34a62ba9224558a3db0c91
-----END OpenVPN Static key V1-----
</secret>
resolv-retry infinite
nobind

5th: try to connect with the phone and fail miserably because it asks me for a certificate

So, either i'm doing something wrong (most likely) or something IS wrong
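
Added example, not part of the thread or of the firmware's exporter: a Python check of an inline .ovpn profile like the two exported above, reporting unfilled placeholder blocks, PKI blocks that a static-key (`<secret>`) profile does not use, and an inline `<tls-auth>` key with no `key-direction` line. The sample profiles, host name and key material are constructed dummies, and the finding names are made up for this example.

```python
import re

# Constructed TLS-mode profile modelled on the exported file; key material is dummy.
SAMPLE_TLS_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIBdummydummydummy
-----END CERTIFICATE-----
</ca>
<cert>
    paste client certificate data here
</cert>
<key>
    paste client key data here
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed static-key profile with a <ca> block added by hand.
SAMPLE_STATIC_PROFILE = """\
mode p2p
dev tun
ifconfig 10.8.0.2 10.8.0.1
remote vpn.example.net 1194
<secret>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</secret>
<ca>
insert ca here
</ca>
"""

# An inline block is "<tag>" on its own line, content, then "</tag>".
BLOCK_RE = re.compile(r"^<(?P<tag>[a-z-]+)>\n(?P<body>.*?)^</(?P=tag)>\n?", re.M | re.S)

# PEM header each PKI block must contain to count as filled in.
PEM_HEADER = {
    "ca": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "cert": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def parse_profile(text):
    """Split a profile into ({directive: args}, {inline tag: body})."""
    blocks = {m["tag"]: m["body"].strip() for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
    return directives, blocks


def lint(text):
    """Return a list of finding names for one profile, in a fixed order."""
    directives, blocks = parse_profile(text)
    static_mode = "secret" in blocks or "secret" in directives
    tls_mode = "client" in directives or "tls-client" in directives
    findings = []
    if static_mode:
        # Pre-shared key mode: no TLS handshake, so no certificates are involved.
        findings.append("static-key-mode")
    if tls_mode and "ca" not in blocks and "ca" not in directives:
        findings.append("tls-missing:ca")
    for tag, header in PEM_HEADER.items():
        if tag not in blocks:
            continue
        if not header.search(blocks[tag]):
            findings.append(f"placeholder:{tag}")
        if static_mode:
            findings.append(f"unused-in-static-mode:{tag}")
    # With an inline key the direction can only come from key-direction;
    # leaving it out is right only when the server uses the key bidirectionally.
    if "tls-auth" in blocks and "key-direction" not in directives:
        findings.append("tls-auth-without-key-direction")
    return findings


if __name__ == "__main__":
    for name, profile in (("tls", SAMPLE_TLS_PROFILE), ("static", SAMPLE_STATIC_PROFILE)):
        print(name, lint(profile))
```
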
 
WAIT.. i tested with this app: https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn
instead of the official one and i got a connection. It wasn't routing data through the vpn but that's because it's not configured for that, but it did connect..
Is this because the official app uses polarSSL instead of openSSL?
Does it even matter?

EDIT: https://forums.openvpn.net/viewtopic.php?t=22136
This guy seems to have the same problem and the only fix for it is to include the ca.crt.. but where can i get it? I'm guessing it won't work with any ca.. maybe the one that was used to make the static key, but where is it? (am i making sense or just talking nonsense?)

EDIT 2: it's late, i'll browse more about the subject tomorrow
 
Good to hear you have made some sort of progress. It makes me wonder: do you have another device, such as a Windows PC/laptop on which you could install the OpenVPN client software so you can then test whether the problems are being caused by the Android device?
 
And to add what @martinr said, you must be connected to another internet source before trying to make an OpenVPN connection to the router that has the OpenVPN Server installed on it. It is easy for my testing as I have several routers in my home. So, I can connect to one, then initiate the vpn connection to another to test any updates.

Last month, I connected one of my routers, and then tried to open up a VPN connection to the same router using my android phone. It did not work. Nor would I expect it to. So with your testing, make sure you are connected to another internet source before testing the VPN connection to the OpenVPN server.
 
make sure you are connected to another internet source before testing the VPN connection to the OpenVPN server.
I did, i tried with 4g cellular data.

Ok so, since it worked yesterday with a static key and using a different app, i thought of trying making a new server with tls auth and my own keys.
Guess what, with that app, it works perfectly.. i checked my ip to be sure i was being routed through my home net and it was fine. With the official app, it doesn't work (The official program for windows works fine btw)

I googled a bit and there are lots of people online complaining for the same reason, mostly ios users. Not related to asus routers, just that the app spits errors related to polarSSL and fails to connect with some kinds of ovpn files.
I use the official android app with other vpns.. i guess i'm going to have to migrate them to a different one.. The one i tested first costs $7 to remove the ads and it's not very pretty but there is an open source alternative (https://play.google.com/store/apps/details?id=de.blinkt.openvpn) that also works fine..

I guess it's solved then. It still sucks that these kinds of things aren't 100% compatible with each other.
Today i received a notification of a new FW version but the changelog doesn't seem to mention anything related to openvpn and/or polarSSL.

Anyway guys i really appreciate your help.
Just one last thing, i wrote in my first post

Another thing i want to ask since i'm here.
I don't have this page with these nice graphs.. : https://www.snbforums.com/attachments/screen1-jpg.4186/
Does my model lack it? I thought it was a global merlin "thing".

Do any of you know the answer?
Again, thanks a lot.
 
Thanks for reporting the solution. Glad to see you got it working. I use the client app developed by OpenVPN on my android and ipad. I also use the windows OpenVPN client software on my Win 10 laptop. No cost!

Welcome to the forums BTW.
 
Just one last thing, i wrote in my first post ......

Does any of you know the answer?
Again, thanks a lot.

I don't know the answer but your router is an AC66U, and which version of Merlin's firmware are you running?

By the way, I thought you said your English was very rusty; you could have fooled me.
 
The official OpenVPN app is trash and doesn't support the latest 2.4 features, whereas the de.blinkt app does. Source: I use it!
 
Thanks for reporting the solution. Glad to see you got it working. I use the client app developed by OpenVPN on my android and ipad. I also use the windows OpenVPN client software on my Win 10 laptop. No cost!

Welcome to the forums BTW.

It's strange that it works for you and not for me.. maybe you created the ovpn files with an older firmware and they were compatible with polarSSL/the official app at that time?

Welcome to the forums BTW

Thanks ;)

I don't know the answer but your router is an AC66U, and which version of Merlin's firmware are you running?

By the way, I thought you said your English was very rusty; you could have fooled me.

Firmware 380.66.. I know a new FW came out yesterday but i doubt that's the problem.
I know that some features are restricted to just some models but since this is only stats, graphs/charts and is posted in the home page as a merlin feature, i thought it was for every router.

you could have fooled me

Really? You didn't find a single mistake or notice any difference in the way i express myself? ;)

The official OpenVPN app is trash and doesn't support the latest 2.4 features, whereas the de.blinkt app does. Source: I use it!

I learned the hard way and you are right, the app does seem much better.
 
