OpenVPN Server connection issues RT-AC86U


cocozozo

New Around Here
Hello,

I am using this wonderful Asuswrt-Merlin firmware for my RT-AC86U but having some issues with OpenVPN Server.
Firmware Version: 384.19
Also using the addon YazFi.

I am able to successfully set up VPN Server - OpenVPN on the router, export my OpenVPN configuration file, import it on my Android mobile and connect to my router remotely.
I have been able to connect to my home network successfully at least several times a day, but after less than a week I fail to connect using the OpenVPN Connect app on my phone.
If I export a new configuration file and import it again, I am able to reconnect.
I can't figure out why the configuration fails however.

Other points of note.
I have an HFC cable modem (NBN in Australia) connected to the WAN port of the ASUS RT-AC86U.
I am using Pi-hole on my network (using a Raspberry Pi).

Here is some info from my logs:
Code:
Oct 28 18:35:26 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:27 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:28 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:29 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:30 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:31 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:33 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:36 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:50 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:35:50 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:36:05 ovpn-server1[2238]: client/14.201.92.222:40042 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 28 18:36:05 ovpn-server1[2238]: client/14.201.92.222:40042 TLS Error: TLS handshake failed
Oct 28 18:36:05 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:36:20 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:36:23 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:36:27 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:36:36 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:36:51 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:36:53 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:37:08 ovpn-server1[2238]: client/14.201.92.222:40042 TLS ERROR: received control packet with stale session-id=f5312fd8 fba54c9d
Oct 28 18:37:20 ovpn-server1[2238]: client/14.201.92.222:40042 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 28 18:37:20 ovpn-server1[2238]: client/14.201.92.222:40042 TLS Error: TLS handshake failed
Oct 28 18:37:22 ovpn-server1[2238]: client/14.201.92.222:40042 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 28 18:37:22 ovpn-server1[2238]: client/14.201.92.222:40042 SIGUSR1[soft,ping-restart] received, client-instance restarting
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 TLS: Initial packet from [AF_INET]14.201.92.222:42503, sid=14ddcd85 fb3d2326
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AC86U, [email protected]
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, [email protected]
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_VER=3.git:released:b08a6c37:Release
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_PLAT=android
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_NCP=2
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_TCPNL=1
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_PROTO=2
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_IPv6=0
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.3-5597
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 peer info: IV_SSO=openurl
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 TLS: Username/Password authentication succeeded for username 'homeassistant'
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 28 18:39:02 ovpn-server1[2238]: 14.201.92.222:42503 [client] Peer Connection Initiated with [AF_INET]14.201.92.222:42503
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 MULTI: Learn: 10.8.0.2 -> client/14.201.92.222:42503
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 MULTI: primary virtual IP for client/14.201.92.222:42503: 10.8.0.2
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 PUSH: Received control message: 'PUSH_REQUEST'
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.75,dhcp-option DNS 192.168.1.150,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 28 18:39:02 ovpn-server1[2238]: client/14.201.92.222:42503 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Even though there are those errors I was able to connect yesterday.

I tried connecting today but I could not connect and there are no errors in the log regarding OpenVPN.

Also, not sure if this is important, but I noticed my external IP changed last night.

Code:
Oct 28 21:48:29 dhcp_client: bound 203.123.109.178/255.255.255.128 via 203.123.109.129 for 600 seconds.
Oct 28 21:48:30 WAN_Connection: WAN was restored.
Could this be the issue, and the reason why it works when I export the configuration again?
I have also tried a clean reset of the router but the problem keeps returning.

Many thanks in advance.
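
As an added example (not part of the original post), this Python function summarises a log in the format posted above per client endpoint: stale session-id errors, failed handshakes, whether the peer connected, and the RSA key size from the Control Channel line, which the posted log reports as 1024 bit. The sample lines are constructed with documentation addresses, and the 2048-bit floor is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log posted above; addresses come from
# the documentation range 198.51.100.0/24 and the session ids are made up.
SAMPLE_LOG = """\
Oct 28 18:35:26 ovpn-server1[2238]: client/198.51.100.7:40042 TLS ERROR: received control packet with stale session-id=aaaaaaaa bbbbbbbb
Oct 28 18:35:27 ovpn-server1[2238]: client/198.51.100.7:40042 TLS ERROR: received control packet with stale session-id=aaaaaaaa bbbbbbbb
Oct 28 18:36:05 ovpn-server1[2238]: client/198.51.100.7:40042 TLS Error: TLS handshake failed
Oct 28 18:39:02 ovpn-server1[2238]: 198.51.100.7:42503 TLS: Initial packet from [AF_INET]198.51.100.7:42503, sid=cccccccc dddddddd
Oct 28 18:39:02 ovpn-server1[2238]: 198.51.100.7:42503 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Oct 28 18:39:02 ovpn-server1[2238]: 198.51.100.7:42503 [client] Peer Connection Initiated with [AF_INET]198.51.100.7:42503
"""

# "<daemon>[pid]: [common-name/]ip:port message"
LINE = re.compile(r"ovpn-server\d+\[\d+\]: (?:[\w.-]+/)?(\d+\.\d+\.\d+\.\d+:\d+) (.*)$")
RSA_BITS = re.compile(r"Control Channel: .*?(\d+) bit RSA")
MIN_RSA_BITS = 2048  # assumption: the floor this example enforces


def triage(log_text):
    """Per client endpoint (ip:port): error counts, outcome, RSA key size."""
    peers = defaultdict(lambda: {"stale": 0, "handshake_failed": 0,
                                 "connected": False, "rsa_bits": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an OpenVPN server line with a client endpoint
        peer, msg = peers[m.group(1)], m.group(2)
        if "stale session-id" in msg:
            peer["stale"] += 1
        elif "TLS handshake failed" in msg:
            peer["handshake_failed"] += 1
        elif "Peer Connection Initiated" in msg:
            peer["connected"] = True
        elif (bits := RSA_BITS.search(msg)):
            peer["rsa_bits"] = int(bits.group(1))
    return dict(peers)


def weak_rsa_peers(report):
    """Endpoints whose control channel used an RSA key below the floor."""
    return sorted(ep for ep, p in report.items()
                  if p["rsa_bits"] is not None and p["rsa_bits"] < MIN_RSA_BITS)
```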
 

bbunge

Very Senior Member
You need to use DDNS on the router. In Android use the Arne Schwabe OpenVPN app.
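
The problem discussed here is a client profile that stops working once the router's WAN address changes. As an added example (not code from the thread or from Asuswrt-Merlin), this Python check lists the `remote` entries of an .ovpn profile and flags those that are IP literals rather than a hostname. The sample profiles, addresses and hostname are constructed, and that the exported profile pins the WAN address is an assumption the thread suggests but does not show.

```python
import ipaddress

# Constructed sample profiles, not the poster's export. 203.0.113.10 is a
# documentation address and myrouter.example.net is a placeholder DDNS name.
PROFILE_PINNED = """\
client
dev tun
remote 203.0.113.10 1194
;remote old.example.net 1194
<ca>
(certificate omitted)
</ca>
"""
PROFILE_DDNS = """\
client
<connection>
remote myrouter.example.net 1194 udp
</connection>
remote 203.0.113.10 443 tcp
"""


def remote_entries(profile_text):
    """Return (host, port, proto) for each active `remote` directive."""
    entries, skipping = [], False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            skipping = False
        elif line.startswith("<"):
            # <connection> blocks hold directives; <ca>, <key>, ... hold data
            skipping = line != "<connection>"
        elif skipping or not line or line[0] in "#;":
            continue
        else:
            fields = line.split()
            if fields[0] == "remote" and len(fields) >= 2:
                # port and proto are optional; None means "not given here"
                port, proto = (fields[2:4] + [None, None])[:2]
                entries.append((fields[1], port, proto))
    return entries


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def pinned_remotes(profile_text):
    """Remotes that stop working when the server's WAN address changes."""
    return [e for e in remote_entries(profile_text) if is_ip_literal(e[0])]
```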
 

cocozozo

New Around Here
Hi there bbunge,
Thanks so much for your help.
I have never used DDNS before. I will try to set this up and let you know.
 

cocozozo

New Around Here
> You need to use DDNS on the router. In Android use the Arne Schwabe OpenVPN app.

I have just set up DDNS as you suggested, using asus.com, and it is working (hopefully this sticks).

Just one other question. There is a message about Let's Encrypt certificate renewal.
Do I need to follow this guide from ASUS for automatic renewal (method 2), or will the default settings work for automatic Let's Encrypt certificate renewal?

The ASUS guide suggests enabling HTTPS and enabling web access from the WAN, but the Merlin firmware states it is a security risk?
 

barutchiev

Occasional Visitor
> The ASUS guide suggests enabling HTTPS and enabling web access from the WAN, but the Merlin firmware states it is a security risk?

The authentication method must be open through both HTTP and HTTPS, but access must be denied. You should be able to enter only through the local network, through OpenVPN.
In this case, I use a certificate from Pixelserv CA.

 

bbunge

Very Senior Member
> I have just set up DDNS as you suggested, using asus.com, and it is working (hopefully this sticks).
>
> Just one other question. There is a message about Let's Encrypt certificate renewal.
> Do I need to follow this guide from ASUS for automatic renewal (method 2), or will the default settings work for automatic Let's Encrypt certificate renewal?
>
> The ASUS guide suggests enabling HTTPS and enabling web access from the WAN, but the Merlin firmware states it is a security risk?

You do not need it with just OpenVPN.
 

khagberg

New Around Here
I have had issues with 384.19 on my AC86U also. I could not get it to connect at all with NordVPN. It worked fine on .18. I downgraded to .18 and everything works fine now.
 

cocozozo

New Around Here
> I have had issues with 384.19 on my AC86U also. I could not get it to connect at all with NordVPN. It worked fine on .18. I downgraded to .18 and everything works fine now.

Everything seems stable for me now and DDNS is working well with OpenVPN.
 

khagberg

New Around Here
I had DDNS set up and still had issues. The problem I saw was that after I imported the config and looked at the keys, there was nothing there. I opened the config files and manually copied and pasted the static key and the Cert Auth and saved them, and it still failed. When I went back in to look at the keys, it was not saving them.
 
