OpenVPN server not starting on Merlin

matejdro

I have an RT-AC86U running Merlin 384.10_2. I've been trying to set up a VPN according to the GitHub page.

The issue is that the server does not start. When I press "Apply", the applying-settings dialog shows up for about 15 seconds and then vanishes, without any effect. The VPN Status page still shows OpenVPN server 1 as "Stopped".

But the biggest problem is that there appear to be no logs that could help me diagnose the issue. The system log is set to display "all" messages, and yet these are the only messages printed to the console:

Code:
Apr  7 20:57:04 rc_service: httpd 3748:notify_rc restart_chpass;restart_vpnserver1
Apr  7 20:57:04 rc_service: waitting "restart_chpass;restart_vpnserver1" via httpd ...
Apr  7 20:57:19 rc_service: skip the event: restart_chpass;restart_vpnserver1.

My settings:
  • TAP
  • UDP
  • Default port
  • TLS authorization
  • All keys and certificates entered, except for Static Key, Revocation List and Extra Chain Certificates
  • NO password auth
  • Disable TLS control
  • Default HMAC
  • Yes DHCP
  • Yes DNS advertising
  • Disabled cipher negotiation
  • AES-128-CBC cipher
  • Disable compression
  • Log verbosity 6 (which is maximum and yet no logs in System Log)
  • No Client-specific options
  • Custom configuration empty
Any idea what I could do to diagnose this? Are there logs anywhere inside the router that I could find with SSH?

P.S.: One thing I noticed is that the Default button does not seem to reset the Advanced Settings subpage, nor does it delete any keys and certificates, even though the before-deletion warning states that they will be deleted. Could these two be related somehow?
 
Does this help?

RMerlin said:
384.10 Beta 3 is now available. This release contains a couple of changes surrounding OpenVPN key/certs management, which should notably reduce nvram usage. The issue where key/certs would sometimes be left in nvram is fixed, and the unused key/cert var names are no longer wasting nvram space either, saving a few hundred bytes of nvram. Please make sure no new issue was introduced surrounding management of key/certs.

It is also now possible to remove a key/certs by clearing its field, rather than having to remove the file in /jffs/openvpn/ .

The following script will clear up your nvram:

Code:
#!/bin/sh

echo "Removing unused cert/key from nvram..."

for i in 1 2 3 4 5
do
nvram unset vpn_crt_client$i\_ca
nvram unset vpn_crt_client$i\_extra
nvram unset vpn_crt_client$i\_crt
nvram unset vpn_crt_client$i\_key
nvram unset vpn_crt_client$i\_crl
nvram unset vpn_crt_client$i\_static
done

for i in 1 2
do
nvram unset vpn_crt_server$i\_ca
nvram unset vpn_crt_server$i\_dh
nvram unset vpn_crt_server$i\_ca_key
nvram unset vpn_crt_server$i\_extra
nvram unset vpn_crt_server$i\_client_crt
nvram unset vpn_crt_server$i\_crl
nvram unset vpn_crt_server$i\_crt
nvram unset vpn_crt_server$i\_key
nvram unset vpn_crt_server$i\_static
nvram unset vpn_crt_server$i\_client_key
done

nvram commit

echo "done."

The Firefox stalls when using https with a router-generated certificate should also be resolved now (looks like an old Firefox bug came back when they added TLS 1.3 support), a workaround has been implemented - you might need to re-generate your router certificate.
 
It looks like this script cleans OpenVPN settings left over by pre-384.10 versions? 384.10 is the first Merlin firmware on the router (and it was brand new before that).

Anyway, running the script seems to have no effect at all.
 
Okay, ignoring the manual settings, for now, does the OpenVPN server using the defaults work?
 
As I said, I had issues reverting to default (the Default button does not appear to reset advanced settings). But now I have just tried starting Server 2, which I have not touched before (settings appear to be default).

There appears to be no effect (server 2 is shown as stopped even after waiting the suggested several minutes, and the system log also states that the `restart_vpnserver2` event was skipped).

Thanks for the help, by the way.
 
You're welcome, I wish I could help more to solve this.

Unless someone else has further suggestions, I would be considering a full M&M Config at this point (please see my signature for links and further details below).

Maybe @RMerlin has a suggestion for you to try?
 
I did a factory reset and the problem was resolved. Not sure what exactly the issue was.

Also, one worrisome thing is that even after a FULL factory reset (I held the reset key on the router until it did a complete wipe), the OpenVPN certificates still stayed in. I think this is quite a big security problem and can be dangerous if somebody, for example, sells his router to somebody else and thinks a factory reset would wipe all his data.
 
Just came here to say that I had the exact same problem, and the same solution (factory reset) worked for me. Have no idea what the actual problem was.
 
That's because these are not stored in nvram, but in flash, in the JFFS partition.

When you do a reset through the webui, you get a checkbox to also erase the content of the JFFS partition that stores larger pieces of data such as certificates.
 
Is there a place (path) to hand delete these files (list of files?), rather than setting everything to factory default? And is it safe to do so? I found the openvpn folder in the /jffs path, is it safe to delete it or the files inside?


UPDATE: I think I just realized these are for my client vpn, not the server. Haven't found those yet...
 
It was a very strange thing, the restore buttons in the admin would NOT erase my router. I had to use the trick of holding the wps button for 20 seconds on startup to really reset it. Then I restored my config file. Then I was able to start my openvpn server. Then I restored my JFFS partition. And now, everything seems to be working normally.
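
The posts above note that OpenVPN keys live in /jffs/openvpn and can outlive a reset that leaves the JFFS partition intact. As an added example (not part of the original thread or the firmware), this script lists private-key files under a directory and any key-holding `vpn_crt_server*` nvram variables that still have a value; the function names, the sample files and the choice of which variables to check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list OpenVPN key material that is
# still on the router before it changes hands.

# PEM private keys (plain, RSA, EC, encrypted) and OpenVPN static keys.
KEY_PATTERN='-----BEGIN ([A-Z]+ )?PRIVATE KEY-----|-----BEGIN OpenVPN Static key V1-----'

# Print each file under directory $1 that contains private key material.
find_key_files() {
    [ -d "$1" ] || return 0
    grep -rlE -e "$KEY_PATTERN" "$1" 2>/dev/null || true
}

# Print key-holding vpn_crt_server* nvram variables (names taken from the
# cleanup script quoted in the thread) that still have a value.
leftover_nvram_vars() {
    command -v nvram >/dev/null 2>&1 || return 0   # not running on a router
    for i in 1 2; do
        for s in ca_key key static client_key; do
            v="vpn_crt_server${i}_${s}"
            if [ -n "$(nvram get "$v" 2>/dev/null)" ]; then echo "$v"; fi
        done
    done
}

# Return 0 when nothing sensitive is found, 1 (with a report) otherwise.
audit_router() {
    dir=${1:-/jffs/openvpn}
    found=$(find_key_files "$dir"; leftover_nvram_vars)
    [ -z "$found" ] && return 0
    echo "Key material still present:"
    echo "$found" | sed 's/^/  /'
    return 1
}

# Constructed sample: a throwaway directory with one fake key and one cert.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' > "$d/sample.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' > "$d/sample.crt"
    rc=0
    audit_router "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "sample directory still holds key material, as constructed"
```

On the router, calling `audit_router` with no argument checks /jffs/openvpn; a non-zero exit status means key material is still stored there or in nvram.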
 
