OVPN DNS issues

Jammie

I'm trying to redirect all traffic over VPN via my RT-AC3200. I can connect to the VPN correctly, but DNS doesn't work. I've searched around a bit, but I can't find a working solution to this issue.

I've attached screenshots of all relevant settings. Is anyone able to help me?
 

Accept DNS configuration needs to be set to strict on your OpenVPN client page.
 
Code:
Nov 22 22:45:17 openvpn[7981]: Authenticate/Decrypt packet error: cipher final failed

Your OpenVPN config is incorrect. Double check your cipher settings, this isn't a DNS issue.
 
That was the issue. Apparently leaving "Encryption Cipher" as default wasn't enough.
 
Default means Blowfish (that's the default hardcoded cipher in OpenVPN). It's not an auto-negotiate (that's something OpenVPN devs are going to add in 2.4.0), so if you don't have it set to Default at both ends, it won't work indeed.

BTW, Blowfish is not a good idea anymore (that's why you had those log entries about 64-bit block size). Personally, I recommend going with AES-128-CBC if you control both client and server. If you're dealing with very sensitive data or are likely to be the target of a state-powered hacker, then go to the slower AES-256-CBC.
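An added example, not part of the original posts: a small check that compares the effective `cipher` of a client and a server OpenVPN config, treating a missing `cipher` line as Blowfish as described above, and flags 64-bit block ciphers. The sample configs and the function names are constructed for illustration.

```python
# Added example (not from the thread). Sample configs below are constructed.
# Assumption taken from the thread: with no "cipher" line, OpenVPN before 2.4.0
# uses Blowfish (BF-CBC) and does not negotiate, so both ends must match.
DEFAULT_CIPHER = "BF-CBC"
# Name prefixes of ciphers with a 64-bit block size.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")

def effective_cipher(config_text):
    """Return the cipher a config selects, or the hardcoded default."""
    cipher = DEFAULT_CIPHER
    for raw in config_text.splitlines():
        # Drop '#' and ';' comments, then split the directive from its argument.
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(words) >= 2 and words[0] == "cipher":
            cipher = words[1].upper()
    return cipher

def check_pair(client_text, server_text):
    """List cipher problems for a client/server config pair."""
    findings = []
    client, server = effective_cipher(client_text), effective_cipher(server_text)
    if client != server:
        findings.append(f"MISMATCH: client={client} server={server}")
    for side, name in (("client", client), ("server", server)):
        if name.startswith(SMALL_BLOCK_PREFIXES):
            findings.append(f"WEAK: {side} uses {name} (64-bit block size)")
    return findings

# Constructed sample: client left at "Default" (no cipher line), server on AES.
CLIENT_CONF = """client
dev tun
proto udp
# cipher left at router default
auth SHA1
"""
SERVER_CONF = """dev tun
proto udp
cipher AES-128-CBC
auth SHA1
"""

if __name__ == "__main__":
    for finding in check_pair(CLIENT_CONF, SERVER_CONF):
        print(finding)
```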
 
Thanks for all the help. I've decided to go with AES-128-CBC for now, but I think I'll experiment with my settings. With the VPN on I'm getting 4 Mbps down and 7 Mbps up, compared with 100 Mbps down and 25 Mbps up without it.
 
An RT-AC3200 should be able to give you up to around 50 Mbps without any problem with AES-128-CBC, SHA1 and a 2048-bit key (I never really tested with different key sizes however). Might need to do some tuning on both ends afterward, also experiment with both tcp and udp. I've often had better results with tcp personally, but that's network-specific.
 
