Problem connecting to OpenVPN server on RT-AX88U

TheLyppardMan

I'm setting up my router from scratch as I was having problems with internet dropouts after updating the firmware to the latest version. I've got everything working except the OpenVPN feature. The router is showing the server as running and I've exported a new configuration file, but when I try to connect with my Android mobile, the switch to turn it on immediately turns off again. I noticed from a previous post I made about a connection problem that it seemed to be fixed when I changed something about obtaining an IP address from "internal" to "external", but I can't find that setting to see if that would fix this. Can anyone help please?
 
I've found the missing setting mentioned above (it was under DDNS) so I've changed that to external, as I did before. I can now connect to my network via the VPN if I'm using my laptop, but I can't connect to my router. My mobile phone still can't connect, but I'll try restarting it to see if that makes any difference. Update: Unfortunately, restarting my Galaxy mobile didn't solve the problem, so back to square 1.
 
what do you mean by "but I can't connect to my router" ? via gui ? via ssh ? what is the IP of your router ? did you perform the laptop test from within the LAN or from "outside" ?
what android app are you using ? any chances to get a log file ?
 
what do you mean by "but I can't connect to my router" ? via gui ? via ssh ? what is the IP of your router ? did you perform the laptop test from within the LAN or from "outside" ?
what android app are you using ? any chances to get a log file ?
To answer your questions: I couldn't connect to my router via the GUI; the IP of the router is 192.168.1.254; I used mobile data tethering to simulate connecting from outside the LAN; I can't provide any logs at the moment.

I've downgraded the firmware to the previous version for the moment, to see if that restores full connectivity and also to see if it cures the other problem of intermittent internet dropouts that I've been having. I'll update this thread when I know more.
 
The VPN is now allowing me access to the router's GUI and local network files on my NAS, but I can't test it on my mobile because for some reason, the OpenVPN app can't see any configuration files. I'm not too bothered about no VPN access on my phone anyway, so I can say that reverting back to 386.5_2 has resolved my problem.

Regarding the intermittent dropouts, I have another thread open on that issue, but I can confirm that I was mistaken in that it's not the internet that's losing connectivity but the Wi-Fi. I need to investigate that further to see if it's affecting both bands, which I suspect at the moment.
 
OK, I've upgraded the firmware again, carried out two resets using the button on the router (the WPS method wouldn't work) and set up a minimal configuration (no scripts, no Trend Micro, etc). I am now back to the situation where I can't access the router's GUI if using OpenVPN. Also, I noted that unlike the last time I exported the configuration file (several months ago), the one I exported today didn't have the DDNS information at the top. I added it manually, just in case that had anything to do with this problem, but it still wouldn't let me access the router's GUI. I can however, as before, access the network shares on my Synology NAS. Very frustrating.

Here's part of my last attempt to connect to the router (at exactly 16:44):-

Jun 28 16:40:00 rc_service: service 8166:notify_rc restart_letsencrypt
Jun 28 16:40:00 Let's_Encrypt: Err, DDNS update failed.
Jun 28 16:40:59 wlceventd: wlceventd_proc_event(469): eth7: Deauth_ind 34:CF:F6:E2:BF:76, status: 0, reason: Unspecified reason (1)
Jun 28 16:40:59 hostapd: eth7: STA 34:cf:f6:e2:bf:76 IEEE 802.11: disassociated
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 TLS: Initial packet from [AF_INET]109.249.181.125:65457 (via [AF_INET]86.151.218.133%ppp0), sid=3c703275 7a7c0af9
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U, emailAddress=me@asusrouter.lan
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_VER=2.5.7
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_PLAT=win
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_PROTO=6
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_NCP=2
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_LZ4=1
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_LZ4v2=1
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_LZO=1
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_COMP_STUB=1
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_COMP_STUBv2=1
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_TCPNL=1
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_GUI_VER=OpenVPN_GUI_11
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 peer info: IV_SSO=openurl,crtext
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 TLS: Username/Password authentication succeeded for username 'Brian'
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1541'
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
Jun 28 16:42:13 ovpn-server1[4903]: 109.249.181.125:65457 [client] Peer Connection Initiated with [AF_INET]109.249.181.125:65457 (via [AF_INET]86.151.218.133%ppp0)
Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 MULTI: Learn: 10.8.0.2 -> client/109.249.181.125:65457
Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 MULTI: primary virtual IP for client/109.249.181.125:65457: 10.8.0.2
Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 Data Channel: using negotiated cipher 'AES-256-GCM'
Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jun 28 16:45:00 rc_service: service 8915:notify_rc restart_letsencrypt
Jun 28 16:45:00 Let's_Encrypt: Err, DDNS update failed.
Jun 28 16:45:23 wlceventd: wlceventd_proc_event(505): eth7: Auth 82:C0:FA:28:67:C9, status: Successful (0)
Jun 28 16:45:23 wlceventd: wlceventd_proc_event(534): eth7: Assoc 82:C0:FA:28:67:C9, status: Successful (0)
Jun 28 16:45:23 hostapd: eth7: STA 82:c0:fa:28:67:c9 IEEE 802.11: associated
Jun 28 16:45:23 kernel: CFG80211-ERROR) wl_cfg80211_change_station : WLC_SCB_AUTHORIZE sta_flags_mask not set
Jun 28 16:45:23 hostapd: eth7: STA 82:c0:fa:28:67:c9 RADIUS: starting accounting session B4A1B9A5C1585942
Jun 28 16:45:23 hostapd: eth7: STA 82:c0:fa:28:67:c9 WPA: pairwise key handshake completed (RSN)
Jun 28 16:45:23 dnsmasq-dhcp[2614]: DHCPREQUEST(br0) 192.168.1.194 82:c0:fa:28:67:c9
Jun 28 16:45:23 dnsmasq-dhcp[2614]: DHCPACK(br0) 192.168.1.194 82:c0:fa:28:67:c9 Brian-s-A22
Jun 28 16:46:25 wlceventd: wlceventd_proc_event(505): eth7: Auth 34:CF:F6:E2:BF:76, status: Successful (0)
Jun 28 16:46:25 wlceventd: wlceventd_proc_event(534): eth7: Assoc 34:CF:F6:E2:BF:76, status: Successful (0)
 
presumably, you try to access the router GUI via its IP address, what about http://router.asus.com and what is the error message you get ?

PS: there seems to be an issue as well with your Let's encrypt certificate ... or with its updating
 
Under NO CIRCUMSTANCES should you ever be using, let alone testing, your own OpenVPN server except from the internet side of the WAN! And no "faux" WAN side connections either. Doing so will only lead to problems, including misleading results.

Also, how you configure the OpenVPN server can dramatically change what is and isn't possible. For example, if you do NOT advertise your home DNS to the OpenVPN clients, then you can't reference DNSMasq for local name resolution. And as such, if you're referencing the router by name (e.g., router.asus.com), it won't work. Only an explicit reference (e.g., 192.168.1.1) will work.

It would therefore help to see exactly how you configured the OpenVPN server.

And while you're at it, you might as well dump iptables on the server to see if there's some issue there.

Code:
iptables -vnL
 
I'm trying to access the router GUI in exactly the same way I did with build 386.5 (which worked without any problems). I access the router at this address: http://192.168.1.254/Main_Login.asp. Regarding testing, I switch off the Wi-Fi on my mobile and use tethering to provide my internet connection on my laptop (after turning off the Wi-Fi on that as well of course). I'll try to upload a screenshot of the error message, plus a screenshot of the advanced VPN settings. I don't know how to do the iptables thingy, so I'll need some instructions for that. Do you also want me to upload my VPN configuration files (original, new and modified new with the DDNS data added)?
 

Attachments

  • Screenshot - 28_06_2022 , 16_44_16.jpg
  • Screenshot - 28_06_2022 , 18_54_27.jpg
According to the above, you did exactly as I suspected. You referenced router.asus.com (at least according to the error message), but did NOT advertise your own DNS server (DNSMasq) to the OpenVPN clients! Your own home name resolution is simply NOT going to work unless you give your OpenVPN clients access to DNSMasq.
 
Sorry, but I don't understand what you mean, and also, why would it work OK with the previous firmware but not with the latest firmware? Also, why is it that I can access the NAS shares on my LAN?
 
Sorry, but I don't understand what you mean, and also, why would it work OK with the previous firmware but not with the latest firmware?

You're asking me to evaluate your prior configuration, which I can't do. I can only look at the current circumstances and work from there.

If you want to reference a domain name like router.asus.com, that is ONLY known to your home router's DNS server (DNSMasq). But because you've configured "Advertise DNS to clients" as NO, the server is NOT pushing its own DNS server (DNSMasq) to your OpenVPN clients. Instead, they continue to use whatever DNS servers were configured before connecting to the OpenVPN server (e.g., 8.8.8.8 and 8.8.4.4). And those *public* DNS servers can NOT resolve router.asus.com, or any other local domain names on your home network.
 
I've found the setting you mentioned and turned it on and it's working now. I didn't have to do this before so could it be that the default has changed from yes to no since the last build? Also, there's still the mystery of why the ASUS DDNS info was missing in the new VPN configuration file (see the changes I made in the second screenshot for comparison).
New Config File.jpg
New Config File (with extra details added).jpg
 
Also, there's still the mystery of why the ASUS DDNS info was missing in the new VPN configuration file (see the changes I made in the second screenshot for comparison).

I'm NOT really surprised. All I can assume is the developer considered it too presumptuous to include your DDNS instead of the public IP. It's really not all that uncommon to have to "massage" that config file on occasion. For example, you might want to include the auth-user-pass directive as well to automatically login to the server. But the exported config file never includes that option by default.
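As an added example (not code from this thread, from ASUS or from Asuswrt-Merlin), a small Python script that applies eibgrad's two points above: it reads the PUSH_REPLY line from the router log posted earlier to check whether the server is pushing a DNS server to its clients, and it lints an exported client config for the bare-IP remote and the missing auth-user-pass directive. The sample client config and the 203.0.113.10 address are constructed.

```python
import re

# Constructed sample: the PUSH_REPLY line from the router log quoted in this thread.
# It pushes routes and a cipher but no 'dhcp-option DNS', which is eibgrad's point.
SAMPLE_PUSH_REPLY = (
    "Jun 28 16:42:13 ovpn-server1[4903]: client/109.249.181.125:65457 "
    "SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 "
    "vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,"
    "topology subnet,ping 15,ping-restart 60,"
    "ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)"
)

def pushed_options(log_line):
    """Split the comma-separated options out of a PUSH_REPLY log line."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", log_line)
    return [o.strip() for o in m.group(1).split(",") if o.strip()] if m else []

def pushed_dns_servers(options):
    """DNS servers the client is told to use via 'dhcp-option DNS <ip>'."""
    return [o.split()[2] for o in options
            if o.startswith("dhcp-option DNS ") and len(o.split()) == 3]

def diagnose(log_line):
    """Explain, from the server's own PUSH_REPLY, whether LAN names can resolve."""
    dns = pushed_dns_servers(pushed_options(log_line))
    if dns:
        return "DNS pushed: " + ", ".join(dns) + "; LAN names such as router.asus.com can resolve"
    return ("no dhcp-option DNS pushed: client keeps its pre-VPN resolvers, "
            "so use the router's LAN IP instead of router.asus.com")

def lint_client_config(text):
    """Flag the two things the exported .ovpn often needs edited by hand."""
    notes = []
    lines = text.splitlines()
    for l in lines:
        if l.startswith("remote ") and len(l.split()) > 1 and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", l.split()[1]):
            notes.append("remote is a bare IP (%s); a DDNS hostname survives WAN IP changes" % l.split()[1])
    if not any(l.startswith("auth-user-pass") for l in lines):
        notes.append("no auth-user-pass directive; the client will prompt for the username/password")
    return notes

# Constructed client config with a bare-IP remote (203.0.113.10 is a documentation address).
SAMPLE_CLIENT_CONFIG = "client\ndev tun\nremote 203.0.113.10 1194\nproto udp\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_PUSH_REPLY))
    for note in lint_client_config(SAMPLE_CLIENT_CONFIG):
        print("config:", note)
```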
 

Attachments

  • Screenshot - 28_06_2022 , 19_39_44.jpg
I was hoping that now that you've solved the main problem (many thanks for that), it would also work from my new Samsung Galaxy A22 mobile, but it won't. Even importing the configuration file was much harder (it wouldn't do from the phone's internal memory or the micro SD card, so I had to import it from a folder on my NAS). But even with that task finally accomplished, I cannot turn the VPN on. I'm not going to look into that any more tonight as it's not that important and I'm getting tired now. At least I can use the VPN on my laptop now and access the router's GUI if necessary. Thank you all so much for helping me with this. It really is appreciated.
 
I don't know how to do the iptables thingy, so I'll need some instructions for that.

With PuTTY, open an SSH connection to your router. Log in with the admin user and password and at the prompt issue the iptables command provided by @eibgrad
