Problems running VPN server...


Please check your OpenVPN logs when you have the 'proto udp4' option enabled and make sure the tunnel connection is using an IPv4 route.
According to the logs, it now is:
Code:
Feb 14 09:32:06 ovpn-server1[10710]: client/XXX.XXX.XXX.XXX:50521 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Feb 14 09:32:06 ovpn-server1[10710]: client/XXX.XXX.XXX.XXX:50521 MULTI: Learn: 10.8.0.2 -> client/XXX.XXX.XXX.XXX:50521
Feb 14 09:32:06 ovpn-server1[10710]: client/XXX.XXX.XXX.XXX:50521 MULTI: primary virtual IP for client/XXX.XXX.XXX.XXX:50521: 10.8.0.2


You say currently you have compression off. Your screenshot shows compression is LZ4.
Yeah, I turned it off after posting that screenshot. As I said, it is currently off.
Advertise DNS to client = YES
Client will use VPN to access = BOTH
But I do *not* want the client to connect to the internet via the VPN, I want it to only connect to the LAN.
Anyway, I tried this and same story. Can't connect. No internet access, no LAN access.

I'm pulling my hair here. No idea what is going on. Is it something I need to add to PORT FORWARDING or PORT TRIGGER? How about the firewall?
I do have a VPN client concurrently running at the same time. Should I change ports?

The logs show nothing wrong. This is insane.
 

I have three VPN clients running and a VPN server running. All straightforward, no custom settings entered.

Just for grins, and to help isolate the problem, if you have the time and your family has the patience, try this:

1 Back up your current configuration.
2 Do a factory reset then power cycle your router.
3 Do a minimal setup and, before changing anything besides username/password and basic WiFi, set up a VPN client and download a new configuration file for your phone. Then see if you can get the server working and connect using your iPhone. If it works then you know one of your settings was the problem. You then can start adding other features and find out what breaks your VPN server.
4 If you can't connect you can just restore your saved configuration file and you are no worse off than before.

You shouldn't be having this hard of a time connecting. For most people it just works from the get go like most features using Merlin's firmware.
 
You shouldn't be having this hard of a time connecting. For most people it just works from the get go like most features using Merlin's firmware.
I know I never have this problem with anything else but VPN server is just something that never worked for me.

I just feel like something somewhere is blocking the access, this is why I asked about port forwarding and the firewall.

I hate having to erase everything to try and see what happens but I'll try this out when I will not bother anyone's internet access. Thanks!
 
Could test:
Protocol=TCP
Port=443
and even
TLS control channel security = Encrypt channel
(tls-auth / tls-crypt)
 
I know I never have this problem with anything else but VPN server is just something that never worked for me.......
!

Then all the more reason to take seriously CaptainSTX’s suggestion about a Manual and Minimal factory reset.
...try this:

2 Do a factory reset then power cycle your router...
....You shouldn't be having this hard of a time connecting. For most people it just works from the get go like most features using Merlin's firmware.


And if you follow L&LD’s Manual and Minimal guide, you won’t go wrong. CaptainSTX is dead right: “For most people it just works from the get go like most features using Merlin's firmware.”
 
I'm tired of this. I cannot reset the router to its default config now or any time soon.
I tried everything. Despite what the logs say, the iOS client still shows UDPv6 as a connection. I am forcing both, supposedly, to not use UDP v6 but it is doing so.

I tried on a Mac and I couldn't connect either.
This is as far as I go now. I don't have any more time to waste in this nonsense. Might as well set up a Raspberry Pi as a VPN server and open that to the internet.
 
I have been unable to make the OpenVPN Server connection work properly for some devices when setting Compression to None or Disabled on the OpenVPN Server. Try setting Compression to LZ4 (LZO is deprecated in OpenVPN 2.4 and will be removed in OpenVPN 2.5). LZ4 generally provides the best performance with the least CPU usage.
 
Try setting Compression to LZ4 (LZO is deprecated in OpenVPN 2.4 and will be removed in OpenVPN 2.5). LZ4 generally provides the best performance with the least CPU usage.
I already did that. I started with LZ4 compression. It didn't work either.
When any of you say "did not work" I don't understand in which way.

I can connect to the server. The server spouts out no errors whatsoever. But there's ZERO transfer of data between client and server after that point.
Messed with all server options. None work.
Tried different clients on different machines. None work.
 
I already did that. I started with LZ4 compression. It didn't work either.
When any of you say "did not work" I don't understand in which way.
I can't recall if it was an Android or iOS device. I found I needed to specify some level of compression in order to connect. Setting compression to None made the connection not work. I ended up going with LZ4 Adaptive.
 
I've just enabled the second OpenVPN server on RT-AC68U running 384.15 to test with my iPhone 6 running iOS 12.4.5 (latest) and OpenVPN 3.1.0(2771) (not the latest; the latest in App Store shows version 3.1.1).

I've used the exact settings shown in the first post. The connection is successful, but it fails to access the router's WebUI using its LAN IP address (not its VPN IP address, as that will fail). I have to mention that I use only HTTPS access and was prompted to accept the certificate, but after that the page never loads.

I've switched the compression to None and tested again (after deleting the previous profile from the OpenVPN app on the phone, exporting the new profile from the WebUI on the PC, transferring it to the phone using iTunes's File Sharing option, importing it in the app and connecting again). The connection was also successful, but it also failed to access the router's WebUI, this time without even prompting to accept the certificate.

I've switched the compression to Disable and tested again (doing the same steps as above). The connection is successful and I can access the router's WebUI.

I'll mention that the difference between the exported configuration files is that with compression set to LZ4 there is a compress lz4 line, and with compression set to None a comp-lzo no line, in addition to what is there when compression is set to Disable.

So, @ZakM, try to do this and tell us your results.

Edit: Retested again and LZ4 compression works, but None still won't, see next post for details.
 
If a configuration file has comp-lzo no or compress lz4, then the traffic is framed for compression. When compression is disabled those lines are not present in the config file. If the traffic is framed for compression on one side and not on the other, then a connection will be made and no traffic will flow.

@Xentrk's comment is a little different: it might be that one side or the other doesn't support traffic being framed for compression without a compression method being specified.

Also, this: https://forums.openvpn.net/viewtopic.php?f=36&t=27195. I don't know where they ended up on compression and Voracle, but it sounded like just importing the config wasn't enough; a setting change in the app was required.

So again, you might try passepartout instead of the official client.
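The framing rule in the post above (a config with comp-lzo no or compress lz4 frames packets for compression, a config with neither directive does not, and a mismatch between the two ends connects but passes no traffic) is mechanical enough to check from the files themselves. The following checker is an added example, not code from the thread or from the firmware; the server and client configs inside it are constructed for the example and the remote hostname is a placeholder. It also reports the effective value of a repeated directive, since OpenVPN lets a later line override an earlier one.

```python
"""Added example (not from the thread or the firmware): classify the
compression framing an OpenVPN config declares and compare the two ends.

Rule implemented: 'comp-lzo no' and 'compress lz4' both frame packets for
compression, a config with neither directive does not, and if one side
frames while the other does not the tunnel connects but passes no data.
The sample configs are constructed; vpn.example.invalid is a placeholder."""
import shlex

SERVER_DISABLED = """\
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 1194
push "route 10.0.0.0 255.255.255.0 vpn_gateway 500"
# Custom Configuration
proto udp4
"""

CLIENT_NONE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
comp-lzo no
"""

CLIENT_LZ4 = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
compress lz4
"""


def parse_directives(text):
    """Return (directive, args) pairs in file order, skipping blanks and comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        parts = shlex.split(line)       # honours the quotes around a push payload
        out.append((parts[0], parts[1:]))
    return out


def effective(text, directive):
    """Value of the last occurrence of a directive, or None.  A later line
    overrides an earlier one, which is how a custom 'proto udp4' line wins
    over the generated 'proto udp' above it."""
    value = None
    for name, args in parse_directives(text):
        if name == directive:
            value = ' '.join(args)
    return value


def compression_framing(text):
    """'none' when no framing directive is present, 'stub' for framing with
    nothing actually compressed ('comp-lzo no' or a bare 'compress'),
    otherwise the algorithm named ('lz4', 'lz4-v2', 'lzo', ...)."""
    framing = 'none'
    for name, args in parse_directives(text):
        if name == 'comp-lzo':
            framing = 'stub' if args[:1] == ['no'] else 'lzo'
        elif name == 'compress':
            framing = args[0] if args else 'stub'
    return framing


def check_pair(server_text, client_text):
    """Return (ok, explanation) for a server/client config pair."""
    s, c = compression_framing(server_text), compression_framing(client_text)
    if (s == 'none') != (c == 'none'):
        return False, ('framing mismatch (server=%s, client=%s): the tunnel will '
                       'negotiate but no traffic will flow' % (s, c))
    return True, 'framing consistent (server=%s, client=%s)' % (s, c)


if __name__ == '__main__':
    for label, client in (('None', CLIENT_NONE), ('LZ4', CLIENT_LZ4)):
        print(label, check_pair(SERVER_DISABLED, client)[1])
    print('effective proto:', effective(SERVER_DISABLED, 'proto'))
```

The check reads only the static lines of each file; a compression setting the server pushes to the client at connect time, or a client app option that overrides the profile, is outside what it can see.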
 
So, it seems that the OpenVPN app on the phone has Allow Compression (insecure) setting set to NO and that with it set to FULL, LZ4 compression also works, thanks @elorimer for the hint to look in the app settings and also reminding me of the voracle vulnerability (which is one of the reasons that I don't use compression). However compression set to None will still not work.

Given this @ZakM, set your compression to Disabled, apply the setting, export the client config, add it to the phone, import the profile in the OpenVPN app, connect to it and try accessing your router's WebUI using its LAN IP (as if you were doing it from within the LAN).

Other lan devices may require additional settings in their firewall rules so that you can access them from a device using vpn as this device is outside of the lan subnet when using a tun vpn interface type (you can test this by temporarily disabling the firewall on the device you want to access).
 
Other lan devices may require additional settings in their firewall rules so that you can access them from a device using vpn as this device is outside of the lan subnet when using a tun vpn interface type (you can test this by temporarily disabling the firewall on the device you want to access).
OK so what are you supposed to do here then? I'm a bit confused now. I thought that as long as I was in the VPN connection I can access all the LAN.

Also while going through the router UI, I found these settings under WAN:
[attached screenshot: Capture.PNG]


Are any of these relevant?
 
Manage Client-Specific Options - Yes
Allow Client <-> Client - Yes

Try this.
 
First thing first, can you access the router's WebUI from the phone using vpn?
OK so what are you supposed to do here then? I'm a bit confused now. I thought that as long as I was in the VPN connection I can access all the LAN.
[...]
Yes, the vpn device can definitely access the lan devices, but the lan devices may not want to allow devices on other subnets than their local one.

For example, for me to be able to access windows shares, I have to add the vpn subnet to the allowed remote addresses in the firewall rule. The default rule allows only Local subnet access in either Private or Public firewall profiles and only the Domain profile allows Any subnet access (see the attached file).
[attached screenshot: upload_2020-2-18_21-36-33.png]
 
Manage Client-Specific Options - Yes
Allow Client <-> Client - Yes

Try this.
I think these allow remote client #1 to reach remote client #2, and don't affect whether remote client #1 can reach places on the LAN. The LAN or Both setting pushes a route to the LAN.
 
First thing first, can you access the router's WebUI from the phone using vpn?
I went and tried this whole thing again. No I cannot access absolutely anything in the local network, not even 10.0.0.1 which is where the router is.
A problem I find with the iPhone OpenVPN app is that I already told it to use IPv4 only, I made the server config with "proto udp4" as an option, and it still somehow wants to connect via UDPv6. I now downloaded Passepartout, and it's the same story. As I said before, every client on every system has given me the same result, so I don't feel it's the client, rather, some misconfiguration in my setup.

So yeah, still pulling my hair out.
Also this: why is the server status showing 32780, a weird butt port, as the one my client is connected to? I configured the server to respond at 1194. Is this some UPnP crap?

Yes, the vpn device can definitely access the lan devices, but the lan devices may not want to allow devices on other subnets than their local one.
OK I understand now. The main reason I want to do this is to access my media server remotely. There're no firewall rules on the media server, it's all pretty much open. Also main reason why I want to access it via a VPN tunnel instead of exposing it to the internet as is.
 
It seems that not all replies are here anymore, maybe a roll back on the database of the forum.

@ZakM do you have an IPv6 address on your mobile phone using the mobile data? For me, accessing https://whatismyipaddress.com/ says IPv6:Not detected.

I'll quote the one before last post on this thread, OVPN connects via UDPv6 if hostname is used, UDPv4 if IP used:
the fix for this is to force T-Mobile to use an ipv4 profile using a custom carrier configuration within Apple Configurator. Once a user does this, ip4 is used again, fixing the brokenness with OpenVPN and T-Mobile ip6
As I don't have IPv6 from my carrier, I cannot get openvpn connected through UDPv6.
Also I see that Apple Configurator is only for MacOS.

When connecting from the windows pc, did it have the same problem of connecting using UDPv6? If you didn't check, can you try it again? If it doesn't work, please post the log.

Regarding the mentioned port on the vpn status page, all I have there (/Advanced_VPNStatus.asp) is the socket (ip : port) of the connected client, nothing about the server. Please post a print screen of the page where the port is shown (edited for sensitive content).

Please also post the server config file from /etc/openvpn/server1/config.ovpn (or server2 if that is what you are connecting to).
 
do you have an IPv6 address on your mobile phone using the mobile data?
Yes I actually do. But I connect via IP , I don't have a hostname.
But yesterday I tried logging in to the VPN server via my intranet (by pointing the server address to my router) and that wouldn't connect either, so again it feels like something is blocking the connection on the router.
When connecting from the windows pc, did it have the same problem of connecting using UDPv6?
No

Regarding the mentioned port on the vpn status page, all I have there (/Advanced_VPNStatus.asp) is the socket (ip : port) of the connected client, nothing about the server.
Yes. It is the client that shows that port. Is that correct?

Please also post the server config file from /etc/openvpn/server1/config.ovpn (or server2 if that is what you are connecting to).

OK here it is:

Code:
# Automatically generated configuration
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
txqueuelen 1000
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
keepalive 15 60
verb 3
push "route 10.0.0.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
verify-client-cert none
username-as-common-name
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up updown.sh
down updown.sh
status-version 2
status status 5

# Custom Configuration
proto udp4

I noticed the OVPN I exported did NOT have UDP4 as an option, so I edited that by hand.

Then this is the latest log:
Code:
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:51264, sid=7942b744 c96fc7ea
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_VER=2.4
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_PLAT=mac
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_UI_VER=com.algoritmico.TunnelKit_2.2.1
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_PROTO=2
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_NCP=2
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_SSL=OpenSSL_1.1.1d__10_Sep_2019
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_LZO_STUB=1
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 peer info: IV_LZO=1
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn-plugin-auth-pam.so
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:51264
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 PUSH: Received control message: 'PUSH_REQUEST'
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 Delayed exit in 5 seconds
Feb 19 11:24:27 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Feb 19 11:24:32 ovpn-server1[3345]: XXX.XXX.XXX.XXX:27503 SIGTERM[soft,delayed-exit] received, client-instance exiting
Feb 19 11:24:32 ovpn-server1[3345]: XXX.XXX.XXX.XXX:51264 SIGTERM[soft,delayed-exit] received, client-instance exiting
Feb 19 11:24:46 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:29336, sid=d881ec43 b1f17bbf
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_VER=2.4
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_PLAT=mac
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_UI_VER=com.algoritmico.TunnelKit_2.2.1
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_PROTO=2
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_NCP=2
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_SSL=OpenSSL_1.1.1d__10_Sep_2019
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_LZO_STUB=1
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 peer info: IV_LZO=1
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 TLS: Username/Password authentication succeeded for username 'USER' [CN SET]
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1557'
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
Feb 19 11:24:47 ovpn-server1[3345]: XXX.XXX.XXX.XXX:29336 [USER] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:29336
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 MULTI: Learn: 10.8.0.2 -> USER/XXX.XXX.XXX.XXX:29336
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 MULTI: primary virtual IP for USER/XXX.XXX.XXX.XXX:29336: 10.8.0.2
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 PUSH: Received control message: 'PUSH_REQUEST'
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 SENT CONTROL [USER]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0 vpn_gateway 500,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 Data Channel: using negotiated cipher 'AES-128-GCM'
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Feb 19 11:24:47 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Feb 19 11:26:01 ovpn-server1[3345]: USER/XXX.XXX.XXX.XXX:29336 SIGTERM[soft,remote-exit] received, client-instance exiting
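A server log like the one above answers several of the questions raised in this thread at once: whether PAM accepted the credentials, whether the client arrived over IPv4 or IPv6 (the [AF_INET] or [AF_INET6] tag), which data-channel cipher was negotiated, which pool address and routes were pushed, and how long the client instance lived. The parser below is an added example, not code from the thread or the firmware; it groups lines by client socket and gives a per-attempt verdict. Its sample lines are modelled on the log above, with the documentation address 203.0.113.5 standing in for the redacted client IP.

```python
"""Added example (not from the thread): summarise OpenVPN server log lines
per client session so a 'connects but no data' case can be told apart from
an auth failure.  Sample lines are modelled on the log above with the
documentation address 203.0.113.5 standing in for the redacted client IP."""
import re
from collections import OrderedDict
from datetime import datetime

SAMPLE_LOG = """\
Feb 19 11:24:27 ovpn-server1[3345]: 203.0.113.5:51264 TLS: Initial packet from [AF_INET]203.0.113.5:51264, sid=7942b744 c96fc7ea
Feb 19 11:24:27 ovpn-server1[3345]: 203.0.113.5:51264 peer info: IV_PLAT=mac
Feb 19 11:24:27 ovpn-server1[3345]: 203.0.113.5:51264 peer info: IV_LZO=1
Feb 19 11:24:27 ovpn-server1[3345]: 203.0.113.5:51264 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn-plugin-auth-pam.so
Feb 19 11:24:27 ovpn-server1[3345]: 203.0.113.5:51264 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 19 11:24:27 ovpn-server1[3345]: 203.0.113.5:51264 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Feb 19 11:24:46 ovpn-server1[3345]: 203.0.113.5:29336 TLS: Initial packet from [AF_INET]203.0.113.5:29336, sid=d881ec43 b1f17bbf
Feb 19 11:24:47 ovpn-server1[3345]: 203.0.113.5:29336 peer info: IV_PLAT=mac
Feb 19 11:24:47 ovpn-server1[3345]: 203.0.113.5:29336 peer info: IV_LZO=1
Feb 19 11:24:47 ovpn-server1[3345]: 203.0.113.5:29336 TLS: Username/Password authentication succeeded for username 'USER' [CN SET]
Feb 19 11:24:47 ovpn-server1[3345]: 203.0.113.5:29336 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1557'
Feb 19 11:24:47 ovpn-server1[3345]: USER/203.0.113.5:29336 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Feb 19 11:24:47 ovpn-server1[3345]: USER/203.0.113.5:29336 SENT CONTROL [USER]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0 vpn_gateway 500,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Feb 19 11:24:47 ovpn-server1[3345]: USER/203.0.113.5:29336 Data Channel: using negotiated cipher 'AES-128-GCM'
Feb 19 11:26:01 ovpn-server1[3345]: USER/203.0.113.5:29336 SIGTERM[soft,remote-exit] received, client-instance exiting
"""

# syslog timestamp, process[pid]:, optional "CN/" prefix, client ip:port, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+\[\d+\]: '
    r'(?:(?P<cn>[^/\s]+)/)?(?P<sock>\S+) (?P<msg>.*)$')


def summarize_sessions(log_text):
    """Group lines by client socket (ip:port) and extract the handshake facts."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m['sock'], {
            'sock': m['sock'], 'user': None, 'first': m['ts'], 'last': m['ts'],
            'auth': 'pending', 'family': None, 'platform': None,
            'lzo_capable': False, 'cipher': None, 'vip': None, 'pushed': [],
            'warnings': [], 'exit': None})
        s['last'] = m['ts']
        if m['cn']:
            s['user'] = m['cn']
        msg = m['msg']
        af = re.search(r'\[(AF_INET6?)\]', msg)
        if af:                                   # transport family the client used
            s['family'] = 'IPv6' if af[1] == 'AF_INET6' else 'IPv4'
        if msg.startswith('peer info: '):
            key, _, val = msg[len('peer info: '):].partition('=')
            if key == 'IV_PLAT':
                s['platform'] = val
            elif key == 'IV_LZO' and val == '1':
                s['lzo_capable'] = True
        elif "'AUTH_FAILED'" in msg:
            s['auth'] = 'failed'
        elif 'authentication succeeded' in msg:
            s['auth'] = 'ok'
        elif msg.startswith('WARNING: '):
            s['warnings'].append(msg[len('WARNING: '):])
        elif msg.startswith('MULTI_sva: pool returned'):
            s['vip'] = re.search(r'IPv4=(\S+),', msg)[1]
        elif "'PUSH_REPLY," in msg:             # options pushed to the client
            s['pushed'] = msg.split("'", 2)[1].split(',')[1:]
        elif msg.startswith('Data Channel: using negotiated cipher'):
            s['cipher'] = msg.split("'")[1]
        elif 'client-instance exiting' in msg:
            s['exit'] = re.search(r'SIGTERM\[([^\]]+)\]', msg)[1]
    return list(sessions.values())


def session_seconds(s):
    """Lifetime of the client instance, first to last log line (same year assumed)."""
    fmt = '%b %d %H:%M:%S'
    delta = datetime.strptime(s['last'], fmt) - datetime.strptime(s['first'], fmt)
    return int(delta.total_seconds())


def diagnose(s):
    """One-line verdict based only on what the server log can show."""
    if s['auth'] == 'failed':
        return 'PAM rejected the username/password; no tunnel was built'
    if s['auth'] == 'ok' and s['cipher'] and s['vip']:
        return ('tunnel negotiated over %s, cipher %s, client got %s; the control '
                'channel is fine, so a no-traffic symptom lies below it (compression '
                'framing, routes, LAN-side firewalls)' % (s['family'], s['cipher'], s['vip']))
    return 'handshake did not complete'


if __name__ == '__main__':
    for s in summarize_sessions(SAMPLE_LOG):
        print('%s %s %ds: %s' % (s['sock'], s['platform'], session_seconds(s), diagnose(s)))
```

Run it against a copy of /tmp/syslog.log filtered for ovpn-server lines; the second session in the sample is the thread's pattern exactly: credentials accepted, AES-128-GCM negotiated, 10.8.0.2 assigned and the LAN route pushed, then a clean remote exit 75 seconds later with nothing in the server log to explain the silence.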
 