With the same settings I connect on 380.64_2 with BF-CBC; on 380.65 and also on 380.66 alpha 3 with openssl 2.4.1 only AES-256 is possible (same with cipher negotiation disabled).
Server side is unchanged.

380.65 log

Apr 5 18:38:08 openvpn[1626]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 5 18:38:08 openvpn[1626]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 5 18:38:08 openvpn[1626]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 5 18:38:08 openvpn[1626]: [server] Peer Connection Initiated with [AF_INET]xxx:1194
Apr 5 18:38:09 openvpn[1626]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:38:14 openvpn[1626]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:38:14 openvpn[1626]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xxx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: route options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: peer-id set
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: data channel crypto options modified
Apr 5 18:38:14 openvpn[1626]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 5 18:38:14 openvpn[1626]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

380.64_2 log

Apr 5 18:47:36 openvpn[793]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 5 18:47:36 openvpn[793]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 5 18:47:36 openvpn[793]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 5 18:47:36 openvpn[793]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 5 18:47:36 openvpn[793]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 5 18:47:36 openvpn[793]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 5 18:47:36 openvpn[793]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 5 18:47:36 openvpn[793]: [server] Peer Connection Initiated with [AF_INET]xxx:1194
Apr 5 18:47:37 dnsmasq-dhcp[436]: DHCPREQUEST(br0) 192.168.1.152 9c:b7:0d:69:a3:dc
Apr 5 18:47:37 dnsmasq-dhcp[436]: DHCPACK(br0) 192.168.1.152 9c:b7:0d:69:a3:dc HP
Apr 5 18:47:38 openvpn[793]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:47:38 openvpn[793]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 2'
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: route options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: peer-id set
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: adjusting link_mtu to 1549

Attachment: 87u.JPG
Your VPN provider is seeing that you are running OpenVPN 2.4.x and pushing the cipher to the client.

380.65
Apr 5 18:38:14 openvpn[1626]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xxx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'

380.64_2
Apr 5 18:47:38 openvpn[793]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 2'

try adding

pull-filter ignore "cipher"

to your custom config

Not sure if you are also going to need to do something with the peer-id change.....

EDIT: Corrected command
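To make the difference between the two logs above concrete, here is an added Python example (not code from this thread, from Asuswrt-Merlin or from OpenVPN). It parses client syslog lines like the ones posted, pulls the options out of the PUSH_REPLY, records the data-channel cipher that was actually initialised, flags 64-bit block ciphers that trigger the SWEET32 warning, and emulates what `pull-filter ignore "cipher"` would remove from the push. The log lines inside it are constructed to mirror the posted ones; the third set, where the client keeps BF-CBC and then logs "packet HMAC authentication failed", is a constructed sample of the symptom reported later in the thread. What the server does on its side after the client drops the pushed cipher is not visible in a client log, so the script only reports what the client saw.

```python
"""Inspect OpenVPN client syslog lines for data-channel cipher selection.

Added example: not code from the thread, Asuswrt-Merlin or OpenVPN.
All log lines below are constructed to mirror the ones posted in the thread.
"""
import re
from dataclasses import dataclass, field

# 64-bit block ciphers: OpenVPN 2.4 logs a SWEET32 warning when one is used.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<msg>[^']*)'")
DATA_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '(?P<cipher>[^']+)'")
WARN_RE = re.compile(r"WARNING: INSECURE cipher")
HMAC_RE = re.compile(r"packet HMAC authentication failed")


@dataclass
class Session:
    pushed: list = field(default_factory=list)   # options left after pull-filter
    data_ciphers: set = field(default_factory=set)
    sweet32_warning: bool = False
    hmac_failure: bool = False


def parse_push_reply(msg):
    """Split a PUSH_REPLY payload into its option strings, e.g. 'cipher AES-256-GCM'."""
    items = [o.strip() for o in msg.split(",")]
    return [o for o in items if o and o != "PUSH_REPLY"]


def apply_pull_filter(options, ignore=()):
    """Emulate 'pull-filter ignore <text>': drop pushed options whose text starts with <text>."""
    return [o for o in options if not any(o.startswith(t) for t in ignore)]


def option_value(options, name):
    """Arguments of the first pushed option called <name>, or None if it was not pushed."""
    for o in options:
        head, _, rest = o.partition(" ")
        if head == name:
            return rest
    return None


def analyse(lines, ignore=()):
    """Walk syslog lines in order and collect what the client negotiated."""
    s = Session()
    for line in lines:
        m = PUSH_RE.search(line)
        if m:
            s.pushed = apply_pull_filter(parse_push_reply(m.group("msg")), ignore)
            continue
        m = DATA_RE.search(line)
        if m:
            s.data_ciphers.add(m.group("cipher"))
        if WARN_RE.search(line):
            s.sweet32_warning = True
        if HMAC_RE.search(line):
            s.hmac_failure = True
    return s


def summarize(lines, ignore=()):
    s = analyse(lines, ignore)
    return {
        "pushed_cipher": option_value(s.pushed, "cipher"),
        "data_ciphers": sorted(s.data_ciphers),
        "small_block": any(c in SMALL_BLOCK_CIPHERS for c in s.data_ciphers),
        "sweet32_warning": s.sweet32_warning,
        "hmac_failure": s.hmac_failure,
    }


# Constructed samples mirroring the posted 380.65 (OpenVPN 2.4) and 380.64_2 (2.3) logs.
LOG_380_65 = [
    "Apr 5 18:38:14 openvpn[1626]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
    "dhcp-option DNS 8.8.8.8,route xxx,topology net30,ifconfig xxx,peer-id 1,cipher AES-256-GCM'",
    "Apr 5 18:38:14 openvpn[1626]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key",
    "Apr 5 18:38:14 openvpn[1626]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key",
]
LOG_380_64_2 = [
    "Apr 5 18:47:36 openvpn[793]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "Apr 5 18:47:36 openvpn[793]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).",
    "Apr 5 18:47:38 openvpn[793]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
    "dhcp-option DNS 8.8.8.8,route xx,topology net30,ifconfig xx,peer-id 2'",
]
# Constructed: 2.4 client with pull-filter in place, then no traffic passes.
LOG_FILTERED = [
    "Apr 6 15:01:02 openvpn[2500]: Pushed option removed by filter: 'cipher AES-256-GCM'",
    "Apr 6 15:01:02 openvpn[2500]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "Apr 6 15:01:05 openvpn[2500]: Authenticate/Decrypt packet error: packet HMAC authentication failed",
]

if __name__ == "__main__":
    for label, log in (("380.65", LOG_380_65), ("380.64_2", LOG_380_64_2), ("filtered", LOG_FILTERED)):
        print(label, summarize(log))
    print("380.65 with pull-filter:", summarize(LOG_380_65, ignore=("cipher",)))
```

Running it shows the 2.4 log carrying a pushed `cipher AES-256-GCM` that the 2.3 log never had, the BF-CBC session flagged as a 64-bit block cipher, and the pull-filter emulation removing only the `cipher` option while `peer-id` and the rest of the push survive.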
push-filter ignore "cipher"

cipher in brackets ? "" ??

Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: push-filter (2.3.14)
 
Your VPN provider is seeing that you are running OpenVPN 2.4.x and pushing the cipher to the client.
Same here: Also my VPN provider forces cipher 'AES-256-CBC' to my OpenVPN 2.4.1 client!
Code:
Apr  5 19:22:40 openvpn[4777]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Apr  5 19:22:42 openvpn[4777]: Using peer cipher 'AES-256-CBC'
Apr  5 19:22:42 openvpn[4777]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
push-filter ignore "cipher"

cipher in brackets ? "" ??

Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: push-filter (2.3.14)
My fault....it's

pull-filter ignore "cipher"
 
Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: pull-filter (2.3.14)

"cipher" ??

""?
 
You're on OpenVPN 2.3.14.....need to load up 380.65

EDIT: I verified it's accepted on OpenVPN 2.4.1
 
Disable NCP; it should disable the automatic cipher negotiation and revert to what is hardcoded in the legacy "cipher" field, unless the provider specifically does NOT support that cipher. Note for instance that BF-CBC is now deprecated as it is considered too weak.

We'd still need to see your current configuration to help you troubleshoot this.
 
"Disable NCP", how do I do this?
"We'd still need to see your current configuration to help you troubleshoot this."
I've posted my settings, or what do you mean?

client
dev tun
auth-user-pass
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
mute-replay-warnings
verb 3
fragment 1300
mssfix 1300
reneg-sec 0
tun-mtu 1500
 
Pushed option removed by filter: 'cipher AES-256-GCM'
NICE!

BUT:
Authenticate/Decrypt packet error: packet HMAC authentication failed
???
 
I've posted my settings, or what do you mean?
He may not have seen your screenshot attachment in your previous post. If you have a Windows client, perhaps you can use the snipping tool to copy and paste the screen instead. Not sure if my OpenVPN 2.4 Client/ASUS Merlin 380.65 setup guide will help you. It is TorGuard centric but has helped some PIA customers.

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-i.38281/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-ii.38282/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-iii.38283/
"We'd still need to see your current configuration to help you troubleshoot this."
I've posted my settings, or what do you mean?


Maybe re-post just the screenshot of the webui page? When you posted it before it was at the end of a very long list of log entries. Merlin must be a very busy fellow and possibly never made it as far as the bottom of the page. I similarly only saw it by chance.
 
I admit, I missed your screenshot. First thing to do is to change Cipher Negotiation to Disable and remove the pull-filter. Then post another syslog.
 
Apr 6 13:34:29 openvpn[856]: TLS: Initial packet from [AF_INET]xxx:1194, sid=8eff86ef 9010a66b
Apr 6 13:34:29 openvpn[856]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 6 13:34:29 openvpn[856]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 6 13:34:29 openvpn[856]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 6 13:34:29 openvpn[856]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 6 13:34:29 openvpn[856]: [server] Peer Connection Initiated with [AF_INET]xx:1194
Apr 6 13:34:30 openvpn[856]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 6 13:34:31 openvpn[856]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 1xx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: route options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: peer-id set
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: data channel crypto options modified
Apr 6 13:34:31 openvpn[856]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 13:34:31 openvpn[856]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 13:34:31 openvpn[856]: TUN/TAP device tun12 opened
Apr 6 13:34:31 openvpn[856]: TUN/TAP TX queue length set to 100
Apr 6 13:34:31 openvpn[856]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 6 13:34:31 openvpn[856]: /usr/sbin/ip link set dev tun12 up mtu 1500
 

Attachment: 87Udisabled.JPG
no change

Apr 6 14:38:06 openvpn[2371]: TLS: Initial packet from [AF_INET]xxx:1194, sid=d7d7890c f674bce2
Apr 6 14:38:06 openvpn[2371]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 6 14:38:06 openvpn[2371]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 6 14:38:06 openvpn[2371]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 6 14:38:06 openvpn[2371]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 6 14:38:06 openvpn[2371]: [server] Peer Connection Initiated with [AF_INET]xx:1194
Apr 6 14:38:08 openvpn[2371]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 6 14:38:09 openvpn[2371]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 0,cipher AES-256-GCM'
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: route options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: peer-id set
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: data channel crypto options modified
Apr 6 14:38:09 openvpn[2371]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 14:38:09 openvpn[2371]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 14:38:09 openvpn[2371]: TUN/TAP device tun12 opened
Apr 6 14:38:09 openvpn[2371]: TUN/TAP TX queue length set to 100
Apr 6 14:38:09 openvpn[2371]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
 
The server has AES-256-GCM hardcoded in its push rather than handled through automatic negotiation. Check with your provider, you might need to use a different port or server if you wish to use a pre-2.4 cipher.

Ultimately, the cipher is decided by the provider, not by the user.

Filtering the cipher parameter might work, depending on how the server is set at their end, but once again, you cannot arbitrarily decide which cipher to use - they're the one that decide.
 
Sorry, but this is not correct: if I put "pull-filter ignore "cipher"" in my config, I am already connecting with Blowfish, but no data is possible, because I get the mentioned "HMAC" error ;-(
 