Following update to the current Merlin (388.2_2 - 05.05.23) Firmware on 22.05.23, neither VPN Client (Express VPN & NordVPN) made a successful connection, reporting "Error - Authentication failure!"
Inspecting the System Logs indicated a 'keysize' issue in respect of the Express VPN and this was successfully resolved by removal of the line "keysize 256" from the Custom Configuration entry.
However, the NordVPN is clearly a different issue and with my rudimentary skillset I have not as yet been able to isolate the problem despite:
1: Reviewing the System logs
2: Replacing the OpenVPN Client Config File with a new and entirely different one, as before configured to the previously working standard. <see attached txt files>
3: Adding a fallback Cipher line (data-ciphers-fallback BF-CBC) as suggested as a resolution.
4: Adding a Push line (push "route 192.168.x.1 255.255.255.0" ...where x is my LAN IP) also suggested as a resolution.
This is the original working setup as advised here. Service state as reported when working: [ON] Connected (Local 10.8.1.7 - Public 152.89.207.235)
Code:
Select client instance (2) 2: UK2238 - NordVPN
Service state (2) [OFF] Error - Authentication failure!
Automatic start at boot time (2)
Yes Selected
No Unselected
Description (2) UK2238 - NordVPN
Import .ovpn file (2) [uk2238.nordvpn.com.udp.ovpn]
Network Settings
Interface Type (2) TUN
Protocol (2) UDP
Server Address and Port (2) Address: 178.239.162.171 Port 1194
Create NAT on tunnel (2)
Yes Selected
No Unselected
Inbound Firewall (2)
Block Selected
Allow Unselected
Accept DNS Configuration (2) Disabled
Redirect Internet traffic through tunnel (2) VPN Director (policy rules)
Killswitch - Block routed clients if tunnel goes down
Yes Unselected
No Selected
Authentication Settings
Authorization Mode TLS
Username/Password Authentication
Yes Selected
No Unselected
Username MYEMAILADDRESS
Password MYPASSWORD
Username / Password Auth. Only
Yes Unselected
No Selected
Keys & Certificates: As provided in current NordVPN OpenVPN Client Config file <uk2238.nordvpn.com.udp.ovpn> NB. NordVPN has now replaced "udp1194.com" with "udp.vpn" original file was <uk2508.nordvpn.com.udp1194.ovpn> see attached .txt files
Data ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
TLS control channel security (tls-auth / tls-crypt) Outgoing Auth (1)
Auth digest SHA512
Advanced Settings
Log verbosity (0-6, default=3) 3
Compression Disabled
TLS Renegotiation Time (in seconds, -1 for default) 0
Connection Retry attempts (0 for infinite) 0
Verify Server Certificate Name No
Custom Configuration:
remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
This is an extract from the System Log from earlier in the day
Code:
Jul 10 15:05:57 ovpn-client2[5961]: OpenVPN 2.6.3 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jul 10 15:05:57 ovpn-client2[5961]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.08
Jul 10 15:05:57 ovpn-client2[5962]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jul 10 15:05:57 ovpn-client2[5962]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 10 15:05:57 ovpn-client2[5962]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Jul 10 15:05:57 ovpn-client2[5962]: TCP/UDP: Preserving recently used remote address: [AF_INET]178.239.162.171:1194
Jul 10 15:05:57 ovpn-client2[5962]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Jul 10 15:05:57 ovpn-client2[5962]: UDPv4 link local: (not bound)
Jul 10 15:05:57 ovpn-client2[5962]: UDPv4 link remote: [AF_INET]178.239.162.171:1194
Jul 10 15:05:57 ovpn-client2[5962]: TLS: Initial packet from [AF_INET]178.239.162.171:1194, sid=7758f20c 9aac4229
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA8
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY KU OK
Jul 10 15:05:57 ovpn-client2[5962]: Validating certificate extended key usage
Jul 10 15:05:57 ovpn-client2[5962]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY EKU OK
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=0, CN=uk2238.nordvpn.com
Jul 10 15:05:57 ovpn-client2[5962]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Jul 10 15:05:57 ovpn-client2[5962]: [uk2238.nordvpn.com] Peer Connection Initiated with [AF_INET]178.239.162.171:1194
Jul 10 15:05:57 ovpn-client2[5962]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jul 10 15:05:57 ovpn-client2[5962]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Jul 10 15:05:58 ovpn-client2[5962]: SENT CONTROL [uk2238.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jul 10 15:06:03 ovpn-client2[5962]: SENT CONTROL [uk2238.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jul 10 15:06:03 ovpn-client2[5962]: AUTH: Received control message: AUTH_FAILED
Jul 10 15:06:03 ovpn-client2[5962]: SIGTERM received, sending exit notification to peer
Jul 10 15:06:06 ovpn-client2[5962]: SIGTERM[soft,exit-with-notification] received, process exiting
Can anyone identify the problem and suggest a working remedy?
Your help and advice much appreciated. Thanks in advance.
PC Pilot
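
A way to read the log extract in the post above stage by stage, as an added example that is not part of the original post: it records which OpenVPN handshake milestones the client reached before AUTH_FAILED and which insecure-cipher warnings were logged. The function name `triage` and the stage labels are hypothetical; the sample lines are taken from the posted log.

```python
import re

# Handshake milestones in the order an OpenVPN client logs them.
STAGES = [
    ("tls_started", re.compile(r"TLS: Initial packet from")),
    ("server_cert_verified", re.compile(r"VERIFY OK: depth=0")),
    ("control_channel_up", re.compile(r"Peer Connection Initiated")),
    ("push_requested", re.compile(r"SENT CONTROL .*'PUSH_REQUEST'")),
    ("push_received", re.compile(r"PUSH: Received control message")),
]
AUTH_FAILED = re.compile(r"AUTH: Received control message: AUTH_FAILED")
WEAK_CIPHER = re.compile(r"WARNING: INSECURE cipher \(([^)]+)\)")

# Lines taken from the system log in the post (the first one shortened).
SAMPLE_LOG = """\
Jul 10 15:05:57 ovpn-client2[5962]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).
Jul 10 15:05:57 ovpn-client2[5962]: TLS: Initial packet from [AF_INET]178.239.162.171:1194, sid=7758f20c 9aac4229
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=0, CN=uk2238.nordvpn.com
Jul 10 15:05:57 ovpn-client2[5962]: [uk2238.nordvpn.com] Peer Connection Initiated with [AF_INET]178.239.162.171:1194
Jul 10 15:05:58 ovpn-client2[5962]: SENT CONTROL [uk2238.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jul 10 15:06:03 ovpn-client2[5962]: AUTH: Received control message: AUTH_FAILED
"""


def triage(log_text):
    """Return the stages reached, weak ciphers warned about, and where it failed."""
    reached, weak, auth_failed = [], [], False
    for line in log_text.splitlines():
        for name, pattern in STAGES:
            if name not in reached and pattern.search(line):
                reached.append(name)
        match = WEAK_CIPHER.search(line)
        if match and match.group(1) not in weak:
            weak.append(match.group(1))
        auth_failed = auth_failed or bool(AUTH_FAILED.search(line))
    if auth_failed and "control_channel_up" in reached:
        # TLS and certificate checks passed; the server refused the login itself.
        failed_at = "user_pass_auth"
    elif auth_failed:
        failed_at = "auth_failed_log_incomplete"
    elif "push_received" in reached:
        failed_at = None  # server answered the PUSH_REQUEST
    elif "server_cert_verified" not in reached:
        failed_at = "tls_or_certificate"
    else:
        failed_at = "no_push_reply"
    return {"reached": reached, "weak_ciphers": weak, "failed_at": failed_at}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this reports the failure at the username/password step, after the certificate chain and control channel were already accepted, and lists BF-CBC as the cipher behind the SWEET32 warning.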