Storage for Multiple VPN Clients not Successful


dayoldy

New Around Here
Greeting SNBers,

Thanks to Merlin 384.18, I was successful at configuring my 1st VPN!
I was able to create one client, which pointed to my VPN profile of choice.
I was able to assign it my own policy rules for selective behaviour.
Plus my assigned name/description for it began to appear as the top option in the Client selection drop-down menu!
I love it!

BUT...
after testing the performance for a few days, I wanted to add 4 more profiles that my provider offered. Unfortunately that hasn't worked.
For this next client, I simply duplicated Client 1's successful settings, and uploaded a different .ovpn.
But then when I clicked "Apply", the progress indicator whirled for a second and quit.
The profile info instantly disappeared from where it was entered ( "Import .ovpn file").
And it didn't show up on the option "Service state", like the first one had.
Plus, my Username and Password disappeared.
Configuration for Client 2 failed and I don't know what I did wrong.

This behavior is frustratingly familiar to me, because the same thing happened while configuring Client 1.
I had prepared by reading Eric's document "Configuring OpenVPN", which advised clicking "Yes" on "Enable JFFS custom scripts and configs".
But I found that after doing that, I couldn't get my settings to "Apply".
So I next tried enabling "Format JFFS partition at next boot", and then rebooted.
That worked. After that, my settings got saved when I hit "Apply". And the VPN connected successfully!

I'm still quite naive about how JFFS and VPN client functionality are programmed to work together.
So here are my questions. I'd be happy if someone could answer... or point me to something educational:

Q1) Is the JFFS partition programmed to act like "write-once, read-many" or is this behavior I'm seeing abnormal?
In other words, do I need to initialize/enable JFFS, then in one session configure ALL of the clients that I'll be using, then commit them all to storage at the same time?

Q2) I jumped on board with Merlin toward the end of v384.17, without looking at any change docs. I then upgraded to v384.18 right before messing with VPN. In discovering & reading the change doc, I came to understand that I was supposed to do a "factory reset" after installing 384.17. That's quite unintuitive for me. And I've seen some discussion about the concept of "dirty upgrades" elsewhere. So was my latest upgrade "dirty", and is it possibly the cause of the behavior I'm experiencing?

Q3) Just as a general question, I'm wondering why the router's NVRAM isn't adequate for storing these VPN settings. Is using the JFFS2 partition a workaround to store Merlin's multiple VPN client functionality?

Q4) How do I go forward with my 5-client setup?

Thanks so much Merlin wizards!
 

RMerlin

Asuswrt-Merlin dev
Check how much nvram space you have left, on the Tools -> Sysinfo page. The RT-AC68U for instance will rarely have enough free nvram to setup five separate clients.
 

dayoldy

New Around Here
"NVRAM : 68,546 /131,072 bytes
"JFFS" : 3.18 / 64.00 MB

Yeah, I see what you're drivin' at...
not much in the way of NVRAM... one might say it's downright piddly... paltry even.
Not even enough for one client on my RT-AC88U.
Thanks.
 

RMerlin

Asuswrt-Merlin dev
> "NVRAM : 68,546 /131,072 bytes
> "JFFS" : 3.18 / 64.00 MB
>
> Yeah, I see what you're drivin' at...
> not much in the way of NVRAM... one might say it's downright piddly... paltry even.
> Not even enough for one client on my RT-AC88U.
> Thanks.

You have way more than enough nvram for multiple VPN clients. Your issue lies elsewhere. It could have been a filled JFFS partition if the issue disappeared after you reformatted the JFFS partition.
 

dayoldy

New Around Here
Thanks much RMerlin,
I really appreciate your patience.
Equipped with very minimal knowledge of any of this, I have to rely on my general technical ability & a hefty dose of assumption.

So JFFS storage can't be the issue...

Since you didn't respond to my comment about "dirty upgrades" (that I didn't do the recommended reset after flashing to 384.17 & then following that with a reflash to 384.18)... are you ruling that out as a possibility as well?
Because if the "dirty upgrade" notion doesn't hold any possibilities for me, then it seems logical that my issue is likely about an authentication problem with my chosen VPN profile.

That would explain something about this process... that Merlin's storage of a client profile to JFFS only happens if there has been a valid VPN connection established.
It would follow that the behavior I observed (progress indicator spinning for a few seconds after I clicked "Apply") was simply about the authentication trying, then failing.
 

RMerlin

Asuswrt-Merlin dev

dayoldy

New Around Here
Well, I said that my issue disappeared after formatting (for the very first time)... I never said that I re-formatted.

I saw this behavior when first trying to set up the VPN. I had enabled it only... without formatting.
Then I formatted and enabled it. That's when the behavior disappeared.
 

dayoldy

New Around Here
I just now reformatted JFFS and enabled it.
With Client 2 selected I browsed for the 2nd ovpn file, selected it and clicked okay.
Just to the right of the browse button, the filename appeared in orange letters.
Then I clicked the Upload button.
The progress indicator spun for a second, and the word "Complete" appeared.
Then a few seconds later, the filename was replaced by "No file selected", and the word "Complete" disappeared.
This is actually a little better description of the behavior I'm having issue with.

I decided to go back to check if my first client survived the re-format. I observed that the name I gave it hadn't been deleted & the only obvious things missing were the username and password. After entering them and hitting "Apply", I was able to turn it back on.

I tried setting up Client 2 again. I shut off the first client. Then as soon as I selected Client 2 from the drop-down, the word "Connecting" appeared with the progress indicator (even though there were no indicators that any ovpn file was selected or uploaded). There was no username or password either...
So to investigate this behavior, I went to "Keys and Certificates > Edit". Sure enough, I could see all of the previously-entered certificates... still there from unsuccessful attempt(s). That explained the attempt at connecting. I cleared the certs out of each pane and clicked "Save". This time I went directly to selecting Client 2, and tried to upload the ovpn. But once again I couldn't get past the upload process.
 

RMerlin

Asuswrt-Merlin dev
> The progress indicator spun for a second, and the word "Complete" appeared.
> Then a few seconds later, the filename was replaced by "No file selected", and the word "Complete" disappeared.
> This is actually a little better description of the behavior I'm having issue with.

All of this is perfectly normal, this is how it's intended to work. After the file is uploaded it gets imported into the router's storage (converting content into corresponding settings, and adding anything unsupported in the Custom section), then the file is discarded. Notice how after uploading the file, fields like the server address are now filled up.

> There was no username or password either...

These do not get imported (as they aren't stored in an ovpn file), they have to be manually entered.
 

dayoldy

New Around Here
Once again I really appreciate you sticking with me on this.
Your recent post providing insight into the subtleties of how this works was really valuable.
It helped me see the light... that my efforts at connecting Client 2 to a particular VPN, were being hindered in two areas:
1) I didn't understand fully the programmed behavior and its subtleties, and 2) there was a problem with the particular ovpn I had been working with - throwing some of my assumptions off....

I have still not been able to get that particular ovpn to connect, and therefore, to turn it on.. but...

I WAS however able to skip Client 2 and successfully configure clients 3 through 5.
Armed with that validation (that the procedure I was following was indeed correct), I was no longer shooting in the dark.
It was then much easier to troubleshoot Client 2.

Here's what I did.
  1. I cleared the certificate data in all of Client 2's fields, and saved/applied that configuration
  2. I uploaded a different ovpn. (this one pointed to the same server; but this one didn't feature a DNS Sinkhole like the first had)
  3. I entered my credentials
  4. I clicked "Apply"
  5. Same overall behavior... no connection

  6. Again I cleared the certificate data in all of the fields - saving/applying that configuration
  7. I uploaded another ovpn. (this one pointed to an entirely different server)
  8. Boom! It connected immediately!... easy peasy
  9. I was able to turn this VPN on! Total success!
So it seems pretty clear that the bane of my existence has mostly been the ovpn/server.

Thanks again for helping me work through this!

Your product is impressive, and oh so valuable for helping me achieve what I wanted to do in my network!
Best regards RMerlin!
 

dayoldy

New Around Here
News flash... It seems that this particular VPN server requires additional authentication - a key phrase. None of the others had that requirement.
I stumbled upon that critical detail in an obscure chat. It wasn't divulged in the instructions...
It was very sweet getting this realization; however... I'm still kinda stuck.

How would one include a key phrase in the Merlin authentication process?
I tried unsuccessfully:

a) appending the string "privatekey phrase XXX" to the commands already listed in the "Custom Configuration" field (at the bottom of the VPN page).
b) placing the key phrase into the optional pane "Extra Chain Certificates (Optional)".

Any suggestions?
 

RMerlin

Asuswrt-Merlin dev
> How would one include a key phrase in the Merlin authentication process?
You can't, as passphrases can only be used in an interactive situation, it cannot be automated.

You will need to save a decrypted (i.e. without the pass phrase) version of that protected key, and use that instead.
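
The step described in the reply above, as an added example that is not part of the original post or of Asuswrt-Merlin: pull the inline `<key>` block out of an .ovpn profile, check whether it is passphrase-protected, and write an unencrypted copy with OpenSSL. It assumes `openssl` is run on a computer rather than the router; the profile contents, file names and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Profile contents, file names and passphrase are constructed.

# Print the body of the inline <key>...</key> block of an .ovpn profile.
extract_inline_key() {
    sed -n '/^<key>/,/^<\/key>/p' "$1" | sed '1d;$d'
}

# Succeed if the PEM key in $1 is passphrase-protected (PKCS#8 or legacy PEM).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Write an unencrypted copy of key $1 to $2. The passphrase is read from the
# KEY_PASSPHRASE environment variable so it never appears in the process list.
decrypt_key() {
    ( umask 077; openssl pkey -in "$1" -passin env:KEY_PASSPHRASE -out "$2" )
}

# Print the public half of key $1 (used to confirm both copies are the same key).
public_half() {
    openssl pkey -in "$1" -passin env:KEY_PASSPHRASE -pubout
}

# Build a constructed profile with an encrypted inline key, then run the steps.
demo() {
    dir=$(mktemp -d) || return 1
    KEY_PASSPHRASE='constructed-passphrase'; export KEY_PASSPHRASE
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:KEY_PASSPHRASE -out "$dir/gen.key" 2>/dev/null
    {
        echo 'client'; echo 'remote vpn.example.invalid 1194'
        echo 'auth-user-pass'
        echo '<key>'; cat "$dir/gen.key"; echo '</key>'
    } > "$dir/client2.ovpn"

    extract_inline_key "$dir/client2.ovpn" > "$dir/enc.key"
    key_is_encrypted "$dir/enc.key" || { rm -rf "$dir"; return 1; }
    decrypt_key "$dir/enc.key" "$dir/plain.key" || { rm -rf "$dir"; return 1; }
    result=1
    if ! key_is_encrypted "$dir/plain.key" &&
       [ "$(public_half "$dir/enc.key")" = "$(public_half "$dir/plain.key")" ]
    then result=0; fi
    rm -rf "$dir"
    return $result
}

demo && echo "decrypted key matches the protected original"
```

The unencrypted copy is what replaces the protected key in the client's key field. Anyone who can read that copy can use the key without the passphrase, so it is written with owner-only permissions and should not be left on shared storage.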
 

dayoldy

New Around Here
I have been issued a pass phrase. It's in readable text form - not encrypted. You're telling me to use that?
But... you're also saying that it can only be used interactively, which Merlin won't support...
I'm confused.
 
