Connects, no data flow thru tunnel

[jcarerra]

Your current PKI appears to be fine .: do not delete your current certs and keys please.

Good!
What is the next step?
And I will be out beginning 2115Z for about 3 hours.

[jcarerra]

While out, had sone time at a friend's house on his wifi.

Observations
The "Force AES..." setting makes no difference.
Either one was able to get 'connected' status, but no data flow to inet.
I was able to ping the server IP.
I was not able to ping my local net IP's.
I was not able to ping an internet url (google.com)
I =WAS= able to even open the admin page of my router in which the VPN server resides.

Conclusion--no traffic is being forwarded from the VPN out the WAN port on the router, but (at least some types of) traffic is moving between the router and my client within the VPN tunnel. The VPN server in the router though is not sending traffic out the WAN port. AND not sending to LAN addresses either (not able to ping my local net IP's.)

client (remote LAN) >>internet>>VPNserver>>LAN ports local IPs NO
client (remote LAN) >>internet>>VPNserver>>WAN port internet url NO
client (remote LAN) >>internet>>VPNserver>>router admin page YES

[jcarerra]

Just noticed from previously that I had not done this...
Remove "route remote_host 255.255.255.255 net_gateway"

So I have now done that but will not be able to test the result until I can take the tablet to a foreign network tomorrow.

[jcarerra]

Just noticed from previously that I had not done this...
Remove "route remote_host 255.255.255.255 net_gateway"
So I have now done that but will not be able to test the result until I can take the tablet to a foreign network tomorrow.

^^ I did that, but it did not make any difference--data not flow.

See below from server log; any idea of cause? Does not a successful connection mean that certs and keys are OK?

Code: Select all

Mar 15 10:23:25 openvpn[26919]: TabbB/97.68.59.22:21499 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1426429260) Sun Mar 15 10:21:00 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 15 10:23:25 openvpn[26919]: TabbB/97.68.59.22:21499 TLS Error: incoming packet authentication failed from [AF_INET]97.68.59.22:21499
Mar 15 10:23:27 openvpn[26919]: TabbB/97.68.59.22:21499 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1426429260) Sun Mar 15 10:21:00 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 15 10:23:27 openvpn[26919]: TabbB/97.68.59.22:21499 TLS Error: incoming packet authentication failed from [AF_INET]97.68.59.22:21499
Mar 15 10:23:29 openvpn[26919]: TabbB/97.68.59.22:21499 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1426429260) Sun Mar 15 10:21:00 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 15 10:23:29 openvpn[26919]: TabbB/97.68.59.22:21499 TLS Error: incoming packet authentication failed from [AF_INET]97.68.59.22:21499
Mar 15 10:23:31 openvpn[26919]: TabbB/97.68.59.22:21499 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1426429260) Sun Mar 15 10:21:00 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 15 10:23:31 openvpn[26919]: TabbB/97.68.59.22:21499 TLS Error: incoming packet authentication failed from [AF_INET]97.68.59.22:21499
Mar 15 10:23:33 openvpn[26919]: TabbB/97.68.59.22:21499 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1426429260) Sun Mar 15 10:21:00 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 15 10:23:33 openvpn[26919]: TabbB/97.68.59.22:21499 TLS Error: incoming packet authentication failed from [AF_INET]97.68.59.22:21499
Mar 15 10:23:35 openvpn[26919]: TabbB/97.68.59.22:21499 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1426429260) Sun Mar 15 10:21:00 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 15 10:23:35 openvpn[26919]: TabbB/97.68.59.22:21499 TLS Error: incoming packet authentication failed from [AF_INET]97.68.59.22:21499

[Traffic]

See below from server log; any idea of cause? Does not a successful connection mean that certs and keys are OK?
Code:
Mar 15 10:23:25 openvpn[26919]: TabbB/97.68.59.22:21499 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1426429260) Sun Mar 15 10:21:00 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 15 10:23:25 openvpn[26919]: TabbB/97.68.59.22:21499 TLS Error: incoming packet authentication failed from [AF_INET]97.68.59.22:21499

Does this mean you have now connected to your server ?

[jcarerra]

Does this mean you have now connected to your server ?

As I have said all along, the "OpenVPN Connect" android app shows a normal "connect"--actually displays the word "Connected" and puts a key icon in the notifications bar.

HOWEVER, if you, say, open a browser (which is how I test whethere there is a tunnel out to the internet through the server), no traffic flows; no page will open. The "I'm working" symbol runs until it times out.

I can open the admin page for the router where the server resides from the client, so packets ARE flowing between the client and the server. Since packets are (should be) encrypted coming out of the client, I conclude that they are successfully decrypted, or the router admin page would not open.

Second conclusion is that server is not passing the packets on out the WAN port to internet addresses since NO page on any site will open.

[Traffic]

the "OpenVPN Connect" android app shows a normal "connect"

OK

HOWEVER, if you, say, open a browser (which is how I test whethere there is a tunnel out to the internet through the server), no traffic flows

Infact packets do flow but they are subsequently mis-routed or blocked by your router.

Technically, this forum does not provide support for Merlin Firmware so you should be looking elsewhere, here is a suitable start:
official Wiki/documentation for Asuswrt-merlin

However, having read some of that wiki I can understand why you come here ...

Your test to open web pages over the VPN is too advanced a step to understand what is wrong and how to fix it.

Try these tests from your client:

• ping 10.8.0.6 - Your client TUN - MUST WORK
• ping 10.8.0.1 - Your server TUN - MUST WORK
• ping 192.168.0.x - Your Asus router LAN (as you are routing for it) See final Notes below* Should Work
• ping 8.8.8.8 - google DNS by IP address - testing routing to the internet (Probably will not work)
• ping google.com - testing DNS and internet (almost definitely will not work)

Having read the Merlin Firmware wiki you may need:

• # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  • Ensure eth0 is the real name of your WAN adapter .. maybe WAN0

Final Notes:
You are pushing your router as your client DNS server (192.168.0.1) ..
Ensure what ever steps you need have been taken on your router that it can and will resolve DNS for the client.
Or push google DNS servers to the client (Google DNS 8.8.8.8 & 8.8.4.4)

And finally remember, if you take this out into the wild, you will run into routing conflicts because of your server LAN 192.168.0.0/24

Good luck.

[jcarerra]

...Try these tests from your client[/u]:

• ping 10.8.0.6 - Your client TUN - MUST WORK
• ping 10.8.0.1 - Your server TUN - MUST WORK
• ping 192.168.0.x - Your Asus router LAN (as you are routing for it) See final Notes below* Should Work
• ping 8.8.8.8 - google DNS by IP address - testing routing to the internet (Probably will not work)
• ping google.com - testing DNS and internet (almost definitely will not work)

I will do these the next time I am out at a "not me" wifi to test them.
I know the "ping 192.168.0.x - Your Asus router LAN (as you are routing for it)" will work because I can open the admin page that is "at" the router address. But pinging OTHER "dot x's" such as my printer does not work.

... you may need:

• # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  • Ensure eth0 is the real name of your WAN adapter .. maybe WAN0

I am not working in linux, so I can only do that if putting it into the custom commands block as shown previously in an image would work...but I think not. I think that window is putting commands into the server config file.

...You are pushing your router as your client DNS server (192.168.0.1) ..
Ensure what ever steps you need have been taken on your router that it can and will resolve DNS for the client. Or push google DNS servers to the client (Google DNS 8.8.8.8 & 8.8.4.4)

DNS servers are configured in the router (OpenDNS to be exact) and they are dhcp'ed to any client on my lan that gets a dhcp address, gateway, DNS, etc. So the router is providing them in that situation--and provides DNS when I do a non-VPN connection to it from the same client.

And finally remember, if you take this out into the wild, you will run into routing conflicts because of your server LAN 192.168.0.0/24

And as I've said, I usually test this on hotspots around town that are provided by my ISP for its customers to use--and they definitely do not use the 192.168.0 subnet. I will be careful when connecting other places--and after I get this working, I will change my home net to a different one, but I don't want to be changing multiple things while troubleshooting.

[Traffic]

You have clearly not taken the time to understand your router:

am not working in linux,

The router runs Linux ..

so I can only do that if putting it into the custom commands block as shown previously in an image would work

Do not add the iptables command to the openvpn custom config .. it will not work

You must learn how to use your router properly ..

But pinging OTHER "dot x's" such as my printer does not work

which is why you need this:

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

added to your router iptables configuration ..

[jcarerra]

Then I think we are at an impasse. I do not know how to do that; have never seen a "terminal" type of interface accessible through the router admin page.
.
And, it should work without such heavy lifting changes. I am certain that the vast majority of ASUS Merlin OpenVPN users do not have to do that. Tweaking the server and client config, yes. See lots of that. Beyond that, no.

This is too hard. I will buy a commercial VPN solution I guess.

[Traffic]

From the Asus/Merlin Wiki:

Asuswrt is a unified firmware developed by Asus for use in their recent routers. The firmware was originally based on Tomato-RT/Tomato-USB

you might find Tomato documentation useful ..

This is too hard. I will buy a commercial VPN solution I guess

As it stands, I have looked hard to find a way to run a virtual machine for either Tomato or Merlin but as they run on MIPS there is no such solution. The only way to run them is with a router .. as far as I have been able to ascertain. If you really are giving up perhaps you no longer need your router .. you could donate it to the OpenVPN Project that we might be able to offer more comprehensive support .. If you like I can send you my shipping address ... just a thought ..

Sorry we have not been able to resolve this .. perhaps another Merlin user can offer some suggestions.
(Subscribe the topic and await answers) Maybe a Moderator can update the title to reflect ASUS & Merlin.

[jcarerra]

I need the router to provide wifi within the house and to provide the ethernet connections to three hardwired devices, and to provide a firewall level between me and the internet.

And I think this is an Open VPN client or server configuration issue, not a tomato =>ASUSwrt => Merlin's fork issue because many get it to work fine. I'm just not doing something right, but can't find what it is.

[Traffic]

You are not reading the right documentation:

have never seen a "terminal" type of interface

The router can run sshd but the documentation is not on openvpn.net

Good luck