ASUS firmware updated, VPN no longer connects

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Post by jcarerra » Sat Jul 25, 2015 4:27 pm

I updated the firmware in ASUS RT-AC66R to a several-versions-newer Merlin ASUS-wrt (378.55), which apparently has put in a new and different OpenVPN server. I say that because it is exporting an ovpn file for the clients with several lines that are different from before.

Using OpenVPN Connect. I now cannot get a connection to establish using either the old ovpn or the new one.

To say I am disappointed would be a monstrous understatement. It took me weeks of reading, studying, posting, and trial and error (mostly error) before getting it to work the first time. I am an old techie, but completely ignorant in vpn's. I've looked at everything I can. Same as before--but doesn't work, with either client ovpn config. Arghh.

Anybody willing to help me resurrect this?
What do you want to see?

Post by jcarerra » Sat Jul 25, 2015 5:10 pm

In a different thread, which I have closed, was this:

Traffic wrote:
You see the error:

jcarerra wrote:
Jul 23 15:15:12 openvpn[648]: Error: private key password verification failed
Jul 23 15:15:12 openvpn[648]: Exiting due to fatal error

Set --verb 4 in your configs for your --log and try again.

Is your key created with a password by ASUS-wrt

please post details of your config

Key? Password?
Only password is the one associated with each authorized client user--entered in the server as authorized users, and entered in the client when connection startup is commanded.
Server is set with option for "Auth mode = static key" and "Username / Password Auth. Only=NO."

As I recall (90%?) ca was created by the OpenVPN+[whatever the firmware contributes] in the original setup and copied to client config. The other certs, keys, dh parameters, were created using easy-rsa tools, and copied into the fields to place them in the server config GUI and into the client ovpn. In server, they are called

Certificate authority
Server certificate
Server key
Static key
Diffie Hellman parameters

In the client config (added by me), they are
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth> NOTE: the newly exported client config file uses <secret></secret> for this section, though I have tried the config with it named both ways.
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

Here is the client ovpn...certs removed of course
how would I add the verb 4? this client does not use dashes so just
verb 4 ?
=========
client
mode p2p
dev tun
ifconfig 10.8.0.2 10.8.0.1
proto udp
remote 50.88.131.153 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
resolv-retry infinite
nobind
=========

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Post by Traffic » Sat Jul 25, 2015 7:17 pm

jcarerra wrote:
In a different thread, which I have closed, was this:

Ref: topic19316.html

According to that thread this is a server error .. So we would need your server config and log file please.

jcarerra wrote:
how would I add the verb 4?

If there is no specific option in your setup screen try using verb 4 in the custom options field (if there is one).

Have you tried the Asus Forum:
http://www.snbforums.com/forums/asuswrt-merlin.42/

Post by jcarerra » Sat Jul 25, 2015 9:37 pm

I have made some changes since that log from before.
Here is the latest sequence from log.
Verb 4 is not active yet.
And when I make a change, it can be a while before I can get results as I have to drive from the house to connect to a wifi not going through my own router, which is also the vpn server (it never worked trying to tunnel into my own device with client connected to my own device)

One thing I just noticed is that the server is just constantly looping through attempts to 'get up' as shown here...

Code:

Jul 25 17:34:32 openvpn[716]: Restart pause, 2 second(s)
Jul 25 17:34:34 openvpn[716]: Static Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:34:34 openvpn[716]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:34:34 openvpn[716]: Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:34:34 openvpn[716]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:34:34 openvpn[716]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Jul 25 17:34:34 openvpn[716]: TUN/TAP device tun21 opened
Jul 25 17:34:34 openvpn[716]: TUN/TAP TX queue length set to 100
Jul 25 17:34:34 openvpn[716]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 25 17:34:34 openvpn[716]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jul 25 17:34:34 openvpn[716]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253
Jul 25 17:34:34 openvpn[716]: UDPv4 link local (bound): [undef]
Jul 25 17:34:34 openvpn[716]: UDPv4 link remote: [undef]
Jul 25 17:35:34 openvpn[716]: Inactivity timeout (--ping-restart), restarting
Jul 25 17:35:34 openvpn[716]: Closing TUN/TAP interface
Jul 25 17:35:34 openvpn[716]: /usr/sbin/ip addr del dev tun21 10.8.0.1/4
Jul 25 17:35:34 openvpn[716]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 25 17:35:34 openvpn[716]: Restart pause, 2 second(s)
Jul 25 17:35:36 openvpn[716]: Static Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:35:36 openvpn[716]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:35:36 openvpn[716]: Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:35:36 openvpn[716]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:35:36 openvpn[716]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Jul 25 17:35:36 openvpn[716]: TUN/TAP device tun21 opened
Jul 25 17:35:36 openvpn[716]: TUN/TAP TX queue length set to 100
Jul 25 17:35:36 openvpn[716]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 25 17:35:36 openvpn[716]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jul 25 17:35:36 openvpn[716]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253
Jul 25 17:35:36 openvpn[716]: UDPv4 link local (bound): [undef]
Jul 25 17:35:36 openvpn[716]: UDPv4 link remote: [undef]

Server config--
oops, can't upload pics. I will find a place to put them and then IMG them in another post.

Post by jcarerra » Sat Jul 25, 2015 9:48 pm

Server config
Image

Image

If you click on "Content modification...keys..." you get a screen with fields to paste in the static key, ca, serv cert, serv key, dh.

Post by jcarerra » Sat Jul 25, 2015 10:04 pm

I added "verb 4" (no quotes) to the Custom Config area below the dns push line,
turned server off and back on.
Here is log result:

Code:

Jul 25 17:54:01 rc_service: httpd 268:notify_rc restart_chpass;restart_vpnserver1
Jul 25 17:54:02 kernel: tun: Universal TUN/TAP device driver, 1.6
Jul 25 17:54:02 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jul 25 17:54:02 kernel: device tun21 entered promiscuous mode
Jul 25 17:54:05 openvpn[10221]: Current Parameter Settings:
Jul 25 17:54:05 openvpn[10221]:   config = 'config.ovpn'
Jul 25 17:54:05 openvpn[10221]:   mode = 0
Jul 25 17:54:05 openvpn[10221]:   persist_config = DISABLED
Jul 25 17:54:05 openvpn[10221]:   persist_mode = 1
Jul 25 17:54:05 openvpn[10221]:   show_ciphers = DISABLED
Jul 25 17:54:05 openvpn[10221]:   show_digests = DISABLED
Jul 25 17:54:05 openvpn[10221]:   show_engines = DISABLED
Jul 25 17:54:05 openvpn[10221]:   genkey = DISABLED
Jul 25 17:54:05 openvpn[10221]:   key_pass_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   show_tls_ciphers = DISABLED
Jul 25 17:54:05 openvpn[10221]: Connection profiles [default]:
Jul 25 17:54:05 openvpn[10221]:   proto = udp
Jul 25 17:54:05 openvpn[10221]:   local = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   local_port = 1194
Jul 25 17:54:05 openvpn[10221]:   remote = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   remote_port = 1194
Jul 25 17:54:05 openvpn[10221]:   remote_float = DISABLED
Jul 25 17:54:05 openvpn[10221]:   bind_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   bind_local = ENABLED
Jul 25 17:54:05 openvpn[10221]:   connect_retry_seconds = 5
Jul 25 17:54:05 openvpn[10221]:   connect_timeout = 10
Jul 25 17:54:05 openvpn[10221]:   connect_retry_max = 0
Jul 25 17:54:05 openvpn[10221]:   tun_mtu = 1500
Jul 25 17:54:05 openvpn[10221]:   tun_mtu_defined = ENABLED
Jul 25 17:54:05 openvpn[10221]:   link_mtu = 1500
Jul 25 17:54:05 openvpn[10221]:   link_mtu_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   tun_mtu_extra = 0
Jul 25 17:54:05 openvpn[10221]:   tun_mtu_extra_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   mtu_discover_type = -1
Jul 25 17:54:05 openvpn[10221]:   fragment = 0
Jul 25 17:54:05 openvpn[10221]:   mssfix = 1450
Jul 25 17:54:05 openvpn[10221]:   explicit_exit_notification = 0
Jul 25 17:54:05 openvpn[10221]: Connection profiles END
Jul 25 17:54:05 openvpn[10221]:   remote_random = DISABLED
Jul 25 17:54:05 openvpn[10221]:   ipchange = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   dev = 'tun21'
Jul 25 17:54:05 openvpn[10221]:   dev_type = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   dev_node = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   lladdr = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   topology = 3
Jul 25 17:54:05 openvpn[10221]:   tun_ipv6 = DISABLED
Jul 25 17:54:05 openvpn[10221]:   ifconfig_local = '10.8.0.1'
Jul 25 17:54:05 openvpn[10221]:   ifconfig_remote_netmask = '10.8.0.2'
Jul 25 17:54:05 openvpn[10221]:   ifconfig_noexec = DISABLED
Jul 25 17:54:05 openvpn[10221]:   ifconfig_nowarn = DISABLED
Jul 25 17:54:05 openvpn[10221]:   ifconfig_ipv6_local = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   ifconfig_ipv6_netbits = 0
Jul 25 17:54:05 openvpn[10221]:   ifconfig_ipv6_remote = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   shaper = 0
Jul 25 17:54:05 openvpn[10221]:   mtu_test = 0
Jul 25 17:54:05 openvpn[10221]:   mlock = DISABLED
Jul 25 17:54:05 openvpn[10221]:   keepalive_ping = 15
Jul 25 17:54:05 openvpn[10221]:   keepalive_timeout = 60
Jul 25 17:54:05 openvpn[10221]:   inactivity_timeout = 0
Jul 25 17:54:05 openvpn[10221]:   ping_send_timeout = 15
Jul 25 17:54:05 openvpn[10221]:   ping_rec_timeout = 60
Jul 25 17:54:05 openvpn[10221]:   ping_rec_timeout_action = 2
Jul 25 17:54:05 openvpn[10221]:   ping_timer_remote = DISABLED
Jul 25 17:54:05 openvpn[10221]:   remap_sigusr1 = 0
Jul 25 17:54:05 openvpn[10221]:   persist_tun = DISABLED
Jul 25 17:54:05 openvpn[10221]:   persist_local_ip = DISABLED
Jul 25 17:54:05 openvpn[10221]:   persist_remote_ip = DISABLED
Jul 25 17:54:05 openvpn[10221]:   persist_key = DISABLED
Jul 25 17:54:05 openvpn[10221]:   passtos = DISABLED
Jul 25 17:54:05 openvpn[10221]:   resolve_retry_seconds = 1000000000
Jul 25 17:54:05 openvpn[10221]:   username = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   groupname = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   chroot_dir = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   cd_dir = '/etc/openvpn/server1'
Jul 25 17:54:05 openvpn[10221]:   writepid = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   up_script = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   down_script = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   down_pre = DISABLED
Jul 25 17:54:05 openvpn[10221]:   up_restart = DISABLED
Jul 25 17:54:05 openvpn[10221]:   up_delay = DISABLED
Jul 25 17:54:05 openvpn[10221]:   daemon = ENABLED
Jul 25 17:54:05 openvpn[10221]:   inetd = 0
Jul 25 17:54:05 openvpn[10221]:   log = DISABLED
Jul 25 17:54:05 openvpn[10221]:   suppress_timestamps = DISABLED
Jul 25 17:54:05 openvpn[10221]:   nice = 0
Jul 25 17:54:05 openvpn[10221]:   verbosity = 4
Jul 25 17:54:05 openvpn[10221]:   mute = 0
Jul 25 17:54:05 openvpn[10221]:   status_file = 'status'
Jul 25 17:54:05 openvpn[10221]:   status_file_version = 2
Jul 25 17:54:05 openvpn[10221]:   status_file_update_freq = 60
Jul 25 17:54:05 openvpn[10221]:   occ = ENABLED
Jul 25 17:54:05 openvpn[10221]:   rcvbuf = 0
Jul 25 17:54:05 openvpn[10221]:   sndbuf = 0
Jul 25 17:54:05 openvpn[10221]:   sockflags = 0
Jul 25 17:54:05 openvpn[10221]:   fast_io = DISABLED
Jul 25 17:54:05 openvpn[10221]:   lzo = 7
Jul 25 17:54:05 openvpn[10221]:   route_script = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   route_default_gateway = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   route_default_metric = 0
Jul 25 17:54:05 openvpn[10221]:   route_noexec = DISABLED
Jul 25 17:54:05 openvpn[10221]:   route_delay = 0
Jul 25 17:54:05 openvpn[10221]:   route_delay_window = 30
Jul 25 17:54:05 openvpn[10221]:   route_delay_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   route_nopull = DISABLED
Jul 25 17:54:05 openvpn[10221]:   route_gateway_via_dhcp = DISABLED
Jul 25 17:54:05 openvpn[10221]:   max_routes = 100
Jul 25 17:54:05 openvpn[10221]:   allow_pull_fqdn = DISABLED
Jul 25 17:54:05 openvpn[10221]:   management_addr = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   management_port = 0
Jul 25 17:54:05 openvpn[10221]:   management_user_pass = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   management_log_history_cache = 250
Jul 25 17:54:05 openvpn[10221]:   management_echo_buffer_size = 100
Jul 25 17:54:05 openvpn[10221]:   management_write_peer_info_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   management_client_user = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   management_client_group = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   management_flags = 0
Jul 25 17:54:05 openvpn[10221]:   shared_secret_file = 'static.key'
Jul 25 17:54:05 openvpn[10221]:   key_direction = 0
Jul 25 17:54:05 openvpn[10221]:   ciphername_defined = ENABLED
Jul 25 17:54:05 openvpn[10221]:   ciphername = 'AES-256-CBC'
Jul 25 17:54:05 openvpn[10221]:   authname_defined = ENABLED
Jul 25 17:54:05 openvpn[10221]:   authname = 'SHA1'
Jul 25 17:54:05 openvpn[10221]:   prng_hash = 'SHA1'
Jul 25 17:54:05 openvpn[10221]:   prng_nonce_secret_len = 16
Jul 25 17:54:05 openvpn[10221]:   keysize = 0
Jul 25 17:54:05 openvpn[10221]:   engine = DISABLED
Jul 25 17:54:05 openvpn[10221]:   replay = ENABLED
Jul 25 17:54:05 openvpn[10221]:   mute_replay_warnings = DISABLED
Jul 25 17:54:05 openvpn[10221]:   replay_window = 64
Jul 25 17:54:05 openvpn[10221]:   replay_time = 15
Jul 25 17:54:05 openvpn[10221]:   packet_id_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   use_iv = ENABLED
Jul 25 17:54:05 openvpn[10221]:   test_crypto = DISABLED
Jul 25 17:54:05 openvpn[10221]:   tls_server = DISABLED
Jul 25 17:54:05 openvpn[10221]:   tls_client = DISABLED
Jul 25 17:54:05 openvpn[10221]:   key_method = 2
Jul 25 17:54:05 openvpn[10221]:   ca_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   ca_path = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   dh_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   cert_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   priv_key_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   pkcs12_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   cipher_list = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   tls_verify = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   tls_export_cert = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   verify_x509_type = 0
Jul 25 17:54:05 openvpn[10221]:   verify_x509_name = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   crl_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   ns_cert_type = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_ku[i] = 0
Jul 25 17:54:05 openvpn[10221]:   remote_cert_eku = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   ssl_flags = 0
Jul 25 17:54:05 openvpn[10221]:   tls_timeout = 2
Jul 25 17:54:05 openvpn[10221]:   renegotiate_bytes = 0
Jul 25 17:54:05 openvpn[10221]:   renegotiate_packets = 0
Jul 25 17:54:05 openvpn[10221]:   renegotiate_seconds = 3600
Jul 25 17:54:05 openvpn[10221]:   handshake_window = 60
Jul 25 17:54:05 openvpn[10221]:   transition_window = 3600
Jul 25 17:54:05 openvpn[10221]:   single_session = DISABLED
Jul 25 17:54:05 openvpn[10221]:   push_peer_info = DISABLED
Jul 25 17:54:05 openvpn[10221]:   tls_exit = DISABLED
Jul 25 17:54:05 openvpn[10221]:   tls_auth_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   server_network = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   server_netmask = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   server_network_ipv6 = ::
Jul 25 17:54:05 openvpn[10221]:   server_netbits_ipv6 = 0
Jul 25 17:54:05 openvpn[10221]:   server_bridge_ip = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   server_bridge_netmask = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   server_bridge_pool_start = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   server_bridge_pool_end = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   push_entry = 'dhcp-option DNS 208.67.222.222'
Jul 25 17:54:05 openvpn[10221]:   ifconfig_pool_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   ifconfig_pool_start = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   ifconfig_pool_end = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   ifconfig_pool_netmask = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   ifconfig_pool_persist_filename = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   ifconfig_pool_persist_refresh_freq = 600
Jul 25 17:54:05 openvpn[10221]:   ifconfig_ipv6_pool_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   ifconfig_ipv6_pool_base = ::
Jul 25 17:54:05 openvpn[10221]:   ifconfig_ipv6_pool_netbits = 0
Jul 25 17:54:05 openvpn[10221]:   n_bcast_buf = 256
Jul 25 17:54:05 openvpn[10221]:   tcp_queue_limit = 64
Jul 25 17:54:05 openvpn[10221]:   real_hash_size = 256
Jul 25 17:54:05 openvpn[10221]:   virtual_hash_size = 256
Jul 25 17:54:05 openvpn[10221]:   client_connect_script = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   learn_address_script = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   client_disconnect_script = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   client_config_dir = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   ccd_exclusive = DISABLED
Jul 25 17:54:05 openvpn[10221]:   tmp_dir = '/tmp'
Jul 25 17:54:05 openvpn[10221]:   push_ifconfig_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   push_ifconfig_local = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   push_ifconfig_remote_netmask = 0.0.0.0
Jul 25 17:54:05 openvpn[10221]:   push_ifconfig_ipv6_defined = DISABLED
Jul 25 17:54:05 openvpn[10221]:   push_ifconfig_ipv6_local = ::/0
Jul 25 17:54:05 openvpn[10221]:   push_ifconfig_ipv6_remote = ::
Jul 25 17:54:05 openvpn[10221]:   enable_c2c = DISABLED
Jul 25 17:54:05 openvpn[10221]:   duplicate_cn = DISABLED
Jul 25 17:54:05 openvpn[10221]:   cf_max = 0
Jul 25 17:54:05 openvpn[10221]:   cf_per = 0
Jul 25 17:54:05 openvpn[10221]:   max_clients = 1024
Jul 25 17:54:05 openvpn[10221]:   max_routes_per_client = 256
Jul 25 17:54:05 openvpn[10221]:   auth_user_pass_verify_script = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   auth_user_pass_verify_script_via_file = DISABLED
Jul 25 17:54:05 openvpn[10221]:   port_share_host = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]:   port_share_port = 0
Jul 25 17:54:05 openvpn[10221]:   client = DISABLED
Jul 25 17:54:05 openvpn[10221]:   pull = DISABLED
Jul 25 17:54:05 openvpn[10221]:   auth_user_pass_file = '[UNDEF]'
Jul 25 17:54:05 openvpn[10221]: OpenVPN 2.3.7 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 16 2015
Jul 25 17:54:05 openvpn[10221]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Jul 25 17:54:05 openvpn[10223]: Static Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:54:05 openvpn[10223]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:54:05 openvpn[10223]: Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:54:05 openvpn[10223]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:54:05 openvpn[10223]: LZO compression initialized
Jul 25 17:54:05 openvpn[10223]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Jul 25 17:54:05 openvpn[10223]: TUN/TAP device tun21 opened
Jul 25 17:54:05 openvpn[10223]: TUN/TAP TX queue length set to 100
Jul 25 17:54:05 openvpn[10223]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 25 17:54:05 openvpn[10223]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jul 25 17:54:05 openvpn[10223]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253
Jul 25 17:54:05 openvpn[10223]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:143 ET:0 EL:3 AF:3/1 ]
Jul 25 17:54:05 openvpn[10223]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.0.0 10.8.0.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Jul 25 17:54:05 openvpn[10223]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.0.0 10.8.0.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Jul 25 17:54:05 openvpn[10223]: Local Options hash (VER=V4): 'd1caf9e5'
Jul 25 17:54:05 openvpn[10223]: Expected Remote Options hash (VER=V4): 'd1caf9e5'
Jul 25 17:54:05 openvpn[10223]: UDPv4 link local (bound): [undef]
Jul 25 17:54:05 openvpn[10223]: UDPv4 link remote: [undef]
-------------------break added full minute here -----------------------------------------
Jul 25 17:55:05 openvpn[10223]: Inactivity timeout (--ping-restart), restarting
Jul 25 17:55:05 openvpn[10223]: TCP/UDP: Closing socket
Jul 25 17:55:05 openvpn[10223]: Closing TUN/TAP interface
Jul 25 17:55:05 openvpn[10223]: /usr/sbin/ip addr del dev tun21 10.8.0.1/4
Jul 25 17:55:05 openvpn[10223]: SIGUSR1[soft,ping-restart] received, process restarting
-------------------break added and so it decides to restart  -----------------------------------------
Jul 25 17:55:05 openvpn[10223]: Restart pause, 2 second(s)
Jul 25 17:55:07 openvpn[10223]: Static Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:55:07 openvpn[10223]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:55:07 openvpn[10223]: Static Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 25 17:55:07 openvpn[10223]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 17:55:07 openvpn[10223]: LZO compression initialized
Jul 25 17:55:07 openvpn[10223]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Jul 25 17:55:07 openvpn[10223]: TUN/TAP device tun21 opened
Jul 25 17:55:07 openvpn[10223]: TUN/TAP TX queue length set to 100
Jul 25 17:55:07 openvpn[10223]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 25 17:55:07 openvpn[10223]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jul 25 17:55:07 openvpn[10223]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253
Jul 25 17:55:07 openvpn[10223]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:143 ET:0 EL:3 AF:3/1 ]
Jul 25 17:55:07 openvpn[10223]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.0.0 10.8.0.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Jul 25 17:55:07 openvpn[10223]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.0.0 10.8.0.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Jul 25 17:55:07 openvpn[10223]: Local Options hash (VER=V4): 'd1caf9e5'
Jul 25 17:55:07 openvpn[10223]: Expected Remote Options hash (VER=V4): 'd1caf9e5'
Jul 25 17:55:07 openvpn[10223]: UDPv4 link local (bound): [undef]
Jul 25 17:55:07 openvpn[10223]: UDPv4 link remote: [undef]

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Post by TiTex » Sun Jul 26, 2015 4:50 am

that client config won't work if you are using "Authorization Mode: Static Key"
you are missing the option

Code:

secret static.key

it looks like it's a drop down menu, so if you want to use ssl/tls (with client/server certs) there should be an option for that in the drop down menu on your router.
i think the certificates are useless with "Authorization Mode: Static Key"
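
Added example, not part of any post in this thread: a small Python linter for the mismatch described above, where the server logs a static-key options string (ending in `secret`) while the client profile carries only TLS-mode directives. The function names are hypothetical, the "fixed" profile is constructed with a placeholder address, and the options string is copied from the server log posted earlier.

```python
import re

# Directives that are only valid in TLS (certificate) mode.
TLS_ONLY = {"client", "tls-client", "tls-server", "ca", "cert", "key",
            "dh", "pkcs12", "tls-auth"}

# Copied from the verb 4 server log posted in the thread.
SERVER_OPTIONS = ("V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,"
                  "ifconfig 10.8.0.0 10.8.0.2,comp-lzo,cipher AES-256-CBC,"
                  "auth SHA1,keysize 256,secret")

# Client profile as posted in the thread (key material already removed),
# with the remote address swapped for a documentation placeholder.
POSTED_CLIENT = """client
mode p2p
dev tun
ifconfig 10.8.0.2 10.8.0.1
proto udp
remote 192.0.2.1 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
resolv-retry infinite
nobind
"""

# Constructed static-key profile for comparison (placeholder address, empty key).
STATIC_CLIENT = """mode p2p
dev tun
ifconfig 10.8.0.2 10.8.0.1
proto udp
remote 192.0.2.1 1194
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
<secret>
</secret>
nobind
"""

def parse_directives(profile):
    """Return the directive names in a profile; an inline <name>...</name>
    block counts as the directive `name` and its contents are skipped."""
    names, inside = set(), None
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if inside:
            if line == "</%s>" % inside:
                inside = None
            continue
        block = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if block:
            inside = block.group(1)
            names.add(inside)
        else:
            names.add(line.split()[0].lstrip("-"))
    return names

def mode_from_options_string(options):
    """Classify a peer from the 'Local Options String' it logs at verb 4."""
    tokens = {t.split()[0] for t in options.split(",") if t.strip()}
    if "secret" in tokens:
        return "static-key"
    if tokens & {"tls-server", "tls-client"}:
        return "tls"
    return "unknown"

def lint_client(profile, server_mode):
    """List the reasons a client profile cannot match the server's mode."""
    names = parse_directives(profile)
    tls_used = sorted(names & TLS_ONLY)
    findings = []
    if server_mode == "static-key":
        if "secret" not in names:
            findings.append("server is in static-key mode but profile has no 'secret'")
        if tls_used:
            findings.append("TLS-only directives in profile: " + ", ".join(tls_used))
    elif server_mode == "tls":
        if "secret" in names:
            findings.append("'secret' selects static-key mode but server uses TLS")
        if not names & {"client", "tls-client"}:
            findings.append("profile has neither 'client' nor 'tls-client'")
    return findings
```
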

Post by Traffic » Sun Jul 26, 2015 1:13 pm

At least this error appears to be resolved:
jcarerra wrote:In a different thread, which I have closed, was this:

Traffic wrote:
You see the error:
jcarerra wrote:
Jul 23 15:15:12 openvpn[648]: Error: private key password verification failed
Jul 23 15:15:12 openvpn[648]: Exiting due to fatal error
---
I do not have access to Asus-Merlin so the following comments are only (*1) hunches:

If you are using static.key mode then TiTex's comments sound accurate .. Your client config is missing the static.key .. Take a look at the HOWTO for general setup help:
static-key-mini-howto

Some other things which look badly wrong:

jcarerra wrote:
Jul 25 17:54:05 openvpn[10223]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253

I don't know where you specify your network mask but it looks like you have a mask of 240.0.0.0 (*1)

jcarerra wrote:
Jul 25 17:54:05 openvpn[10223]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.0.0 10.8.0.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
Jul 25 17:54:05 openvpn[10223]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.0.0 10.8.0.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'

This must be an Asus-Merlin thing (*1) because it is wrong #1) --ifconfig should not be a parameter here #2) --ifconfig parameters are bogus ...

Have you tried Asus:
http://www.snbforums.com/forums/asuswrt-merlin.42/
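
Added example, not part of any post in this thread: a Python triage pass over the server log that turns the `/4` prefix in the `ip addr add` line into its netmask and reports a `--ping-restart` cycle in which no peer was ever heard. The sample lines are copied from the log posted above; the function name, the report layout and the RFC 1918 containment check are assumptions made for this sketch.

```python
import ipaddress
import re

# Lines copied from the verb 4 server log posted in the thread.
SAMPLE_LOG = """\
Jul 25 17:54:05 openvpn[10223]: /usr/sbin/ip link set dev tun21 up mtu 1500
Jul 25 17:54:05 openvpn[10223]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253
Jul 25 17:54:05 openvpn[10223]: UDPv4 link local (bound): [undef]
Jul 25 17:54:05 openvpn[10223]: UDPv4 link remote: [undef]
Jul 25 17:55:05 openvpn[10223]: Inactivity timeout (--ping-restart), restarting
Jul 25 17:55:05 openvpn[10223]: /usr/sbin/ip addr del dev tun21 10.8.0.1/4
Jul 25 17:55:05 openvpn[10223]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 25 17:55:07 openvpn[10223]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\sopenvpn\[\d+\]:\s(?P<msg>.*)$")
ADDR_ADD = re.compile(r"ip addr add dev (\S+) (\d+\.\d+\.\d+\.\d+/\d+)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def triage(log_text):
    """Summarise tunnel addressing and restart behaviour from an OpenVPN syslog."""
    tunnels, restarts, peer_seen = {}, 0, False
    for raw in log_text.splitlines():
        m = SYSLOG.match(raw.strip())
        if not m:
            continue                      # not an openvpn syslog line
        msg = m.group("msg")
        added = ADDR_ADD.search(msg)
        if added:
            tunnels[added.group(1)] = ipaddress.ip_interface(added.group(2))
        elif "Peer Connection Initiated" in msg:
            peer_seen = True
        elif "Inactivity timeout (--ping-restart)" in msg:
            restarts += 1

    findings = []
    for dev, iface in sorted(tunnels.items()):
        # Assumption of this sketch: a tunnel address should sit inside
        # private space, so an on-link network wider than that is flagged.
        if not any(iface.network.subnet_of(net) for net in RFC1918):
            findings.append("%s: %s is netmask %s, on-link network %s"
                            % (dev, iface, iface.netmask, iface.network))
    if restarts and not peer_seen:
        findings.append("%d ping-restart(s) with no peer connection logged"
                        % restarts)
    return {
        "netmasks": {dev: str(i.netmask) for dev, i in tunnels.items()},
        "restarts": restarts,
        "peer_seen": peer_seen,
        "findings": findings,
    }

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```
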

Post by jcarerra » Sun Jul 26, 2015 1:31 pm

TiTex wrote:
that client config won't work if you are using "Authorization Mode: Static Key"
you are missing the option

Code:

secret static.key

it looks like it's a drop down menu, so if you want to use ssl/tls (with client/server certs) there should be an option for that in the drop down menu on your router.
i think the certificates are useless with "Authorization Mode: Static Key"

My 99% lack of knowledge of vpn's comes into play here!
OK, one at a time..

a. Before the firmware upgrade, the config did work without secret static.key, but I will add it..ah, where?
I assume you mean the client needs it, but not sure. The server IS told there is a static key by the item "Authorization Mode: Static Key"--and there is a static key put in on the page (not shown) that is opened by clicking the yellow "Content modification of keys..."
But to the guts...I thought that "Authorization Mode: Static Key" added a key verification (in addition to user/password) to AUTHORIZATION only (login)--not doing anything to the tunnel encryption, which was handled by the cert/keys on each end. Is that wrong?

So when it was working before, are you saying it was using entered static key for encrypting the tunnel and ignoring the keys entered for <cert></cert><key></key>...or what?

b. "there should be an option for that {ssl/tls ( with client/server certs) [but it would be 'keys' would it not?]} in the drop down menu on your router."
Very confused. Is that not the "Authorization Mode: Static Key" item which turns that on?

Post by jcarerra » Sun Jul 26, 2015 1:40 pm

Wow, This is going off the rails fast.

What is blowing my mind is that the config I am using now on the server end is EXACTLY what I was using before the FW update (unless I have screwed up copying the settings back in)--and it worked then.

SO much to address!

One at a time

Code:

Jul 25 17:54:05 openvpn[10223]: /usr/sbin/ip addr add dev tun21 10.8.0.1/4 broadcast 255.255.255.253

I don't know where you specify your network mask but it looks like you have a mask of 240.0.0.0 (*1)

Everything I specify is posted in the images and the posted client ovpn, so I have no idea where that comes from.
