Posted: Mon Mar 30, 2020 15:22 Post subject: KeepSolid OpenVPN Working Config
Attached image showing a working configuration (as of Mar/2020) of KeepSolid VPN (aka VPN Unlimited) under DDWRT using OpenVPN.
I am sharing this for three reasons:
[1] I had to relearn the working configuration after updating a router.
[2] I have found KeepSolid's DDWRT Guide to be flawed and technically incorrect, seeing as how it does NOT work.
[3] For anyone else who may be attempting to get this VPN to work in their router.
Server IP/Name: FILL
Port: 1194
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-256-CBC
Hash Algorithm: SHA512
TLS Cipher: NONE
LZO Adaptive
nsCertType verification CHECKED FOR ON
Thank you for this post. I am trying to follow your instructions but am getting the following error:
Code:
Clientlog:
19691231 19:00:21 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19691231 19:00:21 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19691231 19:00:21 I OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 19 2020
19691231 19:00:21 I library versions: OpenSSL 1.1.1g 21 Apr 2020 LZO 2.09
19691231 19:00:48 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:00:48 W WARNING: Your certificate is not yet valid!
19691231 19:00:53 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19691231 19:00:58 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19691231 19:00:58 W Could not determine IPv4/IPv6 protocol
19691231 19:00:58 I SIGUSR1[soft init_instance] received process restarting
19691231 19:01:03 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:01:03 I TCP/UDP: Preserving recently used remote address: [AF_INET]64.31.33.154:1194
19691231 19:01:03 I UDPv4 link local: (not bound)
19691231 19:01:03 I UDPv4 link remote: [AF_INET]64.31.33.154:1194
19691231 19:01:04 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
19691231 19:01:04 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19691231 19:01:04 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 19:01:04 N TLS Error: TLS object -> incoming plaintext read error
19691231 19:01:04 N TLS Error: TLS handshake failed
19691231 19:01:04 I SIGUSR1[soft tls-error] received process restarting
19691231 19:01:09 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:01:09 I TCP/UDP: Preserving recently used remote address: [AF_INET]23.83.37.209:1194
19691231 19:01:09 I UDPv4 link local: (not bound)
19691231 19:01:09 I UDPv4 link remote: [AF_INET]23.83.37.209:1194
19691231 19:01:09 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
19691231 19:01:09 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19691231 19:01:09 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 19:01:09 N TLS Error: TLS object -> incoming plaintext read error
19691231 19:01:09 N TLS Error: TLS handshake failed
19691231 19:01:09 I SIGUSR1[soft tls-error] received process restarting
19691231 19:00:00
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Wed May 20, 2020 11:50 Post subject:
I have not looked in detail but I noticed a couple of things.
You do not have the right time on your router and thus your certificate is not valid.
NAT is disabled; for almost all VPN providers I know, you have to enable NAT (this might be an exception).
You can most probably remove all settings in the Additional config save: remote-random and reneg-sec 0 (this one is to make your connection stay up but it is less safe)
Secondly, I enabled NAT because I was following the guidelines in this post. I have disabled NAT and removed all additional settings except the two mentioned by you. But unfortunately it still didn't work.
Following is the current log:
Code:
Clientlog:
19700101 05:00:21 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19700101 05:00:21 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19700101 05:00:21 I OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 19 2020
19700101 05:00:21 I library versions: OpenSSL 1.1.1g 21 Apr 2020 LZO 2.09
19700101 05:00:21 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19700101 05:00:49 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 05:00:49 W WARNING: Your certificate is not yet valid!
19700101 05:00:54 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19700101 05:00:59 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19700101 05:00:59 W Could not determine IPv4/IPv6 protocol
19700101 05:00:59 I SIGUSR1[soft init_instance] received process restarting
19700101 05:00:59 Restart pause 5 second(s)
19700101 05:00:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:00:59 D MANAGEMENT: CMD 'state'
19700101 05:00:59 MANAGEMENT: Client disconnected
19700101 05:00:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:00:59 D MANAGEMENT: CMD 'state'
19700101 05:00:59 MANAGEMENT: Client disconnected
19700101 05:00:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:00:59 D MANAGEMENT: CMD 'state'
19700101 05:00:59 MANAGEMENT: Client disconnected
19700101 05:01:04 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 05:01:09 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19700101 05:01:09 Socket Buffers: R=[172032->172032] S=[172032->172032]
19700101 05:01:09 I UDPv4 link local: (not bound)
19700101 05:01:09 I UDPv4 link remote: [AF_INET]23.83.37.213:1194
19700101 05:01:09 TLS: Initial packet from [AF_INET]23.83.37.213:1194 sid=1f8e7654 d47630c3
19700101 05:01:10 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
19700101 05:01:10 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19700101 05:01:10 N TLS_ERROR: BIO read tls_read_plaintext error
19700101 05:01:10 NOTE: --mute triggered...
19700101 05:01:10 2 variation(s) on previous 3 message(s) suppressed by --mute
19700101 05:01:10 I SIGUSR1[soft tls-error] received process restarting
19700101 05:01:10 Restart pause 5 second(s)
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'state'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'state'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'state'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'status 2'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:13 D MANAGEMENT: CMD 'log 500'
19700101 05:00:00
Please suggest what I should do.
Last edited by saadbashir on Wed May 20, 2020 12:46; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Wed May 20, 2020 12:46 Post subject:
Time is not fixed; your date shows 01 01 1970:
19700101 05:01:10 N TLS_ERROR: BIO read tls_read_plaintext error
VPN cannot operate without correct date and time.
That should go automatically so there is something wrong with your settings.
Do not enter anything in the time server field; just keep it blank.
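The diagnosis in the post above can be checked mechanically. This is an added example, not part of the thread or of DD-WRT: a log dated before the "built on" year in OpenVPN's own banner cannot be right, so "certificate is not yet valid" then points at the clock rather than the certificate. The function name, verdict strings and the second sample log are constructed for this example.

```sh
#!/bin/sh
# Added example: classify an OpenVPN client log for the "clock not set" failure.
# Assumption of this example: no log line can predate the "built on" year in
# the OpenVPN banner, so an older log year means the system clock is wrong.

diagnose_log() {
    awk '
    / built on / { build_year = $NF + 0 }            # banner ends "... built on May 19 2020"
    $1 ~ /^[0-9]+$/ && length($1) == 8 {             # DD-WRT lines start with YYYYMMDD
        y = substr($1, 1, 4) + 0
        if (min_year == 0 || y < min_year) min_year = y
    }
    /VERIFY ERROR/ && /certificate is not yet valid/ { early++ }
    /VERIFY ERROR/ && /certificate has expired/      { late++ }
    END {
        clock_bad = (build_year > 0 && min_year > 0 && min_year < build_year)
        if (clock_bad && early)  print "clock-not-set"        # fix NTP, not the cert
        else if (clock_bad)      print "clock-suspect"
        else if (early || late)  print "certificate-problem"  # clock plausible, cert is not
        else                     print "no-time-issue"
    }' "$@"
}

# Lines abridged from the log posted in the thread.
sample_thread_log() {
    cat <<'EOF'
19700101 05:00:21 I OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 19 2020
19700101 05:00:49 W WARNING: Your certificate is not yet valid!
19700101 05:01:10 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com
19700101 05:01:10 I SIGUSR1[soft tls-error] received process restarting
EOF
}

# Constructed log: the clock is plausible, so the certificate itself is at fault.
sample_expired_log() {
    cat <<'EOF'
20200520 13:00:21 I OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] built on May 19 2020
20200520 13:00:50 N VERIFY ERROR: depth=0 error=certificate has expired: CN=vpn.example.test
20200520 13:00:50 N TLS Error: TLS handshake failed
EOF
}

sample_thread_log  | diagnose_log
sample_expired_log | diagnose_log
```

The function also accepts a file path, so it can be pointed at a saved copy of the client log.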
I tried removing the NTP server and pressed Apply Settings, and now suddenly my router has stopped responding. All its lights are continuously on. They aren't flashing or anything. Have unplugged it and the lights are still on. Any idea what I can do to fix this?
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Wed May 20, 2020 13:35 Post subject:
If turning it off and on does not help, a reset is the next step.
But bricking your router by removing an entry in the NTP time server field (time works best when left blank) is hard to understand; it indicates that there is something else going on, either wrong settings or hardware failure.
BTW you did not even tell us your router model and build number (it is recent as you are using OpenVPN 2.4.9)
Latest build 43192 appears to work good.
It is odd. I don't know what happened there. This was a very old router Linksys E1200 V2. Didn't want to risk going out because of all this corona. So since this was compatible I thought I will give it a try.
I have tried reset, 30:30:30 reset but nothing seems to work. Those lights are here to stay!
Is there any other trick up your sleeve? If not, can you recommend a new router in low-mid budget which might work good. Any feedback on Linksys E900? I only need it for VPN Client mode. Thanks
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed May 20, 2020 15:35 Post subject:
Just to add a little to egc's comments...
The inexpensive router most recommended in the forums is the Netgear R7800 (see egc's sig for link to setup), which definitely has the CPU power to handle VPN well. The R7000 (older, cheaper) is also mentioned often, and the (newer, pricey) R9000 is mentioned occasionally. The R7000 and R7800 are often available used for good prices. Part of what's going on with the Netgear models is that you want to stick to those with Qualcomm/Atheros wifi hardware, which is far less troublesome than the Broadcom wifi hardware of some models.
If you want to stick with Linksys, you want the EA8500 or the WRT1900ACSv2 (specifically the ACS and specifically the v2), which also have Atheros wifi. Stay away from the more popular WRT3200ACM (especially) and WRT32X models, as their wifi drivers have issues that drive people nuts. If you go with the WRT1900ACSv2, which I use, note you should add a USB fan. Also, the "v2" is never advertised in commercial listings for that router, but it can be verified by looking at the upper-right corner of the blue label on the bottom of the router. The earlier AC (particularly its v1) and ACSv1 (not marked at all with a version number on the blue label) have been tricky for people. Setup for the WRT1900ACSv2 is per the "Cliff Notes" sticky at the beginning of the Marvell forum. (I'm not familiar enough with the EA8500 to point you at setup info.)
If you are bargain hunting for another router, the right way to go is going to depend on what you can locate at a decent price, but this little list should get you started.
Use the new-build threads in the appropriate (for the particular router) forum to pick a build. Never depend on the router database, which is obsolete and often recommends disastrous build choices.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Egc, I have tried simple reset, 30:30:30 reset and even plugging the router into the LAN port of the computer directly to see if I can access the http page, but to no avail. I guess it is time to throw the router in the bin. It has all lights on dim. I have also changed 3 power sources to see if that might be the issue.
Actually I just need VPN because for some odd reason my SMA solar inverter is using the SIP protocol to share production data, and SIP has been blocked by the government. Now I need a VPN to bypass this and get the data feed from my inverter. So there won't be a lot of data transfer, and I am not even sure if it would work, so I don't want to spend a lot of money.
In my junk I found some more linksys routers
1) WRT54G2 V1.5
2) E1000 v2.1
3) E1000 v1
Guys, I am thinking of flashing the E1000 v2.1 to try my luck tomorrow. As you suggested that the wiki is outdated, where can I get the latest firmware which might work with this router? In the forum I could only find a mini.bin. Will the mini firmware have support for VPN client?