[SOLVED]WRT3200ACM OpenVpn Issue after upgrade to r46604

ChrisCa
DD-WRT Novice


Joined: 26 Feb 2019
Posts: 33

PostPosted: Fri May 14, 2021 8:27    Post subject: [SOLVED]WRT3200ACM OpenVpn Issue after upgrade to r46604
Upgraded my router now to DD-WRT v3.0-r46604 std (05/09/21). Now the OpenVPN connection was working once for 1 minute and then stopped. Rebooted the router several times; under Status I sometimes briefly see client-wait, client-auth, and then the status page goes blank, no connection...

syslog:

daemon.notice openvpn[4523]: SIGTERM[soft,auth-failure] received, process exiting

event_wait : Interrupted system call (code=4)

daemon.warn openvpn[4044]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

daemon.warn openvpn[4044]: --mtu-disc is not supported on this OS

Tried different settings now like in the VPN guide, tried the troubleshooting steps, no success...

Settings:
OpenVpn Client enabled
CVE-Mitigation: enabled
Port: 443
Tunnel Device: TUN
Tunnel Protocol: tcp
Encryption Cipher: AES-256-CBC
Hash Algo: SHA1
First Data Cipher: AES-128-GCM
Second Data Cipher: AES-256-GCM
Third Data Cipher: AES-256-CBC
User / Pass enabled
TLS Cipher: none
Compression: no
NAT: enabled
Inbound Firewall on TUN: enabled
Tunnel UDP MSS-Fix: Disabled
TLS Key Choice: TLS Auth


TLS Key:
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

Additional Config:

tls-client
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
key-direction 1
resolv-retry infinite
keepalive 10 60
nobind
persist-key
persist-tun
persist-remote-ip
verb 3

CA Cert:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Last version was 46316, which was working, but with frequent VPN drops..

Any ideas?
Thx
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Fri May 14, 2021 9:45
Which provider is this for?

For general setup instructions see the link in my signature at the bottom.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ChrisCa
DD-WRT Novice


Joined: 26 Feb 2019
Posts: 33

PostPosted: Fri May 14, 2021 10:08
Provider is IVPN. The router is already set up and was running with earlier builds.

I already read the setup and troubleshooting guides.

As you sent me in the other thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329010
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Fri May 14, 2021 10:31
The warnings you have should not be a problem.

Things which can be better (not saying that this will solve your problem):

Remove everything from the additional config only add:
Code:
verb 5


Use tcp4 instead of tcp as protocol.

Apparently your provider wants AES-256-CBC as encryption cipher so also set that as first data cipher.

To make the "WARNING: No server certificate verification method has been enabled" go away, tick/enable "Verify Server Cert." in the GUI.

For testing, disable the killswitch in the GUI and do not use PBR.

Reboot the router and after a few minutes send output of (via CLI e.g. telnet/Putty):
Code:
cat /var/log/messages | grep openvpn

ChrisCa
DD-WRT Novice


Joined: 26 Feb 2019
Posts: 33

PostPosted: Fri May 14, 2021 11:51
Thank you for the information.

Adapted the settings as you recommended, and yes, the router was connected then, shown also in the GUI. Speed measured was just 200kbps ..

Rebooted the router, but now it doesn't connect anymore after reboot..

Saved and applied the VPN config several times and rebooted, no connection anymore..


cat /var/log/messages | grep openvpn

May 14 13:33:41 ddwrt daemon.notice openvpn[6640]: TCP/UDP: Closing socket
May 14 13:33:41 ddwrt daemon.notice openvpn[6640]: SIGTERM[hard,] received, process exiting
May 14 13:33:41 ddwrt user.info : openvpn : General Killswitch for OpenVPN removed in 3 using wanface br0
May 14 13:33:41 ddwrt user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: Current Parameter Settings:
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: config = '/tmp/openvpncl/openvpn.conf'
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: mode = 0
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: NOTE: --mute triggered...
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: 233 variation(s) on previous 3 message(s) suppressed by --mute
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: OpenVPN 2.5.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 9 2021
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.09
May 14 13:33:41 ddwrt daemon.notice openvpn[6838]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
May 14 13:33:41 link daemon.warn openvpn[6838]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 14 13:33:41 link daemon.notice openvpn[6838]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 14 13:33:41 link daemon.notice openvpn[6838]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 14 13:33:41 link daemon.notice openvpn[6838]: Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
May 14 13:33:41 link daemon.notice openvpn[6838]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
May 14 13:33:41 link daemon.notice openvpn[6838]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
May 14 13:33:41 link daemon.notice openvpn[6838]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
May 14 13:33:41 link daemon.notice openvpn[6838]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
May 14 13:33:41 link daemon.notice openvpn[6838]: Socket Buffers: R=[87380->87380] S=[16384->16384]
May 14 13:33:41 link daemon.notice openvpn[6838]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
May 14 13:33:41 link daemon.notice openvpn[6838]: TCP connection established with [AF_INET]x.x.x.x:443
May 14 13:33:41 link daemon.notice openvpn[6838]: TCPv4_CLIENT link local: (not bound)
May 14 13:33:41 link daemon.notice openvpn[6838]: TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:443
May 14 13:33:41 link daemon.notice openvpn[6838]: TLS: Initial packet from [AF_INET]x.x.x.x:443, sid=4422c544 4e21f960
May 14 13:33:41 link daemon.notice openvpn[6838]: VERIFY KU OK
May 14 13:33:41 link daemon.notice openvpn[6838]: NOTE: --mute triggered...
May 14 13:33:42 link daemon.notice openvpn[6838]: 5 variation(s) on previous 3 message(s) suppressed by --mute
May 14 13:33:42 link daemon.notice openvpn[6838]: [xxxx.net] Peer Connection Initiated with [AF_INET]x.x.x.x:443
May 14 13:33:44 link daemon.notice openvpn[6838]: SENT CONTROL [xxxx.net]: 'PUSH_REQUEST' (status=1)
May 14 13:33:44 link daemon.notice openvpn[6838]: AUTH: Received control message: AUTH_FAILED
May 14 13:33:44 link daemon.notice openvpn[6838]: TCP/UDP: Closing socket
May 14 13:33:44 link daemon.notice openvpn[6838]: SIGTERM[soft,auth-failure] received, process exiting
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Fri May 14, 2021 12:12
The following indicates that you cannot authenticate, so your username/password, TLS key or CA cert are not accepted by the server:
Quote:
May 14 13:33:44 link daemon.notice openvpn[6838]: AUTH: Received control message: AUTH_FAILED


Check those and/or try a different server.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Fri May 14, 2021 12:51
Two other things: is this router set up as a WAP ( https://wiki.dd-wrt.com/wiki/index.php/Linking_Routers )?

The other thing: in the other thread you mentioned that your provider might not be compatible with OpenVPN 2.5.

Recent changes on the DD-WRT side have been upgrading to 2.5.2, which was a security fix.

So maybe this is a sign that your provider has difficulty with it?

ChrisCa
DD-WRT Novice


Joined: 26 Feb 2019
Posts: 33

PostPosted: Fri May 14, 2021 13:32
Tried with other servers too, also get Auth Failed, no connection..

No, this router is no WAP (my other router, a 1900ACSv2, is the WAP); the only service is OpenVPN, nothing else.

Should I add the provider's additional settings again, or maybe adapt something there?

Regarding version 2.5.2, this could be it; when was the upgrade to 2.5.2? So maybe I try a downgrade to 2.5.0 and try again?

Or do a complete flush and try again with the current version?

Thx
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Fri May 14, 2021 15:07
2.5.2 was introduced in 46430.

What seems strange is this:
Quote:
May 14 13:33:41 ddwrt user.info : openvpn : General Killswitch for OpenVPN removed in 3 using wanface br0


Your WAN is identified as br0; there must be something strange in your router setup.

Is this a default gateway setup, with the WAN connected to the internet?
Or has it been used for different setups?

If not, I would reset to defaults and set up from scratch.

But then again the auth failure points to a faulty username/password, so research that first.
Check the username and password with another appliance like your phone.
Check if the username and password are correctly set in the credentials file:
cat /tmp/openvpncl/credentials



Last edited by egc on Sat May 15, 2021 5:55; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri May 14, 2021 17:13
Beware, some low-end VPN providers will produce an AUTH FAIL even when using the proper username/password. This is how they manage their limited resources. The server will refuse your connection, at least temporarily, presumably due to overloading. I see this all the time w/ FastestVPN. They will sometimes also use it to kick you OFF an active connection!

As a practical matter, I have to have several servers (in the form of remote directives) specified in Additional Config so the OpenVPN client can try more than one. If you stick w/ the one server as specified in the Server IP/Name field of the OpenVPN client GUI, you'll be forced to constantly reconfigure that field in hopes of finding a reachable server.

Here's an example of my own Additional Config field w/ FastestVPN.

Code:
server-poll-timeout 10
remote-random
remote us-at-ovudp-01.jumptoserver.com 4443
remote us-cf-ovudp-01.jumptoserver.com 4443
remote us-ch1.jumptoserver.com 4443
remote us-ch2.jumptoserver.com 4443
remote us-dl-ovudp-01.jumptoserver.com 4443
remote us-dv1.jumptoserver.com 4443
remote us-la-ovudp-01.jumptoserver.com 4443
remote us-mi-ovudp-01.jumptoserver.com 4443
remote us-ny-ovudp-01.jumptoserver.com 4443
remote us-ph1.jumptoserver.com 4443
remote us-se1.jumptoserver.com 4443
remote us-st1.jumptoserver.com 4443
remote us-st3.jumptoserver.com 4443
remote us-st4.jumptoserver.com 4443
remote us-st5.jumptoserver.com 4443
remote us-wt.jumptoserver.com 4443


To make matters worse, when an AUTH FAIL occurs, it *kills* the OpenVPN client process, completely! And at that point no more attempts will be made. That's why using an OpenVPN watchdog is sometimes necessary (like the one in my signature). In combination w/ the remote-random directive, restarting the OpenVPN process by the watchdog increases the chances you'll be referencing a different server each time.

That's one of the differences between say an ExpressVPN provider and FastestVPN. The former never gives me this kind of grief. But w/ the latter, I can count on it like death and taxes.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
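Two things in this thread lend themselves to a small script: egc's point that `AUTH: Received control message: AUTH_FAILED` in the OpenVPN log means the server rejected the login (credentials, or, as it turned out, a provider-side session limit) and that `/tmp/openvpncl/credentials` is worth checking, and eibgrad's point that an auth failure kills the client outright so a watchdog has to decide when to restart it. The POSIX shell below is an added example, not code from the thread, from DD-WRT or from eibgrad's scripts. It classifies only the most recent client attempt in a syslog file (the marker line `OpenVPN daemon (Client) starting/restarting...` and the log messages are the ones shown in the thread), and checks that the credentials file has the two-line username/password layout OpenVPN's `auth-user-pass` file uses and is not readable by group or others, which is what the `group or others accessible` warning in the thread complains about. The sample log and credential files are constructed here and written to a temporary directory; on the router the inputs would be `/var/log/messages` and `/tmp/openvpncl/credentials`.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): triage the latest OpenVPN
# client attempt in a syslog file and sanity-check the credentials file.
# Written for busybox-style POSIX sh, as found on DD-WRT.

# Print a one-word verdict for the most recent client session in LOGFILE.
# Exit status: 0 = tunnel came up, 1 = attempt failed (a watchdog should
# restart the client), 2 = no client start seen at all.
classify_openvpn_log() {
    logfile="$1"
    # DD-WRT logs this marker each time it (re)starts the client; look only at
    # lines after the last one so an older success is not mistaken for the
    # current state.
    start=$(grep -n 'OpenVPN daemon (Client) starting/restarting' "$logfile" | tail -n 1 | cut -d: -f1)
    if [ -z "$start" ]; then
        echo "no-session"
        return 2
    fi
    session=$(tail -n "+$start" "$logfile" | grep 'openvpn')
    if printf '%s\n' "$session" | grep -q 'Initialization Sequence Completed'; then
        echo "connected"
        return 0
    fi
    # The message the thread shows: the server rejected the login (wrong
    # username/password, or a provider-side limit such as too many sessions).
    if printf '%s\n' "$session" | grep -q 'AUTH: Received control message: AUTH_FAILED'; then
        echo "auth-failed"
        return 1
    fi
    # Certificate / tls-auth problems surface before authentication is tried.
    if printf '%s\n' "$session" | grep -q -e 'TLS Error' -e 'VERIFY ERROR'; then
        echo "tls-failed"
        return 1
    fi
    echo "incomplete"
    return 1
}

# Check a credentials file in OpenVPN's auth-user-pass layout: line 1 is the
# username, line 2 the password. Prints "ok" and returns 0 only when both
# lines are present and group/others have no access bits at all.
check_credentials_file() {
    credfile="$1"
    [ -f "$credfile" ] || { echo "missing"; return 1; }
    user=$(sed -n '1p' "$credfile")
    pass=$(sed -n '2p' "$credfile")
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "incomplete"
        return 1
    fi
    # Columns 5-10 of "ls -l" are the group and other permission bits; the
    # OpenVPN "group or others accessible" warning fires when any one is set.
    mode=$(ls -ld "$credfile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "world-readable"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed sample inputs (not real router output), cleaned up on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_FAIL="$SAMPLE_DIR/messages-authfail"
SAMPLE_OK="$SAMPLE_DIR/messages-ok"
CRED_BAD="$SAMPLE_DIR/credentials-bad"
CRED_GOOD="$SAMPLE_DIR/credentials-good"

# An earlier attempt that came up, then a restart ending in AUTH_FAILED, the
# state the router in the thread was actually in.
cat > "$SAMPLE_FAIL" <<'EOF'
May 14 13:20:01 ddwrt user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
May 14 13:20:03 ddwrt daemon.notice openvpn[6500]: Initialization Sequence Completed
May 14 13:33:41 ddwrt daemon.notice openvpn[6640]: SIGTERM[hard,] received, process exiting
May 14 13:33:41 ddwrt user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
May 14 13:33:42 ddwrt daemon.notice openvpn[6838]: [xxxx.net] Peer Connection Initiated with [AF_INET]x.x.x.x:443
May 14 13:33:44 ddwrt daemon.notice openvpn[6838]: AUTH: Received control message: AUTH_FAILED
May 14 13:33:44 ddwrt daemon.notice openvpn[6838]: SIGTERM[soft,auth-failure] received, process exiting
EOF

cat > "$SAMPLE_OK" <<'EOF'
May 14 13:33:41 ddwrt user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
May 14 13:33:41 ddwrt daemon.notice openvpn[6838]: TCP connection established with [AF_INET]x.x.x.x:443
May 14 13:33:42 ddwrt daemon.notice openvpn[6838]: [xxxx.net] Peer Connection Initiated with [AF_INET]x.x.x.x:443
May 14 13:33:45 ddwrt daemon.notice openvpn[6838]: Initialization Sequence Completed
EOF

printf 'example-user\nexample-pass\n' > "$CRED_BAD";  chmod 644 "$CRED_BAD"
printf 'example-user\nexample-pass\n' > "$CRED_GOOD"; chmod 600 "$CRED_GOOD"

# Stand-alone demonstration: a watchdog would restart the client on status 1.
classify_openvpn_log "$SAMPLE_FAIL" || echo "watchdog: restart the client"
classify_openvpn_log "$SAMPLE_OK" && echo "tunnel is up"
check_credentials_file "$CRED_BAD" || echo "fix the credentials file permissions"
check_credentials_file "$CRED_GOOD"
```

Run from cron on the router, `classify_openvpn_log /var/log/messages` gives a watchdog a reason-specific verdict rather than just "process not running": a `tls-failed` verdict points at the CA cert or TLS key and will not be cured by a restart, while `auth-failed` is exactly the case eibgrad describes, where retrying (ideally against a different `remote`) is the only option short of contacting the provider.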
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

PostPosted: Fri May 14, 2021 17:56
egc wrote:
2.5.2 was introduced in 45849.

I'm on 46069, and openvpn --version reports 2.5.1.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

PostPosted: Sat May 15, 2021 5:56
My bad, 2.5.2 was introduced in 46430.
ChrisCa
DD-WRT Novice


Joined: 26 Feb 2019
Posts: 33

PostPosted: Sat May 15, 2021 16:06
Now, after 2 days of downgrading 5 versions of my WRT3200ACM, testing every version with the provider config and the DD-WRT VPN Guide, and testing different locations and ports: the issue with the [soft,auth-failure] is on the provider side. They wrote me that the sessions of my account filled up, so that's why no connection was possible anymore!

Thanks ALL for your tips and help!

P.S. If someone has a step-by-step guide to install/configure DNS encryption / DoT (something like the VPN Guide PDF), that would be awesome :)

br